The US Federal Bureau of Investigation (FBI) has issued a warning regarding the Silent Ransom Group (SRG), which has increasingly focused its extortion efforts on law firms across the US over the past two years. Also known as Luna Moth, the group employs tactics such as callback phishing and social engineering to gain unauthorised access to the systems of legal practices, aiming to steal sensitive data for ransom.

Operating since 2022, SRG has expanded its target base significantly, primarily focusing on US-based law firms due to the sensitive nature of their data. In addition to law firms, the group has also engaged in attacks against companies in the medical and insurance sectors. However, legal firms remain the primary target.

The tactics used by SRG have evolved over time. The group initially relied on phishing emails that simulate communication from well-known businesses offering subscription services. Victims receive emails requesting small “subscription fees,” which generate minimal suspicion. To cancel these fake subscriptions, victims are directed to call a number provided in the email; on that call they are talked into downloading remote access software that grants SRG control over their devices.

Recent developments indicate that since March 2025, SRG has shifted to a more direct approach, phoning employees while impersonating IT department staff. Employees are prompted to join remote access sessions via links sent by email or opened in their web browsers. Once access is granted, the attackers escalate privileges only minimally before quickly exfiltrating data using tools such as WinSCP or Rclone.

Extortion attempts following data breaches and threats

After extracting sensitive information, SRG sends ransom emails threatening to publish or sell the data if payment is not made. The group also uses phone calls to pressure employees into engaging in ransom negotiations. Although they maintain a site for posting stolen data, they do not consistently follow through with this threat.

The group does not encrypt victims’ systems but instead targets sensitive information for extortion purposes. Ransom demands from SRG can range from $1m to $8m based on the size of the breached organisation.

A recent report by EclecticIQ corroborates the FBI’s findings, detailing how SRG targets legal and financial institutions by registering domains that impersonate IT support portals. Victims are often misled through malicious emails featuring fake helpdesk numbers.

To mitigate risks associated with these attacks, the FBI recommends implementing strong password policies, activating two-factor authentication for all staff members, conducting regular data backups, and providing training on identifying phishing attempts.

Signs of SRG activity may include unauthorised downloads of system management tools, suspicious email communications claiming data theft, or unsolicited calls from individuals posing as IT staff. Network defenders are advised to remain vigilant regarding these potential indicators in order to prevent future breaches.
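As an added illustration of the last two indicators (not part of the FBI advisory or the EclecticIQ report), the following triage script flags process-creation events that fit the exfiltration pattern described above: the tools the advisory names (WinSCP, Rclone) running under an ordinary user account from a non-standard path and pushing data to a remote. The event field names and the sample events are constructed assumptions standing in for parsed Sysmon-style records.

```python
"""Triage process-creation events for SRG-style exfiltration activity."""
import re
from collections import defaultdict

# Exfiltration tools named in the advisory. Renamed binaries are out of scope.
EXFIL_IMAGES = {"rclone.exe", "winscp.exe", "winscp.com"}
# rclone verbs that move data, followed by a remote spec ("name:path").
# Two or more name characters so a drive letter such as "C:" does not match.
RCLONE_REMOTE = re.compile(r"\b(copy|sync|move)\b.*\s[\w-]{2,}:", re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return the reasons this event is suspicious (empty list if none)."""
    reasons = []
    image = basename(ev["image"])
    if image in EXFIL_IMAGES:
        reasons.append(f"exfil tool executed: {image}")
        if image == "rclone.exe" and RCLONE_REMOTE.search(ev["cmdline"]):
            reasons.append("rclone copying to a remote")
        # SRG escalates only minimally, so the tool typically runs as the
        # phished user from a download or temp folder, not an installed path.
        if not ev["image"].lower().startswith(r"c:\program files"):
            reasons.append("run from a non-standard path")
    return reasons

def triage(events):
    """Group suspicious events by user so the account can be checked quickly."""
    findings = defaultdict(list)
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            findings[ev["user"]].append((ev["image"], reasons))
    return dict(findings)

SAMPLE_EVENTS = [  # constructed records; field names are an assumption
    {"user": "LAW\\jdoe", "image": r"C:\Users\jdoe\Downloads\rclone.exe",
     "cmdline": r"rclone.exe copy C:\Shares\Clients cloud:cases --transfers 8"},
    {"user": "LAW\\jdoe", "image": r"C:\Users\jdoe\AppData\Local\Temp\WinSCP.exe",
     "cmdline": "WinSCP.exe /console /script=upload.txt"},
    # Scheduled backup: still a hit, but with fewer reasons, so it ranks lower.
    {"user": "LAW\\backup_svc", "image": r"C:\Program Files\Rclone\rclone.exe",
     "cmdline": r"rclone.exe sync D:\Backups backup-s3:nightly"},
    {"user": "LAW\\asmith", "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": "WINWORD.EXE brief.docx"},
]

if __name__ == "__main__":
    for user, hits in triage(SAMPLE_EVENTS).items():
        for image, reasons in hits:
            print(f"{user}: {image}\n    " + "\n    ".join(reasons))
```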
