Silent Ransom Group Attacks Law Firms

The Silent Ransom Group (SRG) also goes by the names UNC3573, Luna Moth and Chatty Spider. The group targets law firms through data theft followed by extortion rather than the classic encryption of valuable data. It first sends phishing emails to staff or telephones them. Because the phishing emails contain no malicious links or suspicious attachments, they do not trigger security alerts. The emails urge the recipient to contact a fake IT support desk, which talks them into installing remote access software on their systems. Because the remote access tools are reputable ones, no security alert or warning is raised. Once the attackers have access to the staff member's computer, they search for important and valuable legal documents and transfer them to their own systems. They then email the targeted law firm demanding payment, failing which they will publish or sell the stolen data. Since law firms are vulnerable to reputational damage and may face hefty regulatory fines, they are likely to pay the demanded amount quietly.
Earlier tactics were to deliver malware to the law firm's computers and encrypt the data, then demand money in return for decrypting it; that is the classic ransomware encryption model. Now, if SRG fails in its attempt to steal legal data remotely, it sends an individual to the firm's premises posing as a member of IT support. He or she states that a backup of the system is required for security purposes, attaches a USB device or external hard drive to the system and exfiltrates the valuable data.
After gaining access to a device, the SRG actor escalates privileges and proceeds to exfiltrate data without encrypting it. Typically WinSCP (Windows Secure Copy) or versions of Rclone are used for the exfiltration. Alternatively, data is exfiltrated to reputable and trusted destinations such as Microsoft OneDrive and Google Drive.
How to Protect Your Organization from SRG and Like-Minded Threat Actors
Verify that a person claiming to be from your company's IT support is genuine before giving them remote or physical access to your systems. Train staff to recognise phishing and social engineering attacks. Make MFA (Multi-Factor Authentication) mandatory. Restrict remote access permissions. Always verify a person's identity through official channels before granting access. Limit permission to connect external drives on important systems. Have a member of staff escort any visiting IT support person to prevent fraudulent activity.
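As an added illustration (not from the original article or any cited source) of how a defender can hunt for the exfiltration tooling described above, alongside the protective measures just listed: a Python triage script that flags WinSCP or Rclone execution, Rclone transfers involving a named remote, and cloud-storage connections from unsanctioned processes, run over constructed Sysmon-style events. The event field names, the cloud host list and the sanctioned-client list are assumptions to tune per environment.

```python
import re
from typing import Dict, List, Tuple

# Binaries the article names as SRG exfiltration tooling (lower-case for matching).
EXFIL_TOOLS = {"rclone.exe", "winscp.exe", "winscp.com"}
# Cloud storage hosts the article says SRG abuses; assumption: illustrative list, tune per environment.
CLOUD_HOSTS = ("onedrive.live.com", "drive.google.com", "www.googleapis.com")
# Assumption: the processes your organisation sanctions to talk to those hosts.
SANCTIONED_CLOUD_CLIENTS = {"onedrive.exe", "msedge.exe", "chrome.exe"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata)\\|\\temp\\", re.I)

def image_name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev: Dict[str, str]) -> List[str]:
    """Reasons this process/network event matches an SRG-style exfiltration pattern."""
    reasons: List[str] = []
    name = image_name(ev.get("image", ""))
    cmd = ev.get("cmdline", "").lower()
    if name in EXFIL_TOOLS:
        reasons.append(f"exfil tool executed: {name}")
        if USER_WRITABLE.search(ev.get("image", "")):
            reasons.append("binary launched from a user-writable path")
    # rclone copy/sync/move with a named remote ("remote:" is 2+ chars, unlike a drive letter "d:").
    if name == "rclone.exe" and re.search(r"\b(copy|sync|move)\b", cmd) and re.search(r"\s[a-z0-9_-]{2,}:", cmd):
        reasons.append("rclone transfer involving a configured remote")
    dest = ev.get("dest_host", "").lower()
    if dest.endswith(CLOUD_HOSTS) and name not in SANCTIONED_CLOUD_CLIENTS:
        reasons.append(f"unsanctioned process contacting cloud storage: {dest}")
    return reasons

def triage(events: List[Dict[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """(host, user, reasons) for every event that matched at least one pattern."""
    return [(ev["host"], ev["user"], r) for ev in events if (r := score_event(ev))]

# Constructed sample telemetry in a simplified Sysmon-like shape (field names are assumptions).
SAMPLE_EVENTS = [
    {"host": "PARALEGAL-07", "user": "jdoe", "image": r"C:\Users\jdoe\Downloads\rclone.exe", "cmdline": r"rclone.exe copy D:\Matters remote:matters --transfers 8", "dest_host": ""},
    {"host": "LITSUP-02", "user": "asmith", "image": r"C:\Program Files\WinSCP\WinSCP.exe", "cmdline": "WinSCP.exe /console", "dest_host": ""},
    {"host": "PARALEGAL-07", "user": "jdoe", "image": r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe", "cmdline": "OneDrive.exe /background", "dest_host": "onedrive.live.com"},
    {"host": "ASSOC-11", "user": "bkhan", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe -File sync.ps1", "dest_host": "drive.google.com"},
    {"host": "ASSOC-11", "user": "bkhan", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "cmdline": "WINWORD.EXE brief.docx", "dest_host": ""},
]

if __name__ == "__main__":
    for host, user, reasons in triage(SAMPLE_EVENTS):
        print(f"{host} / {user}: " + "; ".join(reasons))
```

In a real deployment the sanctioned-client allowlist is the control that matters: the sanctioned OneDrive client talking to onedrive.live.com is normal, a scripting host doing so is not.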
More About the Silent Ransom Group
It is believed that this entity has been active since 2022. According to the FBI, SRG focuses on targeting law firms because they hold highly confidential client information, litigation documents and critical communications.
FAQs
- What is the Silent Ransom Group (SRG)?
The Silent Ransom Group (SRG), also known as UNC3573, Luna Moth, and Chatty Spider, is a cybercriminal group that primarily targets law firms. Unlike traditional ransomware groups, SRG focuses on stealing sensitive data and extorting victims rather than encrypting files.
- How does SRG gain access to a law firm's systems?
SRG commonly uses phishing emails and social engineering phone calls. Victims are persuaded to contact fake IT support personnel, who then convince them to install legitimate remote access software. Once access is granted, the attackers search for and steal valuable legal documents.
- How is SRG different from traditional ransomware groups?
Traditional ransomware groups encrypt an organization's data and demand payment for decryption. SRG typically skips the encryption stage and directly steals sensitive information, threatening to publish or sell it unless a ransom is paid.
- What tools does SRG use to exfiltrate stolen data?
SRG often uses tools such as WinSCP (Windows Secure Copy) and Rclone to transfer stolen data. They may also exfiltrate data to trusted cloud storage platforms such as Microsoft OneDrive and Google Drive to avoid raising suspicion.
- What measures can organizations take to protect themselves from SRG attacks?
Organizations should verify the identity of anyone claiming to be IT support, train employees to recognize phishing and social engineering attacks, enforce Multi-Factor Authentication (MFA), restrict remote access permissions, limit the use of external storage devices, and ensure IT personnel are escorted when accessing sensitive systems.
Sources:
https://www.bleepingcomputer.com/news/security/silent-ransom-group-targets-law-firms-with-fake-it-support-calls/
https://www.esecurityplanet.com/threats/silent-ransom-group-targets-law-firms-with-it-impersonation-attacks/
https://www.halcyon.ai/ransomware-alerts/an-old-tactic-returns-silent-ransom-groups-active-use-of-physical-intrusion-against-u-s-law-firms
https://www.bitdefender.com/en-us/blog/hotforsecurity/fbi-warns-criminals-impersonating-it-support-law-firms
https://www.helpnetsecurity.com/2026/05/27/fbi-silent-ransom-group-law-firms-social-engineering/