Thursday, 29 May 2025

FBI Reports Hacker Group After US Law Firms (Again)

The U.S. Federal Bureau of Investigation (FBI) Cyber Division (Internet Crime Complaint Center) has issued a warning that certain malicious cyber actors are targeting law firms. Law firms are a ripe target because they hold valuable client information, including intellectual property. The warning states, in part:

The cyber threat actor Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753, is targeting law firms using information technology (IT) themed social engineering calls, and callback phishing emails, to gain remote access to systems or devices and steal sensitive data to extort the victims. While SRG has historically victimized companies in many sectors, starting Spring 2023, the group has consistently targeted US-based law firms, likely due to the highly sensitive nature of legal industry data. . . .

As of March 2025, SRG was observed changing their tactics to calling individuals and posing as an employee from their company’s IT department. SRG will then direct the employee to join a remote access session, either through an email sent to them, or navigating to a web page. Once the employee grants access to their device, they are told that work needs to be done overnight. Once in the victim’s device, a typical SRG attack involves minimal privilege escalation and quickly pivots to data exfiltration conducted through “WinSCP” (Windows Secure Copy) or a hidden or renamed version of “Rclone.” If the compromised device does not have administrative privileges, WinSCP portable is used to exfiltrate victim data. Although this tactic has only been observed recently, it has been highly effective and resulted in multiple compromises. Similar to their phishing emails posing as a company with a subscription, once SRG exfiltrates data, they extort the victim by sending them a ransom email threatening to sell or post the data online. SRG will also call employees at a victim company to pressure them into engaging in ransom negotiations. SRG has developed a publicly available site to post victim data; however, they are inconsistent in their use of the site, and do not always follow through on posting victim data.
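As an added illustration (not part of the FBI notice or this post), the following Python sketch flags process-creation events that fit the exfiltration pattern quoted above: an Rclone binary executed under another name, an Rclone transfer to a remote, and a portable WinSCP started from a user-writable folder. Field names mimic Sysmon Event ID 1, the sample events are constructed, and it assumes the PE version resource still reports `rclone.exe` / `winscp.exe` as OriginalFileName after a rename.

```python
"""Flag process-creation events matching the SRG exfiltration pattern (renamed Rclone,
Rclone push to a remote, portable WinSCP from a user-writable path). Constructed samples."""
import re
from dataclasses import dataclass

# Folders a non-admin user can write to; a WinSCP launched from here is a portable copy.
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\(Downloads|AppData|Desktop|Documents)\\", re.I)
# rclone addresses remotes as "remote:path"; two or more chars excludes C: drive letters.
REMOTE_ARG = re.compile(r"^[A-Za-z0-9_-]{2,}:")
TRANSFER_VERBS = {"copy", "sync", "move"}

@dataclass
class ProcEvent:
    image: str               # full path of the executed binary
    original_file_name: str  # OriginalFileName from the PE version resource (assumed present)
    command_line: str
    user: str

def classify(ev: ProcEvent) -> list[str]:
    """Return finding labels for one event; an empty list means nothing suspicious."""
    findings = []
    name = ev.image.rsplit("\\", 1)[-1].lower()
    orig = ev.original_file_name.lower()
    args = [a.strip('"') for a in ev.command_line.split()]
    # 1. Rclone whose on-disk name was changed: the embedded metadata still says rclone.exe.
    if orig == "rclone.exe" and name != "rclone.exe":
        findings.append("renamed_rclone")
    # 2. Rclone invoked with a transfer verb and a "remote:" destination argument.
    if orig == "rclone.exe" and TRANSFER_VERBS & {a.lower() for a in args} \
            and any(REMOTE_ARG.match(a) for a in args[1:]):
        findings.append("rclone_remote_transfer")
    # 3. WinSCP run from a user-writable path: portable build, no admin rights needed.
    if orig == "winscp.exe" and USER_WRITABLE.match(ev.image):
        findings.append("portable_winscp_user_path")
    return findings

def scan(events: list[ProcEvent]) -> list[tuple[str, str]]:
    return [(ev.image, f) for ev in events for f in classify(ev)]

SAMPLE_EVENTS = [  # constructed samples, not real telemetry
    ProcEvent(r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe", "rclone.exe",
              r'svchost.exe copy "C:\Users\jdoe\Documents\Clients" remote:backup', r"CORP\jdoe"),
    ProcEvent(r"C:\Users\jdoe\Downloads\WinSCP.exe", "winscp.exe", "WinSCP.exe", r"CORP\jdoe"),
    ProcEvent(r"C:\Program Files\WinSCP\WinSCP.exe", "winscp.exe", "WinSCP.exe", r"CORP\admin"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe", "notepad.exe", r"CORP\jdoe"),
]

if __name__ == "__main__":
    for image, finding in scan(SAMPLE_EVENTS):
        print(f"{finding:<28} {image}")
```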
