Silent Ransom Group (SRG) Strengthens Data Leak Operations with Fast-Flux Botnet Tactics
A notable development in cyber extortion: the Silent Ransom Group (SRG) has adopted a fast-flux botnet infrastructure for its data leak operations. The shift is designed to make that infrastructure harder to track and take down, raising the stakes for sensitive sectors such as law firms.
The Evolution of SRG
Active since at least 2022, SRG has gained notoriety for its unique approach to cyber extortion. Unlike traditional ransomware groups that typically encrypt victims’ files, SRG focuses on stealing sensitive data. They exert pressure on organizations by threatening to publish or sell the stolen information. This method has made them particularly dangerous, as it circumvents some of the defenses organizations employ against ransomware attacks.
The FBI has recently issued advisories warning that SRG is specifically targeting U.S.-based law firms and other sensitive industries. Their tactics include social engineering and even in-person attacks, which heightens the risk for organizations that handle confidential information.
Fast-Flux Technology Explained
Fast flux is a cybercriminal technique in which a malicious domain is rapidly rotated through a large pool of IP addresses. The rotation often runs through compromised consumer devices, such as routers and modems, which makes it hard for investigators and security teams to pinpoint the actual backend infrastructure.
According to research from Resecurity, two domains associated with SRG—business-data-leaks.com and ep6pheij.com—were found to be employing this fast-flux technique. These domains rotate DNS records through residential and mobile IP addresses, supported by a botnet that spans 18 countries and 22 internet service providers.
The Technical Landscape
Resecurity’s investigation revealed that the infrastructure behind SRG does not include datacenter or hosting IPs. Instead, every node traced back to consumer internet service providers, indicating the use of compromised residential devices to obscure the group’s operations. The analysis showed that each DNS query returned between 10 and 18 IP addresses, changing every two to three minutes. This rotation is controlled by a backend command-and-control server, distinguishing it from legitimate content delivery networks.
The research also indicated that both domains share approximately 50 to 60 percent of the same bot pool, suggesting they are operated by the same threat actor. Notably, nine IP addresses appeared in the rotation pools of both domains, with nodes located in various regions, including North Macedonia, Croatia, and Egypt.
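The two measurements Resecurity describes above, the per-query churn of a domain's answer set and the overlap between two domains' bot pools, can be reproduced from passive-DNS snapshots. The following is an added illustration, not code from the article or from Resecurity; the snapshot data, domain names and RFC 5737 addresses are constructed placeholders, and the thresholds (rotation within 300 seconds, at least half the answers replaced) are assumptions chosen to match the behaviour the article reports.

```python
"""Score passive-DNS snapshots for fast-flux behaviour and link domains by shared bot pool."""
from datetime import datetime

# Constructed snapshots: (ISO timestamp, domain, set of A-record answers).
# Names and addresses are placeholders, not the indicators named in the article.
SNAPSHOTS = [
    ("2026-06-01T10:00:00", "leak-a.example", {"198.51.100.1", "198.51.100.2", "203.0.113.9", "203.0.113.10"}),
    ("2026-06-01T10:02:30", "leak-a.example", {"198.51.100.3", "198.51.100.4", "203.0.113.9", "203.0.113.11"}),
    ("2026-06-01T10:05:00", "leak-a.example", {"198.51.100.5", "198.51.100.2", "203.0.113.12", "203.0.113.10"}),
    ("2026-06-01T10:00:00", "leak-b.example", {"198.51.100.1", "203.0.113.9", "192.0.2.7", "192.0.2.8"}),
    ("2026-06-01T10:02:30", "leak-b.example", {"198.51.100.3", "203.0.113.10", "192.0.2.9", "192.0.2.8"}),
    ("2026-06-01T10:00:00", "cdn.example", {"192.0.2.50", "192.0.2.51"}),   # stable answers: not flux
    ("2026-06-01T10:02:30", "cdn.example", {"192.0.2.50", "192.0.2.51"}),
]

def _series(snapshots, domain):
    """Time-ordered (datetime, answer set) pairs for one domain."""
    rows = [(datetime.fromisoformat(t), a) for t, d, a in snapshots if d == domain]
    return sorted(rows, key=lambda r: r[0])

def rotation_interval(snapshots, domain):
    """Mean seconds between consecutive snapshots whose answer set changed; None if it never changed."""
    rows = _series(snapshots, domain)
    gaps = [(t2 - t1).total_seconds() for (t1, a1), (t2, a2) in zip(rows, rows[1:]) if a1 != a2]
    return sum(gaps) / len(gaps) if gaps else None

def distinct_pool(snapshots, domain):
    """Every address the domain resolved to within the observation window."""
    return set().union(*(a for _, a in _series(snapshots, domain)))

def pool_overlap(snapshots, dom_a, dom_b):
    """Addresses shared by two domains and the Jaccard ratio of their pools (a same-operator signal)."""
    a, b = distinct_pool(snapshots, dom_a), distinct_pool(snapshots, dom_b)
    shared = a & b
    return shared, len(shared) / len(a | b)

def is_fast_flux(snapshots, domain, max_interval=300, min_churn=0.5):
    """True when answers rotate within max_interval seconds and each rotation
    replaces at least min_churn of the previous answer set (assumed thresholds)."""
    rows = _series(snapshots, domain)
    interval = rotation_interval(snapshots, domain)
    if interval is None or interval > max_interval:
        return False
    churn = [len(a2 - a1) / len(a1) for (_, a1), (_, a2) in zip(rows, rows[1:])]
    return min(churn) >= min_churn
```

Enriching each address with its ASN would add the article's other signal (every node on a consumer ISP, none in a datacenter), but that needs an external lookup and is left out here.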
Implications for the Legal Sector
The focus of SRG on law firms raises significant concerns. Legal organizations are custodians of highly sensitive client data, including privileged communications and confidential legal documents. The potential for such data to be leaked publicly poses severe risks, making law firms attractive targets for extortion groups.
SRG employs various attack methods, including callback phishing, voice phishing, and impersonation of IT support staff. In some instances, members of the group have allegedly infiltrated law firm offices under the guise of IT personnel to gain physical access to systems. They also target third-party vendors and supply chain partners to indirectly reach law firms.
Once inside a network, SRG prioritizes data theft over deploying encryption-based ransomware. This strategy allows them to evade some of the protective measures organizations typically implement against ransomware, such as backup restoration.
The Clearnet Data Leak Site
In a departure from the practices of many ransomware gangs, SRG operates a clearnet data leak site. This approach makes the site more accessible to victims, journalists, and the public, thereby increasing the pressure on victims by making the threat of exposure more visible. As of June 2026, the site reportedly lists nearly 100 victim organizations, with new victims added regularly.
Resecurity has also identified a potential new project linked to SRG called Spy Corporate, which surfaced in May 2026. The domain spycorp.pro employs a similar token-based mechanism and shares IPs with SRG’s fast-flux infrastructure, indicating a direct connection.
National Security Concerns
The findings regarding SRG’s operations come in the wake of a joint advisory issued by cybersecurity agencies from the United States, United Kingdom, Australia, Canada, and New Zealand. This advisory highlighted fast flux as a national security concern and called for enhanced cooperation between public and private sector organizations to disrupt such infrastructures.
SRG’s use of fast flux underscores the group’s increasing sophistication and the urgent need for law firms and other sensitive organizations to bolster their cybersecurity measures. Security experts recommend that law firms implement training programs to help employees identify phishing and vishing attempts, enforce multi-factor authentication, and verify IT support requests through trusted channels.
Conclusion
The threat posed by groups like SRG is particularly acute for the legal sector. Resecurity noted that law firms accounted for nearly a quarter of all ransomware-related incidents tracked in the first quarter of 2026, positioning the sector as the fourth-most targeted industry.
For law firms, the risk extends beyond data encryption or operational disruptions. Groups like SRG leverage stolen information as a means of extortion, transforming confidentiality into a significant vulnerability.
Source: the420.in