The FBI recently issued a warning about a troubling new tactic being employed by a cybercriminal group called the Silent Ransom Group (SRG), also known by aliases such as Luna Moth and Chatty Spider. This group has been leveraging IT-themed social engineering techniques to execute callback phishing attacks, enabling them to gain unauthorized access to systems and steal sensitive information.
Targeting the Legal Sector
Historically, SRG has cast a wide net, targeting sectors including healthcare and insurance. Since spring 2023, however, the group has homed in on U.S.-based law firms and similar organizations. According to the FBI, this shift is most likely driven by the highly sensitive data these firms handle, which gives the group more leverage when it threatens to leak it.
SRG has been active since 2022 and is best known for callback phishing emails, sometimes referred to as reverse vishing. In these schemes the group impersonates a well-known company and claims that the victim has signed up for a subscription service. To cancel the fictitious subscription, the victim is told to call a number in the email. During that call the attacker sends the victim a link to download legitimate remote access software, which gives the attacker a foothold on the victim's device. Once inside, the attackers hunt for sensitive data and later threaten to publish it unless a ransom is paid.
In March 2025, the group adapted its tactics and began placing direct phone calls. Posing as employees of the target's own IT department, they practice voice phishing (vishing): during the call they try to convince the employee to join a remote access session under the pretense of urgent maintenance work. If that succeeds, the attackers can move quickly from an initial foothold to large-scale data exfiltration, typically using WinSCP or a modified build of Rclone to copy data out to attacker-controlled hosts.
Challenges in Detection
SRG's vishing approach has proven highly effective, and the FBI has noted a significant number of resulting compromises. Once data has been taken, the group pressures the victim organization into ransom negotiations. SRG does maintain a site for publishing stolen data, but it uses the site inconsistently, so the true extent of its activity is hard to measure from leak-site monitoring alone.
Signs of Compromise
Because SRG relies on legitimate, often signed, remote management and file-transfer tools rather than custom malware, its activity rarely triggers traditional antivirus. Detection therefore depends on noticing these tools being used in the wrong context. Organizations are encouraged to watch for several warning signs, including:
- Unauthorized downloads of remote access tools such as Zoho Assist, AnyDesk, or Splashtop.
- Connections made through WinSCP or Rclone to unknown external IP addresses.
- Communications indicating that data has been compromised, whether through emails or voicemails.
- Unexpected phone calls from unidentified individuals claiming to represent the IT department.
- Emails regarding subscription services that require a phone call to resolve purported charges.
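The first two indicators above are ones an endpoint-telemetry pipeline can check automatically. The following script is an added example written for this page, not code from the FBI advisory or from any vendor: it runs two simple rules over a handful of constructed process-creation and network-connection records. The field names (`image`, `original_file_name`, `dst_ip`, and so on), the internal address ranges, the approved external host, and the sample events are all assumptions chosen for illustration and would need to be mapped onto your own EDR or Sysmon schema.

```python
"""Added example: flag SRG-style indicators in endpoint telemetry.

Rule 1: a remote-access tool (Zoho Assist, AnyDesk, Splashtop) launched from a
        user-writable directory or spawned by a browser, i.e. most likely just
        downloaded by the user rather than deployed by IT.
Rule 2: WinSCP or Rclone opening a connection to an external address that is
        not on the organisation's approved list.
The schema and the sample records below are constructed for this example.
"""
import ipaddress
from pathlib import PureWindowsPath

# Address space the organisation considers internal (assumed; adjust per site).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]
# External hosts that file-transfer tools are allowed to reach, e.g. an
# off-site backup target (placeholder value, assumed).
APPROVED_EXTERNAL = {"198.51.100.200"}

REMOTE_ACCESS_TOOLS = ("zoho", "anydesk", "splashtop")   # matched as substrings
TRANSFER_TOOLS = ("winscp.exe", "rclone.exe")
BROWSERS = ("msedge.exe", "chrome.exe", "firefox.exe")
# Paths an interactive user can write to without admin rights.
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\desktop\\")


def is_external(ip_text):
    """True if the address is outside every internal range listed above."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def tool_identity(event):
    """Lower-cased PE OriginalFileName when the sensor logged it, else the
    image basename. A renamed binary (the 'modified Rclone' case) usually keeps
    its original name in version info, so this survives a plain rename."""
    name = event.get("original_file_name") or PureWindowsPath(event["image"]).name
    return name.lower()


def scan_events(events):
    """Apply both rules to a list of event dicts and return the findings."""
    findings = []
    for ev in events:
        name = tool_identity(ev)
        path_lc = ev["image"].lower()
        if ev["type"] == "process_create":
            is_rat = any(t in name or t in path_lc for t in REMOTE_ACCESS_TOOLS)
            from_user = (any(d in path_lc for d in USER_WRITABLE)
                         or ev.get("parent", "").lower() in BROWSERS)
            if is_rat and from_user:
                findings.append({"rule": "remote_access_tool_download",
                                 "host": ev["host"], "user": ev["user"],
                                 "tool": name, "detail": ev["image"]})
        elif ev["type"] == "network_connect":
            if (name in TRANSFER_TOOLS and is_external(ev["dst_ip"])
                    and ev["dst_ip"] not in APPROVED_EXTERNAL):
                findings.append({"rule": "transfer_tool_external",
                                 "host": ev["host"], "user": ev["user"],
                                 "tool": name,
                                 "detail": f"{ev['image']} -> {ev['dst_ip']}:{ev['dst_port']}"})
    return findings


# Constructed sample telemetry (not real logs). Three records should fire.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "WS-1", "user": r"CORP\alice",
     "image": r"C:\Users\alice\Downloads\AnyDesk.exe", "parent": "msedge.exe"},
    {"type": "process_create", "host": "WS-2", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Program Files\Splashtop\Splashtop Streamer\SRServer.exe",
     "parent": "services.exe"},                       # IT-managed install: quiet
    {"type": "network_connect", "host": "WS-1", "user": r"CORP\alice",
     "image": r"C:\Users\alice\AppData\Local\Temp\rclone.exe",
     "dst_ip": "203.0.113.45", "dst_port": 443},       # rclone to unknown host
    {"type": "network_connect", "host": "WS-3", "user": r"CORP\carol",
     "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "dst_ip": "10.20.30.40", "dst_port": 22},          # internal SFTP: quiet
    {"type": "network_connect", "host": "WS-1", "user": r"CORP\alice",
     "image": r"C:\Windows\Temp\svc_update.exe", "original_file_name": "rclone.exe",
     "dst_ip": "198.51.100.7", "dst_port": 443},       # renamed rclone
    {"type": "network_connect", "host": "WS-4", "user": r"CORP\dave",
     "image": r"C:\Program Files\WinSCP\WinSCP.exe",
     "dst_ip": "198.51.100.200", "dst_port": 22},       # approved backup host: quiet
    {"type": "network_connect", "host": "WS-2", "user": r"CORP\bob",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},       # browser, not a transfer tool
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['host']} {f['user']} {f['tool']}: {f['detail']}")
```

Two design points matter here. Matching on the PE OriginalFileName rather than only the on-disk name is what catches the renamed Rclone build; a stronger version would compare file hashes or code-signing identity. And "external" is defined relative to your own address ranges rather than with a generic "is this IP public" test, because what you actually care about is traffic leaving networks you control, plus an explicit allow list for the few outside hosts these tools should legitimately reach.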
Prevention Strategies
To reduce exposure to this kind of attack, organizations should implement several protective measures:
- Train staff to recognize and report callback phishing and vishing attempts, including the "cancel your subscription by phone" lure and unsolicited calls from "IT".
- Establish a clear procedure for verifying the identity of anyone claiming to be IT staff before remote access is granted, for example by hanging up and calling back through a known internal number or ticketing system.
- Require two-factor authentication for all users so that harvested credentials alone are not enough to log in.
The FBI is actively seeking information from organizations affected by SRG. Victims are encouraged to report ransom notes, the phone numbers used in the calls, any other communications from the attackers, and any cryptocurrency wallet addresses supplied for ransom payment. These details help build a fuller picture of SRG's methods and improve defensive guidance.