
Silent Ransom Group impersonating IT support, conducting in-person attacks


So far, the group has been targeting law firms, but its unique strategy could easily spread to the health sector.

 

What happened

The FBI has released a new alert about Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753, which has been targeting organizations in person. The threat tactic was first discovered in April 2025, and so far, SRG has mostly targeted law firms. However, the FBI notes that SRG has also targeted the medical and insurance industries in the past with different tactics. The group’s goal is to exfiltrate data and threaten to sell or publish it. SRG is also known to contact victims’ employees and clients to create more stress.

 

Going deeper

The group uses information technology-themed social engineering calls, where they pose as IT employees helping their colleagues. According to the FBI, “SRG actors either directly call or send phishing emails to urge employees to call the SRG actor posing as IT support.” For instance, SRG may email an employee about a subscription charge and ask the employee to call; the employee, unaware that it is a phishing email, then calls SRG. During the call, SRG will first attempt to remotely access the organization’s network by tricking the victim into granting access through remote desktop sessions.

If remote access is unsuccessful, or the victim seems suspicious, SRG will send an individual posing as an IT support employee in person to insert a device into the computer. The FBI elaborates, “In this scheme, the threat actor tells the victim they need to image the device or create a backup file to address potential impacts from the phishing email.”

Once the device is in the computer, the hacker immediately escalates their privileges and exfiltrates data.

 

Why it matters

While the FBI’s alert is focused on law firms, trends in hacking attacks generally jump from industry to industry, and healthcare, education, and insurance companies should pay close attention. Since SRG has been successful in these attacks, it’s also possible that other malicious groups will use their methods.

Although this attack method is primarily conducted over the phone or in person, it almost always begins with a suspicious email telling employees to contact SRG. Paubox has previously noted that email is one of the most-used vectors in attacks, initiating over 70% of all data breaches, and this new method is a reminder that even if strategies evolve, they often continue to use email.

 

The big picture

The FBI has provided some tips for organizations to prevent attacks, although they note, “Recent SRG campaigns left few artifacts on compromised machines. Traditional antivirus products are also unlikely to flag the intrusion because SRG generally uses legitimate system management or remote access tools to carry out the attack.” To prevent these attacks, organizations should always verify the credentials of anyone trying to access company assets. Sensitive data, like electronic protected health information (ePHI), should require additional identity verification.

According to SecurityWeek, training is also a key component of prevention; organizations should help employees learn to identify phishing or voice-phishing attempts and establish clear policies for communicating with IT support. Organizations can also disable remote access and permissions for external drive installations.

 

FAQs

How frequently are attacks being carried out?

The FBI did not provide specific examples of when the attack was successful, but they did state that the tactic has been “observed recently” and is “highly effective and resulted in multiple compromises.”

 

Why is SRG targeting law firms?

The FBI noted that SRG has targeted US-based law firms, likely due to the sensitive nature of the data they hold. However, the FBI stated that other organizations with sensitive information, specifically medical and insurance industries, should prepare for the threat.
