The FBI is warning that the Silent Ransom Group has escalated its attacks by sending individuals directly to victim offices to steal sensitive data after remote intrusion attempts fail.
According to a new FBI alert, the cybercrime group, also known as Luna Moth, Chatty Spider, and UNC3753, has been targeting U.S. law firms using social engineering tactics designed to gain remote access to internal systems and exfiltrate confidential data for extortion.
The FBI said the attackers typically begin by impersonating internal IT support staff through phishing emails or direct phone calls. Victims are instructed to join remote desktop sessions or install remote access tools under the pretense of resolving technical problems or canceling fake subscription charges.
If the remote access attempt is unsuccessful, the group has reportedly started dispatching individuals to the target organization in person. The visitor claims to be an IT employee sent to image the device or create a backup related to the earlier phishing incident. Once inside, the individual inserts an external storage device or USB drive into the victim’s computer to steal data directly.
The FBI said the group focuses on rapid data theft rather than traditional ransomware encryption. Investigators observed Silent Ransom Group using legitimate administrative and file transfer tools, including WinSCP and modified versions of Rclone, to quietly move stolen data from compromised environments.
Unlike many ransomware gangs, Silent Ransom Group often leaves minimal forensic evidence behind because victims voluntarily grant access during the social engineering process. Traditional antivirus products may also fail to detect the activity since the attackers rely heavily on legitimate system management tools instead of custom malware.
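Because the tools are legitimate, defenders have to look at how they are invoked rather than at file signatures. The following is an added example, not taken from the FBI alert or this article: a small hunt over process-creation events that flags scripted WinSCP runs and Rclone-style transfer arguments even when the binary has been renamed. The event fields, host names, paths and rule labels are constructed, and the argument heuristics are assumptions about how these tools typically appear on a command line.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (fields shaped like Sysmon Event ID 1).
SAMPLE_EVENTS = [
    {"host": "WS-041", "image": r"C:\Program Files (x86)\WinSCP\WinSCP.com",
     "cmd": r"WinSCP.com /script=C:\Users\Public\up.txt /log=C:\Users\Public\w.log"},
    {"host": "WS-041", "image": r"C:\Users\jdoe\AppData\Local\Temp\svchelper.exe",
     "cmd": r"svchelper.exe copy D:\Matters remote1:inbox --transfers 16 "
            r"--config C:\Users\Public\r.conf"},
    {"host": "WS-007", "image": r"C:\Windows\System32\robocopy.exe",
     "cmd": r"robocopy C:\Data D:\Backup /MIR"},
    {"host": "WS-012", "image": r"C:\Tools\rclone.exe", "cmd": "rclone.exe version"},
]

TRANSFER_VERBS = {"copy", "sync", "move"}          # rclone subcommands that move data
RCLONE_FLAGS = ("--config", "--transfers", "--no-check-certificate")
# rclone remotes are written "name:path"; requiring 2+ characters before the
# colon keeps Windows drive letters (C:\...) from matching.
REMOTE_ARG = re.compile(r"^[A-Za-z0-9_-]{2,}:\S*$")


def classify(event):
    """Return the reasons an event resembles bulk file-transfer tooling."""
    name = PureWindowsPath(event["image"]).name.lower()
    tokens = event["cmd"].split()
    lowered = [t.lower() for t in tokens]
    reasons = []
    if name in ("winscp.exe", "winscp.com"):
        scripted = any(t.startswith(("/script", "/command")) for t in lowered)
        reasons.append("winscp-scripted" if scripted else "winscp-interactive")
    # Judge by arguments, not file name, so a renamed or rebuilt binary still hits.
    has_verb = any(t in TRANSFER_VERBS for t in lowered[1:])
    has_remote = any(REMOTE_ARG.match(t) for t in tokens[1:])
    has_flag = any(t.split("=")[0] in RCLONE_FLAGS for t in lowered)
    if has_verb and (has_remote or has_flag):
        renamed = name != "rclone.exe"
        reasons.append("rclone-like-args-renamed-binary" if renamed else "rclone-like-args")
    elif name == "rclone.exe":
        reasons.append("rclone-binary")
    return reasons


def hunt(events):
    """Return (host, image name, reason) for every event that matched a rule."""
    return [(e["host"], PureWindowsPath(e["image"]).name, r)
            for e in events for r in classify(e)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Hits like these are triage leads rather than verdicts, since both tools have ordinary administrative uses; an allowlist of hosts and accounts that legitimately run them belongs in front of the rule.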
The group has reportedly targeted law firms since at least 2023, though researchers say organizations in healthcare, finance, and other sectors have also been impacted. Law firms are considered especially valuable targets because of the large amount of confidential legal, financial, and corporate data they store.
After stealing data, the Silent Ransom Group threatens victims with public leaks or sales of the stolen information unless ransom demands are paid. The FBI said attackers have also contacted employees and clients directly to increase pressure during extortion negotiations.
The Bureau urged organizations to verify the identity of anyone requesting access to company systems or devices, especially individuals claiming to be internal IT staff. The FBI also recommended restricting external device usage, limiting remote access permissions, and enforcing phishing-resistant multi-factor authentication.
