Silent Ransom Group walked into US law firm offices in 2025 and 2026, plugging USB devices into workstations while posing as IT technicians. One victim paid $20 million in May 2026. The FBI issued two separate FLASH alerts in 13 months, and Mandiant documented dozens of organizations breached between January and May 2026 alone. The group, also tracked as Luna Moth and UNC3753, has claimed more than 100 attacks since 2022, all without deploying a single line of ransomware code.
What Is Silent Ransom Group (Luna Moth)?
Silent Ransom Group (SRG) is a financially motivated cybercrime operation that emerged in March 2022 following the collapse of the Conti ransomware syndicate. Security researchers track the group under four aliases: Luna Moth, Chatty Spider, UNC3753, and LeakedData. The group’s infrastructure and operational patterns suggest a Russia-based origin, though attribution remains presumed rather than legally confirmed by any government agency.
Unlike most ransomware groups, SRG does not encrypt victim files. Instead, it steals highly sensitive data and demands payment under threat of publishing or selling that data on a dark web leak site. This distinction matters enormously for defenders because traditional endpoint detection built around ransomware encryption behaviors fails to flag SRG activity. The group relies almost exclusively on legitimate remote access and data transfer tools, a technique researchers call “living off the land” (LOTL). No custom malware, no suspicious binaries, no behavioral signatures that signature-based antivirus can catch.
Since Spring 2023, SRG has concentrated attacks on US-based law firms. The reason is straightforward: law firms hold attorney-client privileged data, litigation strategy documents, merger and acquisition details, regulatory findings, and personally identifiable information across thousands of client matters. That data is worth far more under extortion threat than encrypted files would ever generate in a traditional ransom. “Law firm data is a uniquely coercive asset,” researchers at Halcyon noted in their June 2026 analysis. “Clients, opposing parties, regulators, and the bar itself all become potential vectors of reputational and legal exposure the moment a threat actor holds that data.”
The group also targets insurance entities, healthcare organizations, and financial services firms, but US law firms represent its primary and most consistent focus. The FBI has confirmed SRG operates a professional English-speaking call center since at least 2022, enabling high-volume vishing campaigns that sound indistinguishable from legitimate IT support calls.
Four Years of Tactical Evolution: From Emails to Office Visits
SRG has completed three distinct attack phases since 2022. Each phase represents a deliberate tactical upgrade, not an accidental drift, and each was adopted in direct response to defenders catching up with the previous method.
| Phase | Period | Entry Method | Primary Tools | Detection Difficulty |
|---|---|---|---|---|
| 1 — Callback Phishing | March 2022 to early 2025 | Fake subscription invoices (Duolingo, Masterclass) prompting victim to call SRG number | AnyDesk, Zoho Assist, Splashtop | Medium — phishing emails detectable with email security |
| 2 — Vishing | March 2025 to present | Direct calls impersonating the victim’s internal IT helpdesk; staff convinced to install RMM software | AnyDesk, RustDesk, Syncro, Atera, Quick Assist | High — no email artifact, fully human-to-human |
| 3 — Physical Intrusion | April 2025 to present | Operator visits office posing as IT technician; physically attaches USB storage to workstation | USB storage media, WinSCP, Rclone | Very High — bypasses all network and endpoint controls |
Phase 1 relied on fake invoices from recognizable subscription services. A law firm employee received an email claiming they had been charged $299 for a Masterclass or Duolingo subscription they never ordered. The invoice instructed them to call a phone number to dispute the charge. That number connected to SRG’s call center, where trained operators walked the employee through installing a remote access tool under the pretense of processing the refund. Once installed, the operator had full desktop control.
Phase 2, active since March 2025, removed the email entirely. Operators call firm employees directly, identifying themselves as internal IT staff. They cite a plausible pretext — often a security scan, a software migration, or a compliance audit — and convince the employee to initiate a screen-sharing session or download an approved-sounding RMM utility. The group harvests phone numbers and names from firm websites, LinkedIn profiles, and bar association directories, targeting partners, associates, and administrative staff at all seniority levels.
Phase 3, first observed in April 2025 and confirmed active by the FBI in May 2026, adds physical presence. After a vishing call fails, or as an alternative entry method when remote access proves too difficult, an SRG operator shows up at the firm’s offices in person. They present as an employee from the same IT vendor or internal IT department referenced in the prior phone call, request brief access to a specific workstation for a maintenance task, and plug in a USB storage device. The data transfer takes seconds. The operator leaves before anyone at the firm realizes what happened.
The $20 Million Ransom: What Happened in May 2026
The largest confirmed SRG extortion payment disclosed publicly is $20 million, paid by a US law firm in May 2026. The firm’s name has not been released. What is confirmed, per Halcyon’s June 2026 threat analysis, is that SRG demanded the amount after exfiltrating a critical volume of client data covering proprietary legal agreements, personal information across multiple client matters, and financial records. SRG’s dark web leak site posts function as countdown clocks, giving victims a window to pay before data publication begins.
The $20 million figure places this incident among the largest single extortion payments ever attributed to a data-theft-only group — a category that excludes traditional ransomware payments involving encryption and decryption keys. Howden’s cyber team, which tracks ransom payments across insured clients, confirmed in mid-2026 that multiple law firms have paid multi-million dollar ransoms to SRG in recent months, with the May 2026 case representing the disclosed peak. “The leverageability of privileged legal data is functionally unlimited in certain matters,” a Howden analyst noted in their mid-2026 sector briefing. “A single litigation file, in the right case, justifies demands that dwarf what encrypted hospital systems have historically generated.”
The mechanics of SRG’s negotiation follow a consistent pattern: initial demand, partial data release as proof of possession, counter-offer, escalation threat, and payment or publication. The group maintains functional customer service infrastructure — a negotiation channel where victims communicate with the group — further evidence that SRG operates as a professional criminal enterprise rather than an opportunistic hacking collective.
Physical Intrusion: When the Attacker Walks Through the Front Door
The physical intrusion technique represents a qualitative shift in the threat landscape that most enterprise security frameworks are not built to address. Network security, endpoint detection, email filtering, and multi-factor authentication all fail as controls when the attacker sits down at a workstation inside the building with a legitimate-looking badge and a plausible story.
Per the FBI’s May 2026 Cyber Security Alert (IC3 CSA/2026/260526.pdf), the physical intrusion sequence works as follows. SRG actors first attempt the vishing route, calling the target and attempting to establish a screen-sharing session. If that attempt fails, or if the target hangs up and reports the call to IT, SRG escalates. An operator — sometimes the same person who made the original call — arrives at the firm’s physical location within days. They carry credentials or wear attire consistent with a generic IT support contractor and approach reception or walk directly to the workstation of the employee they called.
Once at the workstation, the operator attaches a USB storage device and copies targeted file directories, case management system exports, or shared drive contents before leaving. The entire interaction at the workstation can take under five minutes. Firms that use visitor management systems, require escort policies for contractors, or maintain physical security checks at workstation areas would disrupt this attack vector. Most law firms, particularly mid-size and smaller practices, do not maintain those controls for IT contractors who arrive with a plausible explanation.
“This tactic effectively exploits the gap between cybersecurity and physical security programs, which are often not integrated and lack coordinated defenses,” Halcyon researchers wrote in their June 2026 analysis. The gap is structural: a firm’s IT security team rarely communicates with front desk staff about the risk of unannounced IT contractors. Receptionist training focuses on client hospitality, not social engineering resistance.
CyberScoop, citing the FBI’s May 2026 alert, reported that if the physical intrusion attempt fails — for example if the firm requires ID verification or advance scheduling for contractors — SRG does not abandon the target. The group pivots back to the remote access attempt, trying different employees identified from the firm’s public website, until it achieves entry through one of the three methods.
Two FBI FLASH Alerts in 13 Months: An Unusual Escalation
The FBI’s Cyber Division issued its first formal warning about SRG targeting law firms in May 2025 (IC3 CSA/2025/250523.pdf). That alert focused on the vishing campaign and callback phishing methods, described SRG’s RMM tool preferences, and identified WinSCP and Rclone as the primary exfiltration tools. It directed law firms to report suspicious activity to their local FBI Cyber Squad via fbi.gov/contact-us/field-offices.
Thirteen months later, in May 2026, the FBI issued a second alert (IC3 CSA/2026/260526.pdf) specifically addressing the physical intrusion escalation. The fact that the FBI released a second FLASH alert on the same group within 13 months is unusual. The FBI typically issues FLASH alerts for novel, high-priority threats, not follow-up briefings on the same actor. The second alert signals that SRG’s physical intrusion technique caught the law firm sector sufficiently off guard that the FBI judged a dedicated warning necessary.
The 2026 alert expanded the list of monitored remote access tools to include Zoho Assist, Quick Assist, AnyDesk, RustDesk, Syncro, Splashtop, and Atera, and it added Microsoft OneDrive and Google Drive as exfiltration staging points alongside WinSCP and Rclone connections to external IP addresses. The FBI also confirmed in the 2026 alert that SRG has claimed responsibility for more than 100 attacks, a number that undercounts the full campaign scope since the group does not publicly list all victims it has successfully extorted.
Mandiant’s June 2026 Report: Dozens of Firms Breached in 5 Months
On June 5, 2026, Google Cloud’s Mandiant division published its analysis of the UNC3753 campaign, covering the period from January through May 2026. Mandiant identified breaches at dozens of organizations across professional, legal, and financial services in the United States during that five-month span, making this one of the most concentrated sector-focused extortion campaigns Mandiant has publicly attributed to a single threat cluster in recent years.
Mandiant’s research confirmed the vishing methodology in detail: the group harvests phone numbers and email addresses from employees publicly listed on organizational websites, then places targeted calls posing as the IT helpdesk or internal security team. The pretext varies — data migration, invoice discrepancy, security audit — but the outcome is consistent. The employee installs an RMM utility or joins a screen-sharing session, giving the operator full view of and control over the workstation.
“UNC3753 leverages voice phishing and social engineering deception techniques to achieve remote access into corporate environments,” Mandiant researchers wrote in their June 2026 report. “Once inside the environment, the threat actors either directly conduct searches to locate and exfiltrate highly sensitive data, or manipulate the victim into executing these actions on their behalf.” The second scenario — where the operator instructs the victim to find and transfer their own sensitive files — is particularly difficult to detect because the data transfer appears as a sanctioned user action rather than a suspicious process.
Mandiant also confirmed the physical intrusion component, noting that in instances linked to UNC3753, threat actors accessed victims’ systems in person, with individuals posing as IT technicians entering corporate offices to attempt direct exfiltration of data via USB storage media. The Mandiant report and the concurrent FBI alert together represent the most authoritative public documentation of this campaign to date.
The Legal Sector Under Siege: 200+ Incidents in 18 Months
SRG is not the only threat group targeting law firms, though it is the most systematic. The broader picture is striking. Halcyon tracked 134 ransomware incidents against law firms and legal services in the first quarter of 2026 alone, making the legal sector the fourth-most targeted industry by ransomware during the period and accounting for more than 6 percent of all ransomware attacks Halcyon tracked. LinkedIn threat intelligence posts from May 2026 cited more than 200 ransomware incidents in the legal sector across 2025 and early 2026, close to double the prior-year rate.
INC Ransom, a separate and distinct group from SRG, hit at least 20 law firms in 2026 through its own campaign. The convergence of multiple threat groups on the legal sector in the same period reflects a structural reality: law firms historically invested less in cybersecurity than financial institutions or healthcare organizations subject to heavy regulatory requirements, creating a target pool with high data value and lower defensive maturity than the data warrants.
The American Bar Association’s 2025 cybersecurity survey found that 29 percent of responding firms had experienced a data breach at some point. Security spending at law firms, as a proportion of revenue, runs significantly below the financial services and healthcare sectors. State bar association rules on client confidentiality create notification complications that can delay breach disclosure, further extending the window during which threat actors operate undetected and extracted data depreciates in defensive value.
No Malware, No Alerts: Why LOTL Defeats Traditional Security
The defining characteristic of SRG’s technical approach is the near-total absence of custom malware. The group uses tools that already exist on enterprise networks or that appear legitimate when installed: AnyDesk and Splashtop are common in managed service provider environments, Rclone is a standard backup tool, WinSCP is a routine file transfer utility, and OneDrive or Google Drive uploads look identical to normal employee activity unless specifically monitored.
“Since living-off-the-land techniques are used, the threat actor’s activities are rarely flagged by security solutions,” the HIPAA Journal noted in its analysis of the FBI’s 2025 alert. That assessment remains accurate in 2026. Endpoint detection and response (EDR) products tuned for ransomware encryption patterns, process injection, or privilege escalation will not fire on an AnyDesk session initiated by a legitimate-looking employee action. SIEM rules that alert on RMM tool installation only after IT tickets are cross-referenced will miss installations approved verbally by an operator impersonating IT staff.
The LOTL strategy also complicates forensic attribution after the fact. The absence of malware means there are no command-and-control beacons, no custom packer signatures, and no ransomware notes to analyze. Incident responders must reconstruct the attack from access logs, RMM session records, and network flow data showing large outbound transfers — artifacts that are often incomplete at mid-size law firms with limited logging infrastructure.
“The challenge defenders face is that every single tool SRG uses is dual-use,” researchers at CYPFER noted in their analysis of the Luna Moth campaign. “AnyDesk is installed legitimately by thousands of managed service providers every day. Rclone runs legitimate backup jobs every night. Without behavioral context, you cannot distinguish the attacker from the admin.”
Attack Toolkit: From Remote Access to Cloud Exfiltration
SRG’s toolkit has expanded significantly from the 2022 era. The FBI’s 2026 alert lists seven remote access tools in active use: Zoho Assist, Quick Assist, AnyDesk, RustDesk, Syncro, Splashtop, and Atera. The variation is deliberate. By rotating across multiple RMM platforms, the group avoids triggering detection rules built around any single tool. IT departments that block AnyDesk may not have policies covering RustDesk or Atera. Syncro and Splashtop are common enough in managed service environments that blocking them would disrupt legitimate IT operations at many firms.
| Tool Category | Specific Tools | Purpose | Detection Signal |
|---|---|---|---|
| Remote Access (RMM) | AnyDesk, Splashtop, RustDesk, Zoho Assist, Quick Assist, Syncro, Atera | Establish remote desktop control over victim workstation | Unauthorized installation not in IT-managed inventory; unsolicited IT call precedes installation |
| File Exfiltration (direct) | WinSCP, Rclone | Transfer files to attacker-controlled external servers | Outbound SFTP/sync connections to non-approved external IPs; Rclone process with external destination flags |
| Cloud Staging | Microsoft OneDrive, Google Drive | Stage stolen data in cloud before pulling to attacker infrastructure | Large outbound upload volume to cloud endpoints from non-corporate-sanctioned accounts |
| Physical Exfiltration | USB storage media | Direct copy at workstation during in-person visit | USB device connection log; visitor management audit; physical security camera review |
Once the operator has remote access or physical access, data exfiltration proceeds through one of four channels: WinSCP transfers to an external IP, Rclone sync to an attacker-controlled server, uploads to Microsoft OneDrive or Google Drive staging accounts, or direct copy to USB storage media in the physical intrusion scenario. The cloud staging method is particularly difficult to detect without data loss prevention (DLP) policies monitoring outbound uploads to cloud storage platforms by account, because the traffic looks identical to normal user file activity at the network level.
Ransom Without Encryption: The Data-Leak Extortion Model
SRG’s extortion model differs fundamentally from traditional ransomware in two ways that make it harder to recover from without paying. First, there is no encrypted copy to restore from backup. The firm’s data remains accessible and operational. The pressure is not business disruption — it is exposure. Second, once the data is stolen, paying the ransom does not guarantee deletion. Threat actors that accept payment can, and some do, return later with additional demands. The firm receives no cryptographic proof of destruction.
SRG communicates ransom demands directly to victim organizations after exfiltration, setting deadlines for payment before publishing data on its leak site. The group follows through on publication threats when victims refuse to pay, making the consequences of non-payment concrete rather than theoretical. For a law firm representing clients in active litigation, regulatory proceedings, or M&A transactions, publication of client data can constitute a material breach of fiduciary duty with consequences extending far beyond the initial ransom demand.
The $20 million payment in May 2026 reflects this calculus. A firm assessing whether to pay $20 million versus face publication of client files, potential bar complaints, client departures, and litigation exposure from affected clients may calculate that payment is the lesser harm — even knowing that payment carries no guarantee of data destruction. This perverse incentive structure is precisely why the FBI consistently advises against paying ransoms, and also why firms with genuinely sensitive data continue to pay them at multi-million dollar levels.
Threat Group Comparison: SRG vs. Other Extortion Operations
SRG occupies a distinct niche in the threat landscape. Unlike most ransomware groups, it does not deploy encryption ransomware and does not appear in the Ransomware-as-a-Service (RaaS) ecosystem as an affiliate-based operation. Its model is closer to pure data extortion groups like Lapsus$ or Scattered Spider, but with a sustained, sector-focused campaign that neither of those groups maintained at comparable depth or duration.
| Group | Active Since | Primary Method | File Encryption | Primary Sector (2026) | Largest Known Demand | Physical Intrusion |
|---|---|---|---|---|---|---|
| Silent Ransom Group (Luna Moth) | 2022 | Vishing + physical intrusion | No | US law firms | $20M (May 2026) | Yes (FBI confirmed 2025–2026) |
| INC Ransom | 2023 | Phishing, VPN exploitation | Yes | Healthcare, legal (20 firms 2026) | Not publicly disclosed | No |
| Black Basta | 2022 | Vishing, Teams phishing | Yes | Healthcare, finance | $50M (reported 2024) | No |
| Scattered Spider | 2022 | SIM swapping, vishing, MFA fatigue | Via ALPHV partnership | Hospitality, tech | $15M+ (2023) | No confirmed incidents |
| Cl0p | 2019 | Zero-day exploitation (MOVEit) | Occasionally | Enterprise, government supply chain | $75M+ (MOVEit 2023) | No |
SRG’s differentiation from peers comes down to operational discipline and physical capability. Black Basta pivoted toward Microsoft Teams-based vishing in 2024 but deployed encryption ransomware at the end of its attack chains. Scattered Spider relied on help desk impersonation and SIM swapping but did not sustain a single-sector focus comparable to SRG’s three-year concentration on law firms. Cl0p generated larger aggregate payouts but depended on zero-day vulnerabilities rather than social engineering — a fundamentally different threat model requiring different defenses.
The physical intrusion component sets SRG apart from every group in the table. No other major extortion group has been documented by the FBI engaging in systematic in-person office intrusions as part of its access methodology. The technique requires significant operational resources: personnel who speak fluent professional English, present convincingly as IT contractors, and travel to victim locations across the United States. That is infrastructure most cybercrime groups cannot sustain.
Defending Against Silent Ransom Group: 8 Controls for Law Firms
The FBI’s 2026 alert and Mandiant’s research identify a clear set of indicators and mitigations. Law firms should prioritize these eight controls, ordered roughly by detection and prevention impact:
- Maintain an RMM tool allowlist. Define which remote access tools IT is authorized to install on workstations. Any RMM installation not on the approved list should trigger an immediate alert. Block unapproved RMM software at the endpoint via application control policies.
- Train staff to verify all unsolicited IT calls through a known-good number. Implement a call-back verification policy: any unsolicited call from IT requesting remote access must be verified by hanging up and calling the IT helpdesk using the internally published number. This single control defeats most vishing attempts.
- Implement DLP on outbound cloud uploads. Monitor for large outbound transfers to OneDrive and Google Drive from accounts that are not corporate-sanctioned, or from volumes that deviate from normal user behavior baselines.
- Deploy USB device control at endpoints. Use group policy or endpoint management to log or block USB storage device connections on all workstations. Alert on USB device attachments outside of scheduled IT maintenance windows.
- Establish a contractor verification protocol for physical access. Require all IT contractors to be pre-registered, scheduled, and escorted to workstations. Train receptionists to call the IT department to verify any unannounced contractor visit before granting access to office floors or workstation areas.
- Enable network monitoring for WinSCP and Rclone traffic. Create SIEM rules alerting on outbound SFTP traffic to non-sanctioned external destinations. Flag Rclone processes with destination parameters pointing outside the corporate environment.
- Audit public-facing staff directories. The group harvests targets from firm websites. Reduce the detail in publicly published staff directories, removing direct phone numbers where possible, or restrict detailed contact information to authenticated client portals.
- Treat subscription invoice emails as a social engineering vector. Train staff that any subscription invoice prompting a phone call, rather than an online account login, should be reported to IT before any action is taken. SRG’s Phase 1 phishing relied entirely on this lure through early 2025.
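The toolkit section above lists WinSCP and Rclone as the direct exfiltration channels, and control 6 asks for SIEM rules that flag SFTP traffic to non-sanctioned hosts and Rclone processes with external destination parameters. The following is an added example of that classification logic, not code from the FBI alert, Mandiant or any vendor product. It assumes process-creation telemetry that records full command lines (Sysmon Event ID 1 or equivalent EDR events), that the SOC keeps small allowlists of approved rclone remote names and SFTP hosts, and that rclone's positional source and destination precede its flags as in its documented usage. The sample command lines are constructed.

```python
"""Classify WinSCP and Rclone command lines by where the data is going (added example)."""
import ipaddress
import os
import re
import shlex
from urllib.parse import urlparse

# Constructed sample process command lines; not from any real incident.
SAMPLE_COMMANDS = [
    r"rclone copy C:\Cases\Matter-1042 D:\Backups\Matter-1042",
    r"rclone sync C:\Cases\Matter-1042 offsite:matter-1042 --transfers 8",
    r'winscp.exe /command "open sftp://backup@10.20.5.14/" "put C:\Cases\*" exit',
    r'winscp.exe /command "open sftp://user@203.0.113.77:2222/" "put C:\Cases\Matter-1042\*" exit',
    r"rclone copy C:\Cases gdrive:staging --drive-chunk-size 64M",
]

# RFC 1918 ranges are listed explicitly: ipaddress's is_private also treats the
# 203.0.113.0/24 documentation range as private, which would hide sample 4.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DRIVE_LETTER = re.compile(r"^[A-Za-z]:(?:[\\/]|$)")                 # C:\path  -> local disk
RCLONE_REMOTE = re.compile(r"^:?[A-Za-z0-9_][A-Za-z0-9_.+@ -]*:")    # name:path or :backend:path


def classify_host(host):
    """'internal_host' for RFC 1918 or loopback addresses, otherwise 'external_host'."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "external_host"  # DNS names count as external unless allowlisted by the caller
    if ip.is_loopback or any(ip in net for net in INTERNAL_NETS):
        return "internal_host"
    return "external_host"


def rclone_destination_kind(path):
    """Local drive, UNC share, or a configured rclone remote (cloud or SFTP backend)."""
    if DRIVE_LETTER.match(path):
        return "local"
    if path.startswith("\\\\"):
        return "unc_share"
    if RCLONE_REMOTE.match(path):
        return "remote_backend"
    return "local"


def classify_command(cmdline):
    """Parse one command line into a verdict dict; None for tools this example ignores."""
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]  # keep Windows backslashes
    exe = os.path.basename(tokens[0].replace("\\", "/")).lower().removesuffix(".exe")
    if exe == "rclone":
        # Assumption: source and destination come before the flags (rclone's usage order).
        positionals = [t for t in tokens[2:] if not t.startswith("-")]
        if len(positionals) < 2:
            return None
        dest = positionals[1]
        return {"tool": "rclone", "op": tokens[1], "destination": dest,
                "kind": rclone_destination_kind(dest)}
    if exe == "winscp":
        for tok in tokens:
            if tok.lower().startswith("open "):  # WinSCP scripting: open sftp://user@host:port/
                url = urlparse(tok[5:].split()[0])
                return {"tool": "winscp", "op": url.scheme, "destination": url.hostname,
                        "kind": classify_host(url.hostname)}
    return None


def flagged_commands(cmdlines, approved_remotes=frozenset(), approved_hosts=frozenset()):
    """Return verdicts whose destination lies outside the corporate environment."""
    flagged = []
    for cmd in cmdlines:
        v = classify_command(cmd)
        if v is None:
            continue
        unapproved_remote = v["kind"] == "remote_backend" and v["destination"].split(":")[0] not in approved_remotes
        unapproved_host = v["kind"] == "external_host" and v["destination"] not in approved_hosts
        if unapproved_remote or unapproved_host:
            flagged.append(v)
    return flagged


if __name__ == "__main__":
    # "backup-vault" stands in for the firm's own sanctioned rclone remote (assumed name).
    for v in flagged_commands(SAMPLE_COMMANDS, approved_remotes={"backup-vault"}):
        print(f"ALERT {v['tool']} {v['op']} -> {v['destination']} ({v['kind']})")
```

Run as a script it flags the `offsite:` and `gdrive:` rclone remotes and the SFTP session to 203.0.113.77, while the local-disk copy and the SFTP session to an RFC 1918 address pass. Allowlisting by rclone remote name rather than by tool is what keeps the nightly backup job quiet while still catching a remote the IT team never configured.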
Why Law Firms Remain Structurally Vulnerable in 2026
Law firms operate under a tension that other regulated industries do not face with the same intensity: attorney-client privilege creates both the data’s extraordinary value to extortionists and institutional resistance to the external monitoring required to detect a breach in progress. Deploying robust DLP on privileged client communications requires careful design to avoid creating discoverable records of monitoring itself. Many firms have deferred that design work in favor of simpler perimeter security.
Partnership structures at law firms also complicate cybersecurity governance. Unlike corporations with a CISO reporting to a board, many law firms govern technology spending through partner committees where security competes directly against revenue-generating initiatives. IT security managers at law firms frequently report insufficient budget authority to deploy the endpoint controls, network monitoring, and user training programs that would address the SRG threat model specifically.
The FBI’s dual alert strategy in 2025 and 2026 is partly an acknowledgment that the legal sector has not responded fast enough to prior warnings. The 2025 alert described a vishing threat that was fully operational and actively exploiting law firms. Thirteen months later, the same group had escalated to physical office intrusions and extracted a $20 million payment. The gap between the FBI’s first warning and that payment is exactly the window that inadequate defensive response left open.
Predictions: What Silent Ransom Group Does Next
Based on the three-phase tactical evolution documented over four years and current operational patterns confirmed by both the FBI and Mandiant, five developments are probable in the next 18 months:
- SRG will expand physical intrusion to additional sectors. The technique has proven effective enough at law firms that the group has no incentive to restrict it geographically or by industry. Healthcare organizations with large sensitive data sets and inconsistent physical security for IT contractors are the most probable next primary targets, alongside private equity firms and hedge funds that hold client financial data under comparable confidentiality obligations.
- Ransom demands will exceed $20 million in at least one disclosed case before the end of 2026. The May 2026 payment establishes a precedent. Victims with sufficiently sensitive data may face demands calibrated to what a firm would calculate as preferable to client-data exposure. The $20 million demand was almost certainly based on specific assessment of the victim firm’s matter portfolio and client identities.
- Cloud storage exfiltration will become SRG’s primary method, replacing WinSCP and Rclone. OneDrive and Google Drive traffic is far harder to block without disrupting legitimate operations. The 2026 alert’s inclusion of cloud staging channels signals active experimentation, and the technique faces fewer network-level restrictions than direct SFTP connections to external IPs.
- A law firm breach will result in bar complaints and malpractice liability becoming public before end of 2026. The concentration of attacks on law firms, combined with the volume of data now in SRG’s possession from victims that did not pay, means a publication event affecting a high-profile client matter is statistically likely in the near term. That event, when it occurs, will accelerate bar association guidance on mandatory cybersecurity standards.
- Other extortion groups will adopt physical intrusion tactics. The FBI’s public confirmation that physical intrusion is operationally viable as a data theft technique will be noted by other criminal organizations. Within 12 to 18 months, at least one additional criminal group is likely to document a similar in-person intrusion approach targeting US businesses.
Frequently Asked Questions
What is Silent Ransom Group?
Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753, is a Russia-linked financially motivated cybercrime group active since March 2022. It specializes in data theft and extortion without deploying ransomware encryption. The group steals sensitive data and threatens to publish or sell it unless victims pay. It emerged after the Conti ransomware syndicate collapsed and has focused on US law firms as a primary target since Spring 2023.
How does Luna Moth attack law firms?
SRG uses three methods: callback phishing via fake subscription invoices that prompt victims to call an SRG operator; vishing calls where operators impersonate internal IT staff to trick employees into installing remote access tools; and physical office intrusions where operators pose as IT contractors and plug USB storage devices directly into workstations to copy data. All three methods are currently active as of June 2026.
Why does Silent Ransom Group target law firms?
Law firms hold attorney-client privileged data, litigation strategy, M&A documents, regulatory findings, and client PII across thousands of matters. That data creates disproportionate extortion leverage because its disclosure can trigger bar complaints, malpractice claims, client defections, and regulatory consequences that significantly exceed the ransom amount. The threat of exposure is more coercive than encrypted files would be.
What tools does Silent Ransom Group use?
For remote access, SRG uses AnyDesk, RustDesk, Zoho Assist, Quick Assist, Syncro, Splashtop, and Atera. For data exfiltration, it uses WinSCP and Rclone to transfer files to external servers, Microsoft OneDrive and Google Drive as cloud staging points, and USB storage devices during physical intrusion attacks. No custom malware is deployed — the group relies entirely on legitimate dual-use tools already common in enterprise environments.
Has the FBI warned about Silent Ransom Group?
Yes. The FBI’s Cyber Division issued two FLASH alerts: the first in May 2025 (IC3 CSA/2025/250523.pdf) covering vishing attacks on law firms, and a second in May 2026 (IC3 CSA/2026/260526.pdf) specifically addressing the physical intrusion escalation. Two alerts on the same group in 13 months is unusual and signals sustained, high-priority threat activity against a sector the FBI considers at significant risk.
How much has Silent Ransom Group extorted from victims?
The largest single disclosed payment is $20 million, paid by a US law firm in May 2026. Howden’s cyber team confirmed multiple multi-million dollar payments by law firm victims in 2025 and 2026. SRG has claimed responsibility for more than 100 attacks since 2022, though not all victims have disclosed payment details publicly. The group’s total extortion receipts are unknown but almost certainly exceed $100 million across the full campaign.
Does Silent Ransom Group encrypt files like traditional ransomware?
No. SRG does not encrypt victim files. It steals data and threatens to publish or sell it. This means backups do not solve the problem: the firm’s data remains accessible and operational, but the stolen copy can still be weaponized for extortion. This also means traditional ransomware detection tools that look for encryption behavior will not flag an SRG intrusion in progress — defenders must instead focus on detecting the access and exfiltration phases.
How can organizations detect a Silent Ransom Group attack in progress?
The FBI’s 2026 alert identifies four key indicators: unauthorized downloads of remote monitoring tools including Zoho Assist, Quick Assist, AnyDesk, RustDesk, Syncro, Splashtop, or Atera; WinSCP or Rclone connections to external IP addresses; unusual data transfers to Microsoft OneDrive or Google Drive from non-corporate accounts; and unsolicited calls from individuals claiming to work in the IT department. USB device connection logs can also reveal physical intrusion attempts. Correlating these signals in a SIEM is the most reliable detection approach given the absence of malware artifacts.
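The eight controls listed earlier (RMM allowlist, call-back verification, cloud upload DLP, USB device control) and the indicator list in this answer all produce signals that mean little on their own but a great deal together. The following is an added example of that correlation, not code from the FBI alert or any SIEM product. It assumes telemetry has already been normalized into JSON lines with `ts`, `host`, `user` and `type` fields; the field names, the allowlisted remote-support tool, the corporate domain, the Tuesday-evening maintenance window and the per-user upload baseline are this example's own assumptions, and the log lines are constructed.

```python
"""Correlate the FBI-listed SRG indicators per host within a 24-hour window (added example)."""
import json
from datetime import datetime, timedelta

RMM_ALLOWLIST = {"ConnectWise ScreenConnect"}      # the firm's approved remote-support tool (assumed)
CORPORATE_DOMAINS = {"example-law.com"}             # sanctioned cloud account domain (constructed)
MAINTENANCE = (1, 18, 22)                           # weekday=Tuesday, 18:00-22:00: IT's USB window (assumed)
UPLOAD_BASELINE_BYTES = {"jdoe": 50_000_000}        # per-user daily upload baseline from history (constructed)
WINDOW = timedelta(hours=24)

# Constructed sample telemetry for three hosts; not from any real incident.
SAMPLE_LOG = """\
{"ts":"2026-05-12T09:14:00","host":"WS-PARALEGAL-07","user":"jdoe","type":"call_report","claimed":"IT helpdesk","verified":false}
{"ts":"2026-05-12T09:31:00","host":"WS-PARALEGAL-07","user":"jdoe","type":"rmm_install","product":"RustDesk"}
{"ts":"2026-05-12T10:05:00","host":"WS-PARALEGAL-07","user":"jdoe","type":"cloud_upload","service":"OneDrive","account":"jdoe@outlook.com","bytes":2800000000}
{"ts":"2026-05-12T11:40:00","host":"WS-PARALEGAL-07","user":"jdoe","type":"cloud_upload","service":"OneDrive","account":"jdoe@example-law.com","bytes":12000000}
{"ts":"2026-05-13T14:22:00","host":"WS-RECEPTION-01","user":"svc-it","type":"rmm_install","product":"ConnectWise ScreenConnect"}
{"ts":"2026-05-14T15:02:00","host":"WS-ASSOC-22","user":"msmith","type":"usb_attach","device":"SanDisk Ultra","serial":"4C530001"}
{"ts":"2026-05-12T19:30:00","host":"WS-ASSOC-22","user":"svc-it","type":"usb_attach","device":"Kingston DT","serial":"001A"}
"""


def signal_for(ev):
    """Map one normalized event to an indicator name, or None when it is benign."""
    t = ev["type"]
    if t == "rmm_install" and ev["product"] not in RMM_ALLOWLIST:
        return "unapproved_rmm"                     # control 1: RMM not on the allowlist
    if t == "call_report" and not ev.get("verified", False):
        return "unsolicited_it_call"                # control 2: staff reported an unverified IT call
    if t == "usb_attach":
        wd, start, end = MAINTENANCE
        ts = ev["_ts"]
        if not (ts.weekday() == wd and start <= ts.hour < end):
            return "usb_outside_window"             # control 4: USB media outside maintenance window
    if t == "cloud_upload":
        domain = ev["account"].rsplit("@", 1)[-1]
        baseline = UPLOAD_BASELINE_BYTES.get(ev["user"], 0)
        if domain not in CORPORATE_DOMAINS or ev["bytes"] > 10 * baseline:
            return "cloud_upload_anomaly"           # control 3: non-corporate account or 10x baseline
    return None


def parse_log(text):
    """Parse JSON lines, attach a datetime, and return events in time order."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["_ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["_ts"])


def correlate(log_text, min_kinds=2):
    """Alert on hosts where at least min_kinds distinct indicators fall within WINDOW."""
    by_host = {}
    for ev in parse_log(log_text):
        sig = signal_for(ev)
        if sig:
            by_host.setdefault(ev["host"], []).append((ev["_ts"], sig))
    alerts = []
    for host, sigs in by_host.items():                     # sigs are already time-ordered
        best = None
        for i, (t0, _) in enumerate(sigs):
            in_window = [(t, s) for t, s in sigs[i:] if t - t0 <= WINDOW]
            kinds = {s for _, s in in_window}
            if len(kinds) >= min_kinds and (best is None or len(kinds) > len(best[0])):
                best = (kinds, t0, max(t for t, _ in in_window))
        if best:
            alerts.append({"host": host, "kinds": sorted(best[0]),
                           "first": best[1].isoformat(), "last": best[2].isoformat()})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        print(f"{a['host']}: {', '.join(a['kinds'])} between {a['first']} and {a['last']}")
```

On the sample data only WS-PARALEGAL-07 alerts at the default threshold: an unverified helpdesk call, a RustDesk install and a multi-gigabyte upload to a personal OneDrive account all land within an hour. The ScreenConnect install on the reception workstation is allowlisted, and the Tuesday-evening USB attachment falls inside the maintenance window, so neither adds noise; the Thursday USB attachment on WS-ASSOC-22 is a single indicator and only surfaces when `min_kinds` is lowered to 1, which is how a SOC would keep the physical-intrusion signal reviewable without paging on every thumb drive.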