What happened?
The FBI published an alert on 26 May advising that the Silent Ransom Group (SRG) - also tracked as UNC3753, Luna Moth, and Chatty Spider - is actively targeting law firms using social engineering and impersonation techniques. Mandiant reports that the group targeted multiple organisations across the legal, financial, and professional services sectors between January and May 2026.
SRG's attack chain is deliberately low-tech. Victims first receive a benign email, typically themed around an invoice or routine business matter, containing no malicious payload. This serves purely as a pretext for a follow-up phone call in which the attacker impersonates IT support and persuades the victim to join a screen-sharing session or install a legitimate remote access tool. Once access is granted, the attacker exfiltrates sensitive data for use in extortion demands. In some cases, the time between initial contact and data exfiltration is measured in hours.
In a notable escalation, SRG has extended its tactics beyond the digital domain. Individuals posing as IT personnel have attempted to gain physical access to offices to extract data directly from endpoints using removable media - a reminder that social engineering is not limited to what happens on a screen.
So what?
SRG's model diverges from conventional ransomware in a way that makes it particularly difficult to detect and respond to. Traditional ransomware is disruptive by design: encryption halts operations, triggers incident response, and forces engagement with insurers, regulators, and law enforcement. Extortion based purely on data theft, by contrast, leaves systems fully functional. Victims frequently have no indication that anything has happened until an extortion demand arrives, by which point the data is already outside their control.
Law firms are a logical target. The combination of highly sensitive client data, legal professional privilege obligations, reputational risk, and regulatory exposure - to the SRA and ICO in the UK - creates strong pressure to resolve incidents quickly and quietly. That pressure is itself part of what makes the extortion model work.
Detection is further complicated by SRG's deliberate use of legitimate tooling. Screen-sharing sessions, file transfers, and cloud uploads are routine in most organisations. Because the attacker blends into normal business operations rather than deploying identifiable malware, traditional endpoint and network controls are less effective, and there are limited indicators of compromise to proactively monitor. The threat cannot be managed through signature-based detection alone.
The physical dimension deserves specific attention. Many security programmes treat cyber and physical controls as separate domains. SRG exploits that gap directly: an attacker with physical access to a workstation can bypass a significant number of technical safeguards, particularly where device controls and access management policies are not tightly enforced.
What should I do?
Because SRG relies on legitimate tools and human behaviour rather than malware, defensive measures need to address the full attack chain - from the initial email through to data movement and physical access.
- Strengthen identity verification - Deploy phishing-resistant MFA and enforce device trust as a condition of access. Credential-based controls alone are insufficient when an attacker is persuading a legitimate user to grant access voluntarily.
- Control and monitor remote access tools - Maintain an approved list of remote monitoring and screen-sharing tools, block unapproved alternatives (ideally through application control so their installers and portable builds cannot execute), and ensure all usage is logged and reviewed. Legitimate tools used outside expected patterns - an unexpected binary, an unusual user, or a session outside service-desk hours - should generate alerts.
- Shift detection focus to data movement - Rather than relying primarily on malware detection, prioritise visibility over data access and exfiltration activity. Anomalous file access volumes, bulk transfers to cloud storage, and unusual network egress are more reliable signals for this type of attack.
- Educate employees on social engineering - Staff should be trained to recognise vishing and IT impersonation tactics, with clear guidance on legitimate support processes.
- Require verification for sensitive requests - Ensure that any requests involving remote access or software installation are independently verified through trusted channels, such as calling the service desk back on a published number or raising a ticket, rather than acting on an inbound call. This removes the attacker's ability to succeed by persuading a single individual in a single conversation.
- Enforce least privilege - Access rights must follow the principle of least privilege so users only have what they need to perform their roles, limiting the scope of any potential impact if an account is compromised.
- Monitor for identified indicators of compromise - Ensure any security tools are configured to detect the IOCs highlighted in Mandiant’s report.
- Strengthen physical security - Visitor access should be subject to strict verification, with mandatory escorting and supervision policies in place.
- Limit removable media use - Restricting the use of removable media on sensitive systems helps prevent direct data exfiltration, adding an extra layer of protection against physical threats.
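As an added illustration of two of the recommendations above - monitoring remote access tool usage and shifting detection toward data movement - the following Python sketch shows how the two signals can be correlated into a single high-severity alert. This is example code written for this page, not tooling from the FBI alert or Mandiant's report. The tool image names, cloud-storage domains, thresholds, window sizes and log events are all constructed assumptions and must be tuned to your own environment.

```python
"""Correlate unapproved remote-access tool execution with bulk egress to
cloud storage, the two observable stages of an SRG-style intrusion.

Added example for this page; not from the FBI alert or Mandiant's report.
All tool names, domains, thresholds and events below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Remote monitoring / screen-sharing binaries worth watching (assumption:
# illustrative list, lower-case image names; extend for your estate).
REMOTE_TOOLS = {
    "anydesk.exe", "zohoassist.exe", "syncro.exe", "splashtop.exe",
    "quickassist.exe", "teamviewer.exe", "atera.exe", "rustdesk.exe",
    "screenconnect.clientservice.exe",
}
# The tool your service desk genuinely uses (assumption for the example).
APPROVED_TOOLS = {"quickassist.exe"}

# Cloud-storage destinations whose bulk use warrants review (assumption).
CLOUD_STORAGE = {"mega.nz", "dropbox.com", "wetransfer.com", "drive.google.com"}

# Constructed endpoint / proxy events in a normalised shape. One workstation
# (WS-117) runs an unapproved tool and then pushes ~5.5 GB to mega.nz;
# WS-042 uses the approved tool and uploads to internal SharePoint;
# WS-009 uploads 900 MB to Dropbox with no remote tool seen.
EVENTS = [
    {"ts": "2026-03-04T09:12:00", "host": "WS-117", "user": "jdoe",
     "type": "process", "image": "AnyDesk.exe"},
    {"ts": "2026-03-04T09:40:00", "host": "WS-117", "user": "jdoe",
     "type": "egress", "dest": "mega.nz", "bytes": 2_400_000_000},
    {"ts": "2026-03-04T10:15:00", "host": "WS-117", "user": "jdoe",
     "type": "egress", "dest": "mega.nz", "bytes": 3_100_000_000},
    {"ts": "2026-03-04T11:00:00", "host": "WS-042", "user": "asmith",
     "type": "process", "image": "QuickAssist.exe"},
    {"ts": "2026-03-04T11:20:00", "host": "WS-042", "user": "asmith",
     "type": "egress", "dest": "sharepoint.example.com", "bytes": 50_000_000},
    {"ts": "2026-03-04T14:00:00", "host": "WS-009", "user": "bwong",
     "type": "egress", "dest": "dropbox.com", "bytes": 900_000_000},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def unapproved_remote_tools(events):
    """Process-creation events for remote tools outside the approved list."""
    watch = REMOTE_TOOLS - APPROVED_TOOLS
    return [e for e in events
            if e["type"] == "process" and e["image"].lower() in watch]


def bulk_cloud_egress(events, window=timedelta(hours=2), threshold=500_000_000):
    """Per (host, user), the largest byte volume sent to cloud storage within
    any sliding window; alert when it meets the threshold."""
    by_actor = defaultdict(list)
    for e in events:
        if e["type"] == "egress" and e["dest"].lower() in CLOUD_STORAGE:
            by_actor[(e["host"], e["user"])].append(e)
    alerts = []
    for (host, user), evs in by_actor.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        best_total, best_start = 0, None
        for i, start in enumerate(evs):
            t0, total = parse_ts(start["ts"]), 0
            for e in evs[i:]:
                if parse_ts(e["ts"]) - t0 > window:
                    break
                total += e["bytes"]
            if total > best_total:
                best_total, best_start = total, start["ts"]
        if best_total >= threshold:
            alerts.append({"host": host, "user": user,
                           "start": best_start, "bytes": best_total})
    return alerts


def correlate_chain(tool_alerts, egress_alerts, window=timedelta(hours=6)):
    """Bulk egress from the same host within `window` after an unapproved
    remote tool ran: the full SRG-style chain, escalated to high severity."""
    chains = []
    for t in tool_alerts:
        t0 = parse_ts(t["ts"])
        for g in egress_alerts:
            gap = parse_ts(g["start"]) - t0
            if g["host"] == t["host"] and timedelta(0) <= gap <= window:
                chains.append({"host": t["host"], "user": g["user"],
                               "tool": t["image"], "bytes": g["bytes"],
                               "severity": "high"})
    return chains


def run(events):
    tools = unapproved_remote_tools(events)
    egress = bulk_cloud_egress(events)
    return {"tool": tools, "egress": egress,
            "chain": correlate_chain(tools, egress)}


if __name__ == "__main__":
    for kind, alerts in run(EVENTS).items():
        for a in alerts:
            print(kind, a)
```

Run stand-alone it emits one tool alert and one bulk-egress alert for WS-117, a second egress alert for WS-009, and a single high-severity chain alert for WS-117; the approved QuickAssist session and the internal SharePoint upload on WS-042 produce nothing. The point of the correlation step is that either signal alone is noisy in most firms, whereas an unapproved remote tool followed within hours by gigabytes leaving for consumer cloud storage is rarely benign and matches the hours-long dwell time described above.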