Mandiant’s latest report details how the Silent Ransom Group (UNC3753) is leveraging phone‑based social engineering and remote‑support tools to steal sensitive legal data and issue rapid extortion demands, while the FBI warns of in‑person data‑theft variants.
Silent Ransom Group Uses Fake IT Support Calls to Breach Law Firms
Law firms are being hit hard by a new wave of social‑engineering attacks that start with a harmless‑looking email and end with a remote‑support session that hands attackers unfettered network access. The threat actor behind the campaign, known as the Silent Ransom Group (also tracked as UNC3753, Luna Moth, and Chatty Spider), has refined a phone‑centric playbook that can exfiltrate confidential client files within hours and follow up with aggressive extortion letters.
How the attack unfolds
- Invoice‑style phishing email – The victim receives a brief message from a consumer‑grade email address that mimics an internal invoice or IT notice. The email contains no malicious link; its sole purpose is to prompt the recipient to call a phone number listed in the message.
- Callback phishing call – When the employee calls back, an attacker poses as an IT help‑desk technician. Using a script that references the “invoice” or a fabricated system alert, the caller convinces the target to launch a remote‑support session.
- Remote‑support hijack – The attacker directs the victim to open a legitimate remote‑control tool—Microsoft Teams, Zoom, Quick Assist, or Microsoft Terminal Services—and then asks the user to install a third‑party remote‑monitoring and management (RMM) solution such as AnyDesk, Zoho Assist, Bomgar, or SuperOps.
- Stealthy command delivery – During the session the group often shares installation links and PowerShell commands through privnote.com, a self‑destructing note service that leaves little trace in browser histories.
- Data collection – Once inside, the gang sweeps document‑management platforms (iSeries, iManage, NetDocuments) and cloud storage (OneDrive, SharePoint, Google Drive) for contracts, M&A files, tax records, and personal identifiers. Exfiltration is performed with tools like WinSCP or Rclone.
- Rapid extortion – Within 30 minutes of leaving the network, the attackers send a ransom note demanding payment to prevent public disclosure. The letter gives a three‑day deadline and threatens to notify clients, regulators, and the media.
Caption: Silent Ransom Group attack flow
The FBI’s recent FLASH advisory adds a physical‑theft variant: attackers may follow the phone call with an in‑person visit to “image” workstations or copy files to external media. While forensic evidence of the in‑person step is limited, the timing and target selection align closely with the remote‑access campaign.
Expert perspective
"Legal firms store a concentration of high‑value data that, if exposed, can trigger massive regulatory fines and client lawsuits. The Silent Ransom Group knows that a quick, quiet settlement is often more appealing than a public breach," says Chris Roberts, senior threat analyst at Mandiant.
Roberts emphasizes that the group’s reliance on voice phishing—rather than purely email‑based lures—makes detection harder for traditional email security gateways. "The initial email is benign, so it passes through most filters. The real weapon is the phone call, which bypasses technical controls entirely."
Practical steps for law firms and professional services
1. Harden verification of IT support interactions
- Require a secondary authentication channel: When a user receives a call from “IT,” they must verify the request through an internal ticketing system (e.g., ServiceNow) or a dedicated Slack channel.
- Maintain a published IT‑support phone list: Publish the official numbers on the intranet and train staff to cross‑check any unsolicited calls.
2. Restrict remote‑access tool usage
- Whitelist approved RMM solutions in your endpoint management platform and block the installation of any unapproved remote‑control binaries.
- Enable Just‑In‑Time (JIT) access for privileged accounts, so elevation occurs only after a multi‑factor approval workflow.
3. Harden endpoint and network controls
- Enforce MFA on all privileged accounts and on any service that can generate remote‑support links.
- Apply application‑control policies that prevent execution of unsigned binaries from temporary directories (e.g., %TEMP%).
- Segment document‑management servers from the general corporate LAN; use VLANs and firewall rules that limit lateral movement.
4. Monitor for tell‑tale indicators
- Watch for outbound connections to newly registered domains that follow the pattern <org>-itdesk.com or <org>-helpdesk.com.
- Log usage of privnote.com and other disposable‑note services; flag any download of executable payloads from such URLs.
- Deploy UEBA (User and Entity Behavior Analytics) to detect abnormal remote‑support sessions, especially those that last longer than a few minutes or originate from external IP ranges.
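The first two indicators above can be turned into a simple log triage rule. The following is an added example, not code from the article, Mandiant, or the FBI; it assumes a five-field proxy log format (timestamp, source IP, destination host, URL, content type), a firm short name of "acme" for the <org> placeholder, and a small set of constructed log lines. Registration age of the domain is not checked here, since that needs a WHOIS/RDAP lookup.

```python
import re
from typing import Dict, List

ORG = "acme"  # assumed short name of the firm; the article's pattern is <org>-itdesk.com / <org>-helpdesk.com
LOOKALIKE_RE = re.compile(rf"^(?:[a-z0-9-]+\.)*{re.escape(ORG)}-(?:itdesk|helpdesk)\.com$", re.I)
NOTE_SERVICES = {"privnote.com"}  # disposable-note services; the article names privnote.com
PAYLOAD_EXT = (".exe", ".msi", ".ps1", ".bat", ".cmd", ".vbs", ".js")
PAYLOAD_TYPES = {"application/x-msdownload", "application/x-msi", "application/octet-stream"}

# Constructed proxy log lines for the demo (not real telemetry): ts src_ip dest_host url content_type
SAMPLE_LOGS = [
    "2024-05-01T10:02:11Z 10.1.4.22 acme-itdesk.com http://acme-itdesk.com/ text/html",
    "2024-05-01T10:05:40Z 10.1.4.22 privnote.com https://privnote.com/abc123 text/html",
    "2024-05-01T10:06:02Z 10.1.4.22 privnote.com https://privnote.com/dl/setup.exe application/x-msdownload",
    "2024-05-01T10:07:00Z 10.1.4.31 www.example-law.com https://www.example-law.com/ text/html",
    "2024-05-01T10:08:15Z 10.1.4.40 acme-helpdesk.com https://acme-helpdesk.com/login text/html",
]

def classify(line: str) -> List[str]:
    """Return the indicator tags one log line trips (empty list = nothing matched)."""
    fields = line.split()
    if len(fields) != 5:
        return []  # malformed line: skip rather than guess
    _ts, _src, host, url, ctype = fields
    tags = []
    # Domain age (the "newly registered" half of the indicator) needs WHOIS/RDAP and is out of scope here
    if LOOKALIKE_RE.match(host):
        tags.append("lookalike-helpdesk-domain")
    if host.lower() in NOTE_SERVICES:
        tags.append("disposable-note-service")
    path = url.split("?", 1)[0].lower()
    # The article's rule: flag executable payloads fetched from such suspect URLs, not every download
    if tags and (path.endswith(PAYLOAD_EXT) or ctype in PAYLOAD_TYPES):
        tags.append("executable-payload-from-suspect-url")
    return tags

def detect(lines: List[str]) -> Dict[str, dict]:
    """Aggregate per source IP; the chain lookalike -> note service -> payload beats any single hit."""
    per_src: Dict[str, set] = {}
    for line in lines:
        tags = classify(line)
        if tags:
            per_src.setdefault(line.split()[1], set()).update(tags)
    report = {}
    for src, tags in per_src.items():
        sev = "high" if "executable-payload-from-suspect-url" in tags else ("medium" if len(tags) > 1 else "low")
        report[src] = {"severity": sev, "tags": sorted(tags)}
    return report
```

Feed `detect()` your own proxy or DNS export in the same field order; a host that walks the full chain surfaces as "high" while a lone lookalike hit stays "low" for analyst review.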
5. Prepare for extortion scenarios
- Develop a breach‑response playbook that includes a “no‑pay” decision tree, legal counsel notification, and a pre‑approved communication template for clients and regulators.
- Maintain offline backups of critical legal documents and store them in immutable, air‑gapped storage to reduce leverage.
Broader trends and why this matters
The Silent Ransom Group’s shift away from encrypting ransomware toward pure data‑theft extortion mirrors a larger industry movement. Attackers realize that the value of confidential legal information—especially M&A intel and client‑sensitive data—often exceeds the ransom paid for decryption keys. By coupling rapid exfiltration with a tight deadline for payment, the gang forces victims into a high‑pressure decision.
Additionally, the use of fast‑flux infrastructure (as highlighted by Resecurity) makes takedown efforts difficult. The group’s leak sites rotate through residential IP pools across Latin America, Eastern Europe, and Asia, complicating IP‑based blocking.
What you can do today
- Audit your remote‑support policies – Verify that only approved tools are allowed and that every session is logged and reviewed.
- Run a phishing simulation that includes a callback component – Test whether employees will call a number and how they verify the caller’s identity.
- Implement DNS threat‑intelligence feeds that flag fast‑flux domains and disposable‑note services.
- Schedule a tabletop exercise with legal, compliance, and PR teams to rehearse the extortion response flow.
By tightening verification, limiting tool exposure, and preparing a coordinated response, law firms can close the Silent Ransom Group’s short window of opportunity and protect the sensitive data their clients entrust to them.
For more technical details, see the full Mandiant report and the FBI FLASH advisory linked in the article.