Security

Beware: Law Firms under Siege by Silent Ransom Group’s Fraudulent IT Support Calls

Published

3 hours ago

June 7, 2026

The Silent Ransom Group extortion gang is actively targeting U.S. law firms and professional services organizations in social engineering attacks that often lead to data theft within hours of initial contact, according to a new report by cybersecurity firm Mandiant.

The report follows an FBI FLASH advisory published last week warning that the Silent Ransom Group was targeting U.S. law firms in social engineering and even in-person data theft attacks, with Mandiant now providing additional technical details about how the intrusions are conducted.

Mandiant says the threat group, tracked as UNC3753, Luna Moth, and Chatty Spider, targeted dozens of organizations across the legal, financial, and professional services sectors between January and May 2026.

Mandiant warned that legal firms remain especially attractive targets because they store large volumes of highly sensitive client information and may feel pressured to resolve extortion incidents to avoid reputational and regulatory damage.

“Legal services firms represent high-value targets for extortion actors. They maintain concentrated repositories of extremely sensitive client transaction files, merger and acquisition plans, client trade secrets, and corporate regulatory reports,” explains Mandiant.

“Threat groups recognize that legal entities are subject to heavy reputational and regulatory exposure and may be highly motivated to resolve extortion situations quietly to protect their professional standing.”

The researchers say the attacks begin with invoice-themed phishing emails from consumer email accounts. These emails do not contain malicious links or attachments and instead serve as a precursor for follow-up phone calls from attackers impersonating corporate IT staff.

Conducting attacks via voice calls has been an ongoing tactic by these threat actors for years, which they previously used in BazarCall social engineering campaigns tied to Ryuk and Conti ransomware attacks. A callback phishing attack is when threat actors send benign-looking phishing emails containing alarming or IT-related lures that prompt the recipient to call them back at an enclosed phone number.

In the current campaign, the Silent Ransom Group impersonates IT help desks and convinces employees to join remote support sessions via Microsoft Teams, Zoom, Quick Assist, or Microsoft Terminal Services.

During these sessions, the threat actors trick the target into installing remote monitoring and management tools such as AnyDesk, Zoho Assist, Bomgar, or SuperOps, thereby granting them initial access to the corporate network.

Mandiant also discovered phishing domains tied to the campaign that impersonate internal IT portals using naming patterns such as:



<organization>-itdesk[.]com

<organization>-it[.]com

<organization>-helpdesk[.]com

The researchers say the threat actors also use privnote[.]com, a self-destructing messaging service, to share installation links and commands with targets during remote support sessions. According to Mandiant, this tactic helps reduce forensic artifacts left in browser histories or corporate chat logs.

Once inside a network, the group searches for sensitive legal and financial documents, including contracts, tax records, Social Security numbers, and merger or acquisition files. The attackers commonly target document management platforms and cloud storage repositories before exfiltrating the data using tools such as WinSCP or Rclone.

Mandiant says the extortion operation is highly aggressive, with ransom demands often arriving within 30 minutes of the attackers leaving the victim environment.

“These highly aggressive extortion letters give organizations a three-day deadline to respond and initiate ransom negotiations. If the victim organization is unresponsive, the threat actors declare they will call and email target employees and external clients directly to alert them of the data breach,” reports Mandiant.

“The extortion letters explicitly emphasize that the leak will compromise client trust, invite substantial regulatory fines, and suggest that external clients sue the victim organization for data mishandling.”

The report also references the FBI’s recent advisory in which law enforcement warned that the Silent Ransom Group was targeting U.S. law firms with in-person data theft attacks.

According to the FBI, attackers impersonate internal IT staff over phone calls and emails, then attempt to gain remote access or physically visit offices to “image” computers or create backups while secretly stealing files.

While Mandiant said there was limited forensic evidence, the researchers believe these in-person attacks are likely linked to UNC3753 based on similarities in targeting, timelines, and operational behavior.

The Silent Ransom Group has been active since at least 2022, when it was part of the Ryuk and Conti cybercrime syndicate.

As previously reported by BleepingComputer, the threat actors were previously linked to BazarCall callback phishing campaigns that provided initial access in Conti and Ryuk ransomware attacks.

After the Conti syndicate shut down in 2022, the group shifted to standalone data theft and extortion operations under the Silent Ransom Group branding.

Researchers say the group no longer relies on traditional ransomware encryption and instead focuses entirely on data-theft extortion, in which they steal sensitive data and pressure victims into paying to prevent leaks.

A separate report released this week by Resecurity found that the gang is also operating fast-flux infrastructure to hide and protect its data-leak platforms.

DNS fast flux is a method where attackers constantly rotate a domain’s IP addresses through a large pool of compromised devices to hide their infrastructure and make takedowns or blocking far more difficult.

According to the company, the infrastructure uses residential IP addresses across multiple countries and ISPs to make takedowns more difficult.

Resecurity said the group’s “business-data-leaks[.]com” leak site and related infrastructure rely on residential proxy networks spread across Latin America, Eastern Europe, Central Asia, the Middle East, and Asia.

“`

Enhancing Cybersecurity Measures Against Phishing and Social Engineering Attacks

A recent study conducted by researchers highlighted the interconnectedness of cybercrime infrastructure with various related services and domains. This finding underscores the need for organizations to bolster their defenses against evolving threats such as phishing, business email compromise (BEC), and account takeover attacks.

Both Mandiant and the FBI have recommended several proactive measures to safeguard against these sophisticated attacks. These include implementing stringent verification procedures for IT support interactions, restricting the use of remote access tools, enforcing multi-factor authentication (MFA), limiting the use of USB storage devices, and providing comprehensive training to employees to recognize and thwart voice phishing attempts.

For organizations seeking to fortify their defenses against phishing and social engineering tactics, BleepingComputer is collaborating with Abnormal to host an insightful webinar titled “Stop chasing alerts: Automating email security with behavioral AI.” This webinar aims to shed light on how behavioral AI can empower security teams to detect and respond to modern phishing attacks, automate investigation and remediation processes, and alleviate the operational challenges posed by alert fatigue and increasingly sophisticated social engineering schemes.

Research indicates that security teams only detect and alert on 14% of successful attacks, leaving the majority of threats undetected within the organization’s environment. The Picus whitepaper offers valuable insights on how breach and attack simulation can test the efficiency of SIEM and EDR rules, thereby preventing threats from slipping past detection mechanisms.

Access the whitepaper to enhance your organization’s cybersecurity posture.