Anatomy of a Silent Ransom Group Attack on a Law Firm

Case Study

Written by Brightside Team

A partner at a mid-sized firm gets an email about an invoice. There's no link to click, no attachment to open, nothing for a filter to flag. A day later, the phone rings. The caller knows the firm's name, sounds calm and professional, and explains that IT is migrating some data and needs two minutes of screen-sharing to finish the job. By the end of that call, an attacker has remote control of a workstation. Within the hour, client files are being copied out of the firm's document management system. Within a business day, an extortion letter lands, giving the firm three days to negotiate before the data goes public.

Nothing in that sequence involved malware, a stolen password, or an exploited vulnerability. The email gateway, multi-factor authentication, and the firewall all did exactly what they were built to do, and none of them mattered, because the whole breach ran through a conversation. This is how the Silent Ransom Group operates, and law firms have become one of its preferred targets. The attack keeps working because almost every control a typical firm relies on was designed for a different kind of threat. What follows traces the group's method from the first email to the final extortion note, and shows where the defenses that actually work belong.

Who the Silent Ransom Group is

The Silent Ransom Group (SRG) goes by several names. Google's Mandiant tracks the cluster as UNC3753, and it is also known as Luna Moth and Chatty Spider, with Microsoft using the label Storm-0252. The aliases all point to the same financially motivated crew, active since at least 2022, that emerged from the wreckage of the Conti ransomware syndicate. In its earlier life the group ran "BazarCall" callback-phishing campaigns that fed initial access to Ryuk and Conti ransomware operations. After Conti shut down, the operators rebranded and shifted to standalone work.

The most important thing to understand about SRG is what they don't do: they don't encrypt anything. There is no ransomware payload locking up your servers, no screen full of skulls demanding Bitcoin to restore files. Instead they steal data and threaten to leak or sell it. That choice is strategic. Encryption-based ransomware can often be defeated by good backups, so a firm with clean offline copies can refuse to pay and restore. Pure data-theft extortion removes that escape route. Once confidential files are in an attacker's hands, the copy they hold is the leverage, and restoring your own copy from backup does nothing to take it off the market.

The model has scaled. According to a June 2026 analysis by the threat intelligence firm Resecurity, the group's data leak site listed close to 100 victim organizations, and at least 38 law firms have had data leaked through these tactics. Resecurity also notes that law firms accounted for roughly a quarter of all ransomware-related incidents tracked in the first quarter of 2026, making the legal sector the fourth-most-targeted industry. Mandiant's investigation found the group hitting dozens of legal, financial, and professional services organizations across the United States between January and May 2026. Numbers like these describe a sustained, industrialized operation, not a run of opportunistic hits.

Why law firms are deliberate targets

Plenty of cybercrime is opportunistic, striking whoever happens to be vulnerable. SRG's focus on law firms is chosen on purpose, and the reasoning is worth spelling out because it explains why the extortion works.

Law firms sit on concentrated repositories of exactly the data that creates leverage. As Mandiant puts it, legal services firms "maintain concentrated repositories of extremely sensitive client transaction files, merger and acquisition plans, client trade secrets, and corporate regulatory reports." A single document management system can hold pending deal terms, privileged communications, litigation strategy, personally identifiable information, and tax records such as W-2, W-9, and 1099 forms. For an extortionist, that concentration is the prize. They don't need to break into a hundred companies when one firm's files touch a hundred clients.

Then there's the pressure to pay. A law firm's entire business rests on confidentiality and client trust. A public leak doesn't just risk regulatory fines, it threatens the attorney-client relationship at the core of the practice, invites malpractice exposure, and can drive clients to competitors overnight. Mandiant assesses that threat groups specifically recognize that legal entities face heavy reputational and regulatory exposure and "may be highly motivated to resolve extortion situations quietly to protect their professional standing." The obligations that make a firm trustworthy are the same ones that make it more likely to pay rather than disclose. The leverage isn't downtime or locked systems, it's the threat of exposure, and the attacker knows what a firm will pay to keep its reputation off a leak site.

Anatomy of the attack, stage by stage

The strength of SRG's playbook is its tempo and its reliance on legitimate tools. Mandiant found that in many incidents the entire sequence, from first contact to data theft and extortion, happened within a single business day. In some cases, searching, staging, and stealing files was completed in under an hour. Here is how that hour comes together.

1. The invoice lure. It starts with a plain email, usually invoice- or subscription-themed, sent from a consumer email account. There is no malicious link or attachment, which is exactly the point. The message exists to plant a pretext and prime the target for a follow-up call, while sliding past email security that has nothing harmful to detect. Sometimes the lure is skipped entirely and the call comes cold.

2. The phone call. This is the heart of the attack. An operator calls an employee while posing as internal IT support or the firm's security team, often using publicly listed names and numbers harvested from the firm's own website. Under the cover of a security issue or a data migration project, the caller builds rapport and walks the target toward a screen-sharing session. The pace is patient. In one Mandiant case, the attacker held five separate calls with the same target over three days to establish trust and keep access alive. To reinforce the illusion, the group registers lookalike domains that mimic internal IT portals, using naming patterns built around the firm's name plus terms like "it," "itdesk," or "helpdesk."

3. Screen-sharing and remote access tools. Once the employee agrees to share their screen, the attacker bridges from a conversation to a foothold. They start with built-in or common tools the user already trusts, such as Zoom, Microsoft Teams, Quick Assist, or Microsoft Terminal Services. Then they push for persistence by talking the employee into installing commercial remote monitoring and management (RMM) software like AnyDesk, Bomgar, Zoho Assist, or SuperOps. To pass along install links and commands without leaving a trail, they often use Privnote, a self-destructing notes service that wipes the message after it's read, keeping artifacts out of browser history and chat logs.

4. The pivot into firm systems. With remote control established, the attacker moves toward the data. Mandiant observed intrusions that abused bring-your-own-device setups: the operator ran a remote session on an employee's personal laptop, then used that machine to reach the firm's virtual desktop infrastructure through native clients like Windows 365 or Citrix. From there they enumerate local directories, OneDrive folders, and mapped network drives, working out where the valuable material lives.

5. Document harvesting. This is where targeting a law firm pays off for the attacker. They run keyword searches inside document management platforms such as iManage to locate the most sensitive folders: tax forms, audit files, client agreements, and Social Security numbers. The results get staged into ordinary-looking locations, typically the user's Downloads folder or roaming profile, ready for bulk transfer.

6. Exfiltration. To move the data out, the group reaches for portable, legitimate file-transfer utilities like WinSCP or Rclone, or simply logs into an attacker-controlled cloud storage account directly in the victim's browser and uploads the files. In one engagement documented by Mandiant, the attacker exfiltrated 1.7 GB from a local OneDrive folder to a Google Drive account, then pivoted into a virtual desktop session and pulled another 14.4 GB using WinSCP. Sometimes the destination folders are even renamed to mimic the victim firm's branding.

7. The extortion. The pressure starts almost immediately. Mandiant reports that an extortion email often arrives within 30 minutes of the attacker leaving the environment. The letters are unbranded and aggressive, set a three-day deadline to open negotiations, and threaten that if the firm stays silent, the group will contact employees and external clients directly to alert them of the breach, then publish the stolen archives on a public leak site. The message is engineered to maximize fear of exposure: regulatory fines, client lawsuits, lost deals, and reputational ruin all get named explicitly.
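Stages 3 through 6 above leave a recognizable footprint on the victim's own endpoint: a remote-support binary, a Privnote lookup, a burst of file writes under Downloads or the roaming profile, a file-transfer utility, and a large upload to a consumer cloud host, all on one machine inside one business day. None of those events is malicious on its own, which is why single-event alerts miss this group; the sequence is what stands out. The following is an added example of that correlation, written for this article and not code from Brightside or Mandiant. The event schema, the host and user names, the thresholds, and several of the binary names (the Zoho Assist, Bomgar and SuperOps entries in particular) are assumptions and must be matched against what your EDR, DNS and proxy telemetry actually record.

```python
"""
Correlation sketch for the SRG tool chain: a remote-support tool appears,
Privnote is looked up, files are staged in bulk, a file-transfer utility runs,
and a large upload goes to a consumer cloud host, all on one endpoint inside
one business day. Added example, not code from Brightside or Mandiant.
Event schema, process names and thresholds are assumptions to tune.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Binary names per stage. AnyDesk.exe and QuickAssist.exe are real names; the
# Zoho Assist, Bomgar and SuperOps entries are assumptions to verify locally.
REMOTE_TOOLS = {"quickassist.exe", "anydesk.exe", "za_access.exe",
                "bomgar-scc.exe", "superops.exe"}
TRANSFER_TOOLS = {"winscp.exe", "rclone.exe"}
NOTE_SERVICES = ("privnote.com",)
CONSUMER_CLOUD = {"drive.google.com", "www.dropbox.com", "mega.nz"}

STAGING_DIRS = ("\\downloads\\", "\\appdata\\roaming\\")
STAGING_MIN_FILES = 50           # file-write burst that counts as staging
UPLOAD_MIN_BYTES = 500 * 2**20   # 500 MiB to one consumer-cloud host
WINDOW = timedelta(hours=24)     # "within a single business day"
DATA_MOVEMENT = {"transfer_tool", "cloud_upload"}


def classify(ev):
    """Map one telemetry event to an attack stage name, or None."""
    kind = ev["type"]
    if kind == "process":
        name = ev["image"].rsplit("\\", 1)[-1].lower()
        if name in REMOTE_TOOLS:
            return "remote_access"
        if name in TRANSFER_TOOLS:
            return "transfer_tool"
    elif kind == "dns":
        q = ev["query"].lower().rstrip(".")
        if any(q == s or q.endswith("." + s) for s in NOTE_SERVICES):
            return "privnote"
    elif kind == "net":
        if ev["dest"].lower() in CONSUMER_CLOUD and ev["bytes_out"] >= UPLOAD_MIN_BYTES:
            return "cloud_upload"
    elif kind == "filewrite":  # pre-aggregated burst: directory plus file count
        path = ev["path"].lower()
        if ev["count"] >= STAGING_MIN_FILES and any(d in path for d in STAGING_DIRS):
            return "staging"
    return None


def correlate(events, min_stages=3):
    """Alert per host when at least min_stages distinct stages fall inside
    WINDOW and one of them is data movement. A lone AnyDesk launch or a lone
    large Drive upload does not fire; the chain does."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((ev["ts"], stage))
    alerts = []
    for host, hits in by_host.items():
        for i, (t0, _) in enumerate(hits):
            window = [(t, s) for t, s in hits[i:] if t - t0 <= WINDOW]
            stages = {s for _, s in window}
            if len(stages) >= min_stages and stages & DATA_MOVEMENT:
                alerts.append({"host": host, "first": t0, "last": window[-1][0],
                               "stages": sorted(stages)})
                break
    return alerts


def _t(hhmm):
    return datetime.fromisoformat(f"2026-04-02T{hhmm}:00")


# Constructed sample telemetry: one workstation following the playbook,
# one colleague doing ordinary work. Paths and hostnames are made up.
SAMPLE_EVENTS = [
    {"ts": _t("09:05"), "host": "ws-partner-07", "type": "process",
     "image": "C:\\Program Files\\WindowsApps\\QuickAssist.exe"},
    {"ts": _t("09:20"), "host": "ws-partner-07", "type": "dns", "query": "privnote.com"},
    {"ts": _t("09:31"), "host": "ws-partner-07", "type": "process",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\AnyDesk\\AnyDesk.exe"},
    {"ts": _t("10:02"), "host": "ws-partner-07", "type": "filewrite",
     "path": "C:\\Users\\jdoe\\Downloads\\", "count": 320},
    {"ts": _t("10:15"), "host": "ws-partner-07", "type": "process",
     "image": "C:\\Users\\jdoe\\Downloads\\WinSCP.exe"},
    {"ts": _t("10:40"), "host": "ws-partner-07", "type": "net",
     "dest": "drive.google.com", "bytes_out": 1_700 * 2**20},
    {"ts": _t("09:00"), "host": "ws-paralegal-03", "type": "process",
     "image": "C:\\Program Files\\WindowsApps\\MSTeams\\ms-teams.exe"},
    {"ts": _t("11:30"), "host": "ws-paralegal-03", "type": "net",
     "dest": "drive.google.com", "bytes_out": 2 * 2**20},
    {"ts": _t("14:10"), "host": "ws-paralegal-03", "type": "filewrite",
     "path": "C:\\Users\\asmith\\Downloads\\", "count": 3},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["host"], a["first"].time(), "->", a["last"].time(), a["stages"])
```

The design choice is that no single stage alerts: AnyDesk is legitimate in many firms and large Drive uploads happen, but three or more stages on one host within the window, one of them a data-movement stage, is the shape of this intrusion and not of normal work. The BYOD pivot in stage 4 is the gap this sketch cannot cover, because a personal laptop produces no endpoint telemetry; that is the case the managed-device requirement later in the article is meant to close.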

The escalation: when the attacker walks in the door

The most striking development in this campaign is that the social engineering doesn't always stay on the phone. According to an FBI advisory referenced by Mandiant, when remote attempts fail, the group has sent someone to the victim's physical location. A person posing as an IT technician shows up at the office, claims they need to image a device or create local backups to fix a security problem, and once they have hands on a machine, they copy data straight to a USB drive.

Mandiant's threat intelligence group assesses that these in-person intrusions are likely linked to the same actor based on overlaps in targeting, timing, and behavior, though it notes the forensic evidence is limited and stops short of firm attribution. Assessed or confirmed, the tactic exposes a real gap. Most firms have spent years hardening their digital perimeter while their physical front door is still guarded mainly by politeness and a sign-in sheet. A confident stranger in business clothes who says IT sent them can walk past defenses that no amount of endpoint software would stop, because the whole intrusion happens at the level of human trust.

Why your existing defenses don't stop it

Run back through that attack and notice how little of it your security stack was built to catch.

The email gateway sees a short, friendly message with no link and no attachment. There is nothing malicious in it to score or quarantine, so it sails through. Multi-factor authentication, the control most firms treat as their backbone, is irrelevant here, because no one is stealing a password and logging in from afar. The employee authenticates their own session and then hands control to the attacker willingly. Your endpoint protection and firewall watch the attacker work and see nothing alarming, because the tools in use are legitimate, signed, and often already approved somewhere in the environment. Zoom, Quick Assist, AnyDesk, and WinSCP are not malware.

Backups, the usual last resort against ransomware, don't help either. They answer the question of how to get your data back, but SRG never takes it away in the first place. The files sit untouched on your servers while copies of them travel toward a buyer, so there is no recovery that changes the outcome.

The common thread is that every stage of this attack runs through a person making a reasonable-seeming decision. The technology performed exactly as designed. The decision is where the breach happened, which is why the most effective defenses concentrate there.

How to stop a Silent Ransom Group attack

Defending against this threat means accepting that the decisive control is human, then surrounding that human with process and technology that make the attack harder to pull off and easier to catch.

Start with the human layer, because it's where the attack lands.

  • Adopt and publicize an out-of-band IT verification rule. Employees should know one thing cold: internal IT will never cold-call and ask them to install remote-access software or share their screen on the spot. Any such request gets verified through a known internal channel, like calling the help desk back on a published number or confirming through a ticketing system, before anyone touches a keyboard. The rule only works if people actually know it and have practiced using it under pressure.

  • Drill employees against IT-impersonation vishing specifically. Generic annual awareness training does little against a calm, adaptive caller who sounds exactly like the IT person you spoke to last month. Staff need realistic practice recognizing and refusing the move: the unsolicited call, the screen-share request, the urgency, the install link. Both the FBI and Mandiant explicitly recommend awareness training tailored to these tactics, techniques, and procedures, and a dedicated approach to training employees against AI voice scams looks very different from a standard phishing module. More on how to run that kind of simulation below.

Then layer technical controls that correspond to each stage of the attack:

  • Control remote-access and screen-sharing software. Use application allowlisting (for example Windows Defender Application Control or equivalent endpoint tooling) to block the installation and execution of unauthorized RMM and remote-support tools. Allowlisting only reaches the tools you haven't sanctioned: Quick Assist ships with Windows, and Zoom and Teams are usually approved, so for those either remove the component where it isn't needed or use the platform's own policy settings to restrict interactive screen control, and log every session of any RMM you do approve.

  • Require corporate-managed devices for sensitive access. Conditional access policies should ensure that only corporate-owned, managed devices can authenticate to virtual desktop infrastructure or VPN. That closes the personal-laptop pivot that SRG has used to reach firm systems.

  • Harden removable media. Disable read/write access to external USB storage on endpoints and on devices used to reach virtual desktops. This neutralizes the in-person USB-exfiltration tactic directly.

  • Monitor egress and document stores. Alert on bulk file searches and mass downloads inside iManage, SharePoint, and email repositories, and make sure that coverage extends to sessions started from the virtual desktop infrastructure, since SRG has pulled data from inside a VDI session. Watch network flows for high-volume transfers via tools like WinSCP and Rclone or unusual uploads to consumer cloud accounts; both move data over ordinary encrypted channels, so the useful signals are process telemetry (which binary opened the connection) and per-user volume against a baseline rather than the protocol itself. Enforce MFA on the document management systems themselves.

  • Verify physical visitors against work orders. Require photo identification, log it, confirm any technician against a pre-scheduled work order with the dispatching organization, and escort service personnel inside the building.
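One technical control the list above does not name follows directly from stage 2: the lookalike domains SRG registers are built from the firm's name plus "it", "itdesk" or "helpdesk", which is a small enough pattern to enumerate and watch for. The following is an added example of that check, written for this article and not Brightside's or Mandiant's code. The resolver log format, the firm name "smithjones", its legitimate domains and the query lines are constructed assumptions; the generated candidate list is also what you would feed to a newly-registered-domain feed or a certificate-transparency monitor so that a fake portal is caught before the first call, not after.

```python
"""
Lookalike-domain check for the fake IT-portal pattern: the firm's name
combined with "it", "itdesk" or "helpdesk". Added example, not Brightside's
or Mandiant's code. The DNS log format, the firm name "smithjones" and its
legitimate domains are constructed assumptions.
"""
import itertools
import re

IT_TERMS = ("it", "itdesk", "helpdesk")
SEPARATORS = ("", "-")
TLDS = ("com", "net", "org", "co")

# Constructed resolver log line: timestamp, client, query type, query name.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")


def candidate_domains(firm):
    """Enumerate exact lookalikes: <firm><sep><term> and <term><sep><firm>
    across the separators and TLDs above. Register or block these, and feed
    them to new-domain and certificate-transparency monitoring."""
    firm = firm.lower()
    labels = set()
    for term, sep in itertools.product(IT_TERMS, SEPARATORS):
        labels.add(f"{firm}{sep}{term}")
        labels.add(f"{term}{sep}{firm}")
    return {f"{label}.{tld}" for label, tld in itertools.product(labels, TLDS)}


def registrable(domain):
    """Naive eTLD+1 (last two labels). Assumption for the example; production
    code should use the Public Suffix List so that firm.co.uk is handled."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def _it_term_attached(rest):
    """True when what remains of the label after removing the firm name is an
    IT-support term, possibly with separators or digits (it-2, itportal).
    Deliberately loose; it is a triage signal, not a block decision."""
    rest = re.sub(r"[^a-z]", "", rest.lower())
    return bool(rest) and any(rest.startswith(t) or rest.endswith(t) for t in IT_TERMS)


def scan_dns_log(lines, firm, legit_domains):
    """Return one hit per query whose registrable domain is an exact generated
    lookalike, or contains the firm name with an IT term attached, excluding
    the firm's own domains (so it.smithjones.com is not flagged)."""
    firm = firm.lower()
    exact = candidate_domains(firm)
    legit = {d.lower() for d in legit_domains}
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reg = registrable(m["qname"])
        if reg in legit:
            continue
        label = reg.split(".")[0]
        if reg in exact:
            reason = "exact-pattern"
        elif firm in label and _it_term_attached(label.replace(firm, "", 1)):
            reason = "fuzzy-pattern"
        else:
            continue
        hits.append({"client": m["client"], "domain": reg, "reason": reason})
    return hits


# Constructed sample queries from an internal resolver.
SAMPLE_DNS_LOG = [
    "2026-04-02T09:12:44Z 10.20.3.41 A smithjones.com",
    "2026-04-02T09:12:50Z 10.20.3.41 A it.smithjones.com",
    "2026-04-02T09:31:07Z 10.20.3.41 A smithjones-itdesk.com",
    "2026-04-02T09:40:19Z 10.20.3.58 A smithjoneslitigation.com",
    "2026-04-02T09:44:02Z 10.20.3.41 A smithjones-it-portal.net",
    "2026-04-02T10:02:55Z 10.20.3.77 A docs.microsoft.com",
]

if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_DNS_LOG, "smithjones", ["smithjones.com"]):
        print(h["client"], h["domain"], h["reason"])
```

A hit from a user's workstation is worth a phone call to that user, because it usually means the attacker has already sent them a link, and it tells you which desk the vishing call landed on. The fuzzy match will produce some noise (any label ending in "it" qualifies), which is acceptable for a signal that is reviewed rather than acted on automatically.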

Process and technology raise the bar at every step. But the attack still begins with a phone ringing on a real person's desk, and that person's reaction decides whether the rest of the chain ever starts. The person has to be ready, and readiness comes from realistic practice, not policy memos.

The Best Tool for Simulating Deepfake and Voice Phishing Attacks to Train Employees

You can't lecture someone out of a live, adaptive phone call. The Silent Ransom Group succeeds because a calm voice and a believable story override what an employee learned in a slideshow six months ago. The training that reliably transfers is the kind that puts people through a realistic version of the attack before the real one arrives, so the moment feels familiar and the refusal becomes a reflex. That's what Brightside is built to do.

Brightside is an AI-native Swiss security awareness platform that covers the full attack surface SRG exploits: voice phishing, deepfakes, and email. Its AI vishing simulator runs phone calls that adapt in real time, so employees experience the actual dynamics of an IT-impersonation call rather than reading about one. The simulator supports two modes that map directly onto the SRG playbook. A Voice Attack is a voice-only call that tests how a target handles social engineering on the phone. A Hybrid Attack pairs a call with a phishing email containing a trackable link, which mirrors SRG's email-lure-then-call sequence and tests whether employees connect the two. Running phishing, smishing, and vishing simulations from one place is what makes that kind of multi-channel test practical.

Building a drill that resembles a real Silent Ransom Group call is direct, because the platform's template builder is organized around the same elements the attacker uses:

  • Attack goal. Define the objective in plain terms, such as posing as IT support handling a security incident to get the target to install remote-access software or hand over a password reset link. These are the precise outcomes SRG pursues.

  • Tactics. Select the social engineering techniques to apply, including Pretexting, Authority Impersonation, Fear/Threat, Curiosity Hooks, and Commitment escalation, with a recommended-strategy option that suggests proven combinations and explains why they work.

  • Caller persona and context. Set who the AI agent claims to be, for instance "Sarah from IT," with a name, position, and organization, plus urgency level and tone ranging from friendly to commanding.

  • Voice. Choose from preset voices in English, French, German, and Italian, or use custom voice cloning from a short recording to run executive-impersonation drills, the kind of scenario where an attacker mimics a known leader's voice.

Because the threat isn't limited to voice, the platform also runs deepfake attack simulations to prepare teams for manipulated video and audio, and email phishing simulations that include AI-powered spear phishing and a Legal & Compliance template category aimed at the kinds of roles SRG targets inside a firm. Results are tracked through each stage of employee response, from delivered to opened, clicked, credentials entered, and reported, and a failed simulation can automatically trigger follow-up training so the lesson lands while it's fresh. Admins can even test a call in the browser before launching it to a team.

The reason this fits the SRG threat so well is the combination rather than any single feature: realistic, adaptive voice calls, the hybrid call-plus-email pattern, executive voice cloning, and deepfake coverage, unified in one platform that measures whether the training is actually working. One honest note on scope: Brightside is a training and simulation platform. It prepares people for the attack; it does not detect or respond to a live breach in real time, and it doesn't monitor employee communications. It hardens the human layer, working alongside the verification process and technical defenses described above, not in place of them.

The firms that come through a Silent Ransom Group call intact tend to have one thing in common. Their people had heard that call before, in a drill, and knew what to do when it wasn't a drill anymore.