What happened
A financially motivated threat group is conducting a targeted data theft and extortion campaign against US legal, professional, and financial services firms using a blend of phishing, voice-based social engineering, and legitimate remote access tools.
According to Google’s Mandiant division, the activity is linked to a threat cluster tracked as UNC3753, associated with the Silent Ransom group. Rather than relying on traditional ransomware encryption, the actors focus on gaining access to corporate environments, stealing sensitive data, and then demanding ransom payments under the threat of public disclosure.
The attack chain typically begins with a seemingly benign, invoice-themed email used as a pretext for follow-up voice phishing (vishing) calls. Attackers pose as internal IT or security staff and guide victims into screen-sharing sessions or the installation of remote monitoring and management (RMM) tools such as AnyDesk or Zoho Assist.
In some cases, the group escalates further by physically visiting corporate offices under IT-related pretenses, attempting to gain direct access to devices. Google’s Mandiant division noted that once inside, UNC3753 operators move quickly, sometimes completing data theft and extortion within an hour of initial compromise.
Who is affected
US-based law firms, along with organizations in professional services and financial services, are the primary targets of these campaigns. Firms handling high-value legal matters such as mergers and acquisitions, tax work, litigation, and regulatory advisory services are particularly exposed due to the sensitivity and concentration of client data.
Clients of these firms are indirectly impacted, as stolen datasets often include contracts, personally identifiable information, financial records, and privileged legal communications. The exposure creates significant third-party risk across industries that rely on external counsel, including finance, healthcare, and technology.
Why CISOs should care
This campaign highlights a shift away from noisy ransomware disruptions toward fast, stealth-driven data exfiltration and extortion. Because systems are not always encrypted or taken offline, breaches may go undetected until ransom demands are issued.
Google’s Mandiant division emphasizes that attackers are increasingly abusing trusted workflows, such as screen sharing, enterprise collaboration tools, and remote access utilities, to bypass traditional perimeter defenses. The speed of these attacks, with some progressing from initial contact to data theft in under an hour, significantly reduces detection and response windows.
For CISOs, this raises the importance of user-targeted defense, identity controls, and monitoring of remote access behaviors, particularly in environments where BYOD and virtual desktop infrastructure are used.
3 practical actions
- Educate employees on vishing and IT impersonation tactics, especially those involving screen sharing and remote support tools.
- Enforce strict controls and conditional access policies around RMM tools, screen-sharing platforms, and remote access sessions.
- Monitor for rapid data staging and exfiltration patterns, particularly within legal repositories and enterprise document systems.
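One way to operationalize the second and third actions together, as an added example that is not part of the original briefing: correlate an RMM tool process start with a large outbound transfer from the same host inside the sub-hour window described above. The pipe-delimited telemetry format, the sample log lines, the process names and the byte threshold are all assumptions to be mapped onto your own EDR and proxy data.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the briefing): timestamp|host|user|event|detail|bytes_out
SAMPLE_LOG = """\
2024-05-14T09:02:10|WS-LEGAL-07|jdoe|process_start|outlook.exe|0
2024-05-14T09:14:55|WS-LEGAL-07|jdoe|process_start|anydesk.exe|0
2024-05-14T09:41:30|WS-LEGAL-07|jdoe|net_egress|203.0.113.25:443|734003200
2024-05-14T10:05:00|WS-FIN-02|asmith|process_start|zohoassist.exe|0
2024-05-14T13:30:00|WS-FIN-02|asmith|net_egress|198.51.100.9:443|52428800
2024-05-14T11:00:00|WS-HR-01|mlee|net_egress|192.0.2.40:443|900000000
"""

# Assumed process names for the tools named in the briefing; verify against your own EDR.
RMM_PROCESSES = {"anydesk.exe", "zohoassist.exe"}
WINDOW = timedelta(minutes=60)        # the briefing's "within an hour" timeline
EGRESS_THRESHOLD = 500 * 1024 * 1024  # 500 MiB out of one host; tune per environment


def parse_log(text):
    """Turn pipe-delimited lines into dicts with a real datetime and int byte count."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, event, detail, nbytes = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "user": user,
                       "event": event, "detail": detail, "bytes": int(nbytes)})
    return sorted(events, key=lambda e: e["ts"])


def find_rmm_then_egress(events, window=WINDOW, threshold=EGRESS_THRESHOLD):
    """Flag hosts where a large outbound transfer follows an RMM process start within the window.
    Egress on hosts with no RMM start, or after the window has elapsed, is deliberately not flagged."""
    rmm_start = {}   # host -> (timestamp, process) of the most recent RMM process start
    alerts = []
    for e in events:
        if e["event"] == "process_start" and e["detail"].lower() in RMM_PROCESSES:
            rmm_start[e["host"]] = (e["ts"], e["detail"])
        elif e["event"] == "net_egress" and e["host"] in rmm_start:
            started, proc = rmm_start[e["host"]]
            elapsed = e["ts"] - started
            if timedelta(0) <= elapsed <= window and e["bytes"] >= threshold:
                alerts.append({"host": e["host"], "user": e["user"], "process": proc,
                               "minutes_after_rmm": int(elapsed.total_seconds() // 60),
                               "bytes_out": e["bytes"], "dest": e["detail"]})
    return alerts


if __name__ == "__main__":
    for a in find_rmm_then_egress(parse_log(SAMPLE_LOG)):
        print(f"ALERT {a['host']} ({a['user']}): {a['bytes_out']} bytes to {a['dest']} "
              f"{a['minutes_after_rmm']} min after {a['process']} started")
```

On the constructed sample only WS-LEGAL-07 fires: the WS-FIN-02 transfer is both small and hours after the RMM start, and WS-HR-01 has no RMM start at all, so a second rule on bare volume would be needed to catch that case.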

