Silent Ransom Group Targets Law Firms With Fake IT Support Calls


What happened

The Silent Ransom Group extortion gang is actively targeting U.S. law firms and professional services organizations through social engineering attacks that can lead to data theft within hours of initial contact.

The campaign follows an FBI FLASH advisory warning that the Silent Ransom Group was targeting U.S. law firms through social engineering and in-person data theft attacks. The group, tracked by Mandiant as UNC3753, Luna Moth, and Chatty Spider, targeted dozens of organizations across the legal, financial, and professional services sectors between January and May 2026.

The attacks begin with invoice-themed phishing emails sent from consumer email accounts. These emails do not contain malicious links or attachments. Instead, they serve as a precursor to follow-up phone calls from attackers impersonating corporate IT staff. In the current campaign, the attackers pose as IT help desks and convince employees to join remote support sessions through Microsoft Teams, Zoom, Quick Assist, or Microsoft Terminal Services.

During these sessions, the threat actors trick targets into installing remote monitoring and management tools such as AnyDesk, Zoho Assist, Bomgar, or SuperOps. This gives the attackers initial access to the corporate network. Phishing domains tied to the campaign also impersonate internal IT portals, using naming patterns that pair the target organization's name with terms such as "IT desk", "IT", or "helpdesk".

Once inside a network, the group searches for sensitive legal and financial documents, including contracts, tax records, Social Security numbers, and merger or acquisition files. The attackers commonly target document management platforms and cloud storage repositories before exfiltrating data using tools such as WinSCP or Rclone.

The extortion operation is highly aggressive, with ransom demands often arriving within 30 minutes of the attackers leaving the victim environment. The extortion letters give organizations three days to respond and begin ransom negotiations. If victims do not respond, the attackers threaten to contact employees and external clients directly to alert them of the data breach.

The FBI also warned that attackers impersonating internal IT staff may attempt to physically visit offices to image computers or create backups while secretly stealing files. Forensic evidence was limited, but the in-person attacks are believed to be linked to the same activity based on similarities in targeting, timelines, and operational behavior.

Who is affected

U.S. law firms and professional services organizations are the primary targets, with dozens of organizations across the legal, financial, and professional services sectors targeted between January and May 2026.

Legal services firms are especially exposed because they hold concentrated repositories of sensitive client information, including transaction files, merger and acquisition plans, trade secrets, regulatory reports, contracts, tax records, Social Security numbers, and other legal or financial documents. The attackers appear to use the sensitivity of this data, along with the reputational and regulatory pressure surrounding it, to intensify extortion demands.

Why CISOs should care

This campaign shows how low-friction social engineering can bypass traditional email security controls. The initial phishing emails do not contain malicious links or attachments, making them harder to detect through tools that primarily inspect payloads. The real compromise occurs later, when attackers use voice calls and remote support sessions to convince employees to install legitimate remote access tools.

For CISOs, the operational risk is not limited to phishing awareness. The campaign abuses trusted IT support workflows, common collaboration platforms, and widely used remote management tools. Once the attackers gain access, data theft can occur within hours of initial contact, and ransom demands can arrive within 30 minutes of the attackers leaving the environment.

The campaign also reinforces the need to treat legal, financial, and professional services data repositories as high-value extortion targets. Document management platforms, cloud storage repositories, and sensitive client files require tighter monitoring because the attackers are not focused on encryption. They are focused on stealing data and using client, regulatory, and reputational pressure to force payment.

3 practical actions

  1. Verify IT support interactions before allowing remote access: The attackers impersonate corporate IT staff and convince employees to join support sessions through Microsoft Teams, Zoom, Quick Assist, or Microsoft Terminal Services. Organizations should require employees to confirm unexpected IT support requests through a separate trusted channel before joining sessions, installing software, or granting remote control.
  2. Restrict and monitor remote access tools: Silent Ransom Group tricks targets into installing tools such as AnyDesk, Zoho Assist, Bomgar, and SuperOps to gain initial access. CISOs should limit which remote monitoring and management tools are approved, block unauthorized installations, and alert on new remote access tool usage across endpoints.
  3. Protect sensitive document repositories from rapid exfiltration: Once inside a network, the attackers search document management platforms and cloud storage repositories for contracts, tax records, Social Security numbers, and merger and acquisition files before exfiltrating data with tools such as WinSCP or Rclone. Security teams should monitor unusual access to sensitive repositories, flag bulk downloads, and detect use of file transfer tools commonly used for data exfiltration.
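Actions 2 and 3 both come down to watching endpoint process telemetry for the tools named above. The following is an added example, not code from the article or from any vendor it mentions: it scans a constructed, simplified process-creation log (host, user, image path, parent image, command line) and flags unapproved RMM tools, sanctioned RMM tools launched from user-writable paths, and WinSCP or Rclone execution, raising severity when the RMM install happened under a remote-support session host. The approved-tool policy, field layout, and sample records are assumptions for illustration.

```python
import re
from collections import namedtuple

# Product names taken from the advisory, matched case-insensitively against the full
# image path. APPROVED_RMM is an assumed (hypothetical) org policy: only SuperOps is sanctioned.
RMM_PRODUCTS = ("anydesk", "zoho", "bomgar", "superops")
APPROVED_RMM = {"superops"}
EXFIL_TOOLS = ("winscp", "rclone")
SESSION_PARENTS = ("teams", "zoom", "quickassist", "mstsc")   # remote-support session hosts
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|appdata)\\", re.I)

Finding = namedtuple("Finding", "host user rule severity image")

def parse_event(line):
    """Constructed record format: ts|host|user|image|parent_image|command_line."""
    ts, host, user, image, parent, cmd = line.split("|", 5)
    return {"host": host, "user": user, "image": image, "parent": parent, "cmd": cmd}

def evaluate(ev):
    image, parent = ev["image"].lower(), ev["parent"].lower()
    product = next((p for p in RMM_PRODUCTS if p in image), None)
    if product:
        if product not in APPROVED_RMM:
            rule, sev = "unapproved_rmm_tool", "high"
        elif USER_WRITABLE.search(image):      # sanctioned product, but a user-installed copy
            rule, sev = "approved_rmm_from_user_path", "medium"
        else:
            return None                        # sanctioned agent running from its managed path
        if any(s in parent for s in SESSION_PARENTS):
            sev = "critical"                   # installed while a remote-support session was active
        return Finding(ev["host"], ev["user"], rule, sev, ev["image"])
    if any(t in image for t in EXFIL_TOOLS):   # WinSCP / Rclone are the exfiltration stage
        return Finding(ev["host"], ev["user"], "file_transfer_tool", "high", ev["image"])
    return None

def scan(lines):
    return [f for f in (evaluate(parse_event(l)) for l in lines if l.strip()) if f]

SAMPLE_EVENTS = [   # constructed sample telemetry, not from a real incident
    r"2026-03-12T14:02:11Z|WS-LGL-07|jdoe|C:\Users\jdoe\Downloads\AnyDesk.exe|C:\Program Files\WindowsApps\QuickAssist.exe|AnyDesk.exe",
    r"2026-03-12T14:03:40Z|WS-LGL-07|jdoe|C:\Program Files\SuperOps\agent.exe|C:\Windows\System32\services.exe|agent.exe",
    r"2026-03-12T14:05:09Z|WS-LGL-08|asmith|C:\Users\asmith\Downloads\SuperOpsSetup.exe|C:\Windows\explorer.exe|SuperOpsSetup.exe",
    r"2026-03-12T15:11:02Z|WS-LGL-07|jdoe|C:\Users\jdoe\AppData\Local\Temp\rclone.exe|C:\Windows\System32\cmd.exe|rclone.exe copy D:\Matters remote:drop",
    r"2026-03-12T15:12:30Z|WS-LGL-07|jdoe|C:\Windows\System32\notepad.exe|C:\Windows\explorer.exe|notepad.exe",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.rule}: {f.user}@{f.host} ran {f.image}")
```

Substring matching on product names is deliberately coarse; in production, key the RMM and transfer-tool rules on code-signing identity or binary hashes from your EDR rather than path text.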

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.