
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Silent Ransom Group Targets U.S. Law Firms with Vishing Attacks

The Cyber Division of the Federal Bureau of Investigation (FBI) has issued a warning to U.S. law firms about targeted attacks by the Silent Ransom Group. Since Spring 2023, the group has been consistently targeting U.S. law firms, although it has also conducted attacks in many sectors, including healthcare.

The Silent Ransom Group has been in operation since 2022 and engages in data theft and extortion, breaching company networks, exfiltrating sensitive data, and issuing ransom demands. The group threatens to sell the stolen data or publish it on its dark web data leak site if the ransom is not paid. The group is known to contact employees at the attacked company to pressure them into engaging in ransom negotiations. Law firms are being targeted as they hold large volumes of highly sensitive data, and are thought to be more likely to pay a ransom to prevent the sale or publication of stolen data.

The Silent Ransom Group primarily gains access to victims’ networks through callback phishing campaigns that impersonate companies that offer subscription plans for their services, such as Duolingo and Masterclass. The emails advise recipients that the subscription for the service is about to incur a charge, and that to prevent the charge from being applied, they must call the customer service team using the number provided in the email. The subscription charges are relatively small, so the emails are unlikely to arouse major suspicion, and since the emails contain no malicious hyperlinks or attachments, they are unlikely to be flagged or quarantined by email security solutions.

If the user calls the number, social engineering tricks are used to convince the user to download a remote access solution such as Zoho Assist or AnyDesk in order to remove the software, as the user is told that this is the only way to prevent the subscription charge from being applied. If the user installs the software, they give Silent Ransom full control of their device. The user is told that the uninstall has been successful, and they will not be charged. After achieving persistence, Silent Ransom searches for sensitive data, exfiltrates files to private servers, and issues a ransom demand via email.


The FBI has observed new tactics being used by Silent Ransom since March 2025. Rather than callback phishing, the group has started vishing attacks posing as an employee of the company’s IT department. Similar to the callback phishing attacks, Silent Ransom seeks to establish a remote access session, in this case, to fix a fictitious IT issue. Once the employee has provided access, they are told that the work to fix the issue needs to be performed overnight. These attacks require minimal privilege escalation, followed by data exfiltration through “WinSCP” (Windows Secure Copy) or a hidden or renamed version of “Rclone.” Since living-off-the-land techniques are used, the threat actor’s activities are rarely flagged by security solutions.

The FBI has shared indicators of attacks, including unauthorized downloads of remote monitoring tools, WinSCP and Rclone connections to external IP addresses, unsolicited calls from individuals claiming to work in the IT department, and emails about subscription services that require a phone call to resolve. Due to the difficulty of blocking the initial emails, it is vital that this attack technique is covered in security awareness training. Other recommendations include developing and communicating policies regarding how contact will be made with employees by the IT department, and ensuring two-factor authentication is implemented for all employees. In the event of an attack, the FBI recommends sharing as much information as possible about the attack with the FBI.
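The endpoint indicators listed above can be checked against process and network telemetry. The following is an added example, not code from the FBI notice or The HIPAA Journal: it assumes Sysmon-style events (Event ID 1 with `OriginalFileName`, Event ID 3 with `DestinationIp`), assumed binary names for AnyDesk and Zoho Assist, and an assumed list of internal address ranges.

```python
import ipaddress
from pathlib import PureWindowsPath

EXFIL_TOOLS = {"winscp.exe", "rclone.exe"}          # tools named in the FBI indicators
REMOTE_ACCESS = {"anydesk.exe", "zohoassist.exe"}   # assumed binary names
INTERNAL = [ipaddress.ip_network(n) for n in        # assumed internal ranges
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def triage(events):
    """Return sorted (host, finding) pairs from Sysmon-style events."""
    tool_by_path = {}   # (host, image path) -> real tool name, learned from Event ID 1
    findings = set()
    for e in events:
        host, path = e["Host"], e["Image"].lower()
        name = PureWindowsPath(path).name
        if e["EventID"] == 1:        # process creation
            original = e.get("OriginalFileName", "").lower()
            if original in EXFIL_TOOLS:
                tool_by_path[(host, path)] = original
                if name != original:  # PE metadata disagrees with the file name
                    findings.add((host, f"{original} renamed to {name}"))
            elif name in REMOTE_ACCESS or original in REMOTE_ACCESS:
                findings.add((host, f"remote access tool {name}"))
        elif e["EventID"] == 3:      # network connection (carries no OriginalFileName)
            tool = tool_by_path.get((host, path), name if name in EXFIL_TOOLS else None)
            if tool and is_external(e["DestinationIp"]):
                findings.add((host, f"{tool} connected to {e['DestinationIp']}"))
    return sorted(findings)

# Constructed sample events (not from the FBI notice or any real incident).
SAMPLE = [
    {"EventID": 1, "Host": "WS-014", "Image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "OriginalFileName": "AnyDesk.exe"},
    {"EventID": 1, "Host": "WS-014", "Image": r"C:\ProgramData\upd\svcupd.exe",
     "OriginalFileName": "rclone.exe"},
    {"EventID": 3, "Host": "WS-014", "Image": r"C:\ProgramData\upd\svcupd.exe",
     "DestinationIp": "203.0.113.40"},
    {"EventID": 3, "Host": "WS-022", "Image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "DestinationIp": "10.20.0.8"},
]

if __name__ == "__main__":
    for host, finding in triage(SAMPLE):
        print(host, finding)
```

Because network events identify a process only by its image path, the renamed Rclone binary is tied to its outbound connection through the path recorded at process creation.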

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
