Extortion Group Conducts Social Engineering Campaign Impersonating Victim’s IT Department
Silent Ransom Group, a data theft and extortion group that targets law firms, healthcare organizations, and insurance and finance companies, is conducting a social engineering campaign posing as IT support workers. Silent Ransom Group (aka Luna Moth, Chatty Spider, UNC3753) is a financially motivated threat group that, as the name suggests, quietly infiltrates networks, exfiltrates sensitive data, and demands payment to prevent the stolen data from being publicly leaked or sold. The group does not use ransomware to encrypt files.
Silent Ransom Group has demonstrated a penchant for attacking U.S. law firms, although it has conducted attacks on other sectors such as insurance, finance, and healthcare, where the leaking of sensitive data can cause significant reputational harm and regulatory scrutiny. Silent Ransom Group has conducted phishing campaigns in the past, using social engineering techniques to trick employees into installing remote access software.
One such campaign involved phishing emails notifying the recipient about a subscription for a service that was about to incur a charge. The recipient was told that in order to prevent that charge, they must call the telephone number provided in the email. The call would be answered, and the user would be tricked into downloading remote access software, which was used to gain persistent access to the user’s systems. Data would be identified and exfiltrated, and a ransom demand would then be issued.
The latest campaign has been running since at least Spring 2026, according to a recent Federal Bureau of Investigation (FBI) Cyber Alert. A Silent Ransom Group actor poses as an employee of the victim’s IT department, contacting the victim over the telephone. In some cases, email will be used, requesting the victim contact the threat actor by phone.
Over the telephone, the user will be directed to grant access to a remote desktop session under the guise of fixing an IT issue. Should that attempt fail, the threat actor will arrange to visit the victim’s location in person to fix the issue. On an in-person visit, the threat actor will insert a storage device into the victim’s computer. The victim is told that they need to image the device or create a backup file to address potential impacts from the phishing email.
Once access is gained to a device, either physically or via a remote session, the actor performs little or no privilege escalation and quickly exfiltrates data, either to internal file-sharing platforms such as Google Drive or Microsoft OneDrive, or using WinSCP or Rclone. On in-person visits, data is copied onto an external hard drive or USB drive.
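Because the exfiltration stage described above relies on commodity tools (Rclone, WinSCP) rather than malware, process-creation telemetry is one place defenders can catch it. The following is an added detection example, not code from the FBI alert or HIPAA Journal; it scans constructed Sysmon-style process events (field names Image, OriginalFileName, CommandLine are assumptions) for these tools, including a binary renamed to hide its purpose.

```python
"""Flag process-creation events matching the exfiltration tooling above.

Added example, not from the FBI alert. Event dicts are constructed to
resemble Sysmon Event ID 1 fields; the field names are assumptions."""
import re

# Original PE names of the tools named in the alert. Matching on
# OriginalFileName (from the PE version resource) catches a renamed copy.
EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}

# Rclone uploads look like "copy|sync|move <src> <remote>:<path>" where
# <remote> is a configured name (e.g. a Google Drive or OneDrive remote).
# The remote name must be 2+ chars so a drive letter like "D:" is ignored.
RCLONE_UPLOAD = re.compile(r"\b(copy|sync|move|copyto)\b.*\s([A-Za-z][\w-]+):", re.I)

def classify(event):
    """Return a reason string if the event is suspicious, else None."""
    orig = event.get("OriginalFileName", "").lower()
    exe = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    cmd = event.get("CommandLine", "")
    if orig not in EXFIL_TOOLS and exe not in EXFIL_TOOLS:
        return None
    tool = orig or exe
    if orig and exe != orig:                      # binary renamed on disk
        return f"{tool} running under renamed image {exe}"
    if tool == "rclone.exe" and RCLONE_UPLOAD.search(cmd):
        return f"rclone upload to remote: {cmd}"
    return f"{tool} executed"

def find_exfil_events(events):
    """Return (host, user, reason) for every event classify() flags."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append((ev["Computer"], ev["User"], reason))
    return hits

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "WS-14", "User": "CORP\\jdoe", "Image": r"C:\Windows\System32\notepad.exe",
     "OriginalFileName": "NOTEPAD.EXE", "CommandLine": "notepad.exe notes.txt"},
    {"Computer": "WS-14", "User": "CORP\\jdoe", "Image": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe",
     "OriginalFileName": "rclone.exe", "CommandLine": "svchost.exe copy D:\\Shares\\Clients gdrive:backup -P"},
    {"Computer": "WS-22", "User": "CORP\\asmith", "Image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "OriginalFileName": "WinSCP.exe", "CommandLine": "WinSCP.exe /console /script=upload.txt"},
]

if __name__ == "__main__":
    for hit in find_exfil_events(SAMPLE_EVENTS):
        print(hit)
```

Rclone execution alone is noisy on hosts where administrators legitimately use it, so in practice these hits are correlated with the user's role and with large outbound transfers rather than alerted on directly.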
In addition to raising awareness of the scam with employees, it is important to verify the identity of any individual attempting to gain physical access to company spaces. The FBI has made several recommendations for improving defenses against Silent Ransom Group attacks in the alert, including strengthening authentication controls, informing employees about the scam, and strengthening physical security controls, including conducting checks of identification documentation before granting access to the facility.