For years, ransomware attacks followed a predictable script. A phishing email arrives. Someone clicks a link. Files get encrypted. A ransom note appears. That script has now been rewritten. The FBI recently warned that a ransomware group is taking a different approach. Instead of hiding behind screens, its members show up at law firms in person. This escalation blends digital deception with physical intrusion, creating a new and dangerous threat for the legal sector. Understanding this hybrid attack model is critical for any firm that handles sensitive client data.

How does Silent Ransom Group initially gain access to law firms?
The Silent Ransom Group (SRG), which also operates under names like Luna Moth, Chatty Spider, and UNC3753, relies heavily on social engineering. Their primary method involves impersonating IT support personnel. An attacker will call or email an employee, claiming to be from the firm’s internal tech team.
The message often carries a sense of urgency. The fake IT staffer might say there is a critical security update needed or that the employee’s workstation has triggered an alert. The goal is to convince the victim to grant remote desktop access to their computer. Once the attacker connects, they can move laterally through the network without needing to exploit software vulnerabilities.
This approach targets human psychology rather than technical flaws. It exploits trust in internal authority figures. The FBI’s Internet Crime Complaint Center (IC3) published a warning noting that SRG has targeted law firms specifically since spring 2023. The group has been active since 2022 and has also victimized insurance, finance, and healthcare organizations. Their playbook is proven across multiple industries.
Mini Payoff: They pose as IT support via phone calls or phishing emails, tricking victims into granting remote desktop access.
What makes law firms an attractive target for this group?
Law firms hold a unique combination of assets that make them irresistible to cybercriminals. They store vast amounts of confidential client data, including financial records, intellectual property, merger details, and personal identifying information. This data is not just valuable — it is protected by strict ethical and legal obligations.
Attorney-client privilege adds another layer of pressure. If a firm’s data is leaked, clients may sue for malpractice or breach of confidentiality. Regulators may impose fines. The firm’s reputation can suffer irreparable damage. These consequences create a strong incentive to pay a ransom quickly, without involving law enforcement or forensic investigators.
Attackers understand this calculus. They know that law firms are under regulatory pressure to resolve incidents quickly. They also perceive law firms as willing to pay ransoms to protect privileged materials from public exposure. This makes the legal sector a high-value target compared to other industries where data sensitivity may be lower.
Mini Payoff: Law firms hold sensitive client data, face regulatory pressure, and are perceived as willing to pay ransoms to protect attorney-client privilege.
What is unusual about SRG’s recent tactics?
Here is where it gets interesting. Most ransomware groups operate entirely remotely. They never see their victims. SRG has broken that pattern. In some cases, when phone phishing fails, the group sends a threat actor to the victim’s physical location. The attacker arrives in person, claiming to be a technician who needs to image the device or create a backup file.
The pretext is plausible. The fake technician tells the employee that the earlier phishing email may have caused damage, and they need to scan the computer or install security software. Once granted physical access, the threat actor inserts a storage device — typically a USB drive or external hard drive — directly into the victim’s computer.
This in-person approach bypasses many traditional security controls. Network firewalls, endpoint detection systems, and multi-factor authentication do not stop someone who is physically present and authorized to be in the building. The attacker can quickly escalate privileges and begin exfiltrating data without deploying encryption malware. SRG is known for conducting data theft extortion attacks that skip the encryption step entirely.
Mini Payoff: They have escalated to in-person visits where a threat actor inserts a storage device into the victim’s computer.
What tools does SRG use to exfiltrate stolen data?
Once SRG gains access, they move fast. They use common, legitimate tools that blend in with normal network activity. The FBI advisory identifies two primary tools: Windows Secure Copy (WinSCP) and a hidden or renamed version of Rclone. Both are file transfer utilities that system administrators use daily.
WinSCP is a graphical file transfer client that supports SFTP, FTP, and SCP protocols. Attackers can use it to copy files from the victim’s computer to a remote server. Rclone is an open-source command-line program designed for syncing files to cloud storage platforms. SRG often renames the Rclone executable or hides it to avoid detection by security software.
Depending on the situation, data is exfiltrated to file-sharing platforms like Google Drive or Microsoft OneDrive. In cases where the attacker visits in person, the data may be copied directly to a physical disk or USB drive. This flexibility allows the group to adapt its exfiltration method to the victim’s environment. It does not rely on a single technique.
Mini Payoff: They use WinSCP or Rclone to exfiltrate data to cloud storage like Google Drive or to physical drives.
What indicators can help detect an SRG attack?
Recognizing the signs of an SRG attack early can prevent data loss. The FBI’s advisory lists several indicators that security teams and employees should watch for. Unauthorized downloads of remote access tools are a major red flag. If an employee installs software like TeamViewer, AnyDesk, or LogMeIn without a legitimate business reason, it should trigger an investigation.
Another indicator is the presence of unknown USB drives or external hard drives connected to workstations. Employees should be trained to question anyone who appears unannounced claiming to need physical access to a computer. Threat actors often pose as IT support, so verifying identity through a separate communication channel is essential.
Network monitoring teams should look for unexpected WinSCP or Rclone connections. These tools often generate traffic to cloud storage services or IP addresses not normally used by the firm. A sudden spike in outbound data transfer, especially outside business hours, is another warning sign. Finally, any call or email from someone claiming to be IT support that pressures the recipient to act quickly should be treated with suspicion.
Mini Payoff: Look for unauthorized downloads of remote access tools, unknown USB drives, WinSCP/Rclone connections, and unidentified individuals claiming to be IT support.
How law firms can defend against ransomware social engineering attacks
The tactics used by SRG are a form of social engineering-driven ransomware attack that requires a layered defense. Technical controls alone are not enough when attackers can walk through the front door. Firms must combine security awareness training, strict physical access policies, and robust monitoring.
Employee training should cover the specific scenarios SRG uses. Staff must know how to verify the identity of anyone claiming to be from IT. A simple callback to a known internal number can stop an attack. They should also understand that no legitimate technician will ask them to download remote access software or insert an unknown USB drive.
Physical security policies should require visitors to sign in, wear badges, and be escorted at all times. Unannounced IT personnel should be treated as suspicious until verified. Workstations should have USB ports disabled or restricted to authorized devices only. Network segmentation can limit the damage if an attacker gains access to a single machine.
On the technical side, firms should monitor for the specific tools SRG uses. Deploying endpoint detection and response (EDR) solutions that can flag renamed copies of Rclone or unexpected WinSCP usage is a practical step. Logging and alerting on outbound data transfers to cloud storage services can catch exfiltration in progress. Regular security audits and penetration tests should include social engineering scenarios that mimic SRG’s methods.
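The detections described in the indicators and defense sections above (a renamed copy of Rclone, WinSCP or Rclone connecting to an unapproved destination, bulk after-hours outbound transfer, and a remote access tool launched from a user-writable path), as an added Python example that is not part of the FBI advisory or this article. The event fields mirror Sysmon process-create and network-connect records; the allowlist, thresholds and sample events are constructed assumptions.

```python
from datetime import datetime

EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}                  # PE original names named in the advisory
REMOTE_ACCESS_TOOLS = {"teamviewer.exe", "anydesk.exe", "logmein.exe"}
APPROVED_TRANSFER_HOSTS = {"sftp.firm.example"}             # assumed firm allowlist (placeholder)
BUSINESS_HOURS = range(8, 19)                                # assumed 08:00-18:59
BULK_BYTES = 500 * 1024 * 1024                               # assumed 500 MiB per connection

# Constructed sample events (not real telemetry). "process" rows carry the
# OriginalFileName read from the PE header, which survives renaming on disk.
EVENTS = [
    {"type": "process", "image": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe",
     "original_file_name": "rclone.exe",
     "cmdline": r"svchost.exe copy D:\Matters gdrive:/backup -P", "time": "2025-03-14T22:10:00"},
    {"type": "process", "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "original_file_name": "winscp.exe", "cmdline": "WinSCP.exe", "time": "2025-03-14T10:02:00"},
    {"type": "network", "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "dest_host": "sftp.firm.example", "bytes_out": 2_000_000, "time": "2025-03-14T10:05:00"},
    {"type": "network", "image": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe",
     "dest_host": "www.googleapis.com", "bytes_out": 900_000_000, "time": "2025-03-14T22:12:00"},
    {"type": "process", "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "original_file_name": "anydesk.exe", "cmdline": "AnyDesk.exe", "time": "2025-03-14T09:40:00"},
]


def analyze(events):
    """Return (rule, detail) alerts for the SRG indicators discussed in the text."""
    alerts = []
    # Pass 1: learn each executable's true identity from process-create events,
    # so network events from a renamed binary can be attributed to the real tool.
    identity = {e["image"].lower(): e["original_file_name"].lower()
                for e in events if e["type"] == "process"}
    for e in events:
        img = e["image"].lower()
        on_disk_name = img.rsplit("\\", 1)[-1]
        true_name = identity.get(img, on_disk_name)
        hour = datetime.fromisoformat(e["time"]).hour
        if e["type"] == "process":
            if true_name in EXFIL_TOOLS and true_name != on_disk_name:
                alerts.append(("renamed_exfil_tool", f"{e['image']} is {true_name}"))
            if true_name in REMOTE_ACCESS_TOOLS and not img.startswith(r"c:\program files"):
                alerts.append(("remote_access_tool", e["image"]))
        else:
            if true_name in EXFIL_TOOLS and e["dest_host"] not in APPROVED_TRANSFER_HOSTS:
                alerts.append(("unapproved_transfer_host", f"{true_name} -> {e['dest_host']}"))
            if e["bytes_out"] >= BULK_BYTES and hour not in BUSINESS_HOURS:
                alerts.append(("bulk_after_hours", f"{e['bytes_out']} bytes to {e['dest_host']}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in analyze(EVENTS):
        print(f"{rule}: {detail}")
```

The renamed binary is caught twice, once at launch and again when its network connection is attributed back to Rclone, which is the correlation an EDR rule needs when the on-disk name alone looks benign.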
Frequently Asked Questions
How can a law firm verify a person claiming to be from IT support?
Establish a clear verification protocol. The employee should hang up the phone or close the chat window and call the internal IT help desk number directly. Do not use any contact information provided by the caller. If the person is on site, ask for their employee ID and call the IT department to confirm their identity before allowing access to any computer.
What is the difference between a traditional ransomware attack and a data theft extortion attack?
In a traditional ransomware attack, the attacker encrypts the victim’s files and demands payment for the decryption key. In a data theft extortion attack, the attacker steals sensitive data and threatens to leak it publicly unless a ransom is paid. SRG uses the latter method, skipping encryption entirely. This approach can be harder to detect because files are not locked or modified.
Is it safe to use cloud storage platforms like Google Drive after an SRG attack?
If your firm has been compromised, assume that any cloud storage accounts used by the attacker are also compromised. Change all passwords immediately, enable multi-factor authentication, and review sharing permissions. The attacker may have used a compromised account to upload data. Work with a forensic investigator to determine the full scope of the breach before resuming normal operations.