On May 26, 2026, the FBI issued a FLASH alert (FLASH-20260526-01, TLP:CLEAR) regarding the Silent Ransom Group. In it, the Bureau documents an unprecedented escalation: sending an individual to a company’s offices to connect a hard drive to a workstation and exfiltrate data. As of June 15, 2026, ransomware.live had identified 115 organizations targeted by the group, including 107 in the United States; in the vast majority of cases, the group prioritizes data theft and the threat of publication over file encryption. Active since at least 2022, the group has gradually abandoned all malware. Its attack chain now relies primarily on voice-based social engineering, legitimate tools, and reputational pressure. The fact that it has resorted to sending people to knock on doors says something specific about the state of extortion in 2026, and about the limitations of defenses built exclusively around the digital perimeter.
Who is the Silent Ransom Group
Tracked under the names Luna Moth, Chatty Spider, and UNC3753, the Silent Ransom Group steals data and threatens to publish it. No more encryption, no more keys to sell. The FBI explicitly classifies it as an actor that “carries out data theft and extortion operations without resorting to traditional ransomware encryption.”
Since at least 2023, the group has primarily targeted U.S. law firms, organizations that hold third-party data with high reputational value and for which the incentive to quietly settle an extortion incident is structurally high. The sequence is now well-documented. A law firm employee receives a call from their supposed IT department, opens a screen-sharing session to resolve a security issue presented as urgent, and a few hours later, hundreds of gigabytes of confidential documents have been exfiltrated from the network. The extortion demand that follows gives the victim three days to respond, and paying guarantees nothing: Unit 42 has documented cases where the group ceased all communication after receiving payment, without providing proof that the data had been deleted.
To understand why SRG operates without a single line of malicious code, we must go back to its origins.
A connection to the Conti ecosystem and the BazarCall campaigns
Mandiant tracks UNC3753 as a distinct cluster exhibiting overlaps in tactics, techniques, and procedures with UNC2686, the cluster associated with the BazarCall campaigns. These campaigns provided Conti and Ryuk with initial access between 2021 and 2022 using a callback phishing scheme: an alarm email prompted the recipient to call back a number controlled by the attacker, who then manipulated them into installing the BazarLoader malware.
After the Conti syndicate disbanded in the spring of 2022, this cluster repositioned itself as an independent operator under the name Silent Ransom Group. The continuity is evident in the attack chain: where BazarCall deployed BazarLoader, TRICKBOT, URSNIF, and SILENTNIGHT, UNC3753 has stripped its arsenal of all malicious payloads, replacing them with legitimate remote monitoring and management (RMM) tools. The group did deploy the LockBit.Black ransomware in certain operations in 2022, before abandoning it to focus solely on extortion through data theft, a model that neutralizes victims’ primary argument for not paying: the availability of their backups.
A malware-free attack chain, completed in under an hour
Between January and May 2026, Mandiant published the first comprehensive public analysis of UNC3753’s operational cycle, based on several incident response engagements with U.S. law and financial firms. To date, this report remains the most detailed technical reference on the group.
The group’s operational cycle is distinguished by its speed. Mandiant documented incidents where the entire sequence, from initial contact to exfiltration, took place in a single business day, with the search, staging, and theft of files sometimes taking less than an hour.

The March 2025 Tactical Shift
For three years, the sequence began with subscription-themed emails (fake software renewal alerts), usually accompanied by a PDF containing a phone number for a call center controlled by the attacker. Starting in March 2025, Mandiant documents a shift: the group abandons the impersonation of third-party brands and begins posing directly as the targeted organization’s internal IT support. The operational difference is substantial: the employee no longer receives a call from an external service provider they can verify, but from a supposed member of the organization’s IT department or security team whom they have no reason to doubt, especially if a suspicious email has just provided them with a credible pretext for contacting support. Around the same time, Halcyon notes that the group began deploying AI chatbots via the Reamaze platform on typosquatted helpdesk portals in the names of the targeted organizations, thereby automating the initial point of contact with victims. It is this shift that the FBI in turn documents in its May 2026 alert.
Initial access via vishing
The sequence begins with an innocuous email regarding an invoice, sent from a general-purpose account. It contains neither active links nor attachments: its sole purpose is to establish a credible pretext for the call that follows. Posing as internal IT support or a member of the security team, an attacker directly calls the targeted employee – identified from the organization’s public directories (website, LinkedIn) – at all organizational levels. They then guide the target into a screen-sharing session via Zoom, Microsoft Teams, Quick Assist, or Microsoft Remote Desktop services, and use this visual control to install an RMM agent: AnyDesk, Bomgar, Zoho Assist, or, in some cases, SuperOps. The installation is triggered by a cURL command transmitted via Privnote, a self-destructing messaging service that leaves no trace in browser history or corporate email logs.
The Shift to Internal Infrastructure
Once access is established, the attackers pivot to the internal infrastructure. They have been observed exploiting Zoom sessions on personal devices (BYOD) to reach the company’s VDI infrastructure via native Windows 365 or Citrix clients. From these virtual environments, they map local folders, active OneDrive folders, and mapped network shares. In law firms, they specifically target document management platforms like iManage, where they run keyword searches to locate tax files (W-2, W-9, 1099 forms), audits, client contracts, and Social Security numbers.
Exfiltration via consumer-grade channels
Exfiltration adapts to existing controls. The group uses portable versions of WinSCP or Rclone for bulk FTP/SFTP transfers. When endpoint controls allow it, the attackers connect directly from the victim’s browser to a consumer file-sharing account they control (Google Drive, among others) and drag-and-drop the staged files, which they sometimes rename to mimic the target organization’s branding. In an incident documented by Mandiant, the group exfiltrated 1.7 GB from the local OneDrive folder to Google Drive, then pivoted to the VDI to exfiltrate an additional 14.4 GB via WinSCP. Google has since disabled the associated Drive accounts. In other cases, the attackers had the victims themselves transfer files directly from iManage, instructing them to email them to controlled addresses. But since the spring of 2026, the sequence no longer stops at the digital perimeter.
From vishing to physical intrusion: fake technicians sent to offices
Since spring 2026, the FBI has documented an unprecedented escalation: when remote social engineering fails, an individual is physically sent to the targeted organization’s premises. Posing as an IT technician, they convince staff that they need to copy the hard drive or create a local backup to address the aftermath of a detected phishing email. Once access to a workstation is gained, they connect a USB drive or external hard drive and exfiltrate the data directly.
The FBI describes this escalation in its FLASH alert dated May 26, 2026: “If this attempt fails, SRG sends a cybercriminal to the victim’s location to access their computer and insert a storage device. As part of this scheme, the cybercriminal explains to the victim that they need to create an image of the device or a backup file to mitigate the potential consequences of the phishing email.”

Mandiant assesses that these physical intrusions are likely linked to UNC3753, based on cross-referencing of structure, timeline, and targeting. Researchers note, however, that “the lack of forensic evidence and the absence of subsequent extortion attempts preclude any official attribution.”
For targeted organizations, the challenge is now twofold: how to verify the identity of a caller on the phone, and how to verify the identity of a visitor who shows up at the front desk claiming to be from IT support.
Why U.S. law firms are the ideal target
Targeting U.S. law firms has been a consistent pattern for the group since at least 2023. The FBI issued an initial advisory in May 2025, followed by a FLASH alert in May 2026 – exactly one year later – which indicates a persistent threat.
The profile of these targets fits the model of an operator that relies on reputation-based extortion rather than encryption. Law firms handle large volumes of highly sensitive data (client transaction files, merger and acquisition plans, trade secrets, regulatory reports); they are subject to strict confidentiality obligations and significant regulatory exposure; and they have a strong incentive to settle an extortion incident discreetly to protect their professional reputation. Resecurity notes that in the first quarter of 2026, law firms accounted for nearly a quarter of all tracked ransomware incidents, making them the fourth most targeted sector. Beyond the legal sector, the group also targeted accounting firms and the insurance, finance, healthcare, and hospitality sectors.
In June 2026, the group’s LEAKEDDATA leak site (business-data-leaks[.]com) listed nearly 100 victim organizations according to Resecurity, while ransomware.live had recorded 115 as of June 15, 2026, including 107 in the United States: Business Services (63 victims) and Financial Services (42 victims) were the most targeted sectors. The group itself claims that the vast majority of targeted firms agree to pay, which puts the actual number of attacks well above the number of victims published on the leak site.
A pure extortion model, designed to apply pressure
The absence of encryption is the cornerstone of the group’s business model. Unlike classic double extortion, which combines encryption with the threat of a leak, the Silent Ransom Group operates solely on the reputational front: data is stolen and then used as leverage for extortion.
Extortion communications often arrive within 30 minutes of the attackers exiting the target environment. They give the organization three days to begin negotiations. If there is no response, the group threatens to contact the victim’s employees, partners, and customers directly to alert them of the breach – adding external pressure to the internal pressure – and announces the publication of the exfiltrated data on LEAKEDDATA. The typical extortion email, an example of which Mandiant has published, emphasizes regulatory risks, fines, claims from aggrieved customers, and reputational damage, before concluding with an explicit deadline: “You have 3 days to begin communication.” The logic is sound: this model is faster to implement than a ransomware deployment, requires no malware development, leaves few forensic traces, and directly bypasses the victims’ primary defense – restoring from a backup.
A leak site on the clearnet, masked by a fast-flux network
While the vast majority of ransomware groups host their leak sites on Tor, the Silent Ransom Group exposes its site on the clearnet. Resecurity sees this as a deliberate choice: to facilitate access for victims without a Tor browser, increase public visibility to amplify reputational pressure, and simplify the infrastructure. A leak site accessible from any mainstream browser turns every publication into an event viewable by everyone.

This exposure is mitigated by a fast-flux DNS infrastructure. Resecurity has identified that the group’s two main domains, ep6pheij[.]com and business-data-leaks[.]com, operate on a fast-flux network powered by a botnet of 24 IP addresses spread across 18 countries and 22 distinct ISPs. In practice, the two domains never point to the same server for more than a few minutes: each DNS query simultaneously returns 10 to 18 IP addresses, which are rotated every 2 to 3 minutes. All IP addresses correspond to residential connections, likely compromised home routers, modems, and gateways (IoT and CPE devices). 50 to 60% of the connections are shared between the two domains, confirming a single operator. The highest geographical concentration is in Latin America (50% of nodes), with infected home devices in Bolivia, Mexico, Argentina, Ecuador, Colombia, and the Caribbean.
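The rotation pattern described above (large answers, short TTLs, a pool of residential IPs across many networks, most of the answer replaced between lookups) can be turned into a simple detection heuristic. The following is an added example, not code from the article or from Resecurity; the DNS answer snapshots, IP pool and ASN numbers are constructed, and in practice the snapshots would come from passive DNS or repeated resolver queries.

```python
"""Fast-flux heuristic over a series of DNS answer snapshots for one name."""
from dataclasses import dataclass


@dataclass
class Snapshot:
    t: int            # seconds since first observation (constructed)
    ttl: int          # TTL on the A records of this answer
    ips: frozenset    # A records returned by this lookup


def fast_flux_features(snaps, asn_of):
    """Summarise a series of answers; asn_of maps IP -> origin ASN."""
    all_ips = frozenset().union(*(s.ips for s in snaps))
    distinct_asns = {asn_of[ip] for ip in all_ips if ip in asn_of}
    # Fraction of each answer that was not in the previous answer.
    churn = [len(b.ips - a.ips) / len(b.ips) for a, b in zip(snaps, snaps[1:])]
    return {
        "distinct_ips": len(all_ips),
        "avg_answer_size": sum(len(s.ips) for s in snaps) / len(snaps),
        "avg_churn": sum(churn) / len(churn) if churn else 0.0,
        "distinct_asns": len(distinct_asns),
        "max_ttl": max(s.ttl for s in snaps),
    }


def is_fast_flux(f, min_ips=10, min_churn=0.5, min_asns=5, max_ttl=300):
    """Many short-lived IPs over many ASNs, with answers that mostly
    change between consecutive lookups. Thresholds are assumptions."""
    return (f["distinct_ips"] >= min_ips
            and f["distinct_ips"] > 1.5 * f["avg_answer_size"]
            and f["avg_churn"] >= min_churn
            and f["distinct_asns"] >= min_asns
            and f["max_ttl"] <= max_ttl)


# --- constructed data: 24 documentation-range IPs over 18 private ASNs ---
POOL = [f"203.0.113.{i}" for i in range(1, 25)]
ASN_OF = {ip: 64512 + i % 18 for i, ip in enumerate(POOL)}


def window(start, size=12):
    """Answer of `size` records starting at POOL[start], wrapping around."""
    return frozenset(POOL[(start + k) % len(POOL)] for k in range(size))


# Leak-site style: 12 records per answer, 8 of them rotated every 3 minutes.
LEAK_SITE = [Snapshot(t=180 * k, ttl=120, ips=window(8 * k)) for k in range(4)]
# Stable host for contrast: same two records, one ASN, every lookup.
CDN_HOST = [Snapshot(t=600 * k, ttl=300,
                     ips=frozenset({"198.51.100.7", "198.51.100.8"})) for k in range(4)]
CDN_ASN = {"198.51.100.7": 64999, "198.51.100.8": 64999}

if __name__ == "__main__":
    for name, snaps, asn in (("leak site", LEAK_SITE, ASN_OF), ("cdn host", CDN_HOST, CDN_ASN)):
        f = fast_flux_features(snaps, asn)
        print(name, f, "FAST-FLUX" if is_fast_flux(f) else "stable")
```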
Both domains are registered with Web Commerce Communications Limited (WebNic[.]cc), an ICANN-accredited registrar in Southeast Asia, which also manages the nameservers orchestrating the rotation of IP addresses. The leak site uses a token mechanism similar to Traffic Distribution Tokens (TDS), which generates dynamic URLs to direct each visitor to a specific folder of stolen data. This system serves a dual purpose: facilitating victims’ access to their own exfiltrated data, while preventing automated scraping of the site’s index, which complicates analysis by third parties and researchers. Resecurity also identified, in May 2026, a related project named Spy Corporate (spycorp[.]pro), which shares the same IP rotation infrastructure, the same CSRF token mechanism, and the same registrar, with a law firm among its first published victims.

Two FBI alerts in one year, zero arrests
The institutional response was limited to advisories. The FBI issued a private sector advisory in May 2025, followed by a FLASH alert in May 2026 that broadened the threat scope by explicitly including physical intrusion attempts – an escalation the Bureau deemed serious enough to classify as a standalone attack indicator. To date, no arrests, indictments, or sanctions have been publicly linked to the group.
Mandiant notes that the group’s almost exclusive use of legitimate tools (commercial RMMs, consumer file-sharing applications, ephemeral communications) leaves very few actionable traces after an incident. The FBI confirms this in its FLASH alert: “Recent campaigns conducted by the SRG have left few traces on compromised machines. Traditional antivirus software is also unlikely to detect the intrusion, as the SRG generally uses legitimate system management or remote access tools to carry out its attacks.” The FBI further notes that the use of these tools should not be considered malicious in and of itself without analytical evidence that they are being used under the group’s direction.
Recommended defenses against vishing and physical intrusion
The recommendations from Mandiant and the FBI converge on a few concrete measures. The first line of defense is identity verification via a separate channel. Any request for remote access initiated by an unsolicited call or email must be confirmed through an independent channel (a callback to an official listed number, confirmation with the direct supervisor) before opening a screen-sharing session, even if the caller appears to know internal details of the organization. This vigilance also applies to visitors: the FBI recommends systematically copying the official ID of any external technical service provider arriving on-site.
Environments must then audit and block the installation of any unapproved RMM tools via application control policies (Windows Defender Application Control or equivalents) that prevent the execution of unlisted binaries, and restrict interactive screen-sharing features in Zoom and Teams for non-technical staff. Conditional access policies must ensure that only devices managed by the organization authenticate on the VDI or VPN infrastructure, with enhanced MFA (step-up) when a personal device accesses it. To prevent physical data exfiltration, read/write capabilities on USB drives and removable media must be disabled via GPO or MDM, on both corporate devices and BYOD devices used as VDI entry points.
Detection of ongoing data exfiltration remains a challenge. Comprehensive logging of transfers at the firewall level, alerts on outbound connections to unauthorized file-sharing APIs, and monitoring of SSH traffic (port 22) for high-volume WinSCP and Rclone transfers help identify data exfiltration. In iManage, SharePoint, or similar environments, real-time alerts on massive searches, spikes in search terms, and bulk downloads serve as an early warning sign.
What this model says about extortion in 2026
The Silent Ransom Group has rendered part of endpoint-focused defensive investment obsolete: no EDR flags WinSCP or Zoom as a threat, and no antivirus blocks a phone call. The same shift toward voice-based social engineering is evident among other English-speaking actors, such as in the vishing campaign carried out by ShinyHunters against the SSO accounts of global companies: the human element is once again the perimeter.
Physical intrusion crosses another threshold. This means that digital perimeter security is no longer sufficient if access to the premises is not subject to equivalent authentication procedures: for a law firm or a financial services provider, an unannounced visitor claiming to be from IT support becomes a full-fledged attack vector. And the group’s rise coincides with a decline in the ransom payment rate by 2025: as victims become more resistant to encryption, betting on reputation, confidentiality, and regulatory pressure becomes a profitable alternative, without the technical burden of developing new defenses.
As long as the reputational value of third-party data held by law firms, auditors, insurers, and healthcare providers exceeds the cost of a ransom, the economic logic of the Silent Ransom Group will remain intact. Its most effective weapon is not an encryption tool, but a phone call – and that is precisely what makes it difficult to stop with conventional tools.
Sources
Google Cloud Blog / Mandiant: Ongoing Targeted Campaign Against US Law Firms
Resecurity: Silent Ransom Group (SRG): Uncovering DNS Fast Flux Infrastructure
BleepingComputer: Silent Ransom Group targets law firms with fake IT support calls
BleepingComputer: FBI warns of in-person data theft attacks from extortion gang
Infosecurity Magazine: Silent Ransom Group Uses In-Person IT Impersonation to Breach Systems
Ransomware.live: SilentRansomGroup
SecurityWeek: Silent Ransom Group Uses DNS Fast Flux in Attacks