FBI Warns of Silent Ransom Group Targeting Law Firms via Scam Calls

FBI warns law firms: Silent Ransom Group uses phishing emails and fake IT calls to steal data, demanding ransom to prevent public leaks. The agency also urges victims to share ransom evidence.

HackRead

The FBI has issued a warning to US law firms about a rising cyber threat targeting the legal sector. A group known as Silent Ransom Group (SRG), also called Luna Moth or Chatty Spider, has been focusing its attacks on law firms since early 2023, using a combination of phishing emails and social engineering calls to gain access to sensitive legal data.

This group is no newcomer. Operating since 2022, SRG has a track record of targeting industries such as healthcare and insurance. But in recent months, law firms have become their top target, likely because of the sensitive client information these firms handle.

Back in November 2023, the FBI issued an alert highlighting SRG’s use of callback phishing to breach networks. In these attacks, the group sends phishing messages designed as unclickable images, often creating a false sense of urgency and providing a phone number for the recipient to call. This tactic bypasses traditional email security filters and lures victims into making contact, where the attackers then guide them into compromising their own systems.

**Their Tactics**

In line with those tactics, SRG’s new phishing campaigns are also deceptively simple. They send emails pretending to come from companies offering subscription services, warning the recipient about a small, questionable charge. To cancel, victims are instructed to call a number provided in the email. On that call, attackers convince the victim to download remote access software, giving SRG an entry point into the company’s systems.

However, what’s new about this campaign is that SRG has started calling employees directly, pretending to be from the company’s own IT department. They instruct the employee to join a remote session or visit a specific web page, again installing tools that give the attackers control. Once inside, they use tools like WinSCP or disguised versions of Rclone to quietly exfiltrate sensitive data.

After stealing the data, SRG sends ransom notes demanding payment to prevent the release or sale of the stolen information. Sometimes, they even follow up with phone calls to pressure companies into negotiations.

“Similar to their phishing emails posing as a company with a subscription, SRG will also call employees at a victim company to pressure them into engaging in ransom negotiations.”

The FBI

It is worth noting that the FBI’s alert came on the same day Cofense Intelligence’s May 2025 report revealed widespread abuse of Remote Access Tools (RATs) by cybercriminal groups. The report identified ConnectWise ScreenConnect as the most frequently abused RAT in 2025 attacks so far.

**Why Law Firms?**

Law firms make attractive targets because of the nature of their work, which involves confidential client details, corporate negotiations, and sensitive legal documents. A breach here doesn’t just threaten financial loss; it risks severe reputational harm.

However, cybercriminals’ interest in law firms and the valuable information they hold is not new. In April 2022, researchers observed scammers using AI-generated images to create fake law firm identities.

**Hard to Detect, Harder to Stop**

One reason SRG’s campaigns are effective is that they use legitimate system management and remote access tools, which are less likely to trigger antivirus alerts. Their attacks leave few traces, making post-attack investigations and protection more difficult.

This is why the FBI is urging everyone, including researchers and even victims, to share any ransom notes used by SRG during the attacks. If you have the phone number the group used to call, the wallet address they provided, or even voice call recordings, the FBI is seeking that information.

The FBI’s alert advised network administrators to watch for unusual downloads of tools like Zoho Assist, AnyDesk, Splashtop, Syncro, or Atera, and to pay attention to unexplained external file transfers using WinSCP or Rclone.
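One way to turn that guidance into a check over process-creation telemetry, as an added example that is not from the FBI alert or the original article. The event fields (`image`, `original_name` for the file name recorded in the binary's version metadata, `cmdline`), the allowlist and all sample events are assumptions constructed for illustration.

```python
import ntpath
import re

# Tool names come from the FBI guidance above; matching them as substrings
# of the image name or version metadata is an assumption of this sketch.
REMOTE_TOOLS = ("zoho", "anydesk", "splashtop", "syncro", "atera")
TRANSFER_TOOLS = ("winscp", "rclone")
APPROVED = {"splashtop"}  # hypothetical: the only tool this firm's IT uses

# rclone-style transfer: a copy/sync/move verb plus a "remote:path" argument.
# The remote name needs 2+ characters so drive letters (C:\) do not match.
RCLONE_STYLE = re.compile(r"\b(copy|sync|move)\b.*\s[\w-]{2,}:\S*", re.I)

def classify(event):
    """Return findings for one process-creation event (a dict)."""
    image = ntpath.basename(event["image"]).lower()
    original = event.get("original_name", "").lower()
    findings = []
    for tool in REMOTE_TOOLS + TRANSFER_TOOLS:
        in_image, in_meta = tool in image, tool in original
        if tool in APPROVED or not (in_image or in_meta):
            continue
        kind = "remote-access" if tool in REMOTE_TOOLS else "file-transfer"
        findings.append(f"{kind}:{tool}")
        if in_meta and not in_image:  # binary renamed to hide the tool
            findings.append(f"renamed:{tool}")
    if not findings and RCLONE_STYLE.search(event["cmdline"]):
        findings.append("rclone-style-cmdline")  # name and metadata both gone
    return findings

# Constructed sample events (hosts, paths and command lines are invented).
EVENTS = [
    {"host": "ws-14", "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "original_name": "AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    {"host": "ws-02", "image": r"C:\Program Files\Splashtop\SplashtopStreamer.exe",
     "original_name": "SplashtopStreamer.exe", "cmdline": "SplashtopStreamer.exe"},
    {"host": "ws-14", "image": r"C:\ProgramData\svcupdate.exe",
     "original_name": "rclone.exe",
     "cmdline": r"svcupdate.exe copy D:\Matters backup:matters"},
    {"host": "fs-01", "image": r"C:\ProgramData\helper.exe",
     "original_name": "", "cmdline": r"helper.exe sync D:\Clients store01:clients"},
    {"host": "ws-07", "image": r"C:\Windows\System32\cmd.exe",
     "original_name": "Cmd.Exe", "cmdline": r"cmd.exe /c copy C:\a.txt D:\b.txt"},
]

def scan(events):
    """Return (host, findings) pairs for events with at least one finding."""
    return [(e["host"], f) for e in events if (f := classify(e))]
```

Calling `scan(EVENTS)` flags the unapproved AnyDesk download and both disguised Rclone runs, while the approved Splashtop install and the local `copy` between drive letters pass. The command-line heuristic will also match other `name:path` arguments such as URLs, so treat its hits as leads to review.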

Other red flags include unexpected emails about subscription renewals, strange calls or voicemails claiming data theft, and unsolicited contact from people claiming to be part of the company’s IT team.

The Silent Ransom Group (SRG), aka Luna Moth or Chatty Spider, is targeting law firms. Tactics include IT social engineering calls and callback phishing emails to remotely access devices and steal data for extortion. Learn more about SRG’s IOCs and TTPs: https://t.co/ro96zjD1hA pic.twitter.com/pBAd89WaBJ

— FBI (@FBI) May 23, 2025

The FBI recommends paying strong attention to basic cybersecurity practices. This includes training staff to spot phishing attempts and social engineering tactics, and setting clear internal guidelines for how the IT team communicates with employees.

Additionally, using strong passwords along with two-factor authentication (2FA) across the organization and maintaining regular data backups can also help reduce the damage in case of a breach.
