The FBI recently issued a warning to law firms about ongoing and increasing cyber threat activity by the Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753. The group is specifically targeting law firms using sophisticated social engineering tactics designed to access and extort sensitive data.
What is the Silent Ransom Group?
Silent Ransom Group is not new to the threat landscape, having previously surfaced in 2022. At the time, SRG attempted to breach firms primarily using callback phishing emails. SRG would send mass phishing emails offering bogus subscription plans for a small fee. To cancel this supposed “subscription,” the target was directed to call a number, ultimately connecting to the threat actor. SRG would then email the target a link under the pretense of canceling the subscription. However, once the link was clicked, remote access software was downloaded, giving SRG access to the person’s device or even the firm’s entire network.
SRG has now shifted its tactics.
What is Silent Ransom Group’s Latest Attack Method?
Silent Ransom Group is specifically and aggressively targeting law firms using phone-based social engineering whereby threat actors impersonate IT staff to gain unauthorized access to a firm’s network. SRG calls an individual and poses as an IT team member. SRG directs the employee to join a remote access session via email or webpage. Once the threat actor accesses the network, they quickly exfiltrate sensitive data. Similar to the phishing scheme, SRG then demands ransom payments or else they will publicly release the sensitive data. SRG has also been observed calling other employees at the breached firm to pressure them into engaging in ransom negotiations.
Because the target legitimately provides access to the cyber threat actor, the data exfiltration happens very quickly, and minimal digital footprints are left behind. As a result, the breach often goes undetected until the law firm receives a ransom demand from SRG.
Why Target Law Firms?
Law firms are generally a popular target of cyber actors due to the nature of the industry. Law firms hold a tremendous amount of valuable and sensitive client information, including intellectual property, personally identifiable information (PII), financial records, client communication, legal documents, and litigation strategies. Law firms tend to be highly risk-averse when it comes to potential data exposure and reputational harm, which often leads them to pay the ransom quickly and quietly.
What are the Indicators of Compromise?
Due to the nature of these breach tactics, traditional cybersecurity mechanisms may not be effective in preventing the attack or alerting the law firm to it. The FBI warns of potential indicators of compromise (IOCs) to watch for:
- SRG has been using certain system management and remote access tools, including Zoho Assist, Syncro, AnyDesk, Splashtop, and Atera. Law firms should be on alert for new and unauthorized downloads of these tools.
- Data exfiltration is being conducted via WinSCP or Rclone, so law firms should watch for connections from those tools to an external IP address.
- Emails, phone calls, and voicemails received from unfamiliar entities claiming data was stolen.
- Emails regarding subscriptions that provide a phone number to cancel the service or remove pending renewal charges.
- Employees receiving unsolicited phone calls from someone claiming to work in IT.
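The first two indicators above (unapproved remote access tools, and WinSCP or Rclone connecting to an external IP address) can be checked against endpoint telemetry. The following Python example is added here and is not from the FBI warning or Tabush Group; the event format, hostnames, approved-tool list, and internal IP ranges are assumptions, and the sample events are constructed.

```python
import ipaddress

# Tool keywords from the FBI indicators listed above. Matching on the
# product name inside the executable path is an assumption of this example.
REMOTE_TOOLS = ("zoho", "syncro", "anydesk", "splashtop", "atera")
TRANSFER_TOOLS = ("winscp", "rclone")

# Hypothetical firm policy: the one remote tool the IT team actually uses.
APPROVED_REMOTE = {"splashtop"}

# Hypothetical internal ranges; anything outside them counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def match_tool(image, keywords):
    path = image.lower()
    return next((k for k in keywords if k in path), None)

def triage(events):
    """Return (host, reason) alerts for the two technical indicators."""
    alerts = []
    for ev in events:
        if ev["type"] == "process_start":
            tool = match_tool(ev["image"], REMOTE_TOOLS)
            if tool and tool not in APPROVED_REMOTE:
                alerts.append((ev["host"], f"unapproved remote tool: {tool}"))
        elif ev["type"] == "net_connect":
            tool = match_tool(ev["image"], TRANSFER_TOOLS)
            if tool and is_external(ev["dest_ip"]):
                alerts.append((ev["host"], f"{tool} -> external {ev['dest_ip']}"))
    return alerts

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process_start", "host": "WS-014", "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
    {"type": "process_start", "host": "WS-022", "image": r"C:\Program Files (x86)\Splashtop\streamer.exe"},
    {"type": "net_connect", "host": "WS-014", "image": r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe", "dest_ip": "203.0.113.45"},
    {"type": "net_connect", "host": "WS-031", "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe", "dest_ip": "10.20.0.8"},
]

if __name__ == "__main__":
    for host, reason in triage(SAMPLE_EVENTS):
        print(host, reason)
```

Name-based matching misses a renamed executable, so treat this as a first-pass filter alongside the non-technical indicators in the list.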
Cybersecurity Best Practices
As cyber threats continue to grow in sophistication and frequency, protecting sensitive data and maintaining online privacy is vital. With so many different kinds of threats, there are a number of essential strategies to help your firm stay secure and mitigate potential threats:
- Education. People are the first line of defense against cyberthreats. Ongoing training for everyone who works at your firm is important to help people recognize and know how to respond to a potential threat. Risky behavior, such as clicking on suspicious links or visiting unsecured websites, must be avoided.
- Password Policies. Passwords are the primary gateway to your systems, and weak credentials leave them vulnerable to security breaches. Your policy should require all users to create strong, unique passwords that include a mix of uppercase and lowercase letters, numbers, and special characters. Contrary to outdated practices, passwords do not need to be updated regularly—instead, they should be changed only when there's a policy update or evidence of compromise.
- Multi-Factor Authentication (MFA). Your law firm must implement MFA, which adds a critical second layer of security by requiring users to verify their identity with an additional step—such as entering a code from an authenticator app or a message sent via text or email. This significantly reduces the risk of unauthorized access, even if credentials are stolen.
- Establish Clear Policies. Law firms should document strict protocols for how staff should handle suspicious emails and phone calls. For example, if someone receives an unsolicited call from the firm’s IT department or IT partner, the person should hang up and call them back. Do not call back any number provided by the caller over the phone. Either call your IT department directly or contact your IT partner through typical means (i.e., email, portal, or by calling the phone number from their website).
- Limit Remote Access Privileges. If your firm does not require certain remote access or support tools, they should be disabled, uninstalled, or even blocked. Further, administrative privileges should be disabled on employee devices where they are unnecessary.
- Cyber Breach Response Plan. Even with the best offenses and defenses in place, your law firm must have a detailed cyber breach response plan to secure operations and reduce the impact of an incident. This plan guides how your firm will identify, respond to, and report a breach, as well as how to restore operations and return to business. Your plan should be reviewed and tested annually.
Partner with a Trusted Cybersecurity Expert
Working with a trusted and reliable IT partner is key to strengthening your law firm’s cybersecurity.
Tabush Group is a leading provider of cloud and managed IT solutions with an emphasis on cybersecurity. Contact us to learn more about how our state-of-the-art IT solutions can make your firm’s operations more efficient and secure.