Silent Ransom Group Unleashes Aggressive Social Engineering Attacks on Law Firms
A new report from **Mandiant** details how the **Silent Ransom Group** is actively targeting U.S. law firms and professional services organizations through sophisticated social engineering tactics. These attacks often lead to data theft within hours, leveraging callback phishing and impersonation to gain initial access and exfiltrate highly sensitive client information.

Cybersecurity firm **Mandiant** has shed new light on the aggressive campaigns waged by the **Silent Ransom Group**, an extortion gang actively targeting U.S. law firms and other professional services organizations. The group, also tracked as **UNC3753**, **Luna Moth**, and **Chatty Spider**, has demonstrated its capability to steal sensitive data within hours of initial contact.
This report expands on a recent **FBI** FLASH advisory, which previously warned of the **Silent Ransom Group**'s focus on U.S. law firms, including in-person data theft attempts. **Mandiant**'s findings provide crucial technical details on the group's intrusion methods.
### Why Law Firms Are Prime Targets
Between January and May 2026, dozens of organizations in the legal, financial, and professional services sectors fell victim to these attacks. Legal firms are particularly attractive targets due to the vast repositories of highly sensitive client data they hold, including transaction files, merger and acquisition plans, trade secrets, and corporate regulatory reports.
Threat actors recognize that legal entities face significant reputational and regulatory risks, making them highly motivated to resolve extortion demands quietly to protect their professional standing and client trust.
### The Social Engineering Playbook
Attacks typically commence with invoice-themed phishing emails sent from consumer accounts. These initial emails are benign, containing no malicious links or attachments, serving merely as a precursor for follow-up phone calls. In these calls, attackers impersonate corporate IT staff, tricking employees into joining remote support sessions via platforms like **Microsoft Teams**, **Zoom**, **Quick Assist**, or **Microsoft Terminal Services**.
This callback phishing technique has been a staple for these threat actors for years, previously seen in **BazarCall** campaigns linked to **Ryuk** and **Conti** ransomware attacks. By prompting victims to call them back, attackers circumvent traditional email security measures.
During remote sessions, targets are persuaded to install legitimate remote monitoring and management tools such as **AnyDesk**, **Zoho Assist**, **Bomgar**, or **SuperOps**, thereby granting the attackers initial access to the corporate network.

### Infiltration and Exfiltration Tactics
**Mandiant** also identified phishing domains designed to mimic internal IT portals, using naming conventions such as:
* `<organization>-itdesk[.]com`
* `<organization>-it[.]com`
* `<organization>-helpdesk[.]com`
To further evade detection, the threat actors use `privnote[.]com`, a self-destructing messaging service, to share installation links and commands during remote support sessions. This minimizes forensic artifacts in browser histories or corporate chat logs.
Once inside the network, the group meticulously searches for sensitive legal and financial documents, including contracts, tax records, Social Security numbers, and M&A files. They commonly target document management platforms and cloud storage repositories, exfiltrating data using tools like **WinSCP** or **Rclone**.
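The naming conventions above and the `privnote[.]com` dependency are both observable in DNS or proxy telemetry. The following detector is an added example, not Mandiant's or the FBI's code: it loads a list of the defender's own organization names (here the constructed placeholders `acmelegal` and `northbridge`), flags `<org>-itdesk`, `<org>-it` and `<org>-helpdesk` registrable names on any TLD (a generalization of the `[.]com` cases the report lists), flags queries to the self-destructing note service, and runs over a few constructed DNS query-log lines.

```python
# Organization names a defender would load from their own asset inventory (constructed here).
ORG_NAMES = ["acmelegal", "northbridge"]

# Second-level-label suffixes matching the fake IT portal naming conventions in the report.
LOOKALIKE_SUFFIXES = ("-itdesk", "-it", "-helpdesk")

# Self-destructing note service used to pass installer links and commands during sessions.
WATCHLIST_DOMAINS = {"privnote.com"}

# Constructed DNS query log in the form: <timestamp> <client_ip> query <domain>
LOG_LINES = """\
2026-03-14T10:02:11Z 10.1.4.22 query acmelegal-itdesk.com
2026-03-14T10:02:15Z 10.1.4.22 query privnote.com
2026-03-14T10:03:40Z 10.1.4.31 query northbridge-helpdesk.net
2026-03-14T10:04:02Z 10.1.4.31 query sharepoint.acmelegal.com
2026-03-14T10:05:19Z 10.1.4.57 query acmelegal-it.com
2026-03-14T10:06:00Z 10.1.4.57 query www.example.com
""".splitlines()


def classify_domain(domain, org_names=ORG_NAMES):
    """Return a finding label for one queried domain, or None if it looks benign."""
    d = domain.lower().rstrip(".")
    # Exact match or any subdomain of a watchlisted service.
    if any(d == w or d.endswith("." + w) for w in WATCHLIST_DOMAINS):
        return "watchlist_domain"
    labels = d.split(".")
    if len(labels) < 2:
        return None
    sld = labels[-2]  # registrable label, e.g. "acmelegal-itdesk" in acmelegal-itdesk.com
    # A legitimate subdomain like sharepoint.acmelegal.com has sld == org and never matches.
    for org in org_names:
        for suffix in LOOKALIKE_SUFFIXES:
            if sld == org.lower() + suffix:
                return "it_portal_lookalike"
    return None


def scan_dns_log(lines, org_names=ORG_NAMES):
    """Return (timestamp, client_ip, domain, label) for every flagged query."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] != "query":
            continue  # skip malformed or non-query records
        ts, src, _, domain = parts
        label = classify_domain(domain, org_names)
        if label:
            findings.append((ts, src, domain, label))
    return findings
```

In the constructed log the lookalike hits and the note-service query come from the same two clients within minutes, which is the sequence a remote-support pretext produces and a useful correlation key for an alert.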
### Aggressive Extortion and Evolving Tactics
The **Silent Ransom Group**'s extortion operations are notably aggressive, with ransom demands often arriving within 30 minutes of the attackers exiting the victim's environment. These demands typically impose a three-day deadline for negotiations. Failure to comply results in threats to contact target employees and external clients directly, exposing the data breach and emphasizing the potential for reputational damage, regulatory fines, and client lawsuits.
While forensic evidence is limited, **Mandiant** believes the **FBI**'s warnings of in-person data theft attacks are likely linked to **UNC3753** due to similarities in targeting, timelines, and operational behavior.
The **Silent Ransom Group** has been active since at least 2022, initially as part of the **Ryuk** and **Conti** cybercrime syndicate. Following the shutdown of the **Conti** syndicate, the group transitioned to standalone data theft and extortion, abandoning traditional ransomware encryption in favor of pure data exfiltration and pressure tactics.
In a separate report, **Resecurity** revealed that the gang is also employing fast-flux infrastructure to conceal and protect its data-leak platforms. This method involves constantly rotating a domain's IP addresses through a large pool of compromised residential devices across multiple countries and ISPs, making takedowns and blocking significantly more challenging. **Resecurity** linked the group's `business-data-leaks[.]com` leak site to such infrastructure, operating via residential proxy networks across Latin America, Eastern Europe, Central Asia, the Middle East, and Asia.
### Defense Recommendations
To mitigate these threats, both **Mandiant** and the **FBI** recommend robust security measures:
* Implement strict verification procedures for all IT support interactions.
* Limit the use of remote access tools.
* Enforce multi-factor authentication (MFA) across all systems.
* Restrict the use of USB storage devices.
* Conduct regular employee training to recognize and report voice phishing (vishing) attempts.