Silent Ransom Group: FBI Issues Warning as Ex-Conti Operators Target Law Firms with Sophisticated Callback Phishing Campaigns

FBI warns that the notorious extortion group is ramping up attacks against legal and financial institutions with "malware-free" social engineering tactics that bypass traditional security measures.
The FBI has issued an urgent warning about the Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753, as the cybercriminal organization intensifies its targeting of U.S. law firms through sophisticated callback phishing campaigns. In a Private Industry Notification released May 23, 2025, the Bureau detailed how this former Conti ransomware affiliate has evolved into one of the most dangerous data extortion groups currently operating.
From Conti's Ashes: The Rise of Silent Ransom Group
Silent Ransom Group emerged from the wreckage of the infamous Conti ransomware operation in March 2022. As Conti began shutting down following Russia's invasion of Ukraine, BazarCall threat actors who had previously provided initial access for Ryuk and Conti ransomware attacks separated from the syndicate to form their own operation.
Starting in April 2022, these experienced operators formed Silent Ransom Group and began targeting organizations with a focus solely on data theft and extortion rather than traditional ransomware encryption. This transition marked a significant evolution in the cybercriminal landscape, as SRG pioneered a "malware-free" approach that has proven highly effective at evading detection.
Silent Ransom Group, along with Quantum and Roy/Zero gangs, filled the void left by Conti's collapse and were linked to callback phishing attacks within months of being established. However, SRG distinguished itself through its sophisticated social engineering capabilities and substantial investment in call center infrastructure.

Current Threat Landscape: Law Firms Under Siege
The FBI's latest warning comes amid a dramatic escalation in SRG's activities throughout 2025. As of March 2025, EclecticIQ assesses with high confidence that Luna Moth has likely registered at least 37 domains through GoDaddy to support its callback-phishing campaigns, with most impersonating IT helpdesk or support portals for major U.S. law firms and financial services firms.
The targeting of law firms appears to be a strategic choice. According to the FBI notification, while SRG has historically targeted companies across multiple sectors, including the medical and insurance industries, nearly 40% of known Luna Moth victims between April 2024 and 2025 were from the legal sector, followed by financial services (23.6%) and accounting (13.9%).
This focus on legal institutions makes sense from an attacker's perspective. Law firms handle some of the most sensitive data imaginable—client privileged communications, intellectual property, merger and acquisition details, and litigation strategies. The potential for reputational damage and regulatory consequences makes these targets particularly vulnerable to extortion attempts.
Evolution of Attack Methods: From BazarCall to IT Impersonation
SRG's attack methodology has undergone significant evolution since its inception. Initially, the group relied heavily on callback phishing emails masquerading as subscription services, continuing the BazarCall tradition from their Conti days. However, recent FBI observations reveal a concerning tactical shift.
Traditional Callback Phishing (2022-Early 2025)
In earlier campaigns, SRG used phishing emails with attached invoices for fake subscription services, typically charging small amounts under $1,000 to avoid immediate suspicion. These emails contained unique phone numbers that victims were instructed to call to cancel the supposed subscription.
When recipients called the number, they were routed to a threat actor-controlled call center and connected to a live agent who would guide them through downloading and running a remote support tool.
New IT Impersonation Tactics (March 2025 - Present)
The FBI's May 2025 notification reveals that SRG has significantly evolved its approach. As of March 2025, the group began calling individuals directly, posing as employees from their company's IT department. This represents a more aggressive and targeted approach that eliminates the need for victims to initiate contact.
According to the FBI, SRG operators will contact employees and direct them to join a remote access session, either through an email or by navigating to a web page. Once access is granted, the attackers inform victims that "work needs to be done overnight," providing cover for their malicious activities during off-hours when detection is less likely.
Technical Operations: Legitimate Tools, Malicious Intent
One of SRG's most sophisticated aspects is their exclusive use of legitimate tools, making their operations extremely difficult to detect through traditional security measures.
Initial Access Tools:
- Zoho Assist
- Syncro
- AnyDesk
- Splashtop
- Atera
Data Exfiltration Methods:
- WinSCP (Windows Secure Copy) for SFTP transfers
- Rclone for cloud synchronization
- Hidden or renamed versions of legitimate file transfer utilities
This approach helps Luna Moth keep its activity from being detected as malicious. The FBI notes that because SRG uses legitimate system management tools, its activities are unlikely to be flagged by traditional antivirus products.
Financial Impact: Million-Dollar Extortion Demands
The financial stakes in SRG attacks are substantial. According to EclecticIQ, ransom demands sent by the Silent Ransom Group range between one and eight million USD, depending on the breached company's size. This represents a significant escalation from earlier reports that documented demands ranging from 2 to 78 Bitcoin.
In many attacks, the adversary called out the victim's largest clients by name and threatened to contact them if the victim organization did not pay the demanded ransom. This psychological pressure tactic has proven highly effective, particularly against law firms where client confidentiality is paramount.
The group operates a dedicated data leak site at business-data-leaks[.]com, though the FBI notes that SRG is inconsistent in following through on their threats to publish stolen data. Despite this inconsistency, the mere threat of exposure often proves sufficient to compel payment.
Operational Sophistication: Call Centers and Custom Infrastructure
What sets SRG apart from many cybercriminal groups is their significant investment in operational infrastructure. Unit 42 researchers note that Luna Moth has significantly invested in call centers and infrastructure that's unique to each victim.
The group employs native English speakers in their call centers, enhancing the credibility of their social engineering attempts. Early incidents used a logo from one of the spoofed businesses, but later cases replaced this with simpler headers to reduce complexity while maintaining believability.
Additionally, early iterations of the extortion campaign recycled phone numbers, but later attacks either used a unique phone number per victim, or victims would be presented with a large pool of available phone numbers in the invoice.
Industry Impact and Response
The cybersecurity community has taken notice of SRG's sophisticated approach. According to Agari research, hybrid phishing cases in which the target interacts on the phone with an actual human being increased by 625% in volume in Q2 2022 compared to Q1 2021.
Researchers expect callback phishing attacks to increase in popularity because of low per-target cost, low risk of detection and fast monetization factors. This trend suggests that SRG's success may inspire imitators, potentially leading to a broader adoption of similar tactics across the cybercriminal ecosystem.
The Legal Services Information Sharing and Analysis Organization (LS-ISAO) has been actively working with the FBI to share threat intelligence about Luna Moth attacks specifically targeting law firms, recognizing the unique vulnerabilities and high-value data present in legal organizations.
Detection Challenges: A Security Blind Spot
SRG's approach exploits what researchers describe as a critical blind spot in modern security architectures. EclecticIQ warned that Luna Moth's activities can be hard to spot as no malicious links or attachments appear in the phishing emails, victims are installing signed legitimate software themselves, and few security tools can handle voice interactions.
The FBI notes that recent SRG campaigns leave few artifacts on compromised machines and are unlikely to be flagged by traditional antivirus products because they use legitimate system management tools. This "living off the land" approach makes detection extremely challenging for traditional security tools that rely on signature-based or behavioral analysis.
Indicators of Compromise
The FBI has provided several indicators that organizations should monitor for potential SRG activity:
Network Indicators:
- New unauthorized downloads of remote access tools (Zoho Assist, Syncro, AnyDesk, Splashtop, Atera)
- WinSCP or Rclone connections to external IP addresses
- Unusual outbound file transfer activity during off-hours
Social Engineering Indicators:
- Emails regarding subscription services with phone numbers requiring calls to remove charges
- Employees receiving unsolicited calls from individuals claiming to work in IT
- Emails from unnamed groups claiming data was stolen
- Unexpected voicemails claiming data theft
Domain Infrastructure: Typical typosquatted domain examples include [company_name]-helpdesk.com and [company_name]helpdesk.com, primarily registered through GoDaddy.
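As an added example (not from the FBI notification or the original article), the two domain patterns above can be checked against hostnames taken from DNS or proxy logs. The brand names, owned-domain list and sample hostnames are constructed assumptions; the check also goes slightly beyond the text by handling subdomains, defanged [.] notation and trailing dots.

```python
import re

# Constructed assumptions: brand tokens to protect and domains the firm really owns.
PROTECTED_BRANDS = {"examplelaw", "sample-legal"}
OWNED_DOMAINS = {"examplelaw.com"}

# The two patterns named above: <company>-helpdesk.com and <company>helpdesk.com.
HELPDESK_RE = re.compile(r"^(?P<brand>[a-z0-9][a-z0-9-]*?)-?helpdesk\.com$")

def registrable(host):
    """Refang, lowercase, and reduce a hostname to its last two labels."""
    host = host.strip().lower().replace("[.]", ".").rstrip(".")
    return ".".join(host.split(".")[-2:])

def match_brand(host, brands=PROTECTED_BRANDS, owned=OWNED_DOMAINS):
    """Return (domain, brand) if host imitates a protected brand's helpdesk, else None."""
    domain = registrable(host)
    if domain in owned:
        return None
    m = HELPDESK_RE.match(domain)
    if not m:
        return None
    # Compare with hyphens stripped so "sample-legal" also catches "samplelegal".
    candidate = m.group("brand").replace("-", "")
    for brand in sorted(brands):
        if candidate == brand.replace("-", ""):
            return domain, brand
    return None

SAMPLE_HOSTS = [  # constructed hostnames, as they might appear in DNS or proxy logs
    "www.examplelaw.com",
    "support.examplelaw-helpdesk.com",
    "examplelawhelpdesk.com.",
    "samplelegal-helpdesk[.]com",
    "otherfirm-helpdesk.com",
    "helpdesk.com",
]

def scan(hosts):
    """Return every (domain, brand) hit in the order the hosts were seen."""
    return [hit for h in hosts if (hit := match_brand(h))]
```
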
FBI Recommendations and Defense Strategies
The FBI has outlined several critical recommendations for organizations to defend against SRG attacks:
Basic Cyber Hygiene:
- Implement robust passwords and multifactor authentication
- Conduct regular staff training on resisting phishing attempts
- Maintain regular backups of company data
- Install and maintain updated antivirus tools
Specific Anti-SRG Measures:
- Develop and communicate policies for IT authentication with employees
- Implement allowlisting policies for remote access solutions
- Restrict execution of RMM tools not explicitly approved for organizational use
- Monitor for anomalous file transfer activity
Advanced Detection:
- Deploy endpoint detection and response (EDR) solutions capable of monitoring legitimate tool misuse
- Implement network monitoring for unusual outbound connections
- Establish baseline behavior for normal RMM tool usage
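The RMM allowlisting and file-transfer monitoring recommendations above, expressed as detection logic in an added example that is not from the FBI or the original article. The event schema, the approved-tool list, the internal address ranges, the business hours and the keyword matching on tool names are all assumptions to adapt to your own telemetry.

```python
import ipaddress
from datetime import datetime
from pathlib import PureWindowsPath

# Tool names come from the indicator lists above; keyword matching is an
# assumption, since real binary names vary by product and version.
RMM_KEYWORDS = ("zoho", "syncro", "anydesk", "splashtop", "atera")
APPROVED_RMM = {"splashtop"}                  # hypothetical organizational allowlist
TRANSFER_TOOLS = {"winscp.exe", "rclone.exe"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BUSINESS_HOURS = range(7, 19)                 # hypothetical local working hours

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def findings(event):
    """Return the list of rule names an event triggers (empty list means clean)."""
    path = event["image"].lower()
    image = PureWindowsPath(path).name
    original = event.get("original_name", "").lower()
    out = [f"unapproved-rmm:{kw}" for kw in RMM_KEYWORDS
           if kw in f"{path} {original}" and kw not in APPROVED_RMM]
    # Prefer the PE original file name: it survives a rename of the file on disk.
    tool = next((n for n in (original, image) if n in TRANSFER_TOOLS), None)
    if tool:
        if image != tool:
            out.append(f"renamed-transfer-tool:{tool}")
        dest = event.get("dest_ip")
        if dest and is_external(dest):
            out.append(f"external-transfer:{tool}")
            if datetime.fromisoformat(event["time"]).hour not in BUSINESS_HOURS:
                out.append("off-hours")
    return out

# Constructed sample events in a simplified schema (not a real EDR export).
SAMPLE_EVENTS = [
    {"time": "2025-03-12T23:41:00", "host": "WS-114", "original_name": "AnyDesk.exe",
     "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe"},
    {"time": "2025-03-12T23:58:00", "host": "WS-114", "original_name": "rclone.exe",
     "image": r"C:\ProgramData\svchelper.exe", "dest_ip": "203.0.113.10"},
    {"time": "2025-03-13T10:05:00", "host": "WS-020", "original_name": "winscp.exe",
     "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe", "dest_ip": "10.20.30.40"},
    {"time": "2025-03-13T11:00:00", "host": "WS-031", "original_name": "",
     "image": r"C:\Tools\Splashtop\agent.exe"},
]

def triage(events):
    return [(e["host"], f) for e in events if (f := findings(e))]
```

The renamed-tool rule relies on the process telemetry carrying the binary's embedded original file name; without that field, only the on-disk name is checked and a renamed copy will be missed.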
Looking Forward: The Evolution Continues
As organizations adapt their defenses, SRG continues to evolve their tactics. The transition from email-initiated callback phishing to direct IT impersonation calls represents a significant escalation in their social engineering capabilities. This evolution suggests that the group is actively monitoring defense strategies and adapting accordingly.
The success of SRG's approach has not gone unnoticed in the cybercriminal ecosystem. Security researchers warn that the effectiveness of callback phishing combined with legitimate tool abuse may inspire other groups to adopt similar tactics, potentially leading to a broader trend toward social engineering-based attacks.
Conclusion
The Silent Ransom Group represents a new evolution in cybercriminal operations—one that prioritizes sophisticated social engineering over technical exploits and leverages legitimate tools to evade detection. Their targeting of law firms, combined with million-dollar ransom demands and psychological pressure tactics, makes them one of the most dangerous extortion groups currently operating.
The FBI's warning serves as a critical reminder that modern cybersecurity must address not just technical vulnerabilities, but also the human element that remains the weakest link in organizational security. As SRG continues to refine their tactics, organizations—particularly in the legal, financial, and healthcare sectors—must adapt their defense strategies to address this evolving threat landscape.
For law firms and other high-value targets, the message is clear: traditional security measures alone are insufficient against groups like SRG. A comprehensive approach that combines technical controls, employee training, and robust incident response capabilities is essential to defend against these sophisticated social engineering attacks.
The FBI encourages any organization that believes they may have been targeted by Silent Ransom Group to contact their local FBI field office. Information about SRG attacks, including ransom notes, communications, and cryptocurrency wallet information, can assist in ongoing investigations and help protect other potential victims.