Silent Ransom Group Actively Targeting Law Firms via Fake IT Support Calls
An Active Campaign That Gets to Data Theft in Hours
A new Mandiant report covered by BleepingComputer documents an ongoing campaign by Silent Ransom Group (SRG), also tracked as Luna Moth and UNC3753, specifically targeting U.S. law firms and professional services organizations. The detail that makes this urgent: attackers are exfiltrating data within hours of first contact.
What Is Happening
SRG has refined a callback phishing (vishing) playbook that sidesteps the email-layer and malware-centric controls most environments rely on. The sequence is simple and devastatingly effective:
- Target receives a convincing email — fake invoice, IT alert, or subscription notice — containing only a phone number and no links or attachments.
- Target calls the number. Attacker poses as IT support or a vendor help desk.
- Attacker talks the target through installing a legitimate remote monitoring and management (RMM) tool — AnyDesk, Zoho Assist, or similar.
- With remote access established, the attackers exfiltrate files rapidly, then demand ransom to suppress publication. There is no encryption, no ransomware binary — it's pure extortion.
The legal sector is a deliberate target. Law firms hold privileged communications, litigation strategy, client PII, and financial records, all of which carry outsized extortion value. Confidentiality obligations, and the duty under rules of professional conduct to notify affected clients of a breach, create strong pressure to pay quietly and quickly.
Why Your Standard Defenses Don't Help
This campaign has no malware dropper, no phishing link, no weaponized attachment. Email gateways, URL filters, and sandboxing are irrelevant. EDR platforms see a legitimate, signed RMM binary being run by the user, and will not block it unless you have configured them to. What remains is your help desk procedures, your users' judgment, and whatever application control you enforce on endpoints. Hours-to-exfiltration means detection must happen at or before the RMM installation; anything after exfiltration is damage control.
What to Do Right Now
1. Alert all staff today — especially legal assistants, paralegals, and executive assistants. One paragraph is enough: unexpected invoice email with a phone number → someone claiming to be IT support asking for remote access = hang up and report to IT. This pattern is the entire attack.
2. Harden help desk verification immediately. Any inbound caller requesting remote access must be verified via a callback to a directory-listed number or an open ticket in your ITSM system. The number they called from proves nothing.
3. Audit and block unapproved RMM tools. If AnyDesk or Zoho Assist are not sanctioned tools in your environment, block their executables, not just their installers, via application control (AppLocker or WDAC on Windows) or your EDR's blocking policy; AnyDesk in particular runs as a portable executable without an install step. This stops the attack at the access-establishment phase.
4. Add SIEM or EDR detections for first-run RMM binaries. Alert on the first execution of common RMM process names per host, baselined against your historical telemetry, and treat any tool outside your sanctioned list as high severity. SRG depends on these installs being invisible.
5. Update your IR playbook for data extortion. This is not a ransomware-recovery event, because there are no encrypted systems to restore. Response is legal (attorney-client privilege breach), regulatory (client-notification duties under rules of professional conduct and state breach-notification statutes), and communications-focused. Know your obligations before the call comes.
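One way to implement the detection logic in steps 3 and 4, as an added example that is not part of the original post or Mandiant's report: the script below runs over constructed Sysmon Event ID 1-style process-creation records, alerts the first time each (host, RMM binary) pair executes, suppresses repeats and anything already in a historical baseline, and escalates binaries outside a hypothetical sanctioned list. The binary names, the sanctioned list, and the sample hosts, users and events are all assumptions for illustration.

```python
"""Added example: first-run RMM detection over process-creation events.

Not from the original post or Mandiant's report. Binary names, hosts,
paths and events below are constructed for illustration.
"""
from collections import namedtuple

# Illustrative RMM executable names (lower-case). Verify exact image names
# against your own telemetry before deploying (add Zoho Assist's agent
# images from what you actually observe); vendors rename them.
RMM_BINARIES = {
    "anydesk.exe",
    "teamviewer.exe",
    "screenconnect.clientservice.exe",
    "rustdesk.exe",
}

# Hypothetical: the one RMM tool this firm has sanctioned. Any other RMM
# binary is unapproved and gets a high-severity alert (and should also be
# blocked at the application-control layer).
SANCTIONED_RMM = {"screenconnect.clientservice.exe"}

Alert = namedtuple("Alert", "ts host user binary severity notes")


def basename(path: str) -> str:
    """Last path component, lower-cased, for Windows or POSIX separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_first_run_rmm(events, baseline=None):
    """Alert the first time each (host, RMM binary) pair is seen executing.

    `events` are process-creation records (Sysmon Event ID 1 or an EDR
    equivalent) flattened to dicts with ts, host, user, image, parent.
    `baseline` is a set of (host, binary) pairs already observed in
    historical telemetry; it is updated in place so repeat runs stay quiet.
    """
    seen = baseline if baseline is not None else set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        binary = basename(ev["image"])
        if binary not in RMM_BINARIES:
            continue
        key = (ev["host"], binary)
        if key in seen:
            continue
        seen.add(key)

        notes = []
        if binary not in SANCTIONED_RMM:
            notes.append("unsanctioned RMM")
        # Run out of a user profile by the shell: matches a user launching
        # the tool during a call rather than software deployment pushing it.
        if "\\users\\" in ev["image"].lower():
            notes.append("launched from user profile")
        if basename(ev["parent"]) == "explorer.exe":
            notes.append("interactive launch")
        severity = "high" if binary not in SANCTIONED_RMM else "medium"
        alerts.append(Alert(ev["ts"], ev["host"], ev["user"], binary,
                            severity, notes))
    return alerts


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"ts": "2025-05-01T13:02:11Z", "host": "WS-PARALEGAL-07",
     "user": "FIRM\\jdoe", "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe",
     "parent": "C:\\Windows\\explorer.exe"},
    {"ts": "2025-05-01T13:05:40Z", "host": "WS-PARALEGAL-07",   # repeat run:
     "user": "FIRM\\jdoe", "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe",
     "parent": "C:\\Windows\\explorer.exe"},                     # suppressed
    {"ts": "2025-05-01T09:15:02Z", "host": "WS-IT-02",
     "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe",
     "parent": "C:\\Windows\\System32\\services.exe"},
    {"ts": "2025-05-01T13:07:55Z", "host": "WS-ASSOC-12",       # not RMM:
     "user": "FIRM\\asmith",                                    # ignored
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "parent": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for a in detect_first_run_rmm(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.ts} {a.host} {a.user} ran {a.binary}: "
              f"{', '.join(a.notes) or 'sanctioned, first seen on host'}")
```

Seed `baseline` from the last 30 days of telemetry before going live so the IT team's sanctioned tool does not page anyone, and feed the `notes` field into your ticket: "unsanctioned RMM, launched from user profile, interactive launch" on a paralegal's workstation minutes after an unexpected invoice email is exactly the pattern this campaign produces.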
If your organization serves the legal or professional services sector, this is an active threat requiring action this week — not a future agenda item.
Synthesized by Claude · sanity-checked before publish.