Silent Ransom Group Callback Phishing Targets US Law Firms
- [01] Silent Ransom Group is targeting US law firms and professional services with high-speed data exfiltration campaigns using callback phishing.
- [02] The attacks leverage legitimate remote access tools like ScreenConnect and AnyDesk to bypass security controls on corporate workstations.
- [03] Organizations should restrict unauthorized remote monitoring and management tools and train employees to verify suspicious subscription renewal emails.
Overview of Silent Ransom Group Callback Phishing
A recent intelligence report from Mandiant, as reported by Bleeping Computer, highlights a sophisticated social engineering campaign orchestrated by the Silent Ransom Group (SRG). Also identified by researchers as Luna Moth, this threat actor has transitioned from traditional ransomware tactics to a model focused exclusively on data theft and extortion.
By targeting U.S.-based law firms and professional services organizations, SRG exploits the high-pressure environment of these sectors. The group utilizes a specific phishing variant known as ‘callback phishing’ or ‘vishing’ (voice phishing). Unlike automated attacks, this method involves human-to-human interaction, making it more difficult for automated security filters to detect. The objective is not to deploy file-encrypting malware but to gain persistent access to sensitive legal documents and financial records for extortion purposes.
Technical Analysis of the SRG Attack Lifecycle
The Silent Ransom Group callback phishing tactics begin with an email masquerading as a legitimate subscription invoice or renewal notice. Common lures include services such as Zoho, MasterClass, or Duolingo. These emails do not contain malicious attachments or links, which allows them to bypass many EDR and email gateway solutions. Instead, they provide a phone number for the victim to call if they wish to ‘cancel’ the fraudulent subscription.
Initial Access and Tool Deployment
When a victim calls the provided number, they are connected to a human operator who guides them through the installation of legitimate Remote Monitoring and Management (RMM) tools. According to Bleeping Computer, the actors frequently use software such as ScreenConnect, AnyDesk, Syncro, or Splashtop. Because these are signed, legitimate applications, they often do not trigger alerts within a SOC.
Once the attacker gains a foothold, they quickly move to establish a secondary C2 channel. This often involves installing additional RMM tools to ensure redundancy if the primary tool is discovered and removed. The speed of these operations is notable; researchers have observed data exfiltration occurring within just two hours of the initial phone call.
Data Exfiltration and Extortion
Once access is secured, the actor performs lateral movement to identify high-value data. SRG prioritizes document repositories and file shares. They utilize legitimate file transfer tools like Rclone or WinSCP to exfiltrate the stolen data to actor-controlled infrastructure. By avoiding the use of custom malware or ransomware payloads, the group minimizes the IoC footprint left on the system. After the data is stolen, the group contacts the victim with a ransom demand, threatening to publish the sensitive information unless payment is made.
Mitigating ScreenConnect Abuse in Law Firms
Defenders must recognize that these attacks capitalize on the misuse of trusted software. Therefore, the primary defense strategy must shift toward behavioral monitoring and strict software control. One of the most effective methods for mitigating ScreenConnect abuse in law firms is implementing an application allow-list that prevents the execution of unauthorized remote access tools.
How to Detect Luna Moth Data Exfiltration
Security teams should focus on the following detection and prevention strategies to combat this TTP:
- Network Monitoring: Monitor for outbound connections to known RMM tool domains (e.g., *.screenconnect.com, *.anydesk.com) from workstations that do not require these tools for business operations.
- Host-Based Analysis: Use your SIEM to alert on the installation of new RMM services or the execution of Rclone and WinSCP by non-administrative users.
- User Awareness: Conduct targeted training for employees in finance and legal departments regarding the risks of callback phishing. Emphasize that legitimate vendors will never ask a customer to install remote access software via a phone call for a billing dispute.
- Endpoint Controls: Configure EDR policies to block or flag the use of unauthorized remote desktop protocols and tools. Map these behaviors against the MITRE ATT&CK framework, specifically focusing on External Remote Services (T1133) and User Execution (T1204.001).
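To show how the network and host-based checks above translate into detection logic, here is an added Python example (not code from Mandiant, Bleeping Computer, or the original article) that runs over constructed process and connection events. The executable names for the RMM and transfer tools, the allow-listed IT host, and the admin group name are assumptions made for the example.

```python
from fnmatch import fnmatch

# Tools named in the article; the exact image names are assumptions about
# how they appear in process-creation telemetry (constructed for this example).
RMM_IMAGES = {"screenconnect.clientservice.exe", "anydesk.exe",
              "syncro.exe", "splashtop.exe"}
EXFIL_IMAGES = {"rclone.exe", "winscp.exe"}
RMM_DOMAINS = ("*.screenconnect.com", "*.anydesk.com")
# Hosts with a business need for RMM tools (assumption: one IT jump host).
RMM_ALLOWED_HOSTS = {"IT-JUMPBOX01"}
ADMIN_GROUPS = {"Domain Admins"}  # assumed name of the privileged group


def scan(events):
    """Return (host, rule, detail) tuples for events matching the page's rules."""
    alerts = []
    for e in events:
        if e["type"] == "process":
            image = e["image"].rsplit("\\", 1)[-1].lower()
            non_admin = not (ADMIN_GROUPS & set(e.get("groups", [])))
            # Rule 1: RMM binary running on a workstation that should not need it.
            if image in RMM_IMAGES and e["host"] not in RMM_ALLOWED_HOSTS:
                alerts.append((e["host"], "rmm_execution", image))
            # Rule 2: Rclone/WinSCP launched by a non-administrative user.
            elif image in EXFIL_IMAGES and non_admin:
                alerts.append((e["host"], "exfil_tool_non_admin", image))
        elif e["type"] == "network":
            # Rule 3: outbound connection to an RMM relay domain from a non-allow-listed host.
            if (e["host"] not in RMM_ALLOWED_HOSTS
                    and any(fnmatch(e["dest"].lower(), p) for p in RMM_DOMAINS)):
                alerts.append((e["host"], "rmm_outbound", e["dest"]))
    return alerts


# Constructed sample telemetry: a legal workstation compromised via callback
# phishing, plus benign admin activity that must not alert.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS-LEGAL07", "groups": ["Domain Users"],
     "image": r"C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.ClientService.exe"},
    {"type": "network", "host": "WS-LEGAL07", "dest": "relay.screenconnect.com"},
    {"type": "process", "host": "WS-LEGAL07", "groups": ["Domain Users"],
     "image": r"C:\Users\jdoe\Downloads\rclone.exe"},
    {"type": "process", "host": "IT-JUMPBOX01", "groups": ["Domain Admins"],
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe"},
    {"type": "network", "host": "IT-JUMPBOX01", "dest": "relay.anydesk.com"},
    {"type": "process", "host": "WS-FIN02", "groups": ["Domain Admins"],
     "image": r"C:\Tools\rclone.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Only the three events on WS-LEGAL07 fire; the allow-listed jump host and the admin-run Rclone job are suppressed, which is the tuning point to revisit when an RMM tool is approved for a new host.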