Law firms across the US are being targeted by increasingly sophisticated threat actors who are moving beyond traditional phishing tactics, now posing as trusted IT staff in both phone calls and face-to-face encounters to infiltrate corporate systems.
In a recent FBI Flash Alert, the Bureau said that the Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider and UNC3753, has consistently targeted US-based law firms since 2023.
SRG has victimized companies in other sectors including insurance, finance and healthcare.
The FBI noted that historically the threat actor sent phishing emails purportedly to charge small “subscription fees” to gain access to victim networks. To cancel the fake subscription, the victim was instructed to call the threat actor who then emailed a link which would lead the victim to download remote access software.
This tactic, known as callback and telephone-oriented attack delivery (TOAD), was detailed by Palo Alto Networks Unit 42 back in 2022. At the time, Unit 42 said that the campaign had already cost victims hundreds of thousands of dollars.
SRG Escalates with IT Impersonation and Physical Access Tactics
The group has now evolved its social engineering campaign, and the FBI said that, as of spring 2026, it had been observed impersonating staff from the victim’s IT department.
The scam involves SRG actors either directly calling or sending phishing emails to the target urging employees to call the SRG actor posing as IT support.
Once on the phone, employees are directed to grant access to a remote desktop session. If this fails, SRG sends an operative to the victim’s physical location to insert a storage device into the victim’s computer.
In this scheme, the threat actor tells the victim they need to image the device or create a backup file to address potential impacts from the phishing email.
Once access is gained, SRG actors minimally escalate privileges and quickly pivot to data exfiltration without encryption.
Windows Secure Copy (WinSCP) or a hidden or renamed version of “Rclone” is used to exfiltrate data. SRG actors also exfiltrate data to internal filesharing platforms such as Google Drive or Microsoft OneDrive.
If an operative is sent in person, SRG actors exfiltrate data to an external hard drive or USB drive.
The FBI notice said that traditional antivirus products are also unlikely to flag the intrusion because SRG generally uses legitimate system management or remote access tools to carry out the attack.
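Because the tools involved are legitimate, process telemetry rather than antivirus signatures is where this activity tends to surface. The following Python triage is an added illustration, not code from the FBI alert or this article: it runs over constructed Sysmon-style process-creation records (field names follow Sysmon Event ID 1: Image, OriginalFileName, CommandLine, User) and flags a renamed rclone binary, transfer tools launched from outside an assumed allowlist of approved install paths, rclone commands that push data to a configured remote, and scripted WinSCP sessions. The allowlist, account names and paths are all assumptions for the example.

```python
import ntpath
import re

# Constructed sample Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\Temp\svchost_upd.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r"svchost_upd.exe copy C:\Shares\Matters remote:backup --transfers 16",
     "User": "LAW\\jdoe"},
    {"Image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe", "OriginalFileName": "WinSCP.exe",
     "CommandLine": r'"C:\Program Files (x86)\WinSCP\WinSCP.exe" /console /script=upload.txt',
     "User": "LAW\\jdoe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe notes.txt", "User": "LAW\\jdoe"},
    {"Image": r"C:\Tools\rclone\rclone.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r"rclone.exe sync D:\Backups gdrive:firm-backup", "User": "LAW\\backupsvc"},
]

# Transfer tools named in the alert; matched on the PE's embedded OriginalFileName,
# which survives renaming the file on disk.
TRANSFER_TOOLS = {"rclone.exe", "winscp.exe"}

# Assumed allowlist of approved install locations (hypothetical for this example).
APPROVED_PATHS = {
    r"c:\tools\rclone\rclone.exe",
    r"c:\program files (x86)\winscp\winscp.exe",
}

# rclone transfer sub-commands, and rclone's "remote:path" syntax. The remote name must
# be at least two characters so single-letter Windows drive paths (C:\...) do not match.
RCLONE_VERB = re.compile(r"\b(copy|copyto|sync|move|moveto)\b", re.IGNORECASE)
RCLONE_REMOTE = re.compile(r"(?<!\S)[A-Za-z][\w-]+:\S*")
# WinSCP non-interactive modes: /script=<file> or /command ...
WINSCP_SCRIPTED = re.compile(r"/(script|command)\b", re.IGNORECASE)


def triage(event):
    """Return a list of (severity, reason) findings for one process-creation event."""
    image = event.get("Image", "")
    original = event.get("OriginalFileName", "").lower()
    cmd = event.get("CommandLine", "")
    if original not in TRANSFER_TOOLS:
        return []
    findings = []
    basename = ntpath.basename(image).lower()
    if basename != original:
        # The on-disk name differs from the binary's own metadata: hidden/renamed tool.
        findings.append(("high", f"{original} running under a different name ({basename})"))
    if image.lower() not in APPROVED_PATHS:
        findings.append(("medium", f"{original} executed from unapproved path {image}"))
    if original == "rclone.exe" and RCLONE_VERB.search(cmd) and RCLONE_REMOTE.search(cmd):
        findings.append(("medium", "rclone transfer to a configured remote"))
    if original == "winscp.exe" and WINSCP_SCRIPTED.search(cmd):
        findings.append(("low", "scripted (non-interactive) WinSCP session"))
    return findings


def scan(events):
    """Return [(user, image, findings)] for every event that produced at least one finding."""
    hits = []
    for ev in events:
        findings = triage(ev)
        if findings:
            hits.append((ev.get("User", ""), ev.get("Image", ""), findings))
    return hits


if __name__ == "__main__":
    for user, image, findings in scan(SAMPLE_EVENTS):
        print(f"{user}: {image}")
        for severity, reason in findings:
            print(f"  [{severity}] {reason}")
```

Tuning note: the approved backup account in the sample still trips the "transfer to a remote" rule, which is deliberate; the rule is meant to be paired with an allowlist of expected (account, remote) pairs in a real deployment rather than suppressed outright, so that a newly added OneDrive or Google Drive remote is still reviewed.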
Strengthening Cyber Hygiene Against Ransomware Threats
Cybersecurity leaders should enforce strong cyber hygiene by requiring robust passwords, multi-factor authentication and up-to-date antivirus tools, while following FBI guidance to protect against SRG-related ransomware threats.
- Verify the credentials of all individuals accessing company spaces, including obtaining copies of each visitor’s ID cards
- Limit access to sensitive data from less secure networks, such as home or public internet
- Develop and communicate policies regarding when and how IT support will communicate and authenticate themselves to employees
- Conduct staff training on identifying, resisting, and reporting phishing attempts
- Require phishing-resistant MFA for as many services as possible
- If possible, block access to port 22, which enables encrypted remote access, file transfers, and secure command execution on network devices
- If possible, disable remote access and external drive installation permissions on company computers with access to sensitive or confidential data
