
Silent Ransom Group targets law firms with fake IT support calls


The Silent Ransom Group extortion gang is actively targeting U.S. law firms and professional services organizations in social engineering attacks that often lead to data theft within hours of initial contact, according to a new report by cybersecurity firm Mandiant.

The report follows an FBI FLASH advisory published last week warning that the Silent Ransom Group was targeting U.S. law firms in social engineering and even in-person data theft attacks, with Mandiant now providing additional technical details about how the intrusions are conducted.

Mandiant says the threat group, tracked as UNC3753, Luna Moth, and Chatty Spider, targeted dozens of organizations across the legal, financial, and professional services sectors between January and May 2026.

Mandiant warned that legal firms remain especially attractive targets because they store large volumes of highly sensitive client information and may feel pressured to resolve extortion incidents to avoid reputational and regulatory damage.

"Legal services firms represent high-value targets for extortion actors. They maintain concentrated repositories of extremely sensitive client transaction files, merger and acquisition plans, client trade secrets, and corporate regulatory reports," explains Mandiant.

"Threat groups recognize that legal entities are subject to heavy reputational and regulatory exposure and may be highly motivated to resolve extortion situations quietly to protect their professional standing."

The researchers say the attacks begin with invoice-themed phishing emails from consumer email accounts. These emails do not contain malicious links or attachments and instead serve as a precursor for follow-up phone calls from attackers impersonating corporate IT staff.

Voice calls have been a tactic of these threat actors for years; they previously used them in BazarCall social engineering campaigns tied to Ryuk and Conti ransomware attacks. In a callback phishing attack, threat actors send benign-looking phishing emails containing alarming or IT-related lures that prompt the recipient to call them back at an enclosed phone number.

In the current campaign, the Silent Ransom Group impersonates IT help desks and convinces employees to join remote support sessions via Microsoft Teams, Zoom, Quick Assist, or Microsoft Terminal Services.

During these sessions, the threat actors trick the target into installing remote monitoring and management tools such as AnyDesk, Zoho Assist, Bomgar, or SuperOps, thereby granting them initial access to the corporate network.
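The sequence described above (a remote support session followed by installation of an RMM tool) can be hunted for in endpoint telemetry. The following is an added example, not code from Mandiant's report or the article: the event schema, host names, two-hour window, and sample events are assumptions constructed for illustration, and only the tool names come from the text.

```python
from datetime import datetime, timedelta

# Tool names are the ones the article lists; the normalized "product" field,
# the event schema and the default window are hypothetical.
SESSION_TOOLS = {"microsoft teams", "zoom", "quick assist", "microsoft terminal services"}
RMM_TOOLS = {"anydesk", "zoho assist", "bomgar", "superops"}

def find_rmm_after_session(events, approved_rmm=frozenset(), window=timedelta(hours=2)):
    """Alert when an unapproved RMM tool is first seen on a host soon after a support session."""
    alerts = []
    last_session = {}  # host -> (time, tool) of the most recent remote support session
    seen_rmm = set()   # (host, tool) pairs already observed, so only first sightings alert
    for ev in sorted(events, key=lambda e: e["time"]):
        host, tool = ev["host"], ev["product"].strip().lower()
        if tool in SESSION_TOOLS:
            last_session[host] = (ev["time"], tool)
        elif tool in RMM_TOOLS:
            first_seen = (host, tool) not in seen_rmm
            seen_rmm.add((host, tool))
            if tool in approved_rmm or not first_seen:
                continue  # sanctioned tool, or already installed before
            session = last_session.get(host)
            if session and ev["time"] - session[0] <= window:
                delay = ev["time"] - session[0]
                alerts.append({"host": host, "rmm": tool, "session_tool": session[1],
                               "minutes_after_session": int(delay.total_seconds() // 60)})
    return alerts

def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS-014", "time": _t("2026-03-02 10:05"), "product": "Quick Assist"},
    {"host": "WS-014", "time": _t("2026-03-02 10:21"), "product": "AnyDesk"},
    {"host": "WS-022", "time": _t("2026-03-02 09:00"), "product": "Zoom"},
    {"host": "WS-022", "time": _t("2026-03-02 15:30"), "product": "SuperOps"},  # outside window
    {"host": "WS-031", "time": _t("2026-03-02 11:00"), "product": "Microsoft Teams"},
    {"host": "WS-031", "time": _t("2026-03-02 11:10"), "product": "Bomgar"},    # approved below
]

if __name__ == "__main__":
    for alert in find_rmm_after_session(SAMPLE_EVENTS, approved_rmm={"bomgar"}):
        print(alert)
```

Entries in `approved_rmm` are lowercase names of the RMM products the organization has actually sanctioned; anything else on the list that appears right after a support session is worth a call to the user.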
