Silent Ransom Group steals data without dropping malware. There is no loader to detect, no encryptor to trip an alert. The intrusion arrives as a phone call, runs on software the victim installs themselves, and exfiltrates client files with tools a sysadmin would recognize. In late May 2026 the FBI issued a FLASH advisory on the group, and Mandiant's Google Threat Intelligence Group followed with a technical report. The pattern is worth understanding, because it sidesteps most of the controls organizations spent the last decade buying.
Context
Silent Ransom Group (SRG) goes by several names: Luna Moth, Chatty Spider, and the Mandiant designation UNC3753. The operators are not new. They came out of the Conti and Ryuk ecosystem and ran BazarCall campaigns, the callback-phishing operation that fed initial access to those ransomware crews. After Conti wound down in 2022, the group split off and went independent as a pure data-theft extortion shop. They do not encrypt. They take files and threaten to leak them.
Since spring 2023 the consistent target has been U.S. law firms, with collateral hits across insurance, finance, healthcare, and hospitality. The logic is straightforward. Law firms hold concentrated, high-sensitivity material: M&A plans, trade secrets, tax records, privileged client files. They also carry heavy reputational and regulatory exposure, which makes quiet payment attractive. Mandiant tracked the group hitting dozens of legal, financial, and professional-services organizations between January and May 2026.
Approach
The current playbook has two front doors.
The original is callback phishing. The victim receives an invoice- or data-migration-themed email from a consumer email account, usually flagging a small charge, often under fifty dollars, to keep suspicion low. The email carries no malicious link and no attachment, which is exactly why it clears most mail filters. It asks the recipient to call a number to dispute the charge. The call center is the attacker.
The newer variant skips the pretext and impersonates internal IT directly, using contact details pulled from corporate directories. The actor calls or emails an employee posing as the help desk and moves them onto a remote-support session over Microsoft Teams, Zoom, Quick Assist, or Terminal Services. From there the script is the same in both variants: talk the employee into installing a remote monitoring and management (RMM) tool. Reported tools include AnyDesk, Zoho Assist, Bomgar, and a SuperOps agent. Install links are passed through privnote[.]com, a self-destructing note service, so the instructions leave little trace in browser history or chat logs.
What follows is quiet and quick. In several cases the operator pivoted from the employee's own device into corporate virtual desktop infrastructure over Windows 365 or Citrix, then enumerated OneDrive and mapped drives and ran keyword searches against iManage document repositories for contracts, tax records, Social Security numbers, and audit files. Exfiltration runs through legitimate admin tooling: WinSCP over SFTP, Rclone to cloud storage, or direct browser uploads to attacker-controlled Google Drive. In one Mandiant-investigated incident the group moved 1.7 GB out via Google Drive before switching to WinSCP for another 14.4 GB. The gap between initial contact and data theft is often a single business day, and in some cases staging began in under an hour. The extortion letter can land within thirty minutes of the attacker leaving.
The FBI's May 2026 advisory adds a detail that should make every defender uncomfortable: when remote access fails, the group has sent a person to the victim's office to image machines or insert a storage device in the building. The social-engineering loop now closes in the physical world.
The interesting part
Strip away the labels and what is left is an intrusion with almost nothing for endpoint security to catch. Every binary in the chain is signed, legitimate, and frequently already present in enterprise environments. AnyDesk, WinSCP, and Rclone are not malware. EDR sees approved software behaving within normal parameters, operated by an authenticated user who clicked through every prompt voluntarily. The malicious element is the context, not the code.
Three tradecraft choices stand out.
First, patience. This is not a smash-and-grab. In one documented case the operator held five separate calls with the same target across three days to build trust before moving. The pretext is the product.
Second, anti-forensics by design. The privnote links keep payload instructions out of browser history and corporate chat, so an investigator arriving after the fact finds a gap where the lure should be. The phishing domains follow a tidy pattern built to pass a glance: <organization>-itdesk[.]com, <organization>-it[.]com, <organization>-helpdesk[.]com.
Third, resilient infrastructure. Resecurity reported the group running DNS fast-flux for its leak sites (business-data-leaks[.]com and ep6pheij[.]com), rotating through residential proxy IPs across roughly two dozen ISPs in many countries to frustrate takedown and blocklisting. This is built to persist.
The takeaway for detection is uncomfortable but clarifying. The signal is not a file hash. It is an unsanctioned RMM agent appearing on a workstation, an outbound SFTP, Rclone, or Google Drive session to a destination nobody recognizes, and a help-desk interaction that never opened a ticket. The detection surface moved from the disk to the process tree and the phone line.
The WRAVEN read
We have watched this pattern before. When we tracked Scattered Spider, the through-line was the same: the fastest way into a hardened network was not an exploit, it was a help desk. Silent Ransom Group is the extortion-only version of that lesson. The common thread is uncomfortable for anyone who measures security by license count. These crews walk in through process gaps, not software gaps, and an organization can pass every audit and still lose its files because one person trusted a phone call.
The good news for small teams, including student SOCs like the one we run, is that malware-free does not mean signal-free. You do not need a six-figure EDR to catch most of this. Free tooling gets you a long way: Sysmon for process and parent-process telemetry, fed into something like Wazuh or Security Onion, supports a handful of cheap detections that cover the chain. A remote-access agent such as AnyDesk, Zoho Assist, or Bomgar spawning for the first time on a host, especially shortly after a Teams, Zoom, or Quick Assist session, is worth an alert. So is WinSCP or Rclone executing on an endpoint that has never run them, or an outbound transfer to consumer cloud storage or an unfamiliar SFTP host. None of these are exotic. They are first-seen and behavioral rules, the kind of thing a defender with more attention than budget can stand up in an afternoon.
The strongest control here costs almost nothing. The entire chain depends on an employee starting a remote session from an inbound contact, so breaking that one habit collapses the rest. The drill is simple: no software install or screen-share ever begins from a call or email you received. You hang up, you look up the help desk through a channel you already trust, and you call them. Train that until it is reflex, and the most expensive part of the attacker's playbook, the patient and convincing human on the phone, stops working.
Takeaway
Silent Ransom Group is a reminder that the cheapest initial-access vector is still a convincing human on the phone, and that "malware-free" does not mean "harmless." The controls that matter here are procedural as much as technical. An organization can have current EDR, patched systems, and MFA, and still lose a client roster because one employee installed AnyDesk for someone claiming to be IT.
Defensive guidance
The FBI and Mandiant guidance is consistent and worth restating plainly:
Verify IT contact out of band. No remote-support session or software install should start from an inbound call or email. Train staff to hang up and reach the help desk through a known internal channel. A real help desk will not mind.
Control RMM tools. Inventory which remote-access tools are sanctioned and use application allowlisting to block the rest. An AnyDesk or Zoho Assist install on a workstation that has no business running one is a high-value alert.
Watch the exfil paths. WinSCP and Rclone executing on endpoints that never use them, or unusual bulk uploads to consumer Google Drive, are strong signals. Egress monitoring earns its keep here.
Restrict USB storage. The in-person variant relies on plugging in a drive. Endpoint USB policy and physical-access discipline both matter now.
Enforce MFA and least privilege, including on document repositories. It will not stop the install, but it limits how far the operator reaches once inside.
Run the drill. Vishing is the entry point. Brief, repeated training on "IT will never call you to install software" does more than another appliance.
If you suspect contact, preserve the email headers and the phone number, do not call back, and route it to your security contact. The number and the sending account are the most useful artifacts you have, and the privnote tradecraft means the rest may already be gone.
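As an added example (not WRAVEN's code or any vendor's rule set), here is the first-seen, behavioral logic that the student-SOC paragraph and the "Control RMM tools" and "Watch the exfil paths" guidance describe, run over Sysmon Event ID 1 (process-create) records: it flags the first appearance of an RMM agent or of WinSCP/Rclone on a host against a per-host baseline, records the parent process, and raises severity when the RMM agent starts within an hour of a Teams, Zoom, or Quick Assist process on the same host. The tool-name fragments, the one-hour window, and the sample events are assumptions constructed for this example.

```python
from datetime import datetime, timedelta
# Fragments matched case-insensitively against the Sysmon Image basename; assumed, not vendor-verified.
RMM_AGENTS = ("anydesk", "zoho", "bomgar", "superops")
EXFIL_TOOLS = ("winscp", "rclone")
SESSION_APPS = ("teams", "zoom", "quickassist")  # remote-support session front ends
SESSION_WINDOW = timedelta(minutes=60)            # assumed RMM-after-session correlation window

def family(image):
    """Classify an Image path as ('rmm'|'exfil'|'session', fragment) or (None, None)."""
    name = image.rsplit("\\", 1)[-1].lower()
    for kind, frags in (("rmm", RMM_AGENTS), ("exfil", EXFIL_TOOLS), ("session", SESSION_APPS)):
        for frag in frags:
            if frag in name:
                return kind, frag
    return None, None

def detect(events, baseline):
    """events: Sysmon EID 1 records sorted by UtcTime; baseline: {(host, fragment)} already
    known on that host. Mutates baseline so each (host, tool) pair alerts only once."""
    last_session, alerts = {}, []
    for ev in events:
        ts, host = datetime.fromisoformat(ev["UtcTime"]), ev["Host"]
        kind, frag = family(ev["Image"])
        if kind == "session":
            last_session[host] = ts   # remember when a screen-share app last started here
            continue
        if kind is None or (host, frag) in baseline:
            continue                  # not a tool of interest, or already sanctioned/seen
        baseline.add((host, frag))
        recent = host in last_session and ts - last_session[host] <= SESSION_WINDOW
        alerts.append({"host": host, "user": ev["User"], "tool": frag, "kind": kind,
                       "parent": ev["ParentImage"].rsplit("\\", 1)[-1], "after_session": recent,
                       "severity": "high" if kind == "exfil" or recent else "medium"})
    return alerts

SAMPLE_EVENTS = [  # constructed Sysmon Event ID 1 records, not real telemetry
    {"Host": "WS-LAW-07", "UtcTime": "2026-05-12T14:02:10", "User": "FIRM\\jdoe",
     "Image": "C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Host": "WS-LAW-07", "UtcTime": "2026-05-12T14:21:45", "User": "FIRM\\jdoe",
     "Image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Host": "WS-LAW-07", "UtcTime": "2026-05-12T15:40:02", "User": "FIRM\\jdoe",
     "Image": "C:\\Program Files (x86)\\WinSCP\\WinSCP.exe",
     "ParentImage": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe"},
    {"Host": "WS-IT-02", "UtcTime": "2026-05-12T16:05:00", "User": "FIRM\\itadmin",
     "Image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
]
BASELINE = {("WS-IT-02", "anydesk")}  # the IT workstation already runs the sanctioned copy
```

Calling `detect(SAMPLE_EVENTS, set(BASELINE))` yields two alerts for WS-LAW-07 (AnyDesk nineteen minutes after Teams, then WinSCP spawned by AnyDesk) and nothing for the sanctioned copy on WS-IT-02; in practice the baseline would be seeded from historical Sysmon data rather than typed by hand.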
Sources:
FBI IC3 / Cyber FLASH advisory, Silent Ransom Group targeting law firms (May 26, 2026): https://www.ic3.gov/CSA/2026/260526.pdf
Mandiant / Google Threat Intelligence Group, "Seeking Counsel: Ongoing Targeted Campaign Against US Law Firms": https://cloud.google.com/blog/topics/threat-intelligence/targeted-campaign-us-law-firms
BleepingComputer, "Silent Ransom Group targets law firms with fake IT support calls" (June 7, 2026): https://www.bleepingcomputer.com/news/security/silent-ransom-group-targets-law-firms-with-fake-it-support-calls/
Resecurity, "Silent Ransom Group (SRG): Uncovering DNS Fast Flux Infrastructure": https://www.resecurity.com/blog/article/silent-ransom-group-srg-uncovering-dns-fast-flux-infrastructure
AI disclosure: This writeup was drafted with AI assistance (Claude Opus 4.8) from public reporting; the thumbnail was generated with ChatGPT (Images 2.0). WRAVEN manually reviewed the cited sources, directed the analysis, and is responsible for the final post.
