Last updated: July 5, 2026 at 9:01 AM UTC
Tag: luna-moth (2 articles)

Silent Ransom Group hits law firms with fake IT support calls

Mandiant has detailed how the extortion crew Silent Ransom Group (also tracked as Luna Moth and UNC3753) is breaking into US law firms and other professional-services companies through phone calls rather than malware. Attackers send a harmless-looking invoice or data-migration email, then call the target pretending to be internal IT support, talk them into starting a screen-share, and get them to install a remote management tool that hands over access. From there, Mandiant has seen data located, staged, and stolen in under an hour. The group skips encryption entirely, instead threatening to leak stolen files unless paid. A recent FBI alert added in-person office visits to the playbook.

Check
Review RMM and remote-access tool installs from the past month tied to inbound IT support calls, and flag invoice or data-migration emails sent from consumer addresses.
Affected
US law firms and financial and professional-services organizations whose staff can be phoned and talked into screen-sharing or installing remote management software.
Fix
Require staff to verify any IT support contact through a known internal channel before granting access, restrict who can install RMM tools, and enforce phishing-resistant MFA.

FBI flash alert: Silent Ransom Group (Luna Moth/UNC3753) sends operatives in person to plug USB drives into US law firm computers

The FBI has issued a flash alert warning that the Silent Ransom Group (also tracked as Luna Moth, Chatty Spider, and UNC3753) is now sending operatives physically to US law firms to steal data. SRG actors first pose as internal IT over phone or phishing email and try to get an employee to grant a remote-desktop session; if that fails, they dispatch someone in person to plug a USB drive or external hard drive into the target's computer. The group, formed from Conti/BazarCall operators after the 2022 Conti shutdown, has targeted US legal and financial firms since 2023, extorting victims via its leak site.

Check
Brief reception and staff at law/finance firms: verify any in-person 'IT support' visit through a known internal channel before granting access. Alert SOC to unexpected USB-storage mounts.
Affected
US law firms and financial-services organizations. SRG poses as internal IT via phone/phishing, escalating to in-person data theft over a USB drive if the remote-access social engineering fails.
Fix
Enforce device-control policy blocking unauthorized USB mass storage. Require multi-channel verification for IT-support remote-access requests. Lock workstations and restrict physical access. Run callback-phishing awareness training.