Silent Ransom Group Uses Fake IT Support Calls to Pressure Law Firms

Fake help desks put law-firm data at the center of the attack

Silent Ransom Group is using fake IT support calls to target U.S. law firms and professional services organizations, with Mandiant warning that data theft can follow within hours of the first contact.

The campaign is significant because the group is not relying on a conventional ransomware detonation.

Its pressure point is the legal sector’s concentration of sensitive client files and the reputational cost of a public data leak.

Mandiant tracks the actor as UNC3753 and also links it to the names Luna Moth and Chatty Spider.

The activity described in the report spans January to May 2026 and includes dozens of organizations across legal, financial and professional services.

The FBI also issued a FLASH advisory last week warning that U.S. law firms were being targeted through social engineering and in-person data theft attempts.

The intrusion starts with a benign-looking email and a voice call

The initial lure is deliberately low on malware indicators.

Attackers send invoice-themed phishing emails from consumer email accounts, but the messages do not carry malicious links or attachments.

Their role is to prepare the victim for a follow-up phone call in which the attacker impersonates corporate IT staff.

That callback model is familiar from BazarCall campaigns previously tied to Ryuk and Conti ransomware operations.

In this campaign, the attacker pushes the employee into a remote support session through Microsoft Teams, Zoom, Quick Assist or Microsoft Terminal Services.

During the session, the attacker steers the employee toward installing legitimate remote administration software.

The named tools include AnyDesk, Zoho Assist, Bomgar and SuperOps, and the installation gives the actor initial access without needing to defeat endpoint defenses through a malicious attachment.

Remote support tools become the path to legal files

Once inside, the group looks for sensitive legal and financial material.

The source lists contracts, tax records, Social Security numbers, merger and acquisition files, document management platforms and cloud storage repositories as targets.

Exfiltration is commonly performed with tools such as WinSCP or Rclone.

Mandiant also found phishing domains that imitate internal IT portals and use naming patterns designed to look like corporate help-desk infrastructure.

The group uses privnote[.]com to pass installation links and commands during support sessions.

Because the service destroys messages, the method can reduce evidence left in browser histories or corporate chat logs.

Extortion moves quickly after the theft

The operational tempo is one of the clearest warnings for law firms.

Mandiant says ransom demands often arrive within 30 minutes after the attackers leave a victim environment.

The letters give the organization a three-day deadline to respond and start negotiations.

If the victim does not engage, the actor threatens to contact employees and external clients directly.

The letters emphasize client trust, regulatory exposure and the possibility that clients could sue over data mishandling.

That pressure is tailored to legal services, where client confidentiality and deal files can be more damaging than downtime.

In-person theft remains an unresolved but connected risk

The FBI advisory adds another route: attackers impersonating IT staff by phone or email may try to visit offices physically to image computers or create backups while stealing files.

Mandiant said forensic evidence is limited, but it views the in-person activity as likely connected to UNC3753 because the targeting, timelines and behavior match.

Silent Ransom Group has been active since at least 2022, after earlier links to the Ryuk and Conti cybercrime ecosystem.

The group later shifted toward standalone data-theft extortion, where stolen information becomes the leverage instead of encrypted systems.

A separate Resecurity report says the gang is also using fast-flux infrastructure and residential IP addresses across multiple regions to protect data-leak platforms.

Defenses focus on verification and remote-access control

The practical response is not limited to email filtering.

Mandiant and the FBI recommend strict verification for IT support interactions, tighter control over remote access tools, MFA enforcement, USB storage restrictions and employee training against voice phishing.

For law firms and professional services organizations, the watchpoint is whether support workflows can prove the caller’s identity before a remote session begins.

The source does not confirm every in-person case as UNC3753, but it does show that the group’s current playbook combines voice-led social engineering, legitimate remote tools, rapid file theft and pressure tactics designed for high-value client data.