FBI Warns Cyber Extortion Group Is Targeting Law Firms

A cyber extortion group is targeting U.S. law firms by impersonating IT workers, stealing sensitive files, and threatening to publish the data if the firms do not pay, the FBI warned in a recent alert .

The so-called Silent Ransom Group, or SRG, has also been tracked under the names Luna Moth, Chatty Spider, and UNC3753. Unlike traditional ransomware gangs, which often encrypt victims’ systems and demand payment to unlock them, SRG focuses on stealing data and using the threat of public exposure as leverage, according to the FBI.

Law firms are especially attractive targets because they often hold confidential client files, legal strategies, financial records, intellectual property, and privileged communications. A breach can therefore affect not only the firm itself, but also clients whose information may be exposed..

The FBI said SRG has been targeting U.S.-based law firms since spring 2023 with phishing emails and phone calls in which attackers pose as IT support staff and persuade employees to give them access to computers or remote-management tools.

In some cases SRG actors have sent people in person to law firm offices, pretending to be IT staff, to gain access to computers and copy data onto external hard drives or USB devices, according to the FBI.

A recent report by Google Threat Intelligence Group and Mandiant also described the ongoing campaign against U.S. legal, professional, and financial services organizations, saying attackers have used voice phishing, fake IT support scenarios, and, in some cases, in-person access to steal data quickly.

Although the FBI alert focused on U.S. law firms, European cybersecurity officials say the underlying threat — stealing data from trusted service providers and using it for extortion or follow-up attacks — is not limited to the United States. Europe’s cybersecurity agency, ENISA, told OCCRP on Monday that cybercriminals have increasingly relied on data exfiltration to monetize stolen information or use it as leverage in later attacks. Even ransomware operators are now encrypting less as a result, the agency said.

ENISA also warned that stolen data can be bought or used by other threat actors, including state-aligned groups or hacktivists, blurring the lines between different types of cyber threats. The agency also pointed to third-party and supply-chain risks, saying attackers are increasingly using indirect pathways through service providers and other dependencies.

Cybersecurity firm Resecurity said in a June report that SRG also uses public data-leak sites to pressure victims. These sites can be used to post stolen files or threaten publication if a ransom is not paid.

Resecurity told OCCRP it had downloaded more than 1.6 million files from leak sites it links to SRG, and said some affected law firms may not be aware that their data was exposed. The company also said the sites remained accessible through clearnet domains registered via WebNIC, an ICANN-accredited domain registrar.

OCCRP has not independently reviewed the full dataset, verified the authenticity of the leaked files, or confirmed Resecurity’s technical findings.

The FBI urged organizations to train employees to verify unexpected IT requests, restrict remote access tools, monitor unusual logins, and report suspected incidents to law enforcement.