Silent Ransom Group Uses In‑Person IT Impersonation to Extort Law Firms
What Happened – The criminal outfit known as Silent Ransom Group (aka Luna Moth, Chatty Spider, UNC‑3753) has escalated its social‑engineering campaign against law firms. After phishing emails and phone calls that masquerade as internal IT support, the group sometimes sends a person to the victim’s office claiming to be IT staff, gains physical or remote desktop access, copies data, and then threatens ransom.
Why It Matters for TPRM –
- Physical‑plus‑digital intrusion bypasses many traditional network‑only controls.
- Data exfiltration from legal practices can expose privileged client information, creating regulatory and reputational risk for both the firm and its service providers.
- The tactic highlights the need for robust verification of any IT assistance request, whether remote or on‑site.
Who Is Affected – Professional services, specifically law firms; the group has also hit insurance, finance, and healthcare firms in the past.
Recommended Actions –
- Verify the identity of anyone claiming to be internal IT before granting remote or physical access.
- Enforce MFA for all privileged accounts and restrict the use of unmanaged remote‑access tools.
- Conduct regular employee training on callback phishing and on‑site impersonation scenarios.
- Review and harden help‑desk procedures for password resets and access requests.
Technical Notes – Attack vector combines phishing, phone‑based social engineering, and physical impersonation. No known malware signatures; attackers rely on legitimate system‑management tools. Data stolen includes emails, documents, and client records, later used for extortion. Source: Help Net Security