Threats · 5 min read · 7 June 2026

Silent Ransom Group Calls Law Firms Directly — Then Drains Files Within Hours

A financially motivated extortion crew is impersonating IT staff over the phone, tricking employees into handing over remote access, and exfiltrating privileged client files before most firms even open a help ticket.

Elena Fischer, Threat Intelligence Analyst

A threat actor known as Silent Ransom Group — also tracked as Luna Moth and Chatty Spider — is running an active, targeted voice-phishing campaign against U.S. law firms and professional services organizations, with some intrusions completing the full cycle from first phone call to data exfiltration within a single business day.

What the Attack Looks Like

The group has abandoned the callback-phishing emails that defined its earlier operations. The current method is simpler and faster: a live phone call. Operators impersonate internal IT support staff and instruct employees to install a legitimate remote management tool — Zoho Assist, Syncro, AnyDesk, Splashtop, or Atera among them. These are real, trusted applications. They raise no antivirus alerts. The employee believes they are cooperating with their own help desk.

Once the attacker has remote access, they move quickly. They enumerate file shares, stage documents of interest, and exfiltrate data using WinSCP or the command-line tool Rclone. No ransomware payload is deployed. The extortion pressure is reputational: pay, or the stolen files go public.

Mandiant attributes the shift away from email lures to one practical reason — live phone contact converts faster. A real voice, an urgent tone, and a plausible pretext short-circuit the skepticism that security awareness training has built around suspicious links. Victims have included firms handling mergers and acquisitions, litigation holds, and regulated client data, which compounds every downstream disclosure question.

Why Law Firms Are the Target

Law firms sit at an unusually dense intersection of sensitive data types. Attorney-client privilege covers communications that clients have a reasonable expectation will never surface. M&A matters carry material non-public information. Employment and healthcare litigation files contain categories of personal data that trigger the most aggressive state notification statutes.

The FBI flagged Silent Ransom Group's targeting of the U.S. legal sector in a March 2025 FLASH advisory, noting extortion demands and credible threats to publish client files. That advisory predates the most recent acceleration in vishing-led intrusions Mandiant has now documented.

For general counsel and CISOs, the regulatory exposure is layered. The SEC's Form 8-K Item 1.05 cyber disclosure rule, which took effect December 18, 2023, requires public companies to disclose a material cybersecurity incident without unreasonable delay — not after forensics wraps. That creates a problem when exfiltration and an extortion demand arrive the same afternoon. The materiality clock starts before most firms have confirmed what was taken. New York and California attorneys general have both signaled aggressive review of law firm breaches involving client personally identifiable information. And ABA Model Rule 1.6(c) imposes an independent professional obligation to make reasonable efforts to prevent unauthorized disclosure of client information — a standard plaintiffs' counsel have already begun citing in civil filings against breached firms.

Timing is the thread connecting every one of those pressure points. When initial access, exfiltration, and extortion demand can occur inside a single business day, the internal escalation path — legal, executive, board — has almost no runway. Firms that have not run a tabletop exercise against a same-day exfiltration scenario should assume their disclosure clock will start before their forensics vendor arrives on site.

The Control That Failed

This campaign does not exploit an unpatched CVE. It exploits a gap in human verification behavior — specifically, the absence of any callback-verification procedure for inbound IT support requests. When an employee receives a call from someone claiming to be from the help desk, most organizations have no standardized process for the employee to confirm that identity independently before granting remote access. The attacker's voice fills that procedural vacuum.

The Verizon 2024 Data Breach Investigations Report found that the human element was a factor in 68 percent of breaches analyzed — a figure that has remained stubbornly consistent across years, because technical controls alone cannot close a gap that lives in human decision-making. Silent Ransom Group's pivot to voice phishing is a direct exploitation of that statistic.

Application allowlisting is one technical mitigation: if employees cannot run unsanctioned remote management binaries, the attacker's instruction fails at execution. Conditional access policies that restrict remote tool installation to managed, enrolled endpoints add a second layer. But neither control helps if an administrator with broader rights is the target of the call — which is frequently the case, since attackers prefer to impersonate IT and call non-technical staff who are less likely to question the request.

This is exactly where security awareness training closes a gap that firewalls cannot: employees who have practiced vishing scenarios — who have been taught what a fake IT call sounds like and how to independently verify a support request — are the last and most reliable control in this attack chain.

What Defenders Should Do Now

Mandiant's recommended mitigations are operationally concrete. Implement application allowlisting that blocks unsanctioned remote monitoring and management (RMM) binaries from executing. Enforce conditional access policies so that remote tool execution is restricted to managed endpoints. Establish and rehearse a mandatory call-back verification procedure: any employee who receives an inbound IT support request should hang up and call back through a number sourced from the company directory, not from the caller.

Beyond those technical and procedural controls, firms should audit which employees have access to file shares containing privileged client material and whether those permissions have been scoped to the minimum necessary. Rclone and WinSCP are legitimate tools; their presence in process execution logs on endpoints that have no business reason to run them is a detection signal worth building an alert around.
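The detection signal described above, as an added example that is not part of the original article: a small triage routine over constructed process-creation log lines that flags the RMM and file-transfer binaries the article names on endpoints outside a hypothetical IT allowlist, and raises severity when an exfil-capable tool follows an RMM tool on the same host inside an assumed time window (the same-day chain the article describes). Host names, the allowlist and the log format are assumptions.

```python
import re
from datetime import datetime, timedelta

# Binaries the article names; matched on the lower-cased image basename.
RMM_BINARIES = {"zohoassist.exe", "syncro.exe", "anydesk.exe", "splashtop.exe", "atera.exe"}
EXFIL_BINARIES = {"rclone.exe", "winscp.exe"}

# Hypothetical allowlist: endpoints with a business reason to run these tools.
IT_MANAGED_HOSTS = {"IT-WS-01", "IT-WS-02"}

# Assumed window: RMM tool then exfil tool on one host = one intrusion chain.
CHAIN_WINDOW = timedelta(hours=8)

LINE_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Parse a constructed key=value process-creation log line into a dict."""
    fields = {k: v.strip('"') for k, v in LINE_RE.findall(line)}
    fields["ts"] = datetime.fromisoformat(fields["ts"].replace("Z", "+00:00"))
    fields["image"] = fields["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    return fields

def detect(lines):
    """Return alerts for RMM/exfil tool execution on non-allowlisted hosts."""
    alerts, last_rmm = [], {}
    for ev in sorted((parse_event(l) for l in lines), key=lambda e: e["ts"]):
        host, image = ev["host"], ev["image"]
        if host in IT_MANAGED_HOSTS:
            continue  # expected on IT workstations; no alert
        if image in RMM_BINARIES:
            last_rmm[host] = ev["ts"]
            alerts.append({"host": host, "image": image, "severity": "medium",
                           "reason": "unsanctioned RMM tool executed"})
        elif image in EXFIL_BINARIES:
            seen = last_rmm.get(host)
            chained = seen is not None and ev["ts"] - seen <= CHAIN_WINDOW
            alerts.append({"host": host, "image": image,
                           "severity": "high" if chained else "medium",
                           "reason": "exfil tool after RMM access" if chained
                                     else "exfil-capable tool executed"})
    return alerts

# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    'ts=2026-06-07T09:12:04Z host=LEGAL-WS-117 user=jdoe image="C:\\Users\\jdoe\\Downloads\\AnyDesk.exe"',
    'ts=2026-06-07T11:40:51Z host=LEGAL-WS-117 user=jdoe image="C:\\Users\\jdoe\\AppData\\Local\\Temp\\rclone.exe"',
    'ts=2026-06-07T10:05:00Z host=IT-WS-01 user=admin image="C:\\Program Files\\WinSCP\\WinSCP.exe"',
    'ts=2026-06-07T13:20:13Z host=FIN-WS-042 user=mlee image="C:\\Tools\\WinSCP.exe"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In production this would sit on Sysmon Event ID 1 or EDR process telemetry rather than flat lines, but the logic is the same: the tool is legitimate, so the alert keys on where and in what sequence it runs.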

For firms subject to Form 8-K Item 1.05, the practical preparation step is a tabletop exercise built around a same-day exfiltration scenario. Walk the legal, security, and executive team through the decision tree: at what point is materiality determined, who makes that call, and what does notification look like when the forensics picture is still incomplete? Rehearsing that conversation in advance is far cheaper than improvising it under extortion pressure.

Review compliance frameworks relevant to your organization now, before an incident forces the conversation. The existing 8-K rule, state notification statutes, and ABA ethics obligations already apply. No new rulemaking is needed to create liability — the framework is in place.

How this attack could have been stopped before the first file moved

  • Train every employee to recognize vishing tactics and practice independent callback-verification before granting any remote access.
  • Block unsanctioned remote management binaries through application allowlisting and restrict RMM execution to managed endpoints via conditional access policies.
  • Run a same-day exfiltration tabletop exercise so legal, security, and executive teams know exactly when and how to make a materiality determination under the SEC's Form 8-K rule.

Train2Secure's scenario-based awareness modules include live vishing simulations that give employees hands-on practice identifying and deflecting exactly this type of call.


Frequently asked questions

How does Silent Ransom Group get employees to install remote access tools?

Attackers call employees directly and impersonate internal IT support staff. They create urgency around a fake technical problem and instruct the employee to install a legitimate remote monitoring tool such as AnyDesk or Zoho Assist. Because the tools are real and the caller sounds credible, many employees comply without questioning the request.

Does this attack use ransomware?

No. Silent Ransom Group does not deploy a ransomware payload. The extortion pressure comes entirely from threatening to publish stolen client files publicly. The group exfiltrates data using tools like WinSCP or Rclone, then demands payment to suppress release.

When does the SEC Form 8-K Item 1.05 disclosure clock start after this type of incident?

The SEC rule requires disclosure without unreasonable delay after a company determines an incident is material — not after forensics concludes. Because Silent Ransom Group can complete exfiltration the same day as initial contact, firms may need to make a materiality determination while the incident is still unfolding, which is why pre-incident tabletop exercises are critical.

What is the single most effective control to stop a vishing-based intrusion?

A mandatory callback verification procedure. Any employee who receives an unsolicited inbound IT support call should be trained to hang up and call back using a number from the official company directory. Combined with application allowlisting to block unsanctioned RMM tools, this breaks the attack chain before remote access is ever granted.
