The Cyber Division of the Federal Bureau of Investigation (FBI) has released an alert to U.S. law firms regarding targeted attacks conducted by the Silent Ransom Group. Since spring 2023, the Silent Ransom Group has consistently targeted U.S. law offices, though it has also carried out attacks in several other industries, such as healthcare.
The Silent Ransom Group appeared in 2022 and performs data theft and extortion: it gains access to organizations' networks, exfiltrates sensitive information, and issues ransom notes. The group threatens to sell the stolen information or post it on its dark web data leak site if no ransom is paid, and contacts staff members at the attacked organization to pressure them into paying. Law offices are targeted because they handle large volumes of highly sensitive information and are considered likely to pay a ransom to stop the sale or publication of stolen data.
The Silent Ransom Group mainly acquires access to victims' systems through callback phishing attacks that impersonate subscription-service companies such as Duolingo and Masterclass. The email messages notify recipients that they are about to be charged for a subscription and instruct them to call customer service at the number given in the email to stop the charge. The subscription fees are fairly small, so the emails are unlikely to raise serious suspicion, and because they contain no malicious links or attachments, they are unlikely to be flagged or blocked by email security tools.
When the user calls the number, social engineering tactics are used to persuade them to install a remote access tool such as Zoho Assist or AnyDesk, supposedly to remove the subscription software. The user is told that this is the only way to stop the subscription fee. If the user installs the tool, Silent Ransom gains complete control of their device. The user is then told that the uninstall was successful and that they will not be charged. After acquiring control, Silent Ransom searches for sensitive information, exfiltrates files to private servers, and sends a ransom note by email.
The FBI has observed Silent Ransom using new tactics since March 2025. Instead of callback phishing, the group has begun vishing attacks in which it poses as a member of the organization's IT team. As in the callback phishing attacks, Silent Ransom's goal is to establish a remote access session, this time to fix a fictitious IT issue. Once the staff member has granted access, they are told that the work to fix the issue must be done overnight. These attacks involve minimal privilege escalation, followed by data exfiltration via "WinSCP" (Windows Secure Copy) or a hidden or renamed copy of "Rclone." Because living-off-the-land techniques are used, the threat actor's actions are rarely flagged by security tools.
The FBI has disclosed indicators of attack, which include unauthorized downloads of remote monitoring applications, WinSCP or Rclone connecting to external IP addresses, unsolicited calls from persons claiming to work in the IT team, and email messages about subscription services that require a phone call to resolve. Because the initial emails are difficult to block, it is important to cover this type of attack in HIPAA security awareness training. Additional recommendations include creating and enforcing policies on how staff members are contacted by the IT department, and implementing two-factor authentication for all staff. In the event of an attack, the FBI advises reporting all available details to the FBI.
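As an added illustration (not code from the FBI alert or this article), the following Python script applies the indicators above to constructed Sysmon-style process-creation and network-connection events: it flags a binary whose PE OriginalFileName identifies it as Rclone or WinSCP while its file name does not, flags WinSCP or a renamed Rclone connecting to a non-internal address, and flags a remote access tool that is not on an allow-list. The Zoho Assist executable name, the empty allow-list and the sample events are assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# Tools the alert names; the remote-access binary names and the empty allow-list
# (to be filled from your software inventory) are assumptions for illustration.
EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "zohoassist.exe"}
APPROVED_REMOTE_ACCESS = set()
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                 "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def is_external(ip_str: str) -> bool:
    """True when the destination lies outside RFC 1918, loopback and link-local space."""
    ip = ipaddress.ip_address(ip_str)
    return not any(ip in net for net in INTERNAL_NETS)

def analyze(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (indicator, process_name, detail) tuples for events matching the alert's indicators."""
    findings = []
    renamed_images = set()  # full paths whose PE OriginalFileName reveals Rclone/WinSCP
    for ev in events:
        image = ev["image"].lower()
        name = basename(image)
        if ev["event"] == "process_create":
            original = ev.get("original_file_name", "").lower()
            if original in EXFIL_TOOLS and name != original:  # renamed copy of the tool
                renamed_images.add(image)
                findings.append(("renamed_exfil_tool", name, original))
            elif name in REMOTE_ACCESS_TOOLS and name not in APPROVED_REMOTE_ACCESS:
                findings.append(("unauthorized_remote_access_tool", name, image))
        elif ev["event"] == "network_connect":
            # Network events carry no OriginalFileName, so correlate via the renamed set.
            if (name in EXFIL_TOOLS or image in renamed_images) and is_external(ev["dest_ip"]):
                findings.append(("exfil_tool_external_connection", name, ev["dest_ip"]))
    return findings

# Constructed Sysmon-style telemetry (event 1 / event 3 fields), not real data; 203.0.113.0/24 is a documentation range standing in for an attacker-controlled host.
STAGED = r"C:\Users\jdoe\AppData\Local\Temp\svchost_update.exe"
SAMPLE_EVENTS = [
    {"event": "process_create", "image": STAGED, "original_file_name": "rclone.exe"},
    {"event": "process_create", "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe", "original_file_name": "AnyDesk.exe"},
    {"event": "network_connect", "image": r"C:\Program Files\WinSCP\WinSCP.exe", "dest_ip": "203.0.113.5"},
    {"event": "network_connect", "image": STAGED, "dest_ip": "10.0.0.12"},  # internal: not flagged
    {"event": "network_connect", "image": STAGED, "dest_ip": "203.0.113.77"},
    {"event": "process_create", "image": r"C:\Windows\explorer.exe", "original_file_name": "EXPLORER.EXE"},
]
```

Running `analyze(SAMPLE_EVENTS)` yields four findings: the renamed Rclone copy, the unapproved AnyDesk launch, and the two external connections from WinSCP and the renamed Rclone.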