Silent Ransom Group
Silent Ransom Group (SRG) is a financially motivated data-theft and extortion threat actor active since at least 2022. It is also tracked as Luna Moth, Chatty Spider, UNC3753, and Storm-0252. The group conducts extortion operations centered on stealing sensitive data and threatening to publish or sell it, rather than relying on traditional ransomware encryption. Content also associates the group with the post-Conti ecosystem and states it emerged after the March 2022 Conti shutdown; some reporting in the content describes it as likely operating from Russia. SRG has targeted multiple sectors including legal, financial, insurance, and healthcare, but the content consistently identifies U.S.-based law firms as its primary and sustained focus since spring or early 2023, likely because of the sensitivity of legal data. The group has been reported targeting major law firms including Jones Day, Orrick, and Wood Smith Henning & Berman. Its tradecraft relies heavily on social engineering and legitimate tools. Historically, SRG used callback-phishing emails themed as fake subscription charges, instructing victims to call to cancel and then directing them to install remote access software. More recent activity described in the content involves impersonating internal IT staff via phishing emails and phone calls, persuading employees to grant remote desktop access. If remote access attempts fail, SRG has in some cases sent an individual in person to victim offices while posing as IT support, claiming a need to image or back up a device, then inserting a USB drive or external hard drive to steal data. After access, SRG is described as performing minimal privilege escalation and pivoting quickly to exfiltration. Tools and services directly mentioned in the content include WinSCP, hidden or renamed Rclone, Zoho Assist, Quick Assist, AnyDesk, RustDesk, Syncro, Splashtop, Atera, and in earlier reporting Atera, Splashtop, Syncro, AnyDesk, SoftPerfect Network Scanner, and SharpShares. Exfiltration destinations mentioned include Google Drive, Microsoft OneDrive, external hard drives, and USB media. The group pressures victims through ransom emails, threats to leak data on business-data-leaks[.]com, and direct calls to employees or clients to force negotiations. The content notes that SRG campaigns often leave few artifacts and may evade traditional antivirus because the actors abuse legitimate remote administration and system management tools. Known aliases and related tracking names in the content are Silent Ransom Group, SRG, Luna Moth, Chatty Spider, UNC3753, and Storm-0252.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Financial Services
- Commercial & Professional Services
- Real Estate Management & Development
- Software & Services
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
- 🇨🇦 Canada
- 🇫🇷 France
- 🇩🇪 Germany
Tradecraft
28 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Associated malware families
5 malware families attributed to this actor across reporting.
Observables
3 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Conducting social-engineering-driven extortion against organizations, especially US-based law firms, by posing as IT support via phone calls and phishing emails, obtaining remote or physical access, exfiltrating data, and threatening to leak or sell it without deploying encryption.
Data-theft and extortion group targeting US-based law firms and also operating against insurance, finance, and healthcare organizations. Rather than encrypting systems, it steals sensitive data and threatens to publish or sell it unless victims pay.
Conducting data theft and extortion operations against U.S.-based legal and financial organizations, including posing as IT support via phone calls or phishing emails to obtain remote desktop access and, if unsuccessful, sending individuals in person to insert USB or external hard drives for data exfiltration.
Data extortion operation focused on U.S.-based law firms, using fake IT support calls/phishing and, when remote access fails, in-person visits to gain physical access and steal data rather than deploy encryption.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.