Silent Ransom Group, also tracked as UNC3753, Luna Moth, and Chatty Spider, is targeting U.S. law firms and other professional-service organizations with fake IT support calls, remote-support sessions, and in some cases in-person impostors. Mandiant says it observed a January-May 2026 data-theft extortion campaign against dozens of organizations in legal, financial, and professional services, while an FBI FLASH alert dated May 26 warns that the group has consistently targeted U.S.-based law firms since spring 2023.[1][2]

The story is not a normal ransomware-encryption alert. The risk is faster and quieter: someone posing as helpdesk staff gets an employee onto a phone call, screen-sharing session, or remote access tool, then searches document stores and moves files out before the organization realizes the “support” interaction was the intrusion. Mandiant says recent activity can move from first contact to data theft and extortion in a single business day, with some searches and theft beginning in under an hour.[1]
How the fake IT support attack works
The entry point is usually a believable business pretext, such as an invoice-themed email or a direct phone call from someone claiming to be internal IT. The lure may contain no malware link at all; its job is to make the target expect a follow-up call. During that call, the attacker asks the employee to join a screen-sharing session or install a legitimate remote monitoring and management tool. The FBI names tools such as Zoho Assist, Quick Assist, AnyDesk, RustDesk, Syncro, Splashtop, and Atera as examples seen in SRG activity.[2]
That detail matters for defenders because legitimate software will not always trip antivirus. If an unexpected support call leads to an AnyDesk-style install, treat it as a possible incident rather than routine helpdesk noise; HowToFix has a related detector explainer for Behavior:Win32/SuspAnydesk.A. The same human-trust problem also appears in broader phishing work, including recent AiTM phishing campaigns against Microsoft users and older voice-phishing malware operations.
Once the attacker has interactive access, Mandiant says UNC3753 looks for sensitive legal and document-management repositories, including iManage, SharePoint, OneDrive, email, mapped drives, and VDI-accessible file systems. The group has used portable WinSCP, Rclone, browser uploads to consumer file-sharing accounts, and victim mailboxes to exfiltrate data. In one Mandiant case, 1.7 GB was moved from a local OneDrive folder to Google Drive before the actor pivoted to VDI and exfiltrated another 14.4 GB through WinSCP.[1]
The physical-access angle makes this campaign stand out. The FBI says that when remote social engineering fails, SRG may send someone to the victim’s location claiming they need to image a device or create a backup, then attempt to insert a USB drive or external hard drive. Mandiant says similar physical attempts are likely associated with UNC3753 based on timing, targeting, and operational overlap.[1][2]
What should organizations check now? Start with logs for new or unauthorized RMM installs, Quick Assist sessions, AnyDesk/RustDesk/Splashtop/Atera activity, WinSCP or Rclone connections to external destinations, large browser uploads to consumer cloud storage, new USB mass-storage events, and unusually rapid searches or downloads from document stores. Mandiant also lists infrastructure patterns such as organization-themed helpdesk domains like <organization>-itdesk[.]com, <organization>-it[.]com, and <organization>-helpdesk[.]com, plus the leak site business-data-leaks[.]com.[1]
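The log checks listed above, written out as a small triage routine. This is an added example, not Mandiant's or the FBI's tooling; the event field names (`type`, `image`, `dest`, `query`, `class`) and the sample events are constructed assumptions, and a real deployment would subtract the firm's own approved RMM tool from the watch-list.

```python
"""Flag the SRG/UNC3753 tradecraft named in the reporting: unexpected RMM tools,
WinSCP/Rclone connections to external hosts, organization-themed helpdesk
domains, and USB mass-storage arrivals. Added example; field names are assumed."""
import re
from ipaddress import ip_address

# Executables named in the FBI/Mandiant reporting (lower-cased basenames).
RMM_IMAGES = {"anydesk.exe", "rustdesk.exe", "splashtop.exe", "atera.exe",
              "zohoassist.exe", "syncro.exe", "quickassist.exe"}
EXFIL_IMAGES = {"winscp.exe", "rclone.exe"}

def is_external(dest: str) -> bool:
    """True for non-private IPs; hostnames are treated as external."""
    try:
        return not ip_address(dest).is_private
    except ValueError:
        return True

def triage(events, org):
    """Return (severity, reason) findings for constructed event dicts.
    `org` is the firm's own name, used to build the <org>-itdesk.com pattern."""
    lookalike = re.compile(rf"^{re.escape(org)}-(itdesk|it|helpdesk)\.com$", re.I)
    findings = []
    for e in events:
        img = e.get("image", "").rsplit("\\", 1)[-1].lower()
        if e["type"] == "process" and img in RMM_IMAGES:
            findings.append(("high", f"RMM tool launched: {img} by {e['user']}"))
        elif e["type"] == "network" and img in EXFIL_IMAGES and is_external(e["dest"]):
            findings.append(("critical", f"{img} connection to external host {e['dest']}"))
        elif e["type"] == "dns" and lookalike.match(e["query"]):
            findings.append(("medium", f"helpdesk-themed lookalike domain: {e['query']}"))
        elif e["type"] == "usb" and e.get("class") == "mass_storage":
            findings.append(("medium", f"USB mass storage attached on {e['host']}"))
    return findings

# Constructed sample telemetry (not real indicators).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\jdoe\Downloads\AnyDesk.exe", "user": "jdoe"},
    {"type": "network", "image": r"C:\Temp\WinSCP.exe", "dest": "sftp.example.net"},
    {"type": "network", "image": r"C:\Temp\WinSCP.exe", "dest": "10.0.0.5"},  # internal, ignored
    {"type": "dns", "query": "examplefirm-itdesk.com"},
    {"type": "usb", "host": "WS-RECEPTION-01", "class": "mass_storage"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "user": "jdoe"},
]

if __name__ == "__main__":
    for sev, why in triage(SAMPLE_EVENTS, org="examplefirm"):
        print(f"[{sev}] {why}")
```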
For prevention, the practical control is not only “train users.” Firms should publish a clear rule for how internal IT proves identity, require out-of-band verification for unexpected support sessions, block unapproved RMM tools, restrict USB storage on sensitive endpoints, log visitor identity before any office technical visit, and make sure reception staff can verify technician work orders directly with the known helpdesk channel. The FBI also recommends phishing-resistant MFA where possible and limiting access to sensitive data from home or public networks.[2]
References
- Mandiant / Google Threat Intelligence Group. “Seeking Counsel: Ongoing Targeted Campaign Against US Law Firms.” June 5, 2026.
- FBI Internet Crime Complaint Center. FLASH-20260526-01: “Silent Ransom Group Impersonating IT Personnel through Social Engineering.” May 26, 2026.
- BleepingComputer. “Silent Ransom Group targets law firms with fake IT support calls.” June 7, 2026.