Law Firms Under Siege: Evolving Cyber Threats
Law firms throughout the United States are increasingly finding themselves under the threat of sophisticated cyber-attacks. These attacks have moved beyond traditional phishing methods. Cybercriminals are now impersonating trusted IT personnel in both phone calls and face-to-face interactions to gain unauthorized access to corporate systems.
In a recent warning issued by the FBI, termed a Flash Alert, the Bureau disclosed that a notorious hacking group—known as the Silent Ransom Group (SRG)—has been actively targeting law firms since early 2023. This group is also referred to by several aliases, including Luna Moth, Chatty Spider, and UNC3753. The FBI has indicated that SRG has extended its malicious activities beyond the legal sector, affecting companies in other fields such as insurance, finance, and healthcare as well.
Historically, SRG has relied on phishing emails that masquerade as legitimate correspondence, often claiming to collect small "subscription fees" to facilitate access to victim networks. The narrative usually involves victims being instructed to call the supposed IT support to cancel their subscription. During this interaction, the perpetrator typically sends a malicious link, prompting the victim to download remote access software unwittingly. This tactic, referred to as “callback and telephone-oriented attack delivery” (TOAD), was first detailed by Palo Alto Networks’ Unit 42 back in 2022. Alarmingly, it was reported that the campaign had already resulted in financial losses amounting to hundreds of thousands of dollars for the victims.
Escalation of Tactics: IT Impersonation and In-Person Intrusions
As the threat landscape evolves, the SRG has escalated its strategies to include impersonation and physical infiltration. According to the FBI, by the spring of 2026, SRG operatives were observed masquerading as members of the victim’s IT department. This scheme consists of direct phone calls or phishing emails that encourage employees to contact someone posing as IT support.
During these calls, employees are misled into granting remote access to their systems. If this approach fails, the threat actors may send operatives to the victim’s physical workspace to insert storage devices directly into the company’s computers. In this scenario, the intruder typically fabricates a situation requiring the victim to create a backup or image their device to mitigate supposed threats stemming from the phishing email.
Once access to the victim’s system is achieved, SRG operatives often escalate their privileges minimally, allowing them to swiftly pivot toward data exfiltration. Tools such as Windows Secure Copy (WinSCP) or a disguised version of “Rclone” are employed to siphon off sensitive data. They may also utilize internal file-sharing platforms like Google Drive or Microsoft OneDrive for data transfer. In cases involving physical infiltration, data is typically exfiltrated onto external hard drives or USB devices.
Disturbingly, the FBI has noted that conventional antivirus products are likely to fail in identifying these intrusions, as SRG typically employs legitimate system management tools to execute their attacks.
Strengthening Cyber Hygiene: A Necessity
In light of these escalating threats, cybersecurity experts are urging law firms to enhance their cyber hygiene practices. They advise implementing strong passwords and multi-factor authentication, as well as keeping antivirus tools up to date. The FBI’s guidelines serve as essential measures to counteract SRG-related ransomware threats.
Key recommendations include:
- Verification of Credentials: Organizations should thoroughly verify the identities of individuals accessing company premises, ensuring they collect copies of ID cards.
- Data Access Limitations: Sensitive data access should be restricted from less secure networks, like home or public internet.
- Clear IT Communication Policies: Firms should develop and disseminate clear policies regarding how IT support will authenticate themselves to employees and the channels through which they will communicate.
- Staff Training Programs: Training sessions should be held to empower employees to identify, resist, and report phishing attempts effectively.
- Phishing-Resistant Multi-Factor Authentication: Companies should implement MFA for as many services as possible to add an additional layer of security.
- Blocking Specific Ports: If feasible, organizations should block TCP port 22 (SSH), the port used for encrypted remote access and remote command execution on network devices.
- Disabling Remote Access: Whenever possible, firms should consider disabling RDP (Remote Desktop Protocol) and restricting external drive installation permissions on computers that can access sensitive data.
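The endpoint-level recommendations above (disable RDP, block port 22, restrict removable drives) can be applied and audited on a Windows workstation with the following script. It is an added example, not part of the FBI alert or this article, and assumes an elevated PowerShell session on a domain or standalone Windows host; the rule names and the Test-Hardening report format are this example's own choices.

```powershell
#Requires -RunAsAdministrator
# Added hardening example; cmdlets and registry paths are standard Windows ones.

function Disable-RemoteDesktop {
    # Deny inbound RDP at the OS level and close the firewall group that admits it.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name 'fDenyTSConnections' -Value 1 -Type DWord
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
}

function Block-Port22 {
    # Block SSH/SFTP/SCP in both directions: inbound stops remote shells, outbound
    # stops tools such as WinSCP or a renamed rclone pushing data to an SFTP host.
    foreach ($dir in 'Inbound', 'Outbound') {
        $name = "Block TCP 22 ($dir)"   # example rule name, chosen here
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
        $p = @{ DisplayName = $name; Direction = $dir; Protocol = 'TCP'
                Action = 'Block'; Profile = 'Any' }
        if ($dir -eq 'Inbound') { $p.LocalPort = 22 } else { $p.RemotePort = 22 }
        New-NetFirewallRule @p | Out-Null
    }
}

function Block-RemovableStorage {
    # Registry form of the Group Policy setting
    # "All Removable Storage classes: Deny all access" (may need a reboot to apply).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'Deny_All' -Value 1 -Type DWord
}

function Test-Hardening {
    # Audit view: one boolean per control so a reviewer can spot regressions.
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $usb = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' `
               -ErrorAction SilentlyContinue
    $p22 = @(Get-NetFirewallRule -DisplayName 'Block TCP 22*' -ErrorAction SilentlyContinue)
    [PSCustomObject]@{
        RdpDenied     = ($ts.fDenyTSConnections -eq 1)
        Port22Blocked = ($p22.Count -eq 2 -and -not ($p22 | Where-Object Enabled -eq 'False'))
        UsbDenied     = ($usb.Deny_All -eq 1)
    }
}

Disable-RemoteDesktop
Block-Port22
Block-RemovableStorage
Test-Hardening | Format-List
```

Roll the same three controls out centrally through Group Policy where possible; the script is useful for standalone machines and for auditing that the policy actually landed.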
By adopting these best practices, organizations can significantly strengthen their defenses against the growing sophistication of threats like those posed by the Silent Ransom Group. As cyber threats evolve, vigilance and proactive measures are crucial in safeguarding sensitive information and ensuring the integrity of corporate systems.
