FBI Warns Silent Ransom Group Targeting U.S. Law Firms Using Social Engineering and Callback Phishing

The Silent Ransom Group (SRG) is intensifying its cyber attacks against U.S. law firms in 2025, using social engineering tactics such as callback phishing and fake IT support calls to gain unauthorized remote access and exfiltrate sensitive data. Victims face ransom demands under threats of public exposure, emphasizing the critical need for enhanced employee training and strict IT authentication protocols. #SilentRansomGroup #CallbackPhishing #WinSCP #Rclone

Key points

  • Silent Ransom Group (SRG), active since 2022, shifted in 2025 from callback phishing emails to direct phone-based social engineering impersonating IT staff.
  • SRG targets U.S. law firms due to their possession of sensitive intellectual property and highly confidential information.
  • The group uses legitimate remote management tools like Zoho Assist, AnyDesk, and Syncro to silently establish persistent access.
  • Data exfiltration is performed quickly and stealthily using tools such as WinSCP and a stealthy variant of Rclone, often without requiring admin privileges.
  • Ransom demands can reach up to $800,000, accompanied by threats of public data exposure and harassment phone calls.
  • Indicators of Compromise include unauthorized use of remote access tools, subscription-related callback phishing emails, and suspicious calls from fake IT support.
  • Recommended defenses include employee awareness training, strict IT authentication protocols, limiting remote access privileges, monitoring tool usage, and implementing multifactor authentication.

MITRE Techniques

  • [T1598] Phishing – SRG uses callback phishing emails to deceive victims into calling a fake support number under the guise of resolving unauthorized subscription charges (“…callback phishing campaigns without using malware or encryption”).
  • [T1076] Remote Desktop Protocol – Attackers use legitimate remote management tools such as Zoho Assist, AnyDesk, and Syncro to gain remote access (“…they trick employees into installing legitimate RMM tools to gain access…”).
  • [T1114] Email Collection – SRG sends phishing emails that impersonate legitimate vendors as part of their social engineering tactics (“…emails, often appearing to be from legitimate vendors, claim small unauthorized charges…”).
  • [T1041] Exfiltration Over C2 Channel – Data exfiltration is conducted using tools like WinSCP and Rclone to silently transfer data out of compromised systems (“…Data exfiltration tools like WinSCP or a stealthy version of Rclone are used immediately…”).
  • [T1078] Valid Accounts – SRG establishes persistent access by impersonating IT staff and using legitimate credentials or sessions (“…impersonating IT staff within the victim’s company…”).

Indicators of Compromise

  • [Remote Access Tools] unauthorized downloads or installations of Zoho Assist, AnyDesk, Syncro, Splashtop, or Atera detected during incidents.
  • [Data Exfiltration Tools] suspicious usage of WinSCP and stealthy versions of Rclone associated with unknown external IP addresses.
  • [Phishing Emails] subscription-related phishing emails urging callback actions regarding small unauthorized charges.
  • [Suspicious Communications] employees receiving suspicious calls or voicemails from fake IT support claiming to perform routine maintenance.
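The indicators above (unapproved RMM agents, WinSCP, and a renamed "stealthy" rclone) can be checked against endpoint process-creation telemetry. The following is an added example written for this summary, not code from the FBI advisory or from Cyble: it scores Sysmon-style process-creation events (dicts with Image, OriginalFileName, Product, Description, Company, CommandLine) against the tool names the advisory lists, and recognises rclone by its command-line grammar so that renaming the binary does not evade the check. The allowlist (`APPROVED`) and the sample events are constructed assumptions.

```python
import re

# Tool names from the advisory. APPROVED is a hypothetical allowlist: the one
# RMM product the firm's IT provider actually uses (assumed to be Syncro here).
RMM_NAMES = ("zoho assist", "anydesk", "syncro", "splashtop", "atera")
APPROVED = {"syncro"}

# rclone keeps its CLI grammar however the binary is renamed:
# "<exe> <verb> <source> <remote>:<path> [flags]"
RCLONE_VERBS = {"copy", "sync", "move", "copyto", "lsd", "ls"}
RCLONE_FLAGS = {"--config", "--transfers", "--progress", "-P", "--no-check-certificate"}


def looks_like_rclone(cmd):
    """True if a command line reads like an rclone invocation, whatever the exe name."""
    argv = cmd.split()
    if not any(a.lower() in RCLONE_VERBS for a in argv[1:]):
        return False
    # an rclone remote is "name:path"; a drive letter ("C:\...") has one char before ':'
    has_remote = any(re.fullmatch(r"[A-Za-z0-9_-]{2,}:.*", a) for a in argv[1:])
    return has_remote or any(a in RCLONE_FLAGS for a in argv)


def classify(event):
    """Return alert strings for one Sysmon-style process-creation event (a dict)."""
    alerts = []
    meta = " ".join(str(event.get(k, "")) for k in
                    ("Image", "OriginalFileName", "Product", "Description", "Company")).lower()
    cmd = event.get("CommandLine", "")
    for name in RMM_NAMES:
        if name in meta and name not in APPROVED:
            alerts.append(f"unapproved RMM tool: {name}")
    if "winscp" in meta or "winscp" in cmd.lower():
        alerts.append("WinSCP execution")
    if looks_like_rclone(cmd):
        alerts.append("rclone-style command line (possibly renamed binary)")
    return alerts


def scan(events):
    """Map each flagged event's Image to its alerts; events with no alert are omitted."""
    return {e["Image"]: classify(e) for e in events if classify(e)}


# Constructed sample events (not from any real incident).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\jdoe\Downloads\AnyDesk.exe", "Product": "AnyDesk",
     "Company": "AnyDesk Software GmbH", "CommandLine": "AnyDesk.exe"},
    {"Image": r"C:\Program Files\Syncro\agent.exe", "Product": "Syncro", "CommandLine": "agent.exe"},
    {"Image": r"C:\Users\jdoe\Downloads\WinSCP.exe", "OriginalFileName": "WinSCP.exe",
     "Product": "WinSCP", "CommandLine": r"WinSCP.exe /script=up.txt"},
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe", "OriginalFileName": "-",
     "CommandLine": r"update.exe copy C:\Clients\Matters rem:share --transfers 16"},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c copy C:\a.txt D:\b.txt"},
]
```

Running `scan(SAMPLE_EVENTS)` flags the AnyDesk, WinSCP and renamed-rclone events and stays silent on the approved Syncro agent and on a plain `cmd.exe copy`.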


Read more: https://cyble.com/blog/fbi-warns-silent-ransom-targeting-us-law-firms/