FBI warns US-based law firms to be on the lookout for cybercrime group that steals data in person
FBI alerts law firms to Silent Ransom Group's unique in-person data theft tactics.
Summary
The FBI has warned U.S.-based law firms about Silent Ransom Group, a data extortion operation that combines social engineering with in-person visits to steal data directly from workstations. The group, which likely operates from Russia and emerged in 2022 after Conti disbanded, has claimed over 100 attacks with a particular focus on the legal sector since mid-2023. This dual-method approach—impersonating IT support and physically accessing computers when remote tactics fail—is extraordinarily rare in the cybercrime ecosystem and has proven highly effective against law firms.
Full text
Silent Ransom Group, a long-running data extortion operation, continues to hit U.S.-based law firms by impersonating IT support and, in some cases, visiting victims in person to gain physical access to computers, the FBI said in an alert Tuesday.
The closed group, which likely operates from Russia and emerged in 2022 after Conti disbanded, has claimed responsibility for more than 100 attacks with activity surging during the past few months, according to researchers. The FBI’s warning comes exactly one year after the agency released a previous alert about Silent Ransom Group consistently targeting law firms since mid-2023.
The group doesn’t deploy encryption, but its dual use of social engineering and in-person visits for data theft is extremely rare with no known parallels across the vast cybercrime ecosystem, multiple experts told CyberScoop.
“There were probably a lot of times that this failed before it started succeeding because there’s a lot of trial-and-error involved,” said Allan Liska, field chief information security officer at Recorded Future. Whereas other ransomware groups would rather move on to other tactics or targets, “Silent Ransom Group has seen the value especially in going after law firms, and so they’re willing to put the extra effort into it,” he added.
The data extortion group, which is also tracked as Chatty Spider, UNC3753 and Storm-0252, isn’t as prolific as more high-tempo ransomware groups. Yet, it’s having a noticeable impact due to its proven knack for attacking organizations in the legal sector.
Halcyon tracked 134 ransomware incidents against law firms and legal services during the first quarter of this year, making it the fourth-most targeted industry accounting for more than 6% of all ransomware attacks the company tracked during the period.
Silent Ransom Group and Inc, a ransomware-as-a-service operation dating back to mid-2023, are largely responsible for that uptick, said Cynthia Kaiser, senior vice president at Halcyon’s Ransomware Research Center.
“Silent was the first group to really just be targeting law firms, and they’ve targeted major law firms” with a clear understanding of what’s most problematic for organizations in that segment, she added. “The theft of data in and of itself is the biggest issue for the law firms, so they’re tailoring a lot of their operations around what they know about the sector.”
Law firms are a rich target because data theft creates huge privilege and reputational problems, which creates the perception they might be more willing to pay high extortion demands, Kaiser said.
Silent Ransom Group’s social engineering scheme involves phone calls or phishing emails that urge employees to call one of the group’s associates posing as IT support, the FBI said. If the group’s attempt to gain access to the employee’s computer via remote access tools fails, it sends an associate to the victim’s location to physically attach a storage device to the victim’s workstation.
This extra step is unique and places Silent Ransom Group in a completely different mode of operation than its peers in ransomware and data theft extortion. Some aggressive data theft extortion groups have harassed and threatened executives and employees with physical violence, but in-person visits for data theft are extraordinary.
“While Flashpoint has observed threat actors soliciting or co-opting both witting and unwitting insiders, we have not observed them physically sending attackers to victim locations. This tactic carries significant risk, as threat actors are able to use technology to obscure their real-world identities,” said Ian Gray, vice president of cyber threat intelligence operations at Flashpoint.
Joe Slowik, director of cybersecurity alerting strategy at Dataminr, said it’s easy to question why potential victims would fall for this tactic. “However, humans in the workplace need to implicitly trust others to get their jobs done,” he said.
“Questioning everything, while seemingly desirable, introduces significant friction and distrust in workplace environments and limits productivity in arbitrary ways,” Slowik added. “Criminal entities will continue to prey on human weaknesses and dependencies for success, and placing the burden solely on employees to defend against this is unfair and unreasonable.”
The FBI did not provide details about the people Silent Ransom Group uses to initiate the fake IT support calls or visit victims in person. Yet, with the group’s operators based in Russia, researchers speculate gig workers or subcontractors are playing a critical role by placing voice-based phishing calls in a common language and visiting victims at their workplace.
Liska said he’s under the impression the group is using freelance taskers that don’t necessarily know they are committing a crime. “They may be suspicious, but you know, they need the money,” he said.
“It’s kind of like a Doordash person that delivers Arby’s,” Liska said. “You know you’re doing really bad things to people, but you know what, they’re paying you to deliver.”