The Silent Ransom Group (SRG), also tracked as Luna Moth, Chatty Spider, and UNC3753, is a cybercriminal syndicate specializing in data exfiltration extortion. Emerging from the remnants of the Conti ransomware group in March 2022, SRG has refined its focus on social engineering, callback phishing, and legitimate tool abuse to steal sensitive data from high-value targets, primarily U.S. law firms and financial institutions.
Unlike traditional ransomware actors, SRG avoids encryption, instead leveraging stolen data for multi-million-dollar extortion demands ($1M–$8M). This report provides an exhaustive analysis of SRG’s tactics, operational infrastructure, and actionable defense strategies.
Background and Evolution
Origins and Splintering from Conti
- Conti Syndicate Roots: SRG members originated from the Conti ransomware operation, a prolific Russian-aligned group linked to BazarCall campaigns and Ryuk/Conti ransomware deployments.
- Post-Conti Shutdown (March 2022): After Conti disbanded due to internal leaks and law enforcement pressure, SRG formed as an independent entity, retaining Conti’s social engineering expertise but pivoting to pure data extortion.
Campaign Timeline
- 2022: Initial campaigns focused on BazarCall-style callback phishing to deploy ransomware.
- 2023: Shift to data theft extortion, targeting legal/financial sectors.
- 2024: Expansion of typosquatted domain registrations and RMM tool abuse.
Operational Framework
Core Objectives
- Data Exfiltration: Steal sensitive documents (client contracts, financial records, litigation details).
- Psychological Extortion: Pressure victims via phone calls, emails, and threats of data leaks.
- Profit Maximization: Tailor ransom demands to victim revenue (1–8% of annual income).
Tactics, Techniques, and Procedures (TTPs)
Aligned with MITRE ATT&CK Framework:
| Phase | Tactics | Tools/Techniques |
|---|
| Initial Access | Callback phishing, typosquatted domains, fake IT support impersonation | Spoofed emails, fake helpdesk portals, VoIP calls |
| Execution | Social engineering to install RMM software (e.g., AnyDesk, TeamViewer) | Malicious links to fake IT support sites, PowerShell scripts |
| Persistence | Minimal; focuses on rapid data exfiltration | Legitimate RMM tools, scheduled tasks |
|
Attack Lifecycle Deep Dive
Stage 1: Reconnaissance and Impersonation
- Typosquatting Domains: Registrations mimicking major U.S. law firms (e.g., `sullivancromwell-support[.]com` vs. legitimate `sullivancromwell.com`).
- Phishing Lures: Emails impersonating IT departments with urgent requests (e.g., “Your account will be locked within 24 hours – call [spoofed number]”).
Stage 2: Callback Phishing and RMM Deployment
- Social Engineering Playbook:
- Victim calls fake helpdesk number provided in phishing email.
- Attackers pose as IT staff, convincing target to visit a typosquatted domain.
- Victim downloads “critical security updates,” which are disguised RMM tools.
- RMM Abuse: Tools like Splashtop or ScreenConnect grant persistent remote access.
Stage 3: Data Hunting and Exfiltration
- Rapid Triage: Attackers spend 2–4 hours per compromised device:
- Search for keywords: “confidential,” “merger,” “tax,” “client.”
- Target shared drives (e.g., `\\NAS\legal_docs`).
- Exfiltration Methods:
- WinSCP: Uploads to attacker-controlled SFTP servers.
- Rclone: Syncs data to cloud storage (Mega.nz, Dropbox).
Stage 4: Extortion and Negotiation
- Ransom Notes: Sent via email/Tor payment portals, threatening to:
- Auction data on dark web forums.
- Contact clients/partners with stolen documents.
- Call-Based Pressure: Attackers phone employees directly, impersonating executives or legal advisors to accelerate payments.
Target Analysis
Sector Focus
- Law Firms: High-value due to sensitive case files, client privileged communications, and financial transaction records.
- Financial Services: Targets include hedge funds, accounting firms, and investment banks.
Victimology
- Geographic Focus: 85% of victims in the U.S., with clusters in New York, Washington D.C., and California.
- Size: Mid-sized firms (50–500 employees) lacking mature SOC capabilities.
Mitigation Strategies
Technical Controls
- Block RMM and Unauthorized Tools:
- Use application allowlisting to block unauthorized RMM software.
- Monitor for processes like `winscp.exe` or `rclone.exe` in non-admin contexts.
- Network Segmentation:
- Isolate sensitive data repositories (e.g., legal case files) with strict access controls.
- Deploy microsegmentation to limit lateral movement.
- Detect Exfiltration Signatures:
- Flag large outbound transfers (>10GB) via SFTP/HTTPS.
- Use DLP solutions to block unauthorized uploads to cloud storage.
Human-Centric Defenses
- Phishing Simulations: Train employees to:
- Recognize typosquatted domains (e.g., “sullivancromwel.com”).
- Verify IT requests via secondary channels (e.g., Slack, in-person).
- Callback Phishing Response Protocol:
- Mandate that all IT support requests originate from internal ticketing systems.
- Use VoIP call filtering to block spoofed numbers.
Incident Response Preparation
- Pre-Negotiation Planning: Designate legal/cyber insurance teams to handle extortion communications.
- Backup and Recovery:
- Maintain air-gapped, encrypted backups tested quarterly.
- Implement versioning to recover from data corruption.
SRG Attack on a U.S. Law Firm
Attack Timeline
- Day 1: Phishing email sent to paralegal: “Urgent: Your Microsoft 365 license has expired.”
- Day 2: The paralegal calls a fake helpdesk and installs AnyDesk.
- Day 3: Attackers exfiltrate 2TB of merger/acquisition documents via Rclone.
- Day 5: Ransom note demands $5.2 million.
Lessons Learned
- Failure Points: Lack of MFA on RMM tools, no network segmentation for client data.
- Post-Incident Actions: Implemented Zero Trust access controls and quarterly phishing drills.
Legal and Regulatory Implications
- GDPR/CCPA Compliance: Breached firms face fines for failing to protect client data.
- Ethical Obligations: Law firms are required to disclose breaches to clients under the ABA Model Rules.