# Silent Ransom Group (Luna Moth) targets US law firms via social engineering, dat...
The **Silent Ransom Group (SRG)**, also tracked as **Luna Moth**, **Chatty Spider**, and **UNC3753**, is a cybercriminal syndicate specializing in **data exfiltration extortion**. Emerging from the remnants of the [Conti ransomware](https://www.secureblink.com/cyber-security-news/lock-bit-ransomware-new-encryptor-and-impact-on-the-derivatives-trading-market) group in March 2022, SRG has refined its focus on **social engineering**, **callback phishing**, and **legitimate tool abuse** to steal sensitive data from high-value targets, primarily U.S. law firms and financial institutions.
Unlike traditional ransomware actors, SRG avoids encryption, instead leveraging stolen data for **multi-million-dollar extortion demands** ($1M–$8M). This report provides an exhaustive analysis of SRG’s tactics, operational infrastructure, and actionable defense strategies.
## **Background and Evolution**
### **Origins and Splintering from Conti**
- **Conti Syndicate Roots**: SRG members originated from the Conti ransomware operation, a prolific Russian-aligned group linked to **BazarCall** campaigns and **Ryuk/Conti** ransomware deployments.
- **Post-Conti Shutdown (March 2022)**: After Conti disbanded due to internal leaks and law enforcement pressure, SRG formed as an independent entity, retaining Conti’s social engineering expertise but pivoting to **pure data extortion**.
### **Campaign Timeline**
- **2022**: Initial campaigns focused on **BazarCall**-style callback phishing to deploy ransomware.
- **2023**: Shift to **data theft extortion**, targeting legal/financial sectors.
- **2024**: Expansion of **typosquatted domain registrations** and RMM tool abuse.
## **Operational Framework**
### **Core Objectives**
- **Data Exfiltration**: Steal sensitive documents (client contracts, financial records, litigation details).
- **Psychological Extortion**: Pressure victims via phone calls, emails, and threats of data leaks.
- **Profit Maximization**: Tailor ransom demands to victim revenue (1–8% of annual income).
### **Tactics, Techniques, and Procedures (TTPs)**
Aligned with the **MITRE ATT&CK** framework:
| **Phase** | **Tactics** | **Tools/Techniques** |
|-------------------------|-----------------------------------------------------------------------------|-------------------------------------------------------------------------------------|
| **Initial Access** | Callback phishing, typosquatted domains, fake IT support impersonation | Spoofed emails, fake helpdesk portals, VoIP calls |
| **Execution** | Social engineering to install RMM software (e.g., AnyDesk, TeamViewer) | Malicious links to fake IT support sites, PowerShell scripts |
| **Persistence** | Minimal; focuses on rapid data exfiltration | Legitimate RMM tools, scheduled tasks |
| **Privilege Escalation**| Limited; exploits default user permissions | Credential harvesting via keyloggers, browser data extraction |
| **Exfiltration** | Uses WinSCP (SFTP) and Rclone (cloud sync) | Data staged in compressed archives, exfiltrated via HTTPS/SSH |
| **Impact** | Extortion via threats to leak/sell data, direct phone calls to executives | Dedicated leak site (rarely updated), follow-up harassment |
## **Attack Lifecycle Deep Dive**
### **Stage 1: Reconnaissance and Impersonation**
- **Typosquatting Domains**: Registrations mimicking major U.S. law firms (e.g., `sullivancromwell-support[.]com` vs. legitimate `sullivancromwell.com`).
- **Phishing Lures**: Emails impersonating IT departments with urgent requests (e.g., “Your account will be locked within 24 hours – call [spoofed number]”).
### **Stage 2: Callback Phishing and RMM Deployment**
- **Social Engineering Playbook**:
  1. The victim calls the fake helpdesk number provided in the phishing email.
  2. Attackers pose as IT staff, convincing the target to visit a typosquatted domain.
  3. The victim downloads “critical security updates,” which are disguised RMM tools.
- **RMM Abuse**: Tools like **Splashtop** or **ScreenConnect** grant persistent remote access.
### **Stage 3: Data Hunting and Exfiltration**
- **Rapid Triage**: Attackers spend 2–4 hours per compromised device:
  - Search for keywords: “confidential,” “merger,” “tax,” “client.”
  - Target shared drives (e.g., `\\NAS\legal_docs`).
- **Exfiltration Methods**:
  - **WinSCP**: Uploads to attacker-controlled SFTP servers.
  - **Rclone**: Syncs data to cloud storage (Mega.nz, Dropbox).
### **Stage 4: Extortion and Negotiation**
- **Ransom Notes**: Sent via email/Tor payment portals, threatening to:
  - Auction data on dark web forums.
  - Contact clients/partners with stolen documents.
- **Call-Based Pressure**: Attackers phone employees directly, impersonating executives or legal advisors to accelerate payments.
## **Target Analysis**
### **Sector Focus**
- **Law Firms**: High-value due to sensitive case files, client privileged communications, and financial transaction records.
- **Financial Services**: Targets include hedge funds, accounting firms, and investment banks.
### **Victimology**
- **Geographic Focus**: 85% of victims in the U.S., with clusters in New York, Washington D.C., and California.
- **Size**: Mid-sized firms (50–500 employees) lacking mature SOC capabilities.
## **Mitigation Strategies**
### **Technical Controls**
- **Block RMM and Unauthorized Tools**:
  - Use application allowlisting to block unauthorized RMM software.
  - Monitor for processes like `winscp.exe` or `rclone.exe` in non-admin contexts.
- **Network Segmentation**:
  - Isolate sensitive data repositories (e.g., legal case files) with strict access controls.
  - Deploy microsegmentation to limit lateral movement.
- **Detect Exfiltration Signatures**:
  - Flag large outbound transfers (>10 GB) via SFTP/HTTPS.
  - Use DLP solutions to block unauthorized uploads to cloud storage.
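The two detection controls above (watched tool binaries outside admin sessions, and >10 GB of outbound SFTP/HTTPS traffic from one host) applied to constructed log records, as an added example that is not code from the original report. Hostnames, users, group names, and byte counts are invented for illustration.

```python
import re
from collections import defaultdict

# Added example, not from the original report: apply the two controls above to
# constructed log records. Hosts, users, groups, and byte counts are invented.
WATCHED_BINARIES = {"winscp.exe", "rclone.exe", "anydesk.exe", "screenconnect.exe"}
ADMIN_GROUPS = {"domain admins", "it-admins"}          # assumed admin group names
EXFIL_THRESHOLD_BYTES = 10 * 1024**3                   # page threshold: >10 GB outbound

# Constructed process-creation events (key=value; quoted values may contain spaces).
PROCESS_EVENTS = """\
host=WS-PARALEGAL-07 user=jdoe group=Legal-Staff image="C:\\Users\\jdoe\\AppData\\Local\\Temp\\rclone.exe"
host=WS-PARALEGAL-07 user=jdoe group=Legal-Staff image="C:\\Windows\\System32\\notepad.exe"
host=SRV-IT-01 user=admin.kim group=IT-Admins image="C:\\Program Files (x86)\\WinSCP\\WinSCP.exe"
host=WS-FINANCE-02 user=mlee group=Finance image="C:\\Users\\mlee\\Downloads\\AnyDesk.exe"
"""

# Constructed per-flow egress records from a firewall or NetFlow export.
FLOW_RECORDS = """\
host=WS-PARALEGAL-07 dst_port=22 bytes_out=6442450944
host=WS-PARALEGAL-07 dst_port=22 bytes_out=5368709120
host=WS-FINANCE-02 dst_port=443 bytes_out=734003200
host=SRV-IT-01 dst_port=443 bytes_out=1073741824
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_kv(line):
    """Parse one key=value log line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def flag_tool_misuse(events):
    """Return (host, user, binary) for watched binaries launched outside admin groups."""
    hits = []
    for line in events.splitlines():
        ev = parse_kv(line)
        binary = ev["image"].rsplit("\\", 1)[-1].lower()   # strip the directory path
        if binary in WATCHED_BINARIES and ev["group"].lower() not in ADMIN_GROUPS:
            hits.append((ev["host"], ev["user"], binary))
    return hits

def flag_bulk_egress(flows, threshold=EXFIL_THRESHOLD_BYTES):
    """Sum outbound bytes per host over SFTP (22) and HTTPS (443); report hosts over threshold."""
    totals = defaultdict(int)
    for line in flows.splitlines():
        rec = parse_kv(line)
        if rec["dst_port"] in {"22", "443"}:
            totals[rec["host"]] += int(rec["bytes_out"])
    return {host: total for host, total in totals.items() if total > threshold}
```

Note that the admin check is by group membership rather than process integrity level, so a legitimate WinSCP launch by the IT team is not flagged while the same binary under a paralegal account is.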
### **Human-Centric Defenses**
- **Phishing Simulations**: Train employees to:
  - Recognize typosquatted domains (e.g., “sullivancromwel.com”).
  - Verify IT requests via secondary channels (e.g., Slack, in-person).
- **Callback Phishing Response Protocol**:
  - Mandate that all IT support requests originate from internal ticketing systems.
  - Use VoIP call filtering to block spoofed numbers.
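The typosquat patterns the report describes (a real firm name with an appended token such as `-support`, and a near-miss misspelling such as `sullivancromwel.com`) turned into a screening check for sender and link domains, as an added example that is not code from the original report. Only `sullivancromwell.com` comes from the report; the second allowlist entry, the edit-distance tolerance and the two-label domain reduction are assumptions.

```python
import re

# Added example, not from the original report: screen sender or link domains for the
# two lure patterns described above. Only sullivancromwell.com appears in the report;
# the second allowlist entry and the tolerance below are constructed assumptions.
LEGIT_DOMAINS = {"sullivancromwell.com", "examplelawfirm.com"}   # firm's own / counterpart domains
MAX_EDIT_DISTANCE = 2          # assumed tolerance for misspellings such as "sullivancromwel"

def levenshtein(a, b):
    """Classic edit distance; labels are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(value):
    """Reduce a URL or host (possibly defanged with '[.]') to its last two labels.
    Assumption: two labels suffice here; production code should use the Public Suffix List."""
    host = value.lower().replace("[.]", ".")
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", host).split("/")[0].split("@")[-1].split(":")[0]
    return ".".join(host.strip(".").split(".")[-2:])

def classify(value):
    """Return 'legitimate', 'typosquat', or 'unrelated' for a sender/link domain."""
    domain = registrable(value)
    if domain in LEGIT_DOMAINS:
        return "legitimate"
    brand = domain.split(".")[0]
    for legit in LEGIT_DOMAINS:
        legit_brand = legit.split(".")[0]
        # Pattern 1: the real brand embedded in a longer label or under another TLD,
        # e.g. sullivancromwell-support.com or sullivancromwell.net.
        if legit_brand in brand:
            return "typosquat"
        # Pattern 2: a near-miss spelling, e.g. sullivancromwel.com (distance 1).
        if levenshtein(brand, legit_brand) <= MAX_EDIT_DISTANCE:
            return "typosquat"
    return "unrelated"
```

A mail gateway or proxy can run `classify` over the `From` domain and every link host; anything returned as `typosquat` is a candidate for quarantine and for the secondary-channel verification step above.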
### **Incident Response Preparation**
- **Pre-Negotiation Planning**: Designate legal/cyber insurance teams to handle extortion communications.
- **Backup and Recovery**:
  - Maintain air-gapped, encrypted backups tested quarterly.
  - Implement versioning to recover from data corruption.
## **SRG Attack on a U.S. Law Firm**
### **Attack Timeline**
- **Day 1**: Phishing email sent to paralegal: “Urgent: Your Microsoft 365 license has expired.”
- **Day 2**: The paralegal calls a fake helpdesk and installs AnyDesk.
- **Day 3**: Attackers exfiltrate 2TB of merger/acquisition documents via Rclone.
- **Day 5**: Ransom note demands $5.2 million.
### **Lessons Learned**
- **Failure Points**: Lack of MFA on RMM tools, no network segmentation for client data.
- **Post-Incident Actions**: Implemented Zero Trust access controls and quarterly phishing drills.
## **Legal and Regulatory Implications**
- **GDPR/CCPA Compliance**: Breached firms face fines for failing to protect client data.
- **Ethical Obligations**: Law firms are required to disclose breaches to clients under the ABA Model Rules.