
The Silent Ransom Group, also tracked as UNC3753, has launched a wave of vishing attacks against US law firms, professional services and financial organisations, posing as IT staff to trick employees into handing over access to sensitive data, according to research from Google Cloud. The campaign has been observed since January 2026 and relies on phone‑based deception rather than software vulnerabilities.
Initial contact begins with an innocuous email that prompts the recipient to expect a follow‑up call, during which the attacker convinces the victim to launch a legitimate screen‑sharing or remote‑desktop session. Once the connection is established the intruders move laterally, harvest credentials and exfiltrate files using tools such as WinSCP or Rclone, avoiding traditional malware detection.
In some cases the group escalates to physical visits or direct phone calls, inserting a USB device to run a script that establishes a foothold without triggering antivirus alerts. The FBI advisory outlines these tactics and notes that the attackers often demand payment shortly after acquiring valuable client data or internal correspondence.
Between January and May 2026 the group carried out numerous intrusions, stealing billable hour records, merger documents and confidential communications before issuing ransom notes. The activity is linked to the threat cluster tracked as Luna Moth, which has been financially motivated since at least 2023 and focuses on data theft for extortion.
Defenders should train staff to verify unexpected IT support calls by calling back on a known number and to question any request for remote access that was not pre‑arranged. Organisations are advised to disable or tightly control screen‑sharing applications, enforce multi‑factor authentication on all remote services and monitor for unusual outbound transfers of large files.
Network segmentation can limit an intruder’s ability to move from a compromised workstation to file servers, while endpoint detection and response tools should be tuned to flag the use of WinSCP or Rclone by non‑admin accounts. Additionally, blocking unauthorised USB devices and reviewing login logs for atypical geographic locations help catch the technique early.
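The rule of flagging WinSCP or Rclone when run by non-admin accounts can be sketched as a filter over process-creation events. This is an added example, not code from the advisory or the research; the account names and sample events are constructed, and the field names follow Sysmon Event ID 1.

```python
from pathlib import PureWindowsPath

# Transfer tools named in the article (winscp.com is WinSCP's console binary).
TRANSFER_TOOLS = {"winscp.exe", "winscp.com", "rclone.exe"}

# Assumption: hypothetical accounts that are approved to run these tools.
ADMIN_ACCOUNTS = {r"corp\it-admin", r"corp\svc-backup"}

# Constructed sample events using Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    {"User": r"CORP\jsmith", "OriginalFileName": "rclone.exe",
     "Image": r"C:\Users\jsmith\Downloads\rclone.exe"},
    {"User": r"CORP\it-admin", "OriginalFileName": "winscp.exe",
     "Image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe"},
    {"User": r"CORP\mlee", "OriginalFileName": "rclone.exe",
     "Image": r"C:\Users\mlee\AppData\Local\Temp\sync_helper.exe"},
    {"User": r"CORP\mlee", "OriginalFileName": "WinWord.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
]


def flag_transfer_tools(events, admins=ADMIN_ACCOUNTS):
    """Return one alert per transfer-tool launch by a non-approved account."""
    approved = {a.lower() for a in admins}
    alerts = []
    for ev in events:
        on_disk = PureWindowsPath(ev.get("Image", "")).name.lower()
        # OriginalFileName comes from the PE version resource, so it still
        # matches when the copy on disk was saved under a different name.
        embedded = ev.get("OriginalFileName", "").lower()
        hits = {on_disk, embedded} & TRANSFER_TOOLS
        if not hits:
            continue
        if ev.get("User", "").lower() in approved:
            continue  # approved account: expected use, no alert
        alerts.append({
            "user": ev.get("User", ""),
            "tool": sorted(hits)[0],
            "image": ev.get("Image", ""),
            "renamed": on_disk not in TRANSFER_TOOLS,
        })
    return alerts


if __name__ == "__main__":
    for alert in flag_transfer_tools(SAMPLE_EVENTS):
        print(alert)
```

In production the same condition would normally live in the EDR or SIEM rule language, with the approved list drawn from a directory group rather than a hard-coded set.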
Keeping incident response plans up to date and sharing indicators of compromise with peers and ISACs improves the chance of spotting a vishing‑based intrusion before data is lost.
Law firms hold privileged information such as intellectual property, litigation strategies and personal data of high‑net‑worth clients, making the stolen material especially valuable on underground markets. Ransom notes frequently threaten to release the data unless payment is made in cryptocurrency within a tight deadline.