Ransomware | LUNA-MOTH-LAW | 2026-06-23

US Law Firms: Luna Moth Social-Engineering Extortion

More than 100 US law firms have been hit by the Silent Ransom Group, also tracked as Luna Moth and UNC3753, in a sustained extortion campaign spanning 2025 and 2026. One victim paid a $20 million ransom in May 2026. The FBI has issued two separate FLASH alerts in a 13-month window, and Mandiant documented dozens of organizations breached between January and May 2026 alone. The most alarming detail: the group has claimed over 100 attacks since 2022 without deploying a single line of ransomware code.

What Happened

Silent Ransom Group (SRG) is a financially motivated cybercrime operation that emerged in March 2022 following the collapse of the Conti ransomware syndicate. Researchers track it under four aliases: Luna Moth, Chatty Spider, UNC3753, and LeakedData. Its infrastructure and operational patterns suggest a Russia-based origin, though attribution remains presumed rather than legally confirmed.

In 2025 and 2026, operators escalated from remote intrusions to physical office visits, walking into US law firm locations while posing as IT technicians and plugging USB devices directly into workstations. This in-person social engineering ran in parallel with a high-volume vishing operation. The FBI has confirmed SRG runs a professional, English-speaking call center dating to at least 2022, enabling phone-based pretexting that is effectively indistinguishable from legitimate IT support. The campaign culminated in a confirmed $20 million payment from a single victim in May 2026, prompting the FBI's repeat FLASH advisories.

What Was Taken

SRG does not encrypt files. It steals highly sensitive data and demands payment under threat of publishing or selling it on a dark web leak site. For law firms, the stolen material is uniquely coercive: attorney-client privileged communications, litigation strategy documents, merger and acquisition details, regulatory findings, and personally identifiable information spanning thousands of client matters.

Under extortion, that data is worth far more than an encryption-based ransom demand would yield. As researchers at Halcyon noted in their June 2026 analysis, "Law firm data is a uniquely coercive asset. Clients, opposing parties, regulators, and the bar itself all become potential vectors of reputational and legal exposure the moment a threat actor holds that data." SRG also targets insurance, healthcare, and financial services entities, but US law firms remain its primary and most consistent focus.

Why It Matters

This campaign breaks the assumptions baked into most defensive tooling. Traditional endpoint detection built around ransomware encryption behaviors simply does not fire against SRG, because there is nothing to encrypt and no malicious binary to flag. The group relies almost exclusively on legitimate remote access and data transfer tools, a technique known as "living off the land" (LOTL): no custom malware, no suspicious binaries, and no signatures for signature-based antivirus to match.

The shift to physical office intrusions raises the stakes further. A threat actor standing at a workstation in a law firm lobby bypasses perimeter controls, email filtering, and most network monitoring in a single move. Combined with a professional call center and a four-year track record of tactical evolution, SRG represents a mature, patient adversary that has industrialized social engineering against a high-value sector.

The Attack Technique

SRG's access path is human, not technical. The group has run three distinct attack phases since 2022, evolving from phishing emails to high-volume vishing to, most recently, in-person impersonation. In the 2025-2026 wave, operators presented themselves as IT technicians, gained physical access to firm offices, and inserted USB devices into employee workstations to establish a foothold.

From there, they pivot to legitimate remote access and data exfiltration utilities rather than malware, blending into normal administrative activity. The reliance on LOTL tooling and trusted human pretexts means the entire intrusion can complete without tripping endpoint or antivirus alerts. The result is quiet, persistent access used purely for bulk data theft and subsequent extortion.

What Organizations Should Do

  1. Treat unscheduled "IT support" contact as a threat vector. Establish a verified callback procedure and a known internal number for any technician request, whether by phone or in person.
  2. Lock down physical access and USB ports. Enforce visitor escort policies, badge controls, and device control policies that block unauthorized USB mass-storage and HID devices at the endpoint.
  3. Monitor for data exfiltration, not just encryption. Deploy data loss prevention and egress monitoring tuned to detect large or unusual outbound transfers via legitimate remote access and file-transfer tools.
  4. Inventory and restrict remote access tooling. Allowlist approved remote support software and alert on the installation or execution of any unsanctioned remote access utility.
  5. Train staff on vishing and impersonation. Run targeted awareness drills covering phone pretexting and on-site technician impersonation, with clear escalation paths for suspicious contact.
  6. Review the FBI FLASH alerts and apply the published indicators. Map detections to SRG's LOTL behavior and assume signature-based antivirus alone will not catch this actor.
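Recommendations 3 and 4 above both come down to detection logic that watches behavior rather than binaries: alert when a remote-access program outside the approved set starts, and alert when one host pushes an unusual volume of data outbound within a short window. The following Python sketch, added here as an illustration and not part of the brief, the FBI alerts, or any vendor's detection content, runs both checks over constructed JSON-lines telemetry. The field names (`event_type`, `host`, `user`, `image`, `direction`, `bytes_out`), the placeholder sanctioned tool `firm-remote-support.exe`, the catalog of remote-access executables, and the 2 GiB-per-hour threshold are all assumptions an organization would replace with its own inventory and baselines.

```python
"""Flag unsanctioned remote-access tools and bulk outbound transfers.

Added example for this brief; not the brief's, the FBI's, or any vendor's own
detection content. Event records are constructed samples in a generic
JSON-lines shape, and the field names are assumptions about the telemetry.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The firm's sanctioned remote-support tool (assumed placeholder name).
APPROVED_REMOTE_TOOLS = {"firm-remote-support.exe"}

# Illustrative catalog of executables that belong to remote-access products.
# An organization would replace this with its own software inventory; it is
# not a claim about which tools any particular actor uses.
REMOTE_ACCESS_CATALOG = {
    "firm-remote-support.exe",
    "anydesk.exe",
    "teamviewer.exe",
    "rustdesk.exe",
    "screenconnect.clientservice.exe",
}

EGRESS_THRESHOLD_BYTES = 2 * 1024 ** 3   # 2 GiB outbound from one host ...
EGRESS_WINDOW = timedelta(hours=1)       # ... within any one-hour window

# Constructed sample telemetry: one sanctioned remote-support session, one
# unsanctioned remote-access binary launched from a Downloads folder, and a
# burst of large outbound flows from that same workstation.
SAMPLE_LOG = r"""
{"ts": "2026-05-12T09:02:11", "event_type": "process_start", "host": "WS-LEGAL-07", "user": "jdoe", "image": "C:\\Program Files\\FirmRemote\\firm-remote-support.exe"}
{"ts": "2026-05-12T12:47:30", "event_type": "process_start", "host": "WS-LEGAL-12", "user": "rsmith", "image": "C:\\Users\\rsmith\\Downloads\\AnyDesk.exe"}
{"ts": "2026-05-12T12:50:02", "event_type": "process_start", "host": "WS-LEGAL-12", "user": "rsmith", "image": "C:\\Windows\\System32\\notepad.exe"}
{"ts": "2026-05-12T13:05:00", "event_type": "net_flow", "host": "WS-LEGAL-12", "direction": "outbound", "bytes_out": 950000000}
{"ts": "2026-05-12T13:22:00", "event_type": "net_flow", "host": "WS-LEGAL-12", "direction": "outbound", "bytes_out": 950000000}
{"ts": "2026-05-12T13:41:00", "event_type": "net_flow", "host": "WS-LEGAL-12", "direction": "outbound", "bytes_out": 950000000}
{"ts": "2026-05-12T16:10:00", "event_type": "net_flow", "host": "WS-LEGAL-12", "direction": "outbound", "bytes_out": 950000000}
{"ts": "2026-05-12T13:30:00", "event_type": "net_flow", "host": "WS-LEGAL-07", "direction": "outbound", "bytes_out": 120000000}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def _basename(image):
    """Executable name from a Windows or POSIX path, lower-cased for matching."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def unsanctioned_remote_tools(events):
    """Recommendation 4: alert on any remote-access binary outside the allowlist."""
    alerts = []
    for e in events:
        if e.get("event_type") != "process_start":
            continue
        name = _basename(e["image"])
        if name in REMOTE_ACCESS_CATALOG and name not in APPROVED_REMOTE_TOOLS:
            alerts.append({"host": e["host"], "user": e["user"], "image": e["image"]})
    return alerts


def bulk_egress(events):
    """Recommendation 3: flag a host whose outbound bytes in any EGRESS_WINDOW
    exceed EGRESS_THRESHOLD_BYTES. One alert per host, at the first breach."""
    windows = defaultdict(deque)   # host -> deque of (ts, bytes) inside the window
    totals = defaultdict(int)      # host -> running sum of bytes in its deque
    alerted = set()
    alerts = []
    for e in events:
        if e.get("event_type") != "net_flow" or e.get("direction") != "outbound":
            continue
        host, ts = e["host"], e["ts"]
        win = windows[host]
        win.append((ts, e["bytes_out"]))
        totals[host] += e["bytes_out"]
        while ts - win[0][0] > EGRESS_WINDOW:   # drop flows that aged out
            totals[host] -= win.popleft()[1]
        if totals[host] > EGRESS_THRESHOLD_BYTES and host not in alerted:
            alerted.add(host)
            alerts.append({"host": host, "window_end": ts.isoformat(), "bytes_out": totals[host]})
    return alerts


def run(text=SAMPLE_LOG):
    """Run both checks over a JSON-lines telemetry string and return the alerts."""
    events = parse_events(text)
    return {"remote_tools": unsanctioned_remote_tools(events), "egress": bulk_egress(events)}


if __name__ == "__main__":
    for kind, items in run().items():
        for alert in items:
            print(kind, alert)
```

On the constructed sample, `run()` raises exactly two alerts: the AnyDesk launch from a user's Downloads folder on WS-LEGAL-12, and the 2.85 GB that the same host sent outbound between 13:05 and 13:41. The fourth flow at 16:10 falls outside the one-hour window and does not re-trigger. Both checks key on what runs and what leaves the network, which is the point of the recommendations: none of the sample events involves encryption or a malicious binary, so an encryption-focused rule would stay silent.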

Sources: Luna Moth Targets US Law Firms: $20M Ransom, 100+ Attacks [2026]