Silent Ransom Group Targets Organizations Through Social Engineering

By Daniel Lopez

Silent Ransom Group is conducting a social engineering campaign that impersonates IT support staff to gain access to organizational systems and exfiltrate sensitive data from targeted organizations.

Silent Ransom Group, also known as Luna Moth, Chatty Spider, and UNC3753, is a financially motivated threat group that targets law firms, healthcare organizations, insurance companies, and finance organizations. The group conducts data theft and extortion operations by infiltrating networks, extracting sensitive information, and demanding payment to prevent the stolen data from being leaked publicly or sold.

The group does not use ransomware to encrypt files. Its operations focus on obtaining access to systems, collecting data, and using the threat of public disclosure or sale of that data as leverage.

Silent Ransom Group has shown a pattern of targeting U.S. law firms. Attacks have also been conducted against insurance, finance, and healthcare organizations. The group has previously relied on phishing campaigns that use social engineering techniques to persuade employees to install remote access software.

One previously reported campaign involved phishing emails that informed recipients about a subscription service that was allegedly about to generate a charge. Recipients were instructed to call a telephone number to avoid the charge. During the call, victims were persuaded to download remote access software. The software provided persistent access to systems, allowing the threat actor to identify and exfiltrate data before issuing an extortion demand.

Latest Campaign

The latest campaign has been active since at least Spring 2026, according to a recent Federal Bureau of Investigation Cyber Alert.

In this campaign, a Silent Ransom Group actor pretends to be a member of the victim organization’s IT department. Contact is initiated by telephone. In some cases, email messages are used to request that the victim contact the individual by phone.

During the phone conversation, the victim is instructed to provide access to a remote desktop session under the pretense of resolving an IT-related problem. If remote access cannot be obtained, the threat actor may arrange an in-person visit to address the purported issue.

During an in-person visit, the threat actor inserts a storage device into the victim’s computer. The victim is informed that the device must be imaged or that a backup file must be created to address potential effects from a phishing email.

Data Exfiltration Methods

After obtaining access through either a remote session or physical access to a device, the actor performs only minimal privilege escalation and exfiltrates data quickly. Data may be transferred to internal file-sharing platforms, including Google Drive or Microsoft OneDrive, or exfiltrated using WinSCP or Rclone. In attacks involving in-person visits, data is copied to an external hard drive or USB drive.
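As an added illustration (not code from the article or the FBI alert), the following Python routine runs over constructed process-creation events in a Sysmon-like key=value form and flags the tooling named above: Rclone bulk transfers to a cloud remote and WinSCP execution. Host names, users, paths and the event format are all made up for the example.

```python
import re
from typing import Dict, List

# Process names tied to the exfiltration tooling described in the article.
EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}
# rclone subcommands that move data outward.
RCLONE_MOVE_CMDS = {"copy", "sync", "move"}
# rclone "remote:path" target syntax; a single letter before ":" is a Windows drive, not a remote.
REMOTE_ARG = re.compile(r"(?![A-Za-z]:)[\w-]+:")

# Constructed sample events in a flat key=value form (not real Sysmon output).
SAMPLE_EVENTS = [
    'Host=WS01 User=jdoe Image="C:\\Windows\\System32\\notepad.exe" CommandLine="notepad.exe notes.txt"',
    'Host=WS01 User=jdoe Image="C:\\Users\\jdoe\\AppData\\Local\\Temp\\rclone.exe" '
    'CommandLine="rclone.exe copy C:\\Shares\\Legal gdrive:backup --transfers 16"',
    'Host=WS02 User=asmith Image="C:\\Program Files (x86)\\WinSCP\\WinSCP.exe" CommandLine="WinSCP.exe /script=upload.txt"',
    'Host=WS03 User=bchen Image="C:\\Tools\\rclone.exe" CommandLine="rclone.exe lsd gdrive:"',
]

def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value line into a dict; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def classify(event: Dict[str, str]) -> str:
    """Return a finding label, or "" when the event does not involve the flagged tools."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image not in EXFIL_TOOLS:
        return ""
    if image == "rclone.exe":
        args = event.get("CommandLine", "").split()[1:]
        moves_data = any(a in RCLONE_MOVE_CMDS for a in args)
        targets_remote = any(REMOTE_ARG.match(a) for a in args)
        if moves_data and targets_remote:
            return "rclone bulk transfer to cloud remote"
        return "rclone execution"
    return "winscp execution"

def find_exfil_candidates(lines: List[str]) -> List[Dict[str, str]]:
    """Classify every event and return the flagged ones with host, user and finding."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        label = classify(ev)
        if label:
            findings.append({"host": ev.get("Host"), "user": ev.get("User"), "finding": label})
    return findings

if __name__ == "__main__":
    for finding in find_exfil_candidates(SAMPLE_EVENTS):
        print(finding)
```

Rclone and WinSCP also have legitimate administrative uses, so these hits are triage leads to be checked against the host's expected tooling and the user's role rather than verdicts on their own.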

Defensive Measures

Employee HIPAA training and awareness are essential components of defense against data breach campaigns of this kind. Verifying the identity of anyone who requests remote access or physical access to company facilities before granting it is also recommended.

Image credit: 1644277579 Rosi, AdobeStock


Posted by

Daniel Lopez

Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years' experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X: https://twitter.com/DanielLHIPAA