Silent Ransom Group
Silent Ransom Group is a financially motivated cyber extortion actor, also tracked as UNC3753, Luna Moth, and Chatty Spider. It has been active since at least 2022, with some reporting placing the start of activity at March 2022. The group focuses on data theft and extortion rather than file encryption, and has been described as shifting away from ransomware deployment to extortion-only operations. Reporting links the actor to the broader Conti ecosystem and notes tactical overlaps with UNC2686; it also states that UNC3753 deployed LOCKBIT.BLACK in 2022 before prioritizing data-theft extortion.

The actor relies heavily on social engineering rather than malware-first intrusion tradecraft. Its campaigns use callback phishing, voice phishing, and impersonation of internal IT help desk or support staff. Common lures include invoice-themed emails, data migration pretexts, and, earlier, subscription-themed billing emails. Victims are persuaded to join screen-sharing sessions via Zoom, Microsoft Teams, Quick Assist, Terminal Services, or similar tools, and then to install legitimate remote monitoring and management (RMM) software including AnyDesk, Bomgar, Zoho Assist, and SuperOps RMM. The group has also used privnote.com to share installation links and instructions.

After gaining access, Silent Ransom Group rapidly searches for and stages sensitive data, including legal agreements, tax forms, audit files, Social Security numbers, personally identifiable information, financial records, and other high-value corporate documents. Reporting specifically notes targeting of document repositories and cloud platforms such as iManage, OneDrive, SharePoint, and mapped network drives. Exfiltration methods directly mentioned include WinSCP, Rclone, FTP, browser-based uploads to attacker-controlled cloud storage, and email forwarding from victim accounts.
Multiple reports state the group often moves from initial contact to data theft within a single business day, and in some cases in under an hour, with extortion emails often sent within about 30 minutes of leaving the environment. Extortion threats include notifying employees, clients, partners, journalists, regulators, or customers, and publishing stolen data on the group's LEAKEDDATA or business-data-leaks.com leak site. U.S. law firms are consistently identified as the primary target, with additional targeting of legal, financial, professional services, insurance, healthcare, hospitality, accounting, and related organizations. Multiple reports describe active campaigns from January through May 2026 affecting dozens of U.S.-based organizations, especially law firms and financial or professional services firms.

A notable escalation is the use of in-person social engineering. If remote social engineering fails, individuals linked to the group have reportedly appeared at victim offices posing as IT technicians or support staff, claiming they need to image devices or create backups, then attempting to copy data directly to USB or other external drives. Reporting assesses these physical intrusion incidents as likely associated with UNC3753 based on structural, timeline, and targeting overlaps, while noting that limited forensic evidence prevented formal attribution in some cases.

Silent Ransom Group uses phishing domains following patterns such as <organization>-itdesk[.]com, <organization>-it[.]com, and <organization>-helpdesk[.]com. Separate reporting says the group operates leak infrastructure at business-data-leaks.com and has used fast-flux infrastructure backed by rotating residential IP addresses across multiple countries and ISPs to make takedown more difficult.
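As an added defender-side example (not from the profile's sources or from Mallory), the following Python flags observed hostnames that follow the helpdesk-impersonation domain patterns listed above, after normalizing defanged indicators. The organization name "Acme" and the sample hostnames are constructed.

```python
import re

# Phishing-domain patterns reported for Silent Ransom Group IT-helpdesk impersonation
# (from the profile above): <organization>-itdesk[.]com, <organization>-it[.]com,
# <organization>-helpdesk[.]com. Extend the tuple for your own environment.
HELPDESK_SUFFIXES = ("itdesk", "it", "helpdesk")

def refang(indicator: str) -> str:
    """Normalize a possibly defanged indicator ('[.]', 'hxxps://', path) to a bare hostname."""
    d = indicator.strip().lower()
    d = re.sub(r"^(hxxps?|https?)://", "", d)
    d = d.replace("[.]", ".").replace("(.)", ".")
    return d.split("/")[0]

def helpdesk_lookalike(domain, org_names, suffixes=HELPDESK_SUFFIXES, tld="com"):
    """Return (org, suffix) if the registrable part is <org>-<suffix>.<tld>, else None."""
    labels = refang(domain).split(".")
    if len(labels) < 2 or labels[-1] != tld:
        return None
    base = labels[-2]  # registrable label, ignoring any subdomains
    for org in org_names:
        for suf in suffixes:
            if base == f"{org.lower()}-{suf}":
                return (org, suf)
    return None

def scan_domains(domains, org_names):
    """Flag observed hostnames (e.g. from DNS/proxy logs) that fit the lookalike pattern."""
    return [(refang(d), *m) for d in domains if (m := helpdesk_lookalike(d, org_names))]

if __name__ == "__main__":
    # Constructed sample DNS log hostnames; "Acme" is a hypothetical organization.
    SAMPLE = ["acme-itdesk[.]com", "login.acme-helpdesk[.]com",
              "hxxps://acme-it[.]com/setup", "acme.com", "acme-support.com"]
    for hit in scan_domains(SAMPLE, ["Acme"]):
        print("possible helpdesk lookalike:", hit)
```

Feed it the organization's short names and brands rather than only the legal name, since the reported pattern is built from whatever the victim is commonly called.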
Targeting
Who and where the actor targets, and (when attributed) the state behind the operation, drawn from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Commercial & Professional Services
- Financial Services
- Insurance
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
Tradecraft
39 distinct techniques observed across reporting, grouped by tactic (MITRE ATT&CK).
Associated malware families
7 malware families attributed to this actor across reporting.
2 additional families tracked in Mallory.
Observables
354 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Conducting extortion-focused intrusions against US law firms using voice phishing, impersonation of IT support, remote access via screen-sharing and RMM tools, and in-person social engineering to steal sensitive data for extortion demands.
Financially motivated threat actor noted for identity-centric intrusions and social engineering against organizations in the World Cup ecosystem.
Financially motivated extortion campaign targeting U.S. law firms, financial organizations, and professional services firms through social engineering, fake IT helpdesk calls, remote access tool installation, rapid data theft, and threats to publish stolen data on a leak site.
Conducting an active vishing and extortion campaign against US law firms and financial services organizations using phone-based social engineering, screen sharing, legitimate remote management tools, rapid data theft, and follow-on extortion.