FBI Warns of Ongoing SRG Campaigns Exploiting Remote Access Tools
Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753, continues to rely on social engineering in campaigns targeting U.S.-based law firms. The FBI reports, “starting Spring 2023, the group has consistently targeted US-based law firms, likely due to the highly sensitive nature of legal industry data.” SRG’s activity dates back to 2022 and has previously affected medical and insurance companies, though law firms are now the primary focus. The group’s techniques include callback phishing emails and phone-based impersonation schemes designed to gain remote access to employee systems. One common approach uses fake subscription notifications that prompt victims to call a fraudulent support line, a call that ends with remote access software being deployed on the victim’s machine. More recently, as of March 2025, SRG has been observed posing as internal IT staff: “SRG will then direct the employee to join a remote access session, either through an email sent to them, or navigating to a web page. Once the employee grants access to their device, they are told that work needs to be done overnight.”
Once access is established, SRG actors escalate privileges and move on to data exfiltration. Outbound transfer relies on WinSCP and Rclone, which move sensitive files to attacker-controlled infrastructure. If the compromised system lacks administrative privileges, the group runs portable versions of these tools, which need no installation and therefore leave fewer traces. The FBI notes that SRG “leave few artifacts on compromised machines,” which complicates detection and forensic response and heightens the need to monitor for unauthorized downloads of, or remote connections by, these tools. Victims are then extorted through ransom emails and phone calls, with threats to release the stolen data unless payment is made. Although SRG maintains a public site for leaking compromised data, its use of that platform is inconsistent.
The observed behavior reinforces the central role of monitoring remote access and file transfer activity in defending against this actor. These detections are worth prioritizing, since abuse of remote monitoring and management (RMM) tools has been a recurring attack pattern. The FBI encourages organizations to look for indicators such as unapproved installations of remote management tools and outbound connections involving WinSCP or Rclone. Additionally, because the group relies on social engineering rather than malware-based delivery, user education and clear, verifiable communication procedures between IT teams and employees become all the more important.
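As an added example (not from the FBI advisory or this article), the following Python detector applies the two indicators named above to constructed endpoint telemetry: a WinSCP or Rclone binary launched from outside a managed install path (a likely portable copy) and an outbound connection by either binary to an address outside the organization’s internal ranges. The log schema, the managed install prefixes and the internal address ranges are assumptions to be adapted to a real environment.

```python
import ipaddress
import json
import ntpath

# File-transfer tools the FBI advisory names as SRG exfiltration tooling.
TRANSFER_TOOLS = {"winscp.exe", "rclone.exe"}
# Assumed locations where a sanctioned, centrally managed copy would live;
# a launch from anywhere else (Downloads, Temp, removable media) suggests a
# portable copy dropped during the remote access session.
MANAGED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")
# Assumed internal address space; connections elsewhere are treated as outbound.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_external(ip: str) -> bool:
    """True when the destination is outside the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)

def detect_exfil_tool_activity(log_lines):
    """Return (user, finding) pairs for events matching SRG's exfil pattern."""
    findings = []
    for line in log_lines:
        ev = json.loads(line)
        image = ev.get("image", "")
        name = ntpath.basename(image).lower()
        if name not in TRANSFER_TOOLS:
            continue  # only WinSCP/Rclone are of interest here
        portable = not image.lower().startswith(MANAGED_PREFIXES)
        if ev["event"] == "process_create" and portable:
            findings.append((ev["user"], f"portable {name} launched from {image}"))
        elif ev["event"] == "network_connect" and is_external(ev.get("dst_ip", "")):
            findings.append((ev["user"], f"{name} outbound to {ev['dst_ip']}:{ev['dst_port']}"))
    return findings

# Constructed sample telemetry (simplified Sysmon-style JSON), not real logs.
# 203.0.113.10 is an RFC 5737 documentation address standing in for an attacker host.
SAMPLE_LOGS = [
    '{"event":"process_create","user":"jdoe","image":"C:\\\\Users\\\\jdoe\\\\Downloads\\\\rclone.exe"}',
    '{"event":"network_connect","user":"jdoe","image":"C:\\\\Users\\\\jdoe\\\\Downloads\\\\rclone.exe","dst_ip":"203.0.113.10","dst_port":443}',
    '{"event":"process_create","user":"admin","image":"C:\\\\Program Files (x86)\\\\WinSCP\\\\WinSCP.exe"}',
    '{"event":"network_connect","user":"admin","image":"C:\\\\Program Files (x86)\\\\WinSCP\\\\WinSCP.exe","dst_ip":"10.0.0.5","dst_port":22}',
    '{"event":"process_create","user":"jdoe","image":"C:\\\\Windows\\\\System32\\\\notepad.exe"}',
]

if __name__ == "__main__":
    for user, finding in detect_exfil_tool_activity(SAMPLE_LOGS):
        print(f"[{user}] {finding}")
```

The managed WinSCP session to an internal host is deliberately left unflagged; the value of the rule lies in the portable-path and external-destination conditions, not in the tool names alone.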