Silent Ransom Group, a financially motivated extortion gang, is systematically targeting U.S. law firms and professional services organizations through social engineering campaigns that compromise networks within hours of initial contact, Mandiant researchers report.

The threat actors execute a straightforward but effective attack chain. They call targets impersonating IT support staff, claiming urgent system updates or security issues require immediate action. Once victims grant remote access or credentials, attackers rapidly deploy credential-stealing tools and reconnaissance malware to map network architecture and locate sensitive data. Law firms prove particularly attractive targets because they hold privileged client communications, litigation materials, and financial records with high extortion value.

Mandiant identified a critical timing pattern in Silent Ransom Group operations. The progression from initial compromise to data exfiltration occurs within 24 to 72 hours, leaving a minimal window for detection and response. The group typically establishes persistence through legitimate remote access tools like TeamViewer or AnyDesk, which makes its activity blend in with normal business operations. Once data theft completes, operators demand payment to prevent public disclosure.

The targeting strategy reflects operational intelligence. Silent Ransom Group prioritizes firms handling sensitive matters, government contracts, or high-net-worth clients. Successful breaches yield both direct extortion leverage and secondary monetization through data sales to competing law firms or other threat actors.

Organizations should implement strict remote access protocols, including multi-factor authentication requirements before granting any external support access. Verify support requests independently through established IT contacts rather than using phone numbers provided by callers. Deploy endpoint detection tools to identify anomalous credential usage patterns and unexpected administrative access.
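One way to act on the endpoint-detection recommendation above, given that the group persists through TeamViewer or AnyDesk: a sweep of process-creation events that flags those tools on hosts where IT has not approved them. This is an added example, not Mandiant's tooling; the event fields, host names, approval inventory and sample events are constructed assumptions.

```python
import json
from pathlib import PureWindowsPath

# Remote access tools named in the article; extend with your own inventory.
RMM_BINARIES = {"teamviewer.exe", "anydesk.exe"}
# Assumption: hypothetical inventory of hosts where IT approved a given tool.
APPROVED = {"HELPDESK-01": {"teamviewer.exe"}}
# User-writable locations a portable copy downloaded during a call would run from.
USER_PATH_MARKERS = ("\\users\\", "\\appdata\\", "\\downloads\\", "\\temp\\")

# Constructed sample events (one JSON object per line, one line deliberately malformed).
SAMPLE_EVENTS = r"""
{"ts": "2025-01-01T10:02:00Z", "host": "helpdesk-01", "user": "it.admin", "image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe"}
{"ts": "2025-01-01T10:15:00Z", "host": "legal-ws-14", "user": "jdoe", "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe"}
{"ts": "2025-01-01T10:20:00Z", "host": "fin-ws-03", "user": "asmith", "image": "C:\\Program Files\\TeamViewer\\TeamViewer.exe"}
{"ts": "2025-01-01T10:21:00Z", "host": "legal-ws-14", "user": "jdoe", "image": "C:\\Program Files\\Office\\WINWORD.EXE"}
{"ts": "2025-01-01T10:22:00Z", "host": "legal-ws-14", "image":
"""

def find_unapproved_rmm(lines):
    """Return one finding per remote access tool launch on a non-approved host."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry instead of aborting the sweep
        image = event.get("image", "")
        tool = PureWindowsPath(image).name.lower()
        if tool not in RMM_BINARIES:
            continue
        host = event.get("host", "").upper()
        if tool in APPROVED.get(host, set()):
            continue  # sanctioned use, e.g. the real help desk
        # A copy running from a user-writable path was not deployed by IT: rank it higher.
        portable = any(marker in image.lower() for marker in USER_PATH_MARKERS)
        findings.append({"ts": event.get("ts"), "host": host, "user": event.get("user"),
                         "tool": tool, "severity": "high" if portable else "medium"})
    return findings

if __name__ == "__main__":
    for finding in find_unapproved_rmm(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

Given the 24 to 72 hour window the article describes, findings like these are worth routing to an on-call analyst rather than a daily report.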

Law firms specifically should assume they remain priority targets. Network segmentation isolates sensitive data from general business systems. Incident response plans should address rapid threat actor engagement and law enforcement notification timelines. Employee training on social engineering tactics reduces click-through rates on phishing and credential-harvesting schemes that precede