FBI Issues Alert on Luna Moth Ransomware Attacks Targeting Legal Firms
The FBI has issued a warning regarding an extortion group known as the Silent Ransom Group, which has been actively targeting law firms across the United States for the past two years through sophisticated callback phishing and social engineering tactics.
Tracked under the overlapping names Luna Moth, Chatty Spider, and UNC3753, this threat actor has been operational since 2022. It was previously involved in BazarCall campaigns that provided initial access to corporate networks, facilitating ransomware attacks by notorious groups such as Ryuk and Conti.
In March 2022, following the dissolution of the Conti ransomware operation, this actor distanced itself from the prior syndicate and established its own entity, the Silent Ransom Group (SRG).
In recent operations, SRG has been known to impersonate the IT support teams of their targets through emails, fraudulent websites, and phone calls, using social engineering techniques to penetrate target networks. Unlike many ransomware groups, SRG does not encrypt the systems of its victims. Instead, it demands ransoms to prevent the leakage of sensitive information acquired from compromised devices.
The FBI’s advisory highlights a typical SRG attack process, wherein they instruct the victim’s employees to join a remote access session. This is often facilitated through an email invitation or by navigating to a fraudulent webpage. As soon as access is granted, the attackers typically escalate privileges minimally before swiftly initiating data extraction using tools such as ‘WinSCP’ or a modified version of ‘Rclone’.
Post-exfiltration, the attackers leverage ransom emails to threaten victims with the sale or public disclosure of the stolen data. SRG representatives may also contact employees of affected organizations to exert further pressure regarding ransom negotiations. Although they maintain a dedicated website for leaking stolen data, the FBI notes that SRG does not consistently act on their threats of information disclosure.
Data on the scope of SRG’s activities indicates that the group has targeted various organizations over the past year, notably in the legal and financial sectors. Recent assessments show that it often registers domains mimicking the IT helpdesk portals of prominent law firms and financial services companies, using subtle variations in the domain names to trick employees.
Victims receive malicious emails containing false helpdesk contact information and urging them to call about non-existent issues. On these calls, Luna Moth operatives impersonating IT personnel persuade employees to install remote monitoring and management (RMM) tools from bogus support sites.
Once these RMM tools are operational, the threat actors gain direct access to the network, enabling them to search for sensitive documents stored on compromised devices and shared drives, which can then be exfiltrated using Rclone or WinSCP. Reports indicate that ransom demands from the Silent Ransom Group can vary significantly, ranging from one million to eight million USD, depending on the size of the targeted organization.
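The two observable markers in the chain described above, lookalike helpdesk domains and the Rclone/WinSCP transfer tools, can both be hunted for in endpoint and proxy telemetry. The following Python script is an added illustration written for this article; it is not code from the FBI advisory or from any vendor. The legitimate domain list, host names and log lines are constructed placeholders, and the log format (`host=... event=... domain=...` / `image=...`) is an assumed key-value layout rather than any particular product's output.

```python
"""Hunt for two Silent Ransom Group tradecraft markers in constructed log lines:
lookalike IT-helpdesk domains and execution of the bulk file-transfer tools the
advisory names (Rclone, WinSCP). All domains, hosts and log lines are samples."""
import re

# Assumed: the organisation's own helpdesk/IT portal domains (placeholder values).
LEGIT_DOMAINS = ["examplelaw.com", "helpdesk.examplelaw.com", "it.examplelaw.com"]

# File-transfer utilities the advisory attributes to the group's exfiltration phase.
EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}

# Common digit-for-letter substitutions folded back before comparison.
HOMOGLYPHS = str.maketrans("10", "lo")

# Assumed log layout: host=<name> ... event=<type> ... and a trailing domain= or image= field.
PROCESS_RE = re.compile(r"host=(?P<host>\S+) .*\bevent=process_start\b.*\bimage=(?P<image>.+)$")
WEB_RE = re.compile(r"host=(?P<host>\S+) .*\bevent=web_request\b.*\bdomain=(?P<domain>\S+)")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, legit=LEGIT_DOMAINS, max_distance: int = 2) -> bool:
    """True when a domain is a near-miss of, or borrows the brand label from, a legit domain."""
    d = domain.lower().rstrip(".")
    if d in legit or any(d.endswith("." + x) for x in legit):
        return False  # the organisation's own domain or a subdomain of it
    norm = d.translate(HOMOGLYPHS)
    if any(levenshtein(norm, x) <= max_distance for x in legit):
        return True  # typosquat: a couple of edits away from a real helpdesk name
    brands = {x.split(".")[-2] for x in legit}  # e.g. "examplelaw"
    return any(b in norm for b in brands)  # brand label reused under another domain


def triage(lines):
    """Return (host, alert_type, detail) tuples for suspicious web requests and process starts."""
    alerts = []
    for line in lines:
        m = PROCESS_RE.search(line)
        if m:
            exe = m.group("image").replace("\\", "/").rsplit("/", 1)[-1].lower()
            if exe in EXFIL_TOOLS:
                alerts.append((m.group("host"), "exfil-tool", exe))
            continue
        m = WEB_RE.search(line)
        if m and is_lookalike(m.group("domain")):
            alerts.append((m.group("host"), "lookalike-domain", m.group("domain")))
    return alerts


# Constructed sample telemetry: one workstation visits the real helpdesk, then two
# lookalikes, then launches rclone; a second workstation runs WinSCP and Notepad.
SAMPLE_LOG = [
    "2025-05-01T09:14:02Z host=WS-0417 user=jdoe event=web_request domain=helpdesk.examplelaw.com",
    "2025-05-01T09:15:40Z host=WS-0417 user=jdoe event=web_request domain=helpdesk-examplelaw.com",
    "2025-05-01T09:16:05Z host=WS-0417 user=jdoe event=web_request domain=examp1elaw-support.net",
    "2025-05-01T09:40:11Z host=WS-0417 user=jdoe event=process_start image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\rclone.exe",
    "2025-05-01T09:41:00Z host=WS-0220 user=asmith event=process_start image=C:\\Program Files\\WinSCP\\WinSCP.exe",
    "2025-05-01T09:42:30Z host=WS-0220 user=asmith event=process_start image=C:\\Windows\\System32\\notepad.exe",
]

if __name__ == "__main__":
    for host, kind, detail in triage(SAMPLE_LOG):
        print(f"{host}: {kind} -> {detail}")
```

Matching on the executable name is deliberately the weakest part of this check: the advisory notes SRG uses a modified Rclone, and a renamed binary will not trip `EXFIL_TOOLS`. In production the process check should key on file hashes or the PE original-filename metadata, and the lookalike check should be fed from newly registered domains and certificate-transparency logs rather than only from proxy hits after the fact.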
In light of these threats, the FBI recommends several proactive measures for organizations, including the implementation of robust password policies, enforcing two-factor authentication for all personnel, regular data backups, and conducting training sessions for staff to improve their ability to recognize phishing attempts.