Developed by Reno  •  Analytical profiles compiled from open-source intelligence
Threat Actor Profile — Last updated May 2026
Luna Moth / SRG
Data Extortion (No Encryption)  •  Callback Phishing  •  Conti Diaspora  •  Law Firm Targeting
Status: Active Threat • Fully Operational • No Encryption • Closed Crew
First Observed: Mar 2022 (active 4+ years)
DLS Victims Claimed: 41+ (LeakedData DLS, as of May 2026)
Legal Services 2025: 24 (law firms claimed in 2025)
Demand Range: $1M–$8M (per victim, USD)
LE Disruptions: None (no arrests, no sanctions)
Decryptor Available: N/A (no encryption deployed)
Lineage: Conti (BazarCall operator cluster)
01

Executive Summary and Group Overview

Silent Ransom Group (SRG), also tracked as Luna Moth, is a post-Conti data extortion operation that first emerged in March 2022 following the fragmentation of the Conti ransomware syndicate. The group is a closed or semi-closed criminal crew, not a conventional ransomware-as-a-service (RaaS) platform with an open affiliate program. It deliberately avoids deploying encryption ransomware, relying entirely on social engineering, data theft, and extortion to generate revenue.

The group's defining characteristic is its socio-technical initial access model: callback phishing emails, direct vishing calls impersonating IT support, and, since April 2025, physical in-person impersonation of IT technicians. Once access is established using legitimate remote management tools, the group exfiltrates data and demands ransoms ranging from $1 million to $8 million, threatening to post stolen data on its clearnet leak site. No encryption or file-locking payload is involved.

Since spring 2023, SRG has concentrated almost exclusively on U.S. law firms, assessed as a deliberate targeting shift to exploit the high extortion leverage of privileged legal data. As of April 2026, confirmed victims include Jones Day and Orrick, Herrington and Sutcliffe, two of the largest U.S. law firms by revenue. The group rebranded its data leak site infrastructure in December 2024 under the "LeakedData" label. No law enforcement arrest, indictment, or infrastructure takedown has been publicly confirmed as of May 2026.

Analyst Assessment: SRG represents a structurally distinct threat from encryption-based ransomware. Its absence of malware deployment, reliance on living-off-the-land techniques, and use of legitimate remote access tools make it resistant to traditional signature-based detection. The escalation to physical office intrusions (April 2025) signals a group willing to increase operational risk in pursuit of higher-yield compromises.
Attribute | Detail
Primary designation | Silent Ransom Group (SRG)
Alternate names | Luna Moth, LeakedData, Chatty Spider, UNC3753, Storm-0252, TG2729
CrowdStrike tracking | Chatty Spider (group-specific; not Wizard Spider, which describes the Conti parent entity)
Microsoft tracking | Storm-0252 (group-specific)
Mandiant/Google tracking | UNC3753 (unclassified cluster designation)
Sygnia tracking | Luna Moth / TG2729
Halcyon tracking | Silent (threat group profile)
FBI/IC3 designation | Silent Ransom Group (SRG), a.k.a. Luna Moth, Chatty Spider, UNC3753
Operational model | Data extortion only; no encryption ransomware; closed or semi-closed crew
Extortion mechanic | Data theft and threatened publication; single extortion, not the encrypt-and-leak double extortion model
DLS infrastructure | Clearnet site "business-data-leaks[.]com" (LeakedData branding, active since Dec 2024); prior TOR-accessible site also used
Assessed jurisdiction | Russia / CIS (CREDIBLE)
LE disruption status | None confirmed as of May 2026
Primary sector targeted | U.S. law firms (legal services, approx. 40% of documented victims)
Data Leak Site & Branding
02

Lineage and Organizational Heritage

Emergence Context

SRG emerged in March 2022, the same period in which the Conti ransomware syndicate publicly fragmented following internal chat leaks and blowback from Conti leadership's public endorsement of Russia's invasion of Ukraine. SOCRadar's analysis confirms the oldest documented SRG compromise dates to June 7, 2022, approximately three months after Conti's implosion. This timing is consistent with the broader pattern of Conti diaspora groups spinning out into successor operations in the same period (Black Basta, Karakurt, Royal/BlackSuit, Akira, SRG).

Vendor Designation Note
Vendor Designation Disambiguation: Wizard Spider (CrowdStrike) and Gold Ulrick (Secureworks) are tracking designations for the parent Conti organization, not for SRG/Luna Moth. SRG is tracked separately: Chatty Spider (CrowdStrike), Storm-0252 (Microsoft), UNC3753 (Mandiant), TG2729 (Sygnia), and Silent (Halcyon). These are group-specific designations and must not be conflated with the parent entity designations.
Conti Lineage: Evidentiary Assessment

Multiple independent vendors assess SRG as having emerged from the Conti ecosystem's BazarCall operator cluster. The confidence level varies by evidence type and vendor. No single piece of evidence is universally confirmed; the strongest indicators are TTP continuity and timing.

Pillar 1 — Credible
TTP Continuity: BazarCall Heritage
SRG's callback phishing methodology is functionally identical to BazarCall campaigns previously run by Conti-affiliated operators. BazarCall was a Conti-era initial access technique in which victims were directed to call fake support lines, leading to malware installation. SRG adapted this pattern for data extortion without a malware payload. Multiple independent vendors (ADVIntel, Unit 42, Sygnia, Halcyon) note the overlap. Confidence: CREDIBLE (behavioral, not technical code-level evidence).
Pillar 2 — Credible
Emergence Timing
SRG/Luna Moth's operational debut in March 2022 coincides precisely with Conti's public collapse. ADVIntel, which had insider visibility into Conti, explicitly attributed early SRG campaigns to a "Silent Ransom" cluster with ties to Conti operators. Halcyon describes SRG as "former Conti ransomware syndicate operators" who pivoted to data extortion. Confidence: CREDIBLE (circumstantial-temporal plus source-based attribution).
Pillar 3 — Analyst Inference
Personnel Continuity
No public reporting has named specific former Conti operators as SRG principals. Attribution to former Conti personnel is inferred from behavioral continuity, timing, and ADVIntel's source-based claims. Unit 42 explicitly notes it is "monitoring attribution closely" without fully endorsing the Conti lineage. Confidence: ANALYST INFERENCE (extrapolated from confirmed facts; not directly evidenced with named individuals or handles).
Pillar 4 — Analyst Inference
Blockchain/Code Overlap
Unlike Akira (which has documented on-chain Bitcoin transfers linking back to Conti wallets), SRG/Luna Moth has not produced publicly available blockchain forensics evidence of wallet-level continuity with Conti. Because SRG does not deploy a ransomware binary, there is also no code overlap. Confidence: ANALYST INFERENCE (plausible given ecosystem context; not directly evidenced in open-source blockchain analysis).
Connected Group Cluster Assessment

SRG is most directly connected to the Conti parent entity through the BazarCall operator cluster. The anchor relationship (SRG <—> Conti/BazarCall) is assessed as Credible based on multi-vendor TTP corroboration, timing, and ADVIntel source-based attribution.

Extension claims (SRG sharing infrastructure or personnel with other active ransomware groups beyond the Conti heritage) are Analyst Inference only. No public reporting documents operational infrastructure overlap between SRG and other currently active ransomware groups. Functional categorizations grouping SRG with other "extortion-only" outfits are descriptive, not evidentiary.

Note: Mandiant has not published a formal named-group assessment for SRG as of May 2026 (UNC3753 remains an unclassified cluster). Recorded Future has not published a formal APT designation. CrowdStrike's Chatty Spider designation is the most formally published group-specific tracking name available in open sources.

03

Operational Model

Crew Structure
Credible

SRG operates as a closed or semi-closed criminal crew rather than an open RaaS platform. Public reporting has not documented a formal affiliate recruitment program, revenue-sharing tiers, or public affiliate forum postings of the kind associated with LockBit, ALPHV, or Akira. The group appears to run end-to-end operations with a small, trusted operator circle. This structure reduces internal instability risk compared to large RaaS platforms but also limits scalability. No formal revenue split (e.g., 70/30) has been documented.

Initial Access: Three-Stage Evolution

SRG's initial access methodology has evolved significantly from 2022 to 2025, with each iteration increasing operational sophistication and physical risk to the operators.

1
Callback Phishing Emails (2022–2024)
The foundational technique: mass or targeted emails impersonating subscription services (Zoho MasterClass, Duolingo, McAfee, Norton) claiming a recurring charge. Victims are instructed to call a phone number to cancel. On the call, SRG operators socially engineer the victim into installing legitimate remote monitoring and management (RMM) software via a malicious link, granting remote access. This technique mirrors the BazarCall playbook attributed to Conti-era operators. [1, 3, 5]
2
IT Helpdesk Vishing with Fake Domains (2023–2025)
SRG shifted to proactively calling targets while impersonating internal IT support or external IT vendors. Operators registered spoofed helpdesk domains (pattern: [targetcompany]-helpdesk.com or [targetcompany]-help.com) through GoDaddy, using domaincontrol[.]com nameservers. EclecticIQ documented this infrastructure evolution starting in March 2025, identifying at least 37 such domains. Silent Push identified over 50 unique domains targeting major law firms. Named examples confirmed in reporting include duanemorris-helpdesk[.]com, perkinscoie-helpdesk[.]com, and millermartin-helpdesk[.]com. [5, 14]
3
In-Person Physical Intrusion (April 2025, CONFIRMED)
The FBI's May 2025 PIN and May 2026 FLASH document a confirmed tactic evolution: SRG operators first call a law firm's staff posing as IT support, then send an individual physically to the office claiming to be an IT technician. Per FBI FLASH-20260526-01, the in-person actor specifically tells the victim they need to "image the device or create a backup file to address potential impacts from the phishing email" — a social engineering pretext designed to justify inserting a physical storage device into a network-connected computer for direct data exfiltration. The FBI confirmed this tactic "has been highly effective and resulted in multiple compromises." This is the highest-risk and most novel element of SRG's tradecraft as of May 2026. [1, 16]
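The helpdesk-domain pattern in stage 2 is mechanical enough to hunt for in a newly-registered-domain or certificate-transparency feed. The script below is an added example written for this profile, not code from the page's sources or from any vendor named here. It flags domains matching the documented [brand]-helpdesk.com / [brand]-help.com shape, raises severity when the brand token is one of your own and again when the domain is delegated to domaincontrol[.]com nameservers. The feed records, the organization name "Example Law" and the apex domain examplelaw.com are constructed for the example; the nameserver data is assumed to arrive with the feed, since the script does no live DNS.

```python
import re

# Documented SRG pattern: [targetcompany]-helpdesk.com / [targetcompany]-help.com.
# Other TLDs or words ("support", "it") are not in the reporting and are left out.
HELPDESK_PATTERN = re.compile(r"^(?P<brand>[a-z0-9]+)-(?:helpdesk|help)\.com$")
GODADDY_NS_SUFFIX = ".domaincontrol.com"  # nameservers reported for the spoofed domains


def brand_tokens(org_names):
    """Collapse organization names to the alphanumeric token used in the spoofed
    domains, e.g. "Duane Morris" -> "duanemorris"."""
    return {re.sub(r"[^a-z0-9]", "", name.lower()) for name in org_names}


def assess_domain(record, watched_brands, legitimate_apex):
    """Score one feed record ({"domain": ..., "nameservers": [...]}).
    Returns None when the domain is benign, else a finding dict."""
    domain = record["domain"].lower().rstrip(".")
    nameservers = [ns.lower().rstrip(".") for ns in record.get("nameservers", [])]
    # Our own apex domains and anything under them are excluded up front.
    if domain in legitimate_apex or any(domain.endswith("." + apex) for apex in legitimate_apex):
        return None
    match = HELPDESK_PATTERN.match(domain)
    if not match:
        return None
    brand = match.group("brand")
    reasons = ["matches [brand]-helpdesk.com / [brand]-help.com pattern"]
    severity = "low"  # someone else's brand: worth sharing, not our incident
    if brand in watched_brands:
        severity = "high"
        reasons.append(f"brand token '{brand}' is on our watch list")
    if any(ns.endswith(GODADDY_NS_SUFFIX) for ns in nameservers):
        reasons.append("delegated to domaincontrol.com nameservers (GoDaddy default)")
        if severity == "high":
            severity = "critical"
    return {"domain": domain, "brand": brand, "severity": severity, "reasons": reasons}


SEVERITY_ORDER = {"critical": 0, "high": 1, "low": 2}


def scan_feed(feed, org_names, legitimate_apex):
    """Run assess_domain over a feed and return findings, most severe first."""
    watched = brand_tokens(org_names)
    findings = [f for f in (assess_domain(r, watched, legitimate_apex) for r in feed) if f]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])


# Constructed sample feed (hypothetical domains, not observed indicators), shaped
# like a newly-registered-domain export with NS records attached.
SAMPLE_FEED = [
    {"domain": "examplelaw-helpdesk.com", "nameservers": ["ns37.domaincontrol.com", "ns38.domaincontrol.com"]},
    {"domain": "examplelaw-help.com", "nameservers": ["ns1.registrar-example.net"]},
    {"domain": "helpdesk.examplelaw.com", "nameservers": ["ns1.examplelaw.com"]},  # the firm's own subdomain
    {"domain": "examplelaw.com", "nameservers": ["ns1.examplelaw.com"]},
    {"domain": "otherfirm-helpdesk.com", "nameservers": ["ns45.domaincontrol.com"]},
    {"domain": "examplelaw-portal.com", "nameservers": ["ns45.domaincontrol.com"]},  # not the documented pattern
]
ORG_NAMES = ["Example Law", "Example Law LLP"]
LEGITIMATE_APEX = {"examplelaw.com"}

if __name__ == "__main__":
    for finding in scan_feed(SAMPLE_FEED, ORG_NAMES, LEGITIMATE_APEX):
        print(finding["severity"].upper(), finding["domain"], "|", "; ".join(finding["reasons"]))
```

The regex is deliberately narrow to the shape the reporting documents; a "low" finding for another firm's brand is still worth passing to that firm or to the FBI, since the same campaign registers domains for many targets at once.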
Extortion Model and Negotiation Behavior

SRG's extortion is data-only: they do not encrypt files and therefore cannot offer a decryption key. Their leverage rests entirely on the sensitivity of stolen data and the threat of publication. This creates a distinctive negotiation dynamic.

Parameter | Assessment | Confidence
Initial demand range | $1 million to $8 million USD per victim | CREDIBLE (multiple vendor sources)
Payment currency | Cryptocurrency (Bitcoin reported; per-victim wallet assignment likely) | CREDIBLE (FBI solicits wallet info from victims)
DLS publication behavior | Inconsistent; SRG does not always follow through on publication threats (FBI PIN assessment); at least 38 confirmed non-payer publications on clearnet DLS as of April 2026 | CONFIRMED (FBI, DataBreaches)
Victim communication channels | Ransom emails with data samples; follow-up phone calls to staff; occasional in-session messaging via RMM tools | CONFIRMED (multiple IR cases)
Negotiation reduction behavior | Demands can be reduced but typically remain in the hundreds of thousands of dollars; specific reduction percentages are not consistently published | CREDIBLE (anecdotal; limited public negotiation transcripts)
Published negotiation transcript | SRG shared chat logs with DataBreaches following failed Orrick, Herrington and Sutcliffe negotiations (January–February 2026) | CONFIRMED (DataBreaches reporting, April 2026)

The Orrick negotiations are the most detailed publicly documented SRG negotiation. Access was gained approximately January 20, 2026; the firm appeared in negotiation chat on February 6, 2026. Negotiations failed and data was subsequently published on the LeakedData DLS. [12]

04

Technical Capabilities

Key Distinction: SRG does not deploy a ransomware binary, does not encrypt files, and has no known CVE exploitation history. Its technical capability is built on social engineering proficiency, not novel exploit development. The group's primary evasion advantage is its deliberate use of legitimate tools to blend into normal IT operations.
Initial Access Vectors
Confirmed

Initial access is via social engineering only: callback phishing emails, direct vishing calls, and in-person physical intrusion. There is no documented exploitation of specific CVEs for initial access. SRG does not rely on unpatched internet-facing services as an entry point, so patch management, while still necessary for other reasons, does little to block this group's initial access; controls on RMM installation, helpdesk verification, and egress monitoring matter more.

Tooling and TTPs
Tool/Technique | Role | Notes
AnyDesk | Remote access / persistence | Legitimate commercial RMM; installed by victim under social engineering
Zoho Assist | Remote access / persistence | Legitimate commercial RMM; used in callback phishing campaigns
Quick Assist | Remote access / persistence | Microsoft built-in remote support tool; added to FBI FLASH-20260526-01 indicator list [16]
RustDesk | Remote access / persistence | Open-source RMM; added to FBI FLASH-20260526-01 indicator list [16]
Splashtop | Remote access / persistence | Listed in FBI indicators (PIN May 2025, FLASH May 2026)
Syncro | Remote access / persistence | Listed in FBI indicators (PIN May 2025, FLASH May 2026)
Atera | Remote access / persistence | Listed in FBI indicators (PIN May 2025, FLASH May 2026)
WinSCP | Data exfiltration | SFTP-based file transfer; outbound port 22; WinSCP portable used on systems without admin privileges
Rclone | Data exfiltration | Used in hidden or renamed form to evade detection [1, 16]
Microsoft OneDrive | Data exfiltration | FLASH-20260526-01 confirms SRG exfiltrates to internal filesharing platforms including OneDrive [16]
Google Drive | Data exfiltration | FLASH-20260526-01 confirms SRG exfiltrates to internal filesharing platforms including Google Drive [16]
Valid credentials | Lateral movement | Obtained during RMM sessions (admin credential capture); network share browsing via SMB/RDP
Helpdesk domain spoofing | Phishing infrastructure | Pattern: [target]-helpdesk.com / [target]-help.com; registered via GoDaddy with domaincontrol[.]com nameservers
Physical storage device | Direct data exfiltration | USB or external hard drive inserted by in-person actor; FLASH confirms actor uses "imaging the device / creating a backup file" pretext [16]
MITRE ATT&CK Mapping (FBI FLASH-20260526-01)
Confirmed

The technique list below is drawn from FBI FLASH-20260526-01 (May 26, 2026). [16] The tactic column follows the ATT&CK framework's own placement of each technique (for example, T1219 sits under Command and Control and T1598 under Reconnaissance), not a per-report grouping.

ATT&CK Tactic | Technique | SRG Relevance
Initial Access | T1566 – Phishing | Callback phishing emails using invoice, billing, subscription, or IT-themed lures
Reconnaissance | T1598.004 – Phishing for Information: Spearphishing Voice | Threat actors direct victims to initiate phone contact or impersonate internal IT support
Command and Control | T1219 – Remote Access Software | Legitimate remote administration tools used to establish interactive access
Initial Access / Persistence | T1078 – Valid Accounts | Threat actors leverage victim credentials to access email or cloud services
Collection | T1560 – Archive Collected Data | Data may be staged or compressed prior to exfiltration
Collection | T1530 – Data from Cloud Storage | Theft of data from Microsoft 365, OneDrive, Google Drive, or similar platforms
Exfiltration | T1567 – Exfiltration Over Web Service | Upload of stolen data to cloud storage or web-accessible platforms
Exfiltration | T1052.001 – Exfiltration Over Physical Medium: Exfiltration over USB | In-person intrusion scenarios involving USB or external hard drive data theft
Impact | T1657 – Financial Theft | Threatened publication or sale of stolen victim data
Encryption and Malware Footprint
Confirmed

SRG deploys no encryption ransomware binary. Reports from Sygnia, Unit 42, the FBI, and others are explicit that the group "does away with the malware portion" of a typical ransomware attack. There are no known custom malware families, no file encryption routines, no C2 infrastructure dependent on custom implants, and no Linux or VMware/ESXi variants. Because no encryption is involved, there is no CIS-region kill switch behavior to analyze, no decryption tool available or needed, and no relevant No More Ransom project entry for SRG. [1, 2, 3, 5]

Detection Indicators (FBI PIN May 2025 / FLASH May 2026)
  • Unauthorized downloads of: Zoho Assist, Quick Assist, AnyDesk, RustDesk, Syncro, Splashtop, or Atera on systems not previously running these tools [1, 16]
  • Unidentified or unauthorized individuals attempting physical access to computers while claiming IT support role [1, 16]
  • WinSCP or Rclone outbound connections to external IP addresses (port 22 for SFTP) [1, 16]
  • Exfiltration of data to Microsoft OneDrive, Google Drive, or external servers [16]
  • Alerts that data was exfiltrated from the company environment [16]
  • Emails, phone calls, or voicemails from an unnamed group claiming data was stolen [1, 16]
  • Emails or phone calls to the victim's clients claiming their data was stolen (third-party pressure tactic) [16]
  • Employees receiving unsolicited phone calls from individuals falsely claiming to be internal IT staff [1, 16]
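Three of the indicators above (unauthorized RMM installs, renamed Rclone, and WinSCP/Rclone connections out on port 22) are visible in ordinary endpoint telemetry. The triage script below is an added example for this profile, not code from the FBI publications or any vendor cited here. It reads Sysmon-style process-creation and network-connection events as JSON lines and applies three rules: an RMM executable on a host where that product is not sanctioned, a process whose PE OriginalFileName is rclone.exe or winscp.exe but whose on-disk name differs (the "hidden or renamed Rclone" case), and a WinSCP/Rclone connection to port 22 on a non-internal address outside an SFTP allowlist. The events, host names, the approved-host inventory and the allowlist are constructed; the executable-name tokens are a starting assumption to tune against your own software inventory.

```python
import ipaddress
import json
from pathlib import PureWindowsPath

# Executable-name tokens for the RMM tools on the FBI indicator list. Substring
# matching on image name / PE OriginalFileName is an assumption to tune locally.
RMM_TOKENS = {
    "anydesk": "AnyDesk", "quickassist": "Quick Assist", "rustdesk": "RustDesk",
    "splashtop": "Splashtop", "syncro": "Syncro", "atera": "Atera", "zoho": "Zoho Assist",
}
EXFIL_TOOLS = {"rclone.exe", "winscp.exe"}
# Hypothetical inventory: hosts where a given RMM product is sanctioned.
APPROVED_RMM_HOSTS = {"AnyDesk": {"HELPDESK-01"}}
# Hypothetical internal SFTP servers that legitimately receive port-22 traffic.
SFTP_ALLOWLIST = {"10.20.0.5"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def _basename(path):
    return PureWindowsPath(path).name.lower() if path else ""


def _is_external(ip):
    """Anything outside RFC 1918 / loopback / link-local counts as Internet-bound."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def _rmm_product(image, original_file_name):
    for token, product in RMM_TOKENS.items():
        if token in image or token in original_file_name:
            return product
    return None


def triage_event(event):
    """Return [(rule, detail), ...] for one Sysmon-style event dict."""
    findings = []
    host = event.get("host", "?")
    image = _basename(event.get("image"))
    ofn = (event.get("original_file_name") or "").lower()
    kind = event.get("event_type")
    if kind == "process_create":
        product = _rmm_product(image, ofn)
        if product and host not in APPROVED_RMM_HOSTS.get(product, set()):
            findings.append(("unapproved_rmm", f"{product} launched on {host} ({event.get('image')})"))
        # PE version info survives a rename: OriginalFileName still says rclone, the file name does not.
        if ofn in EXFIL_TOOLS and image != ofn:
            findings.append(("renamed_exfil_tool", f"{ofn} running as {image} on {host}"))
    elif kind == "network_connect":
        tool = ofn if ofn in EXFIL_TOOLS else (image if image in EXFIL_TOOLS else None)
        dest_ip = event.get("dest_ip", "")
        if tool and event.get("dest_port") == 22 and dest_ip not in SFTP_ALLOWLIST and _is_external(dest_ip):
            findings.append(("sftp_egress", f"{tool} on {host} -> {dest_ip}:22"))
    return findings


def load_events(jsonl):
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def triage(events):
    return [(e.get("host"), rule, detail) for e in events for rule, detail in triage_event(e)]


# Constructed sample telemetry (JSON lines); hosts, users and paths are hypothetical, and the
# destination addresses are RFC 5737 documentation ranges standing in for Internet hosts.
SAMPLE_EVENTS = r"""
{"event_type":"process_create","host":"WS-LAW-042","user":"jdoe","image":"C:\\Users\\jdoe\\Downloads\\AnyDesk.exe","original_file_name":"AnyDesk.exe"}
{"event_type":"process_create","host":"HELPDESK-01","user":"svc_rmm","image":"C:\\Program Files\\AnyDesk\\AnyDesk.exe","original_file_name":"AnyDesk.exe"}
{"event_type":"process_create","host":"WS-LAW-042","user":"jdoe","image":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchost_update.exe","original_file_name":"rclone.exe"}
{"event_type":"network_connect","host":"WS-LAW-042","image":"C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchost_update.exe","original_file_name":"rclone.exe","dest_ip":"203.0.113.17","dest_port":22}
{"event_type":"network_connect","host":"WS-FIN-007","image":"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe","original_file_name":"WinSCP.exe","dest_ip":"10.20.0.5","dest_port":22}
{"event_type":"network_connect","host":"WS-FIN-007","image":"C:\\Program Files (x86)\\WinSCP\\WinSCP.exe","original_file_name":"WinSCP.exe","dest_ip":"198.51.100.9","dest_port":22}
{"event_type":"process_create","host":"WS-LAW-042","user":"jdoe","image":"C:\\Windows\\System32\\notepad.exe","original_file_name":"NOTEPAD.EXE"}
"""

if __name__ == "__main__":
    for host, rule, detail in triage(load_events(SAMPLE_EVENTS)):
        print(f"[{rule}] {detail}")
```

The renamed-binary rule depends on OriginalFileName, which Sysmon event ID 1 records from the PE version resource; an attacker can strip that resource, so pair it with a hash or signer check in production. The port-22 rule intentionally ignores internal SFTP servers rather than all port-22 traffic, because the FBI indicator is specifically about WinSCP/Rclone reaching external addresses.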
05

Financial Infrastructure

Payment Model
Credible

SRG demands ransoms denominated in cryptocurrency. Bitcoin is referenced in multiple reports as the primary payment vehicle. The FBI's May 2025 PIN explicitly solicits "cryptocurrency wallet information" from SRG victims, confirming cryptocurrency-based payment. Individual per-victim wallet assignment is standard for extortion groups to complicate blockchain attribution; this is assessed as the likely SRG practice though not explicitly confirmed in open sources.

Demand range is $1 million to $8 million USD per victim, targeting organizations assessed capable of paying at scale. Confirmed victim costs are described as "hundreds of thousands of dollars" in some cases, indicating negotiated settlements below initial demands.

On-Chain Analysis: Open Source Gaps
Analyst Inference

As of May 2026, TRM Labs, Chainalysis, and Elliptic have not published formal, open-source blockchain analyses specifically attributing wallet clusters to SRG/Luna Moth. This contrasts with more established ransomware groups (Akira, LockBit, ALPHV) where dedicated blockchain forensics reports are available. The absence of published analysis does not indicate the absence of on-chain attribution work by these firms; it may reflect ongoing law enforcement investigations, non-disclosure by victim organizations, or the relatively fragmented nature of SRG's payment model.

OFAC has not issued sanctions designations against SRG, its operators, or its financial infrastructure as of May 2026. No SDN list entries are documented.

Assessed Laundering Pattern
Analyst Inference

Given SRG's assessed Conti lineage and Russia-based operator environment, laundering patterns similar to other Russia-linked extortion groups are plausible: layered nested wallets, mixer/tumbler use, and cash-out via high-risk exchanges with limited KYC enforcement. However, this assessment is extrapolated from ecosystem-level knowledge and not supported by direct wallet-level evidence in public reporting. It should be treated as a working hypothesis, not a confirmed fact.

06

Victim Profile and Targeting

Sector Breakdown
Confirmed
Legal Services: ~40% (primary target since Spring 2023)
Financial Services: ~24% (insurance, accounting, banking)
Accounting: ~14% (CPA firms, tax practices)
Other Sectors: ~22% (healthcare, retail, corporate services)

The legal sector concentration reflects a deliberate targeting logic: law firms hold privileged client communications, M&A data, litigation strategy, and regulatory filings. The combination of reputational risk, client confidentiality obligations, and the legal sector's historically underdeveloped cybersecurity posture creates high extortion leverage. The FBI's May 2025 advisory explicitly confirms this as the group's primary current focus.

Geographic Focus
Confirmed

Approximately 80%+ of documented victims are U.S.-based, with a specific concentration in U.S. law firms. A small number of victims have been identified in Germany, Canada, and Poland (per SOCRadar DLS analysis). SRG has not publicized explicit geographic exclusions (i.e., no CIS country carve-out has been stated), though their de facto targeting bias is toward U.S. and Western organizations.

Target Size

SRG targets mid-market to large enterprises, with a preference for larger law firms and financial institutions managing high volumes of sensitive client data. Demand ranges of $1 million to $8 million indicate targeting of organizations assessed to have the financial capacity to pay. The inclusion of Jones Day (ranked top-5 U.S. law firms by revenue) and Orrick, Herrington and Sutcliffe (AmLaw 100) confirms pursuit of marquee-name targets. [11, 12]

Notable Confirmed Victims
Victim | Sector | Country | Approx. Date | Outcome
Jones Day | Legal (AmLaw top 5 by revenue) | USA | March–April 2026 | Breach confirmed by firm; limited number of client files accessed; data published on DLS [11]
Orrick, Herrington & Sutcliffe | Legal (AmLaw 100) | USA | January–February 2026 | Access Jan 20, 2026; negotiations failed; chat logs shared with DataBreaches; data published [12]
38 unnamed law firms | Legal | USA (majority) | 2022–2025 | Non-payers; data published on clearnet LeakedData DLS [13]
24 legal services organizations | Legal | USA (majority) | 2025 | Claimed on the DLS during 2025

High-profile victim names are frequently withheld due to confidentiality obligations and ongoing legal proceedings. The confirmed naming of Jones Day and Orrick in 2026 is consistent with SRG's increased willingness to publicly disclose major victims when negotiations fail.

CIS Targeting Behavior
Analyst Inference

Because SRG does not deploy a malware binary, there is no executable-level CIS kill switch to analyze. Their victimology is overwhelmingly U.S.-centric, but this alone is insufficient to confirm deliberate CIS avoidance. No public statement by SRG explicitly exempts CIS countries from targeting. The absence of documented CIS victims is consistent with either deliberate avoidance (standard for Russia-based cybercriminal groups) or a narrowly focused targeting strategy.

07

Law Enforcement and Regulatory Response

FBI FLASH-20260526-01 (May 2026)
Confirmed

The FBI issued FLASH-20260526-01 (TLP:CLEAR) on May 26, 2026, titled "Silent Ransom Group Impersonating IT Personnel through Social Engineering." This is the most current law enforcement publication on SRG. Key additions over the May 2025 PIN:

  • Confirms the specific in-person pretext: actors tell victims they need to "image the device or create a backup file to address potential impacts from the phishing email"
  • Adds Quick Assist and RustDesk to the confirmed RMM tool list
  • Confirms Microsoft OneDrive and Google Drive as exfiltration destinations alongside WinSCP and Rclone
  • Documents third-party pressure tactic: SRG contacts the victim's own clients to claim their data was stolen, increasing leverage
  • Provides MITRE ATT&CK mapping across 9 techniques (T1566, T1598.004, T1219, T1078, T1560, T1530, T1567, T1052.001, T1657)
  • Solicits reports of suspicious RMM installations, unauthorized physical access attempts, and cloud exfiltration events

The FLASH followed the April 2026 public reporting of the Jones Day and Orrick breaches by a matter of weeks, suggesting continued active FBI investigation of the group. [16]

FBI Private Industry Notification (May 2025)
Confirmed

The FBI's Internet Crime Complaint Center (IC3) issued PIN 20250523-001 on May 23, 2025 (TLP:CLEAR), titled "Silent Ransom Group Targeting Law Firms." This was the primary law enforcement public document on SRG prior to the May 2026 FLASH. Key content:

  • Formally identifies SRG, also known as Luna Moth, Chatty Spider, and UNC3753
  • Confirms the April 2025 escalation to in-person physical office intrusion as a new confirmed tactic
  • Lists specific RMM tools used for initial access: Zoho Assist, Syncro, AnyDesk, Splashtop, Atera
  • Confirms WinSCP and Rclone as primary exfiltration tools; notes use of hidden/renamed Rclone
  • Notes SRG is "inconsistent" in following through on DLS publication threats
  • Solicits cryptocurrency wallet information, ransom notes, and phone numbers from victim organizations
  • Was coordinated with DHS/CISA prior to release

FBI field office social media posts (including FBI Albuquerque) echoed the PIN's warnings in the weeks following release, indicating a deliberate outreach campaign to the legal sector. [1, 8]

Prior Law Enforcement Communications

An earlier FBI/IC3 advisory from November 2023 also addressed SRG callback phishing campaigns, indicating law enforcement awareness predates the 2025 PIN by approximately 18 months. Industry advisories from managed security providers closely mirrored these warnings throughout 2024–2025. [5, 6]

Enforcement Actions: Current Status
Confirmed (negative finding)
Action Type | Status
Arrests of SRG principals or operators | None publicly confirmed as of May 2026
Criminal indictments | None publicly confirmed as of May 2026
OFAC sanctions (operators or wallets) | None confirmed as of May 2026
Infrastructure seizures / DLS takedown | None confirmed as of May 2026
Named individuals attributed publicly by LE | None confirmed as of May 2026

The law enforcement posture toward SRG as of May 2026 is characterized by awareness, public warning campaigns, and victim solicitation for intelligence collection. No disruption operations have been publicly announced. Halcyon's analysis notes SRG's "continuing activity and no reported takedowns." The absence of disruption is consistent with either ongoing covert investigations or insufficient attribution confidence to support prosecution. [5]

08

Attribution and State Nexus

Jurisdictional Assessment
Credible

Multiple vendors assess SRG as operating from Russia or the broader CIS cybercriminal ecosystem. Halcyon explicitly notes "former Conti ransomware syndicate operators likely operating from Russia-based locations." General intelligence reports describing SRG as presumed Russia-based or Russia-aligned are consistent with the broader pattern of Conti-derived groups operating with a Russian safe harbor.

Indicators supporting Russia/CIS jurisdiction assessment include inferred language environment (Russian-speaking ecosystem), operational time zone patterns consistent with Russian business hours (anecdotal, not formally published for SRG specifically), historical Conti origins in Russia, and absence of CIS victim targeting.

Indicators limiting confidence: Sygnia's technical analysis focuses on tradecraft and does not make an explicit Russia attribution. Unit 42 maintains cautious attribution language. The FBI advisory treats SRG as a financially motivated criminal group without geographic attribution.

Russian Intelligence Services (RIS) Nexus
Analyst Inference

No public government advisory attributes SRG to Russian intelligence services (FSB, SVR, GRU) or describes a state-direction role. The FBI's PIN does not allege state sponsorship. Halcyon's and other vendors' assessments treat SRG as a financially motivated criminal group. The Russia safe-harbor thesis (tolerance without direction) is analytically plausible given established patterns in Russia's relationship with cybercriminal groups, but is not confirmed by open-source evidence for SRG specifically.

Assessed analytic line: SRG is a financially motivated Russia-based or Russia-tolerated criminal group operating under a permissive jurisdictional environment. No confirmed, direct nexus to Russian intelligence services. This assessment should be revisited if indictments or classified assessments provide additional evidence.

Named Individuals
Confirmed (negative finding)

As of May 2026, no public law enforcement indictment, government advisory, or credible vendor report has publicly named a specific individual as an SRG operator, principal, or affiliate. This contrasts with groups such as LockBit (Dmitry Khoroshev indicted, May 2024) and Conti/Ryuk (multiple named defendants). The absence of named individuals may reflect early-stage investigation, limited human intelligence access, or operational security by SRG operators.

09

Trajectory Assessment

Stability and Operational Continuity
Confirmed

SRG has maintained uninterrupted operations since March 2022, with no documented major internal schisms, affiliate disputes, or operational hiatuses. The group's closed crew structure reduces the internal instability risks associated with large affiliate programs. The absence of a data leak comparable to Conti's February 2022 chat dump, and the absence of operator arrests through 2026, indicates a degree of operational security discipline exceeding many contemporaneous ransomware groups.

Tactical Evolution Indicators
Period | Development | Significance
March 2022 | Group emerges with BazarCall-style callback phishing | Foundation of operational model; Conti heritage assessed (Credible) via TTP overlap
Spring 2023 | Sector targeting narrows to U.S. law firms | Deliberate refinement: legal data carries higher extortion value per incident
2023–2024 | Transition to IT helpdesk vishing with fake domains | Increased tailoring; higher resource investment per target; harder to block with email filtering alone
December 2024 | LeakedData rebranding of DLS infrastructure | Possible evasion of prior DLS-level tracking; clearnet hosting maximizes victim pressure
March 2025 | EclecticIQ documents 37+ fake helpdesk domain campaign | Infrastructure-level documentation of systematic targeting of named law firms
April 2025 | In-person physical office intrusion confirmed by FBI | Escalation to physical operations is a significant threshold crossing; substantially raises stakes for victims and operators
April 2026 | Jones Day and Orrick breaches confirmed and published | Successful targeting of top-tier AmLaw firms signals continued capability escalation
Rebranding and Connected Group Signals
Confirmed

The December 2024 LeakedData rebranding is assessed as infrastructure evolution rather than a genuine group rebrand. The underlying operational model, targeting focus, and social engineering TTPs are continuous with prior SRG activity. SOCRadar's analysis confirmed the LeakedData DLS is the operational front of SRG based on victim overlap, breach disclosure records, and the oldest confirmed incident dating to June 2022.

No evidence of SRG merging with or absorbing another ransomware group is available. No spin-off operations from SRG have been documented in open-source reporting as of May 2026.

Key Analytic Gaps
Intelligence Gaps: (1) Financial infrastructure: Wallet-level attribution and laundering path documentation are absent from open-source reporting, limiting assessment of financial leverage points. (2) Personnel attribution: No named operators have been publicly confirmed; Conti lineage rests on behavioral inference rather than human intelligence confirmation. (3) State nexus: Evidence supports "Russia-based/tolerated" but cannot distinguish between pure criminality and informal FSB/SVR tolerance with potential intelligence-sharing. (4) Scale of unreported victimization: Many law firm victims do not publicly disclose incidents; true victim count likely substantially exceeds the DLS-documented number.
Trajectory Indicators
  • Expanding: Victim profile is escalating in prestige (AmLaw top firms targeted in 2026)
  • Innovating: Physical intrusion capability demonstrated April 2025; no other ransomware-adjacent group has deployed this tactic at confirmed scale
  • Undisrupted: No law enforcement action has degraded operations as of May 2026; FBI warning campaign suggests active investigation but no imminent operational impact
  • Focused: Sector concentration (legal) is strategic, not opportunistic; unlikely to revert to broad cross-sector targeting given the demonstrated revenue model
  • Risk: Physical operations increase operator exposure significantly; if LE identifies an in-person actor, attribution to the broader network becomes more likely