Executive Summary and Group Overview
Silent Ransom Group (SRG), also tracked as Luna Moth, is a post-Conti data extortion operation that first emerged in March 2022 following the fragmentation of the Conti ransomware syndicate. The group is a closed or semi-closed criminal crew, not a conventional ransomware-as-a-service (RaaS) platform with an open affiliate program. It deliberately avoids deploying encryption ransomware, relying entirely on social engineering, data theft, and extortion to generate revenue.
The group's defining characteristic is its socio-technical initial access model: callback phishing emails, direct vishing calls impersonating IT support, and, since April 2025, physical in-person impersonation of IT technicians. Once access is established using legitimate remote management tools, the group exfiltrates data and demands ransoms ranging from $1 million to $8 million, threatening to post stolen data on its clearnet leak site. No encryption or file-locking payload is involved.
Since spring 2023, SRG has concentrated almost exclusively on U.S. law firms, assessed as a deliberate targeting shift to exploit the high extortion leverage of privileged legal data. As of April 2026, confirmed victims include Jones Day and Orrick, Herrington and Sutcliffe, two of the largest U.S. law firms by revenue. The group rebranded its data leak site infrastructure in December 2024 under the "LeakedData" label. No law enforcement arrest, indictment, or infrastructure takedown has been publicly confirmed as of May 2026.
| Attribute | Detail |
|---|---|
| Primary designation | Silent Ransom Group (SRG) |
| Alternate names | Luna Moth, LeakedData, Chatty Spider, UNC3753, Storm-0252, TG2729 |
| CrowdStrike tracking | Chatty Spider (group-specific; not Wizard Spider, which describes the Conti parent entity) |
| Microsoft tracking | Storm-0252 (group-specific) |
| Mandiant/Google tracking | UNC3753 (unclassified cluster designation) |
| Sygnia tracking | Luna Moth / TG2729 |
| Halcyon tracking | Silent (threat group profile) |
| FBI/IC3 designation | Silent Ransom Group (SRG), a.k.a. Luna Moth, Chatty Spider, UNC3753 |
| Operational model | Data extortion only; no encryption ransomware; closed or semi-closed crew |
| Extortion mechanic | Data theft and threatened publication; no double extortion in the classic sense |
| DLS infrastructure | Clearnet site "business-data-leaks[.]com" (LeakedData branding, active since Dec 2024); prior TOR-accessible site also used |
| Assessed jurisdiction | Russia / CIS (CREDIBLE) |
| LE disruption status | None confirmed as of May 2026 |
| Primary sector targeted | U.S. law firms (legal services, approx. 40% of documented victims) |
Lineage and Organizational Heritage
SRG emerged in March 2022, the same period in which the Conti ransomware syndicate publicly fragmented following internal chat leaks and blowback from Conti leadership's public endorsement of Russia's invasion of Ukraine. SOCRadar's analysis confirms the oldest documented SRG compromise dates to June 7, 2022, approximately three months after Conti's implosion. This timing is consistent with the broader pattern of Conti diaspora groups spinning out into successor operations in the same period (Black Basta, Karakurt, Royal/BlackSuit, Akira, SRG).
Multiple independent vendors assess SRG as having emerged from the Conti ecosystem's BazarCall operator cluster. The confidence level varies by evidence type and vendor. No single piece of evidence is universally confirmed; the strongest indicators are TTP continuity and timing.
SRG is most directly connected to the Conti parent entity through the BazarCall operator cluster. The anchor relationship (SRG <—> Conti/BazarCall) is assessed as Credible based on multi-vendor TTP corroboration, timing, and ADVIntel source-based attribution.
Extension claims (SRG sharing infrastructure or personnel with other active ransomware groups beyond the Conti heritage) are Analyst Inference only. No public reporting documents operational infrastructure overlap between SRG and other currently active ransomware groups. Functional categorizations grouping SRG with other "extortion-only" outfits are descriptive, not evidentiary.
Note: Mandiant has not published a formal named-group assessment for SRG as of May 2026 (UNC3753 remains an unclassified cluster). Recorded Future has not published a formal APT designation. CrowdStrike's Chatty Spider designation is the most formally published group-specific tracking name available in open sources.
Operational Model
SRG operates as a closed or semi-closed criminal crew rather than an open RaaS platform. Public reporting has not documented a formal affiliate recruitment program, revenue-sharing tiers, or public affiliate forum postings of the kind associated with LockBit, ALPHV, or Akira. The group appears to run end-to-end operations with a small, trusted operator circle. This structure reduces internal instability risk compared to large RaaS platforms but also limits scalability. No formal revenue split (e.g., 70/30) has been documented.
SRG's initial access methodology has evolved significantly from 2022 to 2025, with each iteration increasing operational sophistication and physical risk to the operators.
SRG's extortion is data-only: they do not encrypt files and therefore cannot offer a decryption key. Their leverage rests entirely on the sensitivity of stolen data and the threat of publication. This creates a distinctive negotiation dynamic.
| Parameter | Assessment | Confidence |
|---|---|---|
| Initial demand range | $1 million to $8 million USD per victim | CREDIBLE (multiple vendor sources) |
| Payment currency | Cryptocurrency (Bitcoin reported; per-victim wallet assignment likely) | CREDIBLE (FBI solicits wallet info from victims) |
| DLS publication behavior | Inconsistent; SRG does not always follow through on publication threats (FBI PIN assessment); at least 38 confirmed non-payer publications on clearnet DLS as of April 2026 | CONFIRMED (FBI, DataBreaches) |
| Victim communication channels | Ransom emails with data samples; follow-up phone calls to staff; occasional in-session messaging via RMM tools | CONFIRMED (multiple IR cases) |
| Negotiation reduction behavior | Demands can be reduced but typically remain in the hundreds of thousands of dollars; specific reduction percentages are not consistently published | CREDIBLE (anecdotal; limited public negotiation transcripts) |
| Published negotiation transcript | SRG shared chat logs with DataBreaches following failed Orrick, Herrington and Sutcliffe negotiations (January–February 2026) | CONFIRMED (DataBreaches reporting, April 2026) |
The Orrick negotiations are the most detailed publicly documented SRG negotiation. Access was gained approximately January 20, 2026; the firm appeared in negotiation chat on February 6, 2026. Negotiations failed and data was subsequently published on the LeakedData DLS. [12]
Technical Capabilities
Initial access is via social engineering only: callback phishing emails, direct vishing calls, and in-person physical intrusion. There is no documented exploitation of specific CVEs for initial access. SRG does not rely on unpatched internet-facing services as an entry point. This makes traditional patch-management defenses largely irrelevant against this group.
| Tool/Technique | Role | Notes |
|---|---|---|
| AnyDesk | Remote access / persistence | Legitimate commercial RMM; installed by victim under social engineering |
| Zoho Assist | Remote access / persistence | Legitimate commercial RMM; used in callback phishing campaigns |
| Quick Assist | Remote access / persistence | Microsoft built-in remote support tool; added to FBI FLASH-20260526-01 indicator list [16] |
| RustDesk | Remote access / persistence | Open-source RMM; added to FBI FLASH-20260526-01 indicator list [16] |
| Splashtop | Remote access / persistence | Listed in FBI indicators (PIN May 2025, FLASH May 2026) |
| Syncro | Remote access / persistence | Listed in FBI indicators (PIN May 2025, FLASH May 2026) |
| Atera | Remote access / persistence | Listed in FBI indicators (PIN May 2025, FLASH May 2026) |
| WinSCP | Data exfiltration | SFTP-based file transfer; outbound port 22; WinSCP portable used on systems without admin privileges |
| Rclone | Data exfiltration | Used in hidden or renamed form to evade detection [1, 16] |
| Microsoft OneDrive | Data exfiltration | FLASH-20260526-01 confirms SRG exfiltrates to internal filesharing platforms including OneDrive [16] |
| Google Drive | Data exfiltration | FLASH-20260526-01 confirms SRG exfiltrates to internal filesharing platforms including Google Drive [16] |
| Valid credentials | Lateral movement | Obtained during RMM sessions (admin credential capture); network share browsing via SMB/RDP |
| Helpdesk domain spoofing | Phishing infrastructure | Pattern: [target]-helpdesk.com / [target]-help.com; registered via GoDaddy with domaincontrol[.]com nameservers |
| Physical storage device | Direct data exfiltration | USB or external hard drive inserted by in-person actor; FLASH confirms actor uses "imaging the device / creating a backup file" pretext [16] |
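The helpdesk-domain row above gives a concrete, checkable registration pattern. The following Python is an added example (not from the report or any vendor cited in it) that screens a list of observed domains, such as a newly-registered-domain feed or DNS log, for that pattern scoped to your own brand tokens, using GoDaddy's domaincontrol.com nameservers as a corroborating signal. It generalizes slightly beyond the report by accepting hyphenated brand spellings and TLDs other than .com; the domains, nameservers and brand tokens in the sample are constructed.

```python
import re
from dataclasses import dataclass

# Lookalike suffixes reported for SRG helpdesk domains: [target]-helpdesk.com / [target]-help.com.
# The regex captures the brand part ahead of the suffix; the prefix form (helpdesk-[target]) is
# not part of the reported pattern and is deliberately not matched.
LOOKALIKE_RE = re.compile(r"^(?P<brand>[a-z0-9]+(?:-[a-z0-9]+)*?)-(?P<kind>helpdesk|help)$")
# Nameserver suffix the report associates with the GoDaddy-registered lookalikes.
SUSPECT_NS_SUFFIX = ".domaincontrol.com"


@dataclass
class DomainRecord:
    domain: str
    nameservers: tuple = ()  # from WHOIS / NRD feed; empty when unknown


@dataclass
class Finding:
    domain: str
    brand: str
    reasons: list


def _second_level_label(domain):
    """Return the label left of the TLD, e.g. 'acmelaw-help' for 'acmelaw-help.com'."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def find_lookalikes(records, brand_tokens):
    """Flag domains shaped like <brand>-helpdesk / <brand>-help where <brand> is one of ours.

    brand_tokens: lowercase, hyphen-free spellings of the organisation's name(s).
    """
    brand_tokens = {t.lower().replace("-", "") for t in brand_tokens}
    findings = []
    for rec in records:
        m = LOOKALIKE_RE.match(_second_level_label(rec.domain))
        if not m:
            continue
        brand = m.group("brand").replace("-", "")
        if brand not in brand_tokens:
            continue  # pattern hit on someone else's brand; out of scope for org-level monitoring
        reasons = [f"'-{m.group('kind')}' suffix appended to brand token '{brand}'"]
        if any(ns.lower().rstrip(".").endswith(SUSPECT_NS_SUFFIX) for ns in rec.nameservers):
            reasons.append("nameservers on domaincontrol.com, matching the reported registration pattern")
        findings.append(Finding(rec.domain, brand, reasons))
    return findings


# Constructed sample input: a hypothetical firm "Acme Law" and a handful of observed registrations.
BRAND_TOKENS = {"acmelaw", "acme"}
SAMPLE_RECORDS = [
    DomainRecord("acmelaw-helpdesk.com", ("ns51.domaincontrol.com", "ns52.domaincontrol.com")),
    DomainRecord("acmelaw-help.com"),
    DomainRecord("acmelaw.com", ("ns1.acmelaw.com",)),          # the firm's own domain: not flagged
    DomainRecord("otherfirm-helpdesk.com", ("ns51.domaincontrol.com",)),  # another brand: not flagged
    DomainRecord("acme-law-helpdesk.net"),                       # hyphenated brand, non-.com TLD
]


def run_sample():
    return find_lookalikes(SAMPLE_RECORDS, BRAND_TOKENS)


if __name__ == "__main__":
    for f in run_sample():
        print(f.domain, "->", "; ".join(f.reasons))
```

Feed it the registrant nameservers where you have them; a hit on the name pattern alone is worth a look, and the domaincontrol.com corroboration moves it up the queue.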
The following MITRE ATT&CK technique mapping is drawn directly from FBI FLASH-20260526-01 (May 26, 2026). [16]
| ATT&CK Tactic | Technique | SRG Relevance |
|---|---|---|
| Initial Access | T1566 – Phishing | Callback phishing emails using invoice, billing, subscription, or IT-themed lures |
| Resource Development / Social Engineering | T1598.004 – Voice Phishing | Threat actors direct victims to initiate phone contact or impersonate internal IT support |
| Execution | T1219 – Remote Access Software | Legitimate remote administration tools used to establish interactive access |
| Credential Access | T1078 – Valid Accounts | Threat actors leverage victim credentials to access email or cloud services |
| Collection | T1560 – Archive Collected Data | Data may be staged or compressed prior to exfiltration |
| Collection | T1530 – Data from Cloud Storage | Theft of data from Microsoft 365, OneDrive, Google Drive, or similar platforms |
| Exfiltration | T1567 – Exfiltration Over Web Service | Upload of stolen data to cloud storage or web-accessible platforms |
| Exfiltration | T1052.001 – Exfiltration to Removable Media | In-person intrusion scenarios involving USB or external hard drive data theft |
| Impact | T1657 – Financial Theft / Extortion | Threatened publication or sale of stolen victim data |
SRG deploys no encryption ransomware binary. Reports from Sygnia, Unit 42, the FBI, and others are explicit that the group "does away with the malware portion" of a typical ransomware attack. There are no known custom malware families, no file encryption routines, no C2 infrastructure dependent on custom implants, and no Linux or VMware/ESXi variants. Because no encryption is involved, there is no CIS-region kill switch behavior to analyze, no decryption tool available or needed, and no relevant No More Ransom project entry for SRG. [1, 2, 3, 5]
The FBI's May 2025 PIN and May 2026 FLASH list the following indicators of SRG activity: [1, 16]
- Unauthorized downloads of: Zoho Assist, Quick Assist, AnyDesk, RustDesk, Syncro, Splashtop, or Atera on systems not previously running these tools [1, 16]
- Unidentified or unauthorized individuals attempting physical access to computers while claiming IT support role [1, 16]
- WinSCP or Rclone outbound connections to external IP addresses (port 22 for SFTP) [1, 16]
- Exfiltration of data to Microsoft OneDrive, Google Drive, or external servers [16]
- Alerts that data was exfiltrated from the company environment [16]
- Emails, phone calls, or voicemails from an unnamed group claiming data was stolen [1, 16]
- Emails or phone calls to the victim's clients claiming their data was stolen (third-party pressure tactic) [16]
- Employees receiving unsolicited phone calls from individuals falsely claiming to be internal IT staff [1, 16]
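The indicator list above (unsanctioned RMM installs, renamed Rclone, WinSCP over port 22 to external hosts) maps cleanly onto endpoint telemetry. The Python below is an added example, not code from the report or the FBI advisories: it runs three rules over constructed process-creation and network events. It assumes the sensor records the PE OriginalFileName for new processes (as Sysmon does), that the executable-name substrings for each RMM tool are tuned to your environment (they are guesses here), and that the organisation's internal address ranges are known; the hosts, paths and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

# RMM tools named in the FBI PIN (May 2025) and FLASH-20260526-01. The image-name substrings
# are this example's assumptions, not taken from the advisories; map them to your own telemetry.
RMM_SIGNATURES = {
    "anydesk": "AnyDesk",
    "zohoassist": "Zoho Assist",
    "za_access": "Zoho Assist",
    "quickassist": "Quick Assist",
    "rustdesk": "RustDesk",
    "splashtop": "Splashtop",
    "syncro": "Syncro",
    "atera": "Atera",
}
# Exfiltration tools named in the advisories; matched on OriginalFileName to catch renamed copies.
EXFIL_TOOLS = {"winscp.exe", "rclone.exe"}


@dataclass
class Event:
    kind: str                 # "process" (creation) or "network" (outbound connection)
    host: str
    image: str                # full path of the process image
    original_name: str = ""   # PE OriginalFileName, if the sensor records it
    dest_ip: str = ""
    dest_port: int = 0


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events, sanctioned_rmm, internal_nets):
    """Apply the three indicator rules.

    sanctioned_rmm: {host: {tool names}} where each RMM tool is approved to run.
    internal_nets:  iterable of ip_network objects; anything outside them is treated as external.
    """
    alerts = []
    for ev in events:
        name = _basename(ev.image)
        if ev.kind == "process":
            tool = next((t for sig, t in RMM_SIGNATURES.items() if sig in name), None)
            if tool and tool not in sanctioned_rmm.get(ev.host, set()):
                alerts.append(Alert("unsanctioned-rmm", ev.host, f"{tool} launched from {ev.image}"))
            orig = ev.original_name.lower()
            if orig in EXFIL_TOOLS and orig != name:
                alerts.append(Alert("renamed-exfil-tool", ev.host, f"{orig} running as {ev.image}"))
        elif ev.kind == "network" and name in EXFIL_TOOLS and ev.dest_port == 22:
            ip = ipaddress.ip_address(ev.dest_ip)
            if not any(ip in net for net in internal_nets):
                alerts.append(Alert("sftp-exfil", ev.host, f"{name} -> {ev.dest_ip}:22"))
    return alerts


# Constructed sample telemetry: one paralegal workstation and one IT host where AnyDesk is approved.
SANCTIONED_RMM = {"it-helpdesk-01": {"AnyDesk"}}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
SAMPLE_EVENTS = [
    Event("process", "wks-paralegal-07", r"C:\Users\jdoe\Downloads\AnyDesk.exe"),
    Event("process", "it-helpdesk-01", r"C:\Program Files\AnyDesk\AnyDesk.exe"),
    Event("process", "wks-paralegal-07", r"C:\Users\jdoe\AppData\Local\Temp\svchost_update.exe",
          original_name="rclone.exe"),
    Event("network", "wks-paralegal-07", r"C:\Users\jdoe\Downloads\WinSCP-Portable\WinSCP.exe",
          dest_ip="203.0.113.5", dest_port=22),
    Event("network", "wks-paralegal-07", r"C:\Program Files\WinSCP\WinSCP.exe",
          dest_ip="10.20.30.40", dest_port=22),  # internal SFTP: not flagged
]


def run_sample():
    return detect(SAMPLE_EVENTS, SANCTIONED_RMM, INTERNAL_NETS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

The per-host allowlist is the important design choice: because every tool on the list is legitimate software, the signal is not the tool itself but the tool appearing on a host, or under a user profile, where it was never sanctioned. The renamed-Rclone rule only works if your sensor captures OriginalFileName; without it, fall back to hashing known Rclone builds.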
Financial Infrastructure
SRG demands ransoms denominated in cryptocurrency. Bitcoin is referenced in multiple reports as the primary payment vehicle. The FBI's May 2025 PIN explicitly solicits "cryptocurrency wallet information" from SRG victims, confirming cryptocurrency-based payment. Individual per-victim wallet assignment is standard for extortion groups to complicate blockchain attribution; this is assessed as the likely SRG practice though not explicitly confirmed in open sources.
Demand range is $1 million to $8 million USD per victim, targeting organizations assessed capable of paying at scale. Confirmed victim costs are described as "hundreds of thousands of dollars" in some cases, indicating negotiated settlements below initial demands.
As of May 2026, TRM Labs, Chainalysis, and Elliptic have not published formal, open-source blockchain analyses specifically attributing wallet clusters to SRG/Luna Moth. This contrasts with more established ransomware groups (Akira, LockBit, ALPHV) where dedicated blockchain forensics reports are available. The absence of published analysis does not indicate the absence of on-chain attribution work by these firms; it may reflect ongoing law enforcement investigations, non-disclosure by victim organizations, or the relatively fragmented nature of SRG's payment model.
OFAC has not issued sanctions designations against SRG, its operators, or its financial infrastructure as of May 2026. No SDN list entries are documented.
Given SRG's assessed Conti lineage and Russia-based operator environment, laundering patterns similar to other Russia-linked extortion groups are plausible: layered nested wallets, mixer/tumbler use, and cash-out via high-risk exchanges with limited KYC enforcement. However, this assessment is extrapolated from ecosystem-level knowledge and not supported by direct wallet-level evidence in public reporting. It should be treated as a working hypothesis, not a confirmed fact.
Victim Profile and Targeting
The legal sector concentration reflects a deliberate targeting logic: law firms hold privileged client communications, M&A data, litigation strategy, and regulatory filings. The combination of reputational risk, client confidentiality obligations, and the legal sector's historically underdeveloped cybersecurity posture creates high extortion leverage. The FBI's May 2025 advisory explicitly confirms this as the group's primary current focus.
Roughly 80% or more of documented victims are U.S.-based, with a specific concentration in U.S. law firms. A small number of victims have been identified in Germany, Canada, and Poland (per SOCRadar DLS analysis). SRG has not publicized explicit geographic exclusions (i.e., no CIS country carve-out has been stated), though its de facto targeting bias is toward U.S. and Western organizations.
SRG targets mid-market to large enterprises, with a preference for larger law firms and financial institutions managing high volumes of sensitive client data. Demand ranges of $1 million to $8 million indicate targeting of organizations assessed to have the financial capacity to pay. The inclusion of Jones Day (ranked in the top five U.S. law firms by revenue) and Orrick, Herrington and Sutcliffe (AmLaw 100) confirms pursuit of marquee-name targets. [11, 12]
| Victim | Sector | Country | Approx. Date | Outcome |
|---|---|---|---|---|
| Jones Day | Legal (AmLaw top 5 by revenue) | USA | March–April 2026 | Breach confirmed by firm; limited number of client files accessed; data published on DLS [11] |
| Orrick, Herrington & Sutcliffe | Legal (AmLaw 100) | USA | January–February 2026 | Access Jan 20, 2026; negotiations failed; chat logs shared with DataBreaches; data published [12] |
| 38 unnamed law firms | Legal | USA (majority) | 2022–2025 | Non-payers; data published on clearnet LeakedData DLS [13] |
| 24 legal services orgs | Legal | USA (majority) | 2025 | Claimed on DLS during 2025 [search results] |
High-profile victim names are frequently withheld due to confidentiality obligations and ongoing legal proceedings. The confirmed naming of Jones Day and Orrick in 2026 is consistent with SRG's increased willingness to publicly disclose major victims when negotiations fail.
Because SRG does not deploy a malware binary, there is no executable-level CIS kill switch to analyze. Its victimology is overwhelmingly U.S.-centric, but this alone is insufficient to confirm deliberate CIS avoidance. No public statement by SRG explicitly exempts CIS countries from targeting. The absence of documented CIS victims is consistent with either deliberate avoidance (standard for Russia-based cybercriminal groups) or a narrowly focused targeting strategy. (Analyst Inference)
Law Enforcement and Regulatory Response
The FBI issued FLASH-20260526-01 (TLP:CLEAR) on May 26, 2026, titled "Silent Ransom Group Impersonating IT Personnel through Social Engineering." This is the most current law enforcement publication on SRG. Key additions over the May 2025 PIN:
- Confirms the specific in-person pretext: actors tell victims they need to "image the device or create a backup file to address potential impacts from the phishing email"
- Adds Quick Assist and RustDesk to the confirmed RMM tool list
- Confirms Microsoft OneDrive and Google Drive as exfiltration destinations alongside WinSCP and Rclone
- Documents third-party pressure tactic: SRG contacts the victim's own clients to claim their data was stolen, increasing leverage
- Provides MITRE ATT&CK mapping across 9 techniques (T1566, T1598.004, T1219, T1078, T1560, T1530, T1567, T1052.001, T1657)
- Solicits reports of suspicious RMM installations, unauthorized physical access attempts, and cloud exfiltration events
The FLASH was issued less than one week after the confirmed Jones Day and Orrick disclosures reached public reporting, suggesting continued active FBI investigation of the group. [16]
The FBI's Internet Crime Complaint Center (IC3) issued PIN 20250523-001 on May 23, 2025 (TLP:CLEAR), titled "Silent Ransom Group Targeting Law Firms." This was the primary law enforcement public document on SRG prior to the May 2026 FLASH. Key content:
- Formally identifies SRG, also known as Luna Moth, Chatty Spider, and UNC3753
- Confirms the April 2025 escalation to in-person physical office intrusion as a new confirmed tactic
- Lists specific RMM tools used for initial access: Zoho Assist, Syncro, AnyDesk, Splashtop, Atera
- Confirms WinSCP and Rclone as primary exfiltration tools; notes use of hidden/renamed Rclone
- Notes SRG is "inconsistent" in following through on DLS publication threats
- Solicits cryptocurrency wallet information, ransom notes, and phone numbers from victim organizations
- Was coordinated with DHS/CISA prior to release
FBI field office social media posts (including FBI Albuquerque) echoed the PIN's warnings in the weeks following release, indicating a deliberate outreach campaign to the legal sector. [1, 8]
An earlier FBI/IC3 advisory from November 2023 also addressed SRG callback phishing campaigns, indicating law enforcement awareness predates the 2025 PIN by approximately 18 months. Industry advisories from managed security providers closely mirrored these warnings throughout 2024–2025. [5, 6]
| Action Type | Status |
|---|---|
| Arrests of SRG principals or operators | None publicly confirmed as of May 2026 |
| Criminal indictments | None publicly confirmed as of May 2026 |
| OFAC sanctions (operators or wallets) | None confirmed as of May 2026 |
| Infrastructure seizures / DLS takedown | None confirmed as of May 2026 |
| Named individuals attributed publicly by LE | None confirmed as of May 2026 |
The law enforcement posture toward SRG as of May 2026 is characterized by awareness, public warning campaigns, and victim solicitation for intelligence collection. No disruption operations have been publicly announced. Halcyon's analysis notes SRG's "continuing activity and no reported takedowns." The absence of disruption is consistent with either ongoing covert investigations or insufficient attribution confidence to support prosecution. [5]
Attribution and State Nexus
Multiple vendors assess SRG as operating from Russia or the broader CIS cybercriminal ecosystem. Halcyon explicitly notes "former Conti ransomware syndicate operators likely operating from Russia-based locations." General intelligence reports describing SRG as presumed Russia-based or Russia-aligned are consistent with the broader pattern of Conti-derived groups operating with a Russian safe harbor.
Indicators supporting Russia/CIS jurisdiction assessment include inferred language environment (Russian-speaking ecosystem), operational time zone patterns consistent with Russian business hours (anecdotal, not formally published for SRG specifically), historical Conti origins in Russia, and absence of CIS victim targeting.
Indicators limiting confidence: Sygnia's technical analysis focuses on tradecraft and does not make an explicit Russia attribution. Unit 42 maintains cautious attribution language. The FBI advisory treats SRG as a financially motivated criminal group without geographic attribution.
No public government advisory attributes SRG to Russian intelligence services (FSB, SVR, GRU) or describes a state-direction role. The FBI's PIN does not allege state sponsorship. Halcyon's and other vendors' assessments treat SRG as a financially motivated criminal group. The Russia safe-harbor thesis (tolerance without direction) is analytically plausible given established patterns in Russia's relationship with cybercriminal groups, but is not confirmed by open-source evidence for SRG specifically.
Assessed analytic line: SRG is a financially motivated Russia-based or Russia-tolerated criminal group operating under a permissive jurisdictional environment. No confirmed, direct nexus to Russian intelligence services. This assessment should be revisited if indictments or classified assessments provide additional evidence.
As of May 2026, no public law enforcement indictment, government advisory, or credible vendor report has publicly named a specific individual as an SRG operator, principal, or affiliate. This contrasts with groups such as LockBit (Dmitry Khoroshev indicted, May 2024) and Conti/Ryuk (multiple named defendants). The absence of named individuals may reflect early-stage investigation, limited human intelligence access, or operational security by SRG operators.
Trajectory Assessment
SRG has maintained uninterrupted operations since March 2022, with no documented major internal schisms, affiliate disputes, or operational hiatuses. The group's closed crew structure reduces the internal instability risks associated with large affiliate programs. The absence of a data leak comparable to Conti's February 2022 chat dump, and the absence of operator arrests through 2026, indicates a degree of operational security discipline exceeding many contemporaneous ransomware groups.
| Period | Development | Significance |
|---|---|---|
| March 2022 | Group emerges with BazarCall-style callback phishing | Foundation of operational model; Conti heritage confirmed via TTP overlap |
| Spring 2023 | Sector targeting narrows to U.S. law firms | Deliberate refinement: legal data carries higher extortion value per incident |
| 2023–2024 | Transition to IT helpdesk vishing with fake domains | Increased tailoring; higher resource investment per target; harder to block with email filtering alone |
| December 2024 | LeakedData rebranding of DLS infrastructure | Possible evasion of prior DLS-level tracking; clearnet hosting maximizes victim pressure |
| March 2025 | EclecticIQ documents 37+ fake helpdesk domain campaign | Infrastructure-level documentation of systematic targeting of named law firms |
| April 2025 | In-person physical office intrusion confirmed by FBI | Escalation to physical operations is a significant threshold crossing; substantially raises stakes for victims and operators |
| April 2026 | Jones Day and Orrick breaches confirmed and published | Successful targeting of top-tier AmLaw firms signals continued capability escalation |
The December 2024 LeakedData rebranding is assessed as infrastructure evolution rather than a genuine group rebrand. The underlying operational model, targeting focus, and social engineering TTPs are continuous with prior SRG activity. SOCRadar's analysis confirmed the LeakedData DLS is the operational front of SRG based on victim overlap, breach disclosure records, and the oldest confirmed incident dating to June 2022. (Confirmed)
No evidence of SRG merging with or absorbing another ransomware group is available. No spin-off operations from SRG have been documented in open-source reporting as of May 2026.
Overall trajectory as of May 2026:
- Expanding: Victim profile is escalating in prestige (AmLaw top firms targeted in 2026)
- Innovating: Physical intrusion capability demonstrated April 2025; no other ransomware-adjacent group has deployed this tactic at confirmed scale
- Undisrupted: No law enforcement action has degraded operations as of May 2026; FBI warning campaign suggests active investigation but no imminent operational impact
- Focused: Sector concentration (legal) is strategic, not opportunistic; unlikely to revert to broad cross-sector targeting given the demonstrated revenue model
- Risk: Physical operations increase operator exposure significantly; if LE identifies an in-person actor, attribution to the broader network becomes more likely