The FBI issued an alert this week warning that the Silent Ransom Group — tracked by security researchers as Luna Moth — is actively targeting law firms. This one is worth attention from every small professional-services business on the Central Coast, not just attorneys, because the technique is unusually effective against exactly the kind of organization that thinks it is too small to be a target.
What makes this group notable is what they do not use: malware, exploits, or file encryption. Their primary weapon is a phone call. That changes the defensive playbook in ways worth understanding.
How the attack actually works
The Silent Ransom Group's playbook is built around social engineering, not software. A typical sequence looks like this:
- A lure arrives, often a low-key email — a fake subscription receipt, a "your account will be charged" notice, or a document-review request — with a phone number to call. There is no malicious attachment for your email filter to catch, just a number.
- The victim calls, or is called. A polished operator answers, posing as IT support, a vendor's help desk, or a service the firm uses. The conversation is calm and professional, not the broken-English scam caricature.
- The operator gets the victim to grant remote access, usually by walking them through installing a legitimate remote-access or remote-management tool, the same category of software real IT departments use. Because the tool itself is legitimate, antivirus does not flag it.
- The attacker quietly copies data. Once on the machine, they locate and exfiltrate sensitive files: client matters, financial records, case files, personal information. There is no ransomware note, no encryption, nothing dramatic.
- The extortion arrives later. The firm is contacted and told that confidential client data will be published or sold unless a payment is made. For a law firm, the threat of leaking privileged client information is enormous leverage.
If this sounds familiar, it should: it is the same human-targeted social-engineering pattern we wrote about in the MFA fatigue post yesterday, applied to remote access instead of login approval. The common thread across 2026's most effective attacks is that they go after a person on the phone, not a flaw in your software.
Why law firms, and why small ones
The FBI's focus on law firms is not arbitrary. Firms concentrate exactly what an extortion crew wants:
- Highly sensitive data with real leak consequences. Privileged client communications, litigation strategy, M&A details, personal and financial records. The damage from exposure is severe and the reputational stakes are high, which makes firms more likely to pay.
- Time pressure and a culture of responsiveness. Attorneys and staff bill by the hour and move fast. A plausible "your account is about to be charged" lure plays directly into the instinct to resolve it quickly.
- Lighter IT than the data warrants. A small or midsize firm often runs without dedicated security staff or 24/7 monitoring, even though it holds material as sensitive as a large firm does. That mismatch is the target profile.
And it is not only law firms. The same playbook works against any professional-services business that holds sensitive client data and would suffer real harm from a leak: accounting and tax practices, real estate and title offices, insurance agencies, medical and dental practices, wealth managers, and consultancies. If that describes your business, read "law firm" below as "your firm." Our professional-services IT work is built around exactly this risk profile.
Why your backups will not save you here
This is the part that catches people off guard. The standard ransomware safety net is good backups: if your files get encrypted, you restore from a clean copy and refuse to pay. We make that case in the backup and disaster recovery post, and it is still essential.
But Silent Ransom Group usually does not encrypt anything. The leverage is not "you cannot access your data" — it is "we will publish your clients' confidential information." A perfect backup does nothing about that. This is a confidentiality attack, not an availability attack, and it has to be defended differently: by preventing the data from leaving in the first place, and by detecting the access that precedes the theft.
The controls that actually stop this
1. Kill the entry method: no remote access from inbound calls
The entire attack hinges on someone granting remote access. Two controls close that door:
- A firm-wide rule, in writing and trained: nobody installs software or grants a remote-control session because of an inbound phone call, email, or pop-up — no matter how legitimate it sounds. If "IT" calls, you hang up and call your IT provider back on the number you already have. This is the same caller-verification discipline we build into every client's help-desk procedure.
- Application control that blocks unapproved remote-access tools. Your environment should permit exactly one remote-support tool — the one your IT provider actually uses — and block the rest (AnyDesk, TeamViewer, ScreenConnect installs, and the dozens of similar apps) from running at all. Microsoft Defender Application Control and Intune can enforce this. If the tool cannot run, the attacker cannot get in even if they talk their way past a person.
2. Detect the access and the data leaving
- EDR and 24/7 monitoring. A new remote-access session, unusual file-access patterns, or a workstation suddenly reading the entire client-files share at 2 a.m. are detectable signals — if someone is watching. This is the managed detection and response argument again: tooling plus a human who responds.
- Data-egress awareness. Large uploads to unfamiliar cloud-storage or file-transfer services should raise a flag. For Microsoft 365 firms, controls on where data can be shared and alerts on bulk downloads add a real tripwire.
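As an added illustration (not code from the original post or from the firm), here is a toy detector in Python for the two signals this section describes: an unapproved remote-access tool starting, and a workstation bulk-reading the client-files share outside business hours. The event records, the share path \\FILESRV\ClientFiles, the approved-tool name and the process-name list are constructed assumptions, not real telemetry or an exhaustive list.

```python
"""Toy detector: unapproved remote-access tool starts, and off-hours bulk reads
of the client-files share.  All events below are constructed samples."""
from collections import defaultdict
from datetime import datetime

# Assumption: the firm permits exactly one remote-support tool; this name is a placeholder.
APPROVED_REMOTE_TOOL = "approved-remote-support.exe"
# Executables of remote-access tools named in the post (plus the approved one);
# an illustrative list, not an exhaustive one.
REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe",
                "screenconnect.windowsclient.exe", APPROVED_REMOTE_TOOL}
CLIENT_SHARE = r"\\FILESRV\ClientFiles"   # hypothetical document share
BUSINESS_HOURS = range(7, 19)             # 07:00-18:59 local time
BULK_READ_THRESHOLD = 200                 # files read from the share within one hour

# Constructed events: (timestamp, host, user, kind, detail)
EVENTS = [
    ("2026-03-02T14:05:00", "WS-RECEPTION", "jdoe", "process", "AnyDesk.exe"),
    ("2026-03-02T14:06:00", "WS-RECEPTION", "jdoe", "process", APPROVED_REMOTE_TOOL),
    ("2026-03-02T09:30:00", "WS-PARALEGAL", "mlee", "process", "winword.exe"),
]
# A paralegal's normal daytime work: 30 files during business hours (no alert expected).
EVENTS += [(f"2026-03-02T10:{i:02d}:00", "WS-PARALEGAL", "mlee", "file_read",
            rf"{CLIENT_SHARE}\Matter{i:04d}\brief.docx") for i in range(30)]
# The hijacked session at 2 a.m.: 250 files from the same machine that ran AnyDesk.
EVENTS += [(f"2026-03-03T02:{i % 60:02d}:{i // 60:02d}", "WS-RECEPTION", "jdoe", "file_read",
            rf"{CLIENT_SHARE}\Matter{i:04d}\notes.docx") for i in range(250)]

def detect(events):
    """Return alerts: one per unapproved tool start, one per off-hours bulk read burst."""
    alerts, reads = [], defaultdict(int)
    for ts, host, user, kind, detail in events:
        t = datetime.fromisoformat(ts)
        if kind == "process":
            exe = detail.lower()
            if exe in REMOTE_TOOLS and exe != APPROVED_REMOTE_TOOL:
                alerts.append(f"{host}: unapproved remote-access tool {exe} started by {user}")
        elif kind == "file_read" and detail.lower().startswith(CLIENT_SHARE.lower()):
            bucket = (host, user, t.strftime("%Y-%m-%dT%H"))   # reads per host/user/hour
            reads[bucket] += 1
            # Fire once, when the hourly count first crosses the threshold outside hours.
            if reads[bucket] == BULK_READ_THRESHOLD and t.hour not in BUSINESS_HOURS:
                alerts.append(f"{host}: {user} read {BULK_READ_THRESHOLD}+ files from "
                              f"{CLIENT_SHARE} at {t.hour:02d}:00, outside business hours")
    return alerts

if __name__ == "__main__":
    for a in detect(EVENTS):
        print("ALERT", a)
```

In a real environment the same two rules would run over EDR process-creation events and file-server audit logs, with the allowlist populated from the one tool your IT provider actually uses.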
3. Harden identity and limit blast radius
- Phishing-resistant MFA on everything, so a password talked out of an employee does not become full access. See the identity hardening post.
- Least privilege on the document management system. Not every user needs access to every client matter. The less any single compromised account can reach, the less there is to steal.
4. Have a plan before you need it
- A written incident-response plan that names who to call, includes your cyber-insurance incident hotline, and identifies outside counsel for breach-notification obligations. Law firms have bar-association and client-notification duties that make the legal side as important as the technical side.
- Do not improvise the extortion conversation. If contacted, do not respond or pay before involving professionals and counsel. Payment carries no guarantee and can create its own legal exposure.
What to do right now if you think you have been contacted
If an employee may have granted remote access:
- Disconnect that device from the network immediately — pull the cable or disable Wi-Fi. Do not just close the remote-access app; the session may persist.
- Call your IT provider and preserve the machine and its logs for investigation.
- Engage your cyber-insurance carrier's hotline early. Many policies require it, and they can supply an incident-response team.
- Rotate credentials for the affected user and review what client data that account could reach.
- Loop in counsel on notification obligations before making statements.
We provide this kind of incident-response support for businesses across Salinas, Monterey, Santa Cruz, and the rest of the Central Coast, and we would rather get the call before the data leaves than after.
Where this fits with the rest of the cluster
- The MFA fatigue post: same human-on-the-phone attack pattern, different target (login approval vs. remote access). The caller-verification habit defends both.
- The ransomware post: the broader picture of how these intrusions begin, and why data-theft extortion is displacing pure encryption.
- The backup and DR post: still essential, but explicitly not the fix for a confidentiality-extortion attack.
- The monitoring / MDR post: the detection layer that catches the data leaving.
- The professional-services IT page: the program we build for firms that hold sensitive client data.
The honest summary: this is a reminder that in 2026 the most dangerous attacks against a small firm do not look like hacking. They look like a helpful phone call. The defense is part technology — block the remote-access tools, watch the data — and part culture: a firm where no one grants access because someone on the phone asked them to.
FAQs about the Silent Ransom Group warning
Who is the Silent Ransom Group?
Silent Ransom Group, also tracked by researchers as Luna Moth, is a financially motivated extortion crew known for callback phishing and phone-based social engineering rather than traditional malware. They trick employees into granting remote access, quietly exfiltrate sensitive data, and then extort the organization with the threat of leaking it. The FBI has warned that they are actively targeting law firms because of the volume of sensitive client data those firms hold.
How is this different from normal ransomware?
Traditional ransomware encrypts your files and demands payment for the key. Silent Ransom Group often does not encrypt anything. They steal the data and threaten to publish it. That means your backups, which are the usual ransomware safety net, do not save you here, because the leverage is exposure of confidential client information, not loss of access to it. It also means the attack can be much quieter, since there is no dramatic encryption event to trigger alarms.
We are a small firm. Are we really a target?
Yes. Small and midsize firms are attractive precisely because they hold the same sensitive client material as large firms but typically have lighter IT and security staffing. A five-to-thirty-attorney firm in Salinas or Monterey holds privileged client files, financial records, and case strategy that are highly damaging if leaked, and is less likely to have 24/7 monitoring or a hardened help desk. That combination is exactly what this group looks for.
What is the single most important defense?
Stopping unauthorized remote-access tools and training staff to recognize fake IT calls. The attack hinges on a person being talked into installing a remote-access application or granting a session. Application control that blocks unapproved remote-access software, combined with a firm-wide rule that nobody installs anything or grants remote access based on an inbound phone call, removes the group's primary entry method. Pair that with phishing-resistant MFA and 24/7 monitoring.
Does this affect non-law professional services like accounting or real estate?
Yes. The law-firm focus is the current FBI warning, but the same playbook works against any professional-services business that holds sensitive client data and bills by the hour: accounting and tax firms, real estate and title offices, insurance agencies, medical and dental practices, and consultancies. If your business would suffer serious harm from client data being leaked, you are in the target profile and the same defenses apply.
What should we do first if we think we have been contacted or compromised?
If someone may have granted remote access, disconnect that device from the network immediately and call your IT provider; do not simply close the remote-access app, because a session may persist. Preserve logs, do not pay or respond to any extortion contact before getting professional and legal advice, and engage your cyber-insurance carrier's incident hotline early since they often require it and can supply an IR team. Then rotate credentials and review what data the account could reach. We provide this incident-response support for clients on the Central Coast.
Want your firm checked against this attack?
30 minutes with a DoD-cleared engineer. We will review whether unauthorized remote-access tools can run in your environment, check your MFA and monitoring on the systems holding client data, and give you a written read plus a one-page caller-verification policy your whole team can follow.
Book your free assessment. Prefer to talk first? Email sales@ghosxt.com or call (831) 204-0501.