FBI Warns 'Silent Ransom Group' (Luna Moth) is Sending Operatives In-Person to Steal Data

Executive Summary

The Federal Bureau of Investigation (FBI) has issued a formal alert about the evolving tactics of a cybercrime group known as the Silent Ransom Group (SRG). This group, also tracked as Luna Moth, Chatty Spider, and UNC3753, is blending digital and physical intrusion methods in its data extortion campaigns. While their initial approach involves traditional social engineering via phone calls and phishing to gain remote access, they have demonstrated a willingness to dispatch human operatives to victims' physical locations. These operatives impersonate IT staff to gain hands-on access to workstations and exfiltrate data. This hybrid approach marks a significant escalation and poses a unique challenge for organizations that may have strong digital defenses but weaker physical security controls.

Threat Overview

Silent Ransom Group has been active since at least 2022, primarily targeting organizations for data theft and extortion. Unlike traditional ransomware groups, SRG does not typically encrypt victim data. Instead, their entire model is based on exfiltrating sensitive information and threatening to leak it unless a ransom is paid.

The attack chain is as follows:

Initial Contact: The group initiates contact via phone calls or phishing emails, impersonating the target organization's IT support staff.
Remote Access Attempt: They attempt to trick an employee into installing a remote access tool or granting them direct remote control of their computer.
Physical Escalation: If remote access fails, SRG dispatches an operative to the victim's office. This person, posing as an IT technician, will claim they need to perform a task like creating a system backup or image.
Data Exfiltration: Once they have physical access to a workstation, the operative uses a USB drive or external hard drive to copy and steal sensitive data.
Extortion: After exfiltrating the data, the group contacts the organization to demand a ransom, threatening to publish the stolen information or notify the victim's clients and employees.

The group has consistently targeted law firms since 2023, but has also attacked organizations in the healthcare, insurance, and finance sectors.

Technical Analysis

SRG's methodology is a powerful example of how threat actors adapt and cross the digital-physical divide to achieve their objectives.

MITRE ATT&CK Techniques

T1566.002 - Spearphishing Link: Phishing emails are used as an initial vector to direct victims to malicious sites or remote access software.
T1219 - Remote Access Software: The primary goal of the social engineering phase is to have the victim install legitimate remote access software, which the attackers then use.
T1598.002 - Spearphishing Voice: The use of phone calls (vishing) to impersonate IT support is a key part of their social engineering strategy.
T1078.002 - Domain Accounts: By gaining access to an employee's workstation, they effectively operate within the context of a valid domain account.
T1005 - Data from Local System: The core of the attack involves collecting sensitive data from the local workstation.
T1052.001 - Exfiltration Over Physical Medium: This is the group's unique escalation tactic, using USB drives to physically steal data.

Impact Assessment

The impact of an SRG attack extends beyond financial loss from ransom payments. For targeted industries like law and healthcare, the theft and potential leakage of client or patient data can lead to severe regulatory fines (e.g., under HIPAA or GDPR), loss of client trust, and catastrophic reputational damage. The group's tactic of contacting a victim's clients directly can accelerate this damage. The physical intrusion component also introduces a new layer of risk and liability for organizations, requiring a review of not just cybersecurity policies, but also physical access controls and employee verification procedures.

IOCs — Directly from Articles

No specific digital Indicators of Compromise were mentioned in the source articles.

Cyber Observables — Hunting Hints

Detection for this threat requires correlating digital and physical signals:

Type

log_source

Value

Remote Access Tool Logs

Description

Monitor for connections from remote access tools (e.g., TeamViewer, AnyDesk) initiated by non-IT personnel or to unknown external parties.

Type

log_source

Value

Physical Access Control Logs

Description

Correlate unexpected after-hours entries or visitor logs with help desk ticket data. An 'IT visit' with no corresponding ticket is a red flag.

Type

command_line_pattern

Value

robocopy, xcopy

Description

Monitor for large file copy operations from workstations to newly connected USB storage devices.

Type

event_id

Value

Windows Event ID 4663

Description

Monitor for Event ID 4663 (An attempt was made to access an object) on sensitive file shares, correlated with access from a user account that recently received 'IT support'.

Detection & Response

Multi-Channel Verification: Establish a clear, out-of-band verification process for all IT support requests. If IT calls an employee, that employee should have a trusted number to call back to verify the request's legitimacy. Never trust an inbound call alone.
Physical Security Integration: Ensure your physical security team and SOC are communicating. A physical security alert (e.g., an unbadged visitor) should be a data point for the SOC, and a suspicious remote access session should prompt a check of physical security logs and cameras.
USB Device Control: Implement strict controls on USB device usage. Use endpoint protection software to block all unauthorized USB storage devices by default and only allow company-issued, encrypted devices.
Behavioral Monitoring (D3-UBA): Use User Behavior Analytics to detect anomalies. An employee who never uses a remote access tool suddenly installing one, or a workstation suddenly copying gigabytes of data to a USB drive, are strong indicators of this attack.

Mitigation

Employee Training (M1017): This is the most critical mitigation. Train all employees to be deeply skeptical of unsolicited IT support calls or emails. They must be taught the verification procedure and empowered to refuse requests until they are verified.
Visitor Escort Policy: Enforce a strict policy that all visitors, including those claiming to be IT or maintenance, must be escorted by a verified employee at all times.
Identity Verification: Front desk and security staff must be trained to rigorously verify the identity of any individual seeking access, especially those claiming to be contractors or support personnel. This includes checking government-issued ID and confirming their visit with an internal contact.
Data Loss Prevention (DLP): Deploy DLP solutions on endpoints to monitor and block the unauthorized transfer of sensitive data to removable media like USB drives.

To directly counter the Silent Ransom Group's physical exfiltration tactic, organizations must implement strict IO Port Restriction policies. This should be enforced via an endpoint protection or Data Loss Prevention (DLP) solution. The policy should be configured to block all removable storage devices (USB drives, external hard drives) by default. For users who have a legitimate business need for such devices, a policy of 'allow by exception' should be used, permitting only company-issued, hardware-encrypted USB drives. Furthermore, the endpoint agent should generate a high-priority alert in the SIEM whenever a blocked device is connected or when a large volume of data is copied to an authorized device. This technical control provides a critical last line of defense if an operative successfully bypasses physical security and gains access to a workstation.

FBI Issues Alert on 'Silent Ransom Group' (Luna Moth) Using In-Person Impersonation Tactics for Data Theft