Silent Ransom Group (also known as SRG, Luna Moth, Chatty Spider, Storm-0252, and UNC3753) is a financially-motivated cybercrime gang that has been stealing data from companies and demanding payment.
Well, not in the traditional sense. Most people, when they think of ransomware, still think of malicious hackers breaking into a company's network, encrypting its data, and demanding a ransom for the decryption key. In more recent years, more and more ransomware gangs have commonly stolen data from a hacked company's systems and threatened to leak it or sell it to others if a ransom is not paid. Some cybercriminals have even dropped encryption altogether and focused instead on the monetization of exfiltrated data.
Here's the funny thing. Despite the name, Silent Ransom Group doesn't actually deploy any ransomware. At least, not anymore. The gang does have its roots in traditional file-encrypting ransomware, but at some point it seems to have decided that doing that was too much effort and focused on data theft instead.
An attack by Silent Ransom Group typically begins with an unremarkable-looking email. It may claim to be about an invoice, often sent from a regular off-the-shelf email account, but there is no malicious link or attachment.
The email's job is to plant a small seed of concern in the recipient's mind, meaning that when they receive a phone call shortly afterward, the victim believes there is some kind of problem that needs sorting out.
On the call, the attacker poses as a member of the company's own IT helpdesk or security team. Often they will use genuine names and contact details harvested from the firm's own website, staff directory, or LinkedIn.
The attacker will then talk the victim into starting a screen-sharing session (Zoom, Microsoft Teams, and Quick Assist have all been used) and attempt to install a legitimate remote-access tool such as AnyDesk or Zoho Assist.
With that in place, the attackers quickly use legitimate tools to copy data or simply upload files through the browser to cloud accounts under the attackers' control - hunting for anything which may be of value from the victim's SharePoint, OneDrive, corporate email, etc. In one case investigated by Mandiant, the attackers stole 1.7GB via Google Drive before switching to WinSCP to grab a further 14.4GB.
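Because the tools named above (AnyDesk, Zoho Assist, Quick Assist, WinSCP) are legitimate software, antivirus will not flag them; what a defender can flag is their appearance on hosts where they are not sanctioned, especially when launched from a user's Downloads folder by a browser. The following is an added example, not code from the article or from any vendor it mentions. It scans constructed process-creation log lines (a reduced Sysmon-style format; the field layout, the binary names for Zoho Assist and Quick Assist, and the allowlist of approved host/tool pairs are all assumptions) and reports executions of watched remote-access or transfer tools that are not on the allowlist.

```python
"""Flag executions of remote-access / file-transfer tools outside an allowlist.

Added example, not from the original article. The log lines are constructed to
resemble Windows process-creation events reduced to a few fields; the field
names, binary names and the allowlist are assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Tools the article names as used in Silent Ransom Group intrusions, keyed by
# image name. Matching on image name alone is a heuristic (binaries can be
# renamed), so in production pair it with signer or hash checks.
WATCHED_IMAGES = {
    "anydesk.exe": "AnyDesk",
    "zohoassist.exe": "Zoho Assist",    # assumed binary name (placeholder)
    "quickassist.exe": "Quick Assist",  # assumed binary name (placeholder)
    "winscp.exe": "WinSCP",
}

# (host, tool) pairs that are sanctioned. Assumption: only the help desk host
# is allowed to run AnyDesk; nothing else on the watched list is approved.
APPROVED = {
    ("helpdesk-01", "AnyDesk"),
}

# Constructed line format:
#   <timestamp> host=<host> user=<user> image="<full path>" [parent=<image>]
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image="(?P<image>[^"]+)"'
    r'(?: parent=(?P<parent>\S+))?\s*$'
)


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    tool: str
    parent: Optional[str]


def parse_line(line: str) -> Optional[dict]:
    """Return the event fields, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_unapproved_tools(lines: List[str]) -> List[Finding]:
    """Return one Finding per watched-tool execution not covered by APPROVED."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed line: skip rather than crash the scan
        image = ev["image"].rsplit("\\", 1)[-1].lower()  # basename of the path
        tool = WATCHED_IMAGES.get(image)
        if tool is None:
            continue
        if (ev["host"].lower(), tool) in APPROVED:
            continue
        findings.append(Finding(ev["ts"], ev["host"], ev["user"], tool, ev.get("parent")))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_LOGS = [
    '2024-03-05T10:02:11Z host=ws-legal-17 user=CORP\\jdoe image="C:\\Users\\jdoe\\Downloads\\AnyDesk.exe" parent=msedge.exe',
    '2024-03-05T10:03:40Z host=helpdesk-01 user=CORP\\svc_helpdesk image="C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe"',
    '2024-03-05T10:09:02Z host=ws-legal-17 user=CORP\\jdoe image="C:\\Users\\jdoe\\Downloads\\WinSCP.exe" parent=AnyDesk.exe',
    '2024-03-05T10:15:27Z host=ws-fin-03 user=CORP\\asmith image="C:\\Windows\\System32\\quickassist.exe" parent=explorer.exe',
    '2024-03-05T10:16:00Z host=ws-legal-17 user=CORP\\jdoe image="C:\\Windows\\System32\\notepad.exe" parent=explorer.exe',
    'this line is not in the expected format',
]

if __name__ == "__main__":
    for f in find_unapproved_tools(SAMPLE_LOGS):
        print(f"{f.ts} {f.host} {f.user}: {f.tool} launched (parent={f.parent})")
```

Run as-is, the scan reports three events: AnyDesk launched from a Downloads folder by a browser, WinSCP started from the AnyDesk session, and Quick Assist on a finance workstation; the help desk's sanctioned AnyDesk use is suppressed by the allowlist. The parent-process field is kept in each finding because "browser spawns remote-access installer" is the sequence the article's phone-call pretext produces.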
Silent Ransom Group has focused its attention on the insurance, finance, and healthcare sectors, and particularly on law firms.
The reason for that is that law firms store huge amounts of confidential data that extortionists know will be child's play to monetize: client files, merger plans, trade secrets, regulatory filings, and colossal collections of personal and financial information.
A leak of such material would be catastrophic for both the law firm and its clients, and the attackers are banking on victims being highly motivated to make the problem go away by paying a ransom.
According to Google's Mandiant researchers, the group hit dozens of organizations across the legal, financial, and professional services sectors in the first five months of this year.
It gets worse...
Last month the FBI issued an alert warning that when Silent Ransom Group's remote-access approach fails, the group has, in some cases, escalated to sending someone to physically visit the victim's premises.
Nope. Someone visits your office posing as an IT support technician, claims that they need to image your computer or run a backup to deal with a "security issue" and then plugs a USB drive or external hard disk into your employee's computer to copy data directly.
Just a whole heap of confidence, a plausible story, and a memory stick. To be clear, investigators have said that the evidence linking the in-person visits to the Silent Ransom Group is limited, and Google's analysts describe them only as "likely" to be related. But the FBI has determined that the threat is serious enough to warrant warning organizations about it directly.
The extortion begins - often within just 30 minutes, you will receive an extortion email giving you a three-day deadline to pay up. Victims are warned that staff, clients, partners, journalists and regulators will be informed of the breach, and that stolen files will ultimately be published on the group's leak site for all to see - if the ransom is not paid.
Silent Ransom Group's approach leans heavily on social engineering rather than malware, and so your strongest defence is going to be a mixture of raising awareness amongst your staff, and technical controls:
For more advice, be sure to read the FBI's advisory about the Silent Ransom Group impersonating IT staff.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Fortra.