Back

Silent Ransom Group Targets Law Firms with Fast Flux Infrastructure

Severity: High (Score: 69.5)

Sources: www.resecurity.com, Securityaffairs.Co

Published: 2026-06-07 · Updated: 2026-06-07

Keywords: group, silent, ransom, resecurity, fast, flux, infrastructure

Summary

The Silent Ransom Group (SRG), a cyber extortion group active since 2022, has been identified using DNS Fast Flux infrastructure to target U.S. law firms and other sensitive industries. Unlike traditional ransomware, SRG focuses on data theft and extortion without encryption. The FBI has issued warnings about ongoing attacks, particularly against law firms that manage sensitive client data. Resecurity has uncovered SRG's Fast Flux network, which uses compromised devices to create a resilient infrastructure against takedowns. The group is known for exploiting vulnerabilities in IoT devices and customer premises equipment. The advisory highlights the need for collaboration between public and private sectors to combat this threat. The SRG's activities have been linked to other underground projects, indicating a broader network of cybercrime. Law firms are particularly vulnerable due to the sensitive nature of the data they handle. Key Points: • The Silent Ransom Group uses DNS Fast Flux to evade detection and maintain operations. • Law firms are primary targets due to their management of sensitive client data. • The FBI has issued advisories regarding ongoing attacks against U.S. businesses.

Detailed Analysis

**Impact** U.S.-based law firms, particularly top AmLaw 100 firms, are the primary targets, with at least 38 law firms confirmed to have data leaked. Other affected sectors include healthcare, hotels, finance, and insurance. The group targets sensitive client data such as legal documents, intellectual property, and privileged communications, risking significant reputational and legal consequences. The malicious infrastructure spans multiple regions, including Latin America, Eastern Europe, Central Asia, Middle East/Africa, East Asia, and the Caribbean. **Technical Details** The Silent Ransom Group uses social engineering (callback phishing, vishing) and physical infiltration by operatives posing as IT support to gain access. They employ DNS Fast Flux infrastructure, leveraging compromised IoT and CPE devices worldwide to rotate DNS records rapidly with short TTLs, enhancing resilience against takedown efforts. No specific malware or CVEs were mentioned. The group operates data leak sites on the clearnet to extort victims without encrypting data. **Recommended Response** Defenders should monitor for callback phishing and vishing attempts impersonating IT or third-party providers, especially those referencing known brands like Duolingo or Masterclass. Network defenders and ISPs should collaborate to detect and block Fast Flux DNS patterns, including rapid DNS record changes and short TTL values. Hardening IoT and CPE devices against compromise is critical to disrupt the botnet infrastructure. No patch or CVE-specific mitigations were provided.

Source articles (2)

  • Silent Ransom Group (SRG): Switching To DNS Fast Flux Infrastructure — Securityaffairs.Co · 2026-06-05
    Researchers exposed the Silent Ransom Group ‘s Fast Flux infrastructure as the FBI warns of ongoing attacks targeting U.S. law firms and businesses. Resecurity uncovered the Silent Ransom Group (SRG)’…
  • Resecurity — www.resecurity.com · 2026-06-07
    The Silent Ransom Group (SRG), also known as Luna Moth , Chatty Spider , and UNC3753 , is a sophisticated cyber extortion group that has been active since at least 2022. Unlike traditional ransomware…

Timeline

  • 2022-01-01 — SRG begins operations: The Silent Ransom Group is identified as active in cyber extortion, focusing on data theft.
  • 2026-05-01 — FBI issues advisory: The FBI warns of ongoing attacks by SRG targeting U.S. law firms and businesses.
  • 2026-06-07 — Resecurity uncovers Fast Flux network: Resecurity identifies SRG's Fast Flux infrastructure, sharing intelligence to disrupt their activities.

Related entities

  • Data Breach (Attack Type)
  • Phishing (Attack Type)
  • Ransomware (Attack Type)
  • Supply Chain Attack (Attack Type)
  • Argentina (Country)
  • Bolivia (Country)
  • Brazil (Country)
  • Bulgaria (Country)
  • Colombia (Country)
  • Costa Rica (Country)
  • Croatia (Country)
  • Dominican Republic (Country)
  • Ecuador (Country)
  • Egypt (Country)
  • Jamaica (Country)
  • Kyrgyzstan (Country)
  • Mexico (Country)
  • North Macedonia (Country)
  • Panama (Country)
  • Peru (Country)
  • Saudi Arabia (Country)
  • South Korea (Country)
  • Tunisia (Country)
  • Uzbekistan (Country)
  • Cwe-352 - Cross-Site Request Forgery (csrf) (Cwe)
  • 100xmargin.com (Domain)
  • 192204-coinbase.com (Domain)
  • 1xst.ru (Domain)
  • 4nhaarmgex.com (Domain)
  • 952cd7f5-55c2-472f-bc9d-08487ef75661.random.aoptical.omerta.cc (Domain)
  • ab.omerta.cc (Domain)
  • abqnurbs.omerta.cc (Domain)
  • acdc.omerta.cc (Domain)
  • acesam.omerta.cc (Domain)
  • adaudit.omerta.cc (Domain)
  • adcollective.omerta.cc (Domain)
  • addrea.omerta.cc (Domain)
  • addressing.omerta.cc (Domain)
  • admin.admin.admin.admin.admin.cvv-union.at (Domain)
  • admin.admin.admin.admin.admin.hostmaster.omerta.cc (Domain)
  • admin.admin.admin.admin.admin.omerta.cc (Domain)
  • admin.admin.admin.admin.admin.union-shop.at (Domain)
  • admin.admin.admin.admin.admin.www.cvv-union.at (Domain)
  • admin.admin.admin.admin.admin.www.omerta.cc (Domain)
  • admin.admin.admin.admin.admin.www.union-shop.at (Domain)
  • admin.admin.admin.admin.cvv-union.at (Domain)
  • admin.admin.admin.admin.hostmaster.omerta.cc (Domain)
  • admin.admin.admin.admin.omerta.cc (Domain)
  • admin.admin.admin.admin.union-shop.at (Domain)
  • admin.admin.admin.admin.www.cvv-union.at (Domain)
  • admin.admin.admin.admin.www.omerta.cc (Domain)
  • admin.admin.admin.admin.www.union-shop.at (Domain)
  • admin.admin.admin.cvv-union.at (Domain)
  • admin.admin.admin.hostmaster.omerta.cc (Domain)
  • admin.admin.admin.omerta.cc (Domain)
  • admin.admin.admin.union-shop.at (Domain)
  • admin.admin.admin.www.cvv-union.at (Domain)
  • admin.admin.admin.www.omerta.cc (Domain)
  • admin.admin.admin.www.union-shop.at (Domain)
  • admin.admin.cvv-union.at (Domain)
  • admin.admin.hostmaster.omerta.cc (Domain)
  • admin.admin.omerta.cc (Domain)
  • admin.admin.union-shop.at (Domain)
  • admin.admin.www.cvv-union.at (Domain)
  • admin.admin.www.omerta.cc (Domain)
  • admin.admin.www.union-shop.at (Domain)
  • admin.cvv-union.at (Domain)
  • admin.hostmaster.omerta.cc (Domain)
  • admin.mywebb.at (Domain)
  • admin.omerta.cc (Domain)
  • admin.union-shop.at (Domain)
  • admin.www.cvv-union.at (Domain)
  • admin.www.omerta.cc (Domain)
  • admin.www.union-shop.at (Domain)
  • aedwardes.omerta.cc (Domain)
  • [email protected] (Email)
  • Financial (Industry)
  • Healthcare (Industry)
  • Insurance (Industry)
  • 123.214.62.28 (Ipv4)
  • 130.204.1.83 (Ipv4)
  • 159.0.229.102 (Ipv4)
  • 161.132.94.226 (Ipv4)
  • 177.222.41.236 (Ipv4)
  • 177.84.182.188 (Ipv4)
  • 179.52.106.82 (Ipv4)
  • 186.101.193.110 (Ipv4)
  • 186.23.249.254 (Ipv4)
  • 187.199.140.132 (Ipv4)
  • 187.228.100.237 (Ipv4)
  • 189.195.132.134 (Ipv4)
  • 190.140.81.252 (Ipv4)
  • 190.147.128.172 (Ipv4)
  • 190.147.200.151 (Ipv4)
  • 190.16.5.248 (Ipv4)
  • 190.224.203.37 (Ipv4)
  • 190.249.139.21 (Ipv4)
  • 195.158.3.172 (Ipv4)
  • 197.134.192.101 (Ipv4)
  • 197.44.54.74 (Ipv4)
  • 201.191.99.134 (Ipv4)
  • 211.202.224.10 (Ipv4)
  • 212.112.110.243 (Ipv4)
  • 41.225.239.178 (Ipv4)
  • 63.143.98.185 (Ipv4)
  • 95.178.198.144 (Ipv4)
  • 95.178.213.100 (Ipv4)
  • 95.86.30.3 (Ipv4)
  • Spy Corporate (Malware)
  • d7cf169127fe39dd1aa3d0479fcc0876 (Md5)
  • T1071.004 - DNS (Mitre Attack)
  • T1566 - Phishing (Mitre Attack)
  • Tor (Platform)
  • CSRF - Cross-Site Request Forgery (Vulnerability)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed