EXECUTIVE SUMMARY
The Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider and UNC3753, is a cyber‑extortion group. Its campaigns focus on data theft rather than encryption, targeting organisations that store confidential information. Primary victims include law firms, healthcare providers, financial services, insurers and hospitality operators, with a noticeable emphasis on U.S. legal practices. The group’s infrastructure spans Latin America, Eastern Europe, Central Asia, the Middle East, East Asia and the Caribbean, enabling a resilient fast‑flux network. Its objective is to exfiltrate sensitive files and pressure victims into paying to prevent public disclosure.
SRG typically gains initial access through credential‑phishing emails, voice‑phishing calls that impersonate IT support, or by planting operatives inside target offices to bypass physical security. Compromised routers and other IoT devices are also recruited to build a fast‑flux DNS layer that masks command‑and‑control endpoints. After a foothold is achieved, the group deploys custom tools to enumerate file shares, copy privileged documents and move laterally across the network. Collected data is uploaded to a clearnet data‑leak site, where victims receive a token‑based link. Continuous DNS rotation allows the attackers to retain access while evading takedown efforts.
The threat is significant because it bypasses traditional ransomware safeguards: without encryption, backups provide little protection once confidential files are exposed. Fast‑flux DNS makes the malicious infrastructure hard to locate and take down, while the use of familiar communication channels increases the success of social‑engineering attacks. Organisations should harden IoT and CPE devices, enforce strict patching, and segment critical file stores to limit lateral movement. Continuous monitoring of DNS traffic for rapid TTL changes, coupled with email and voice‑phishing awareness programs, can reveal early compromise. Maintaining air‑gapped backups and deploying advanced endpoint detection further reduce the impact of a breach.
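As an added illustration of the DNS monitoring recommended above (not part of the original report), the following Python sketch flags domains whose A records combine low TTLs with rapidly churning answer IPs in passive-DNS style log lines. The log format, the thresholds and the domain names are assumptions; the sample lines are constructed.

```python
"""Flag fast-flux-like domains in passive-DNS style resolver logs.

Heuristic (an assumption, not taken from the report): a domain is suspicious when
its A answers carry a low TTL and the set of returned IPs churns within a short window.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an assumed format:
# "<ISO timestamp> <qname> A <ip> ttl=<seconds>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 leak-portal.example A 203.0.113.10 ttl=120
2024-05-01T10:02:00 leak-portal.example A 198.51.100.7 ttl=90
2024-05-01T10:04:00 leak-portal.example A 192.0.2.44 ttl=60
2024-05-01T10:06:00 leak-portal.example A 203.0.113.88 ttl=120
2024-05-01T10:08:00 leak-portal.example A 198.51.100.250 ttl=100
2024-05-01T10:00:00 www.example.org A 192.0.2.1 ttl=3600
2024-05-01T10:30:00 www.example.org A 192.0.2.1 ttl=3600
"""


def parse_line(line):
    """Parse one log line into (timestamp, qname, ip, ttl); None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "A" or not parts[4].startswith("ttl="):
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[3], int(parts[4][4:])
    except ValueError:
        return None


def find_fast_flux(log_text, max_ttl=300, min_unique_ips=4, window_seconds=900):
    """Return {qname: sorted unique IPs} for domains whose A answers have
    TTL <= max_ttl and at least min_unique_ips distinct IPs inside any
    window_seconds span. Thresholds are illustrative, not tuned values."""
    by_name = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] <= max_ttl:           # only low-TTL answers are of interest
            by_name[rec[1]].append((rec[0], rec[2]))
    hits = {}
    for qname, answers in by_name.items():
        answers.sort()                          # chronological order
        for i, (start, _) in enumerate(answers):
            ips = {ip for ts, ip in answers[i:]
                   if (ts - start).total_seconds() <= window_seconds}
            if len(ips) >= min_unique_ips:
                hits[qname] = sorted(ips)
                break
    return hits
```

Feeding real resolver logs through `find_fast_flux` requires adapting `parse_line` to the local log format; the churn-per-window logic is unchanged.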
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Resource Development | T1583.001 | Acquire Infrastructure | Domains |
| Resource Development | T1583.004 | Acquire Infrastructure | Server |
| Initial Access | T1566.003 | Phishing | Spearphishing via Service |
| Initial Access | T1195.003 | Supply Chain Compromise | Compromise Hardware Supply Chain |
| Command and Control | T1090.002 | Proxy | External Proxy |
| Command and Control | T1568.001 | Dynamic Resolution | Fast Flux DNS |
| Exfiltration | T1567.003 | Exfiltration Over Web Service | Exfiltration to Text Storage Sites |
REFERENCES:
The following reports contain further technical details:
https://www.securityweek.com/silent-ransom-group-uses-dns-fast-flux-in-attacks/
https://www.resecurity.com/blog/article/silent-ransom-group-srg-uncovering-dns-fast-flux-infrastructure