A cybercriminal group known as the Silent Ransom Group is running a targeted campaign against U.S. law firms and professional services companies, using convincing phone calls that impersonate internal IT support staff to gain remote access to systems and steal sensitive data — often within just hours of first contact.

The campaign was detailed in a new report by Mandiant, as reported by BleepingComputer. Rather than relying on malware-laden emails or exploiting software vulnerabilities, the attackers take a decidedly human approach: they pick up the phone.

Social Engineering at the Core

The group's playbook involves calling employees at targeted firms while posing as members of the organisation's own IT helpdesk. During these calls, victims are walked through granting remote access to their machines under the guise of routine troubleshooting or system maintenance. Once inside, the attackers move quickly to locate and exfiltrate valuable data before demanding payment to prevent its publication.

What makes this campaign particularly dangerous is the compressed timeline. Traditional cyberattacks may unfold over days or weeks, giving security teams time to detect anomalies. Here, the entire chain — from the initial phone call to confirmed data theft — can play out in a matter of hours, leaving defenders with an extremely narrow window to respond.

Why Law Firms Are Prime Targets

Law firms represent a high-value target for extortion operations. They routinely hold confidential client communications, merger and acquisition details, intellectual property, and privileged legal documents. The reputational and legal consequences of such data being leaked can be severe, making these organisations more likely to consider paying a ransom.

Mandiant's report indicates the group has been specifically singling out firms and professional services organisations in the United States, though the underlying social engineering tactics are not geographically limited. Any organisation that maintains an internal IT helpdesk and handles sensitive information could find itself in the crosshairs of a similar operation.

The Human Vulnerability

The campaign underscores a persistent reality in cybersecurity: technical defences can be rendered irrelevant when an attacker successfully exploits human trust. Employees are conditioned to cooperate with their IT departments, and a well-crafted phone call from someone who sounds knowledgeable and authoritative can bypass even the most carefully configured firewalls and endpoint detection tools. The reason is that the victim, not the attacker, installs or authorises the remote-access session, so to the endpoint and the network it looks like sanctioned support activity rather than an intrusion.

This makes verification protocols essential. Security experts broadly recommend that organisations implement and enforce a strict "hang up and call back" policy for any unsolicited IT contact. In practice, employees should be required to end the call and independently dial their organisation's verified helpdesk number, taken from the internal directory rather than from anything the caller supplies, before granting anyone remote access. That single procedural step breaks this attack chain at the point of initial access, because the attacker never gets the session they need.

Broader Implications

The campaign also raises questions about how smaller organisations can defend themselves. Large firms may have dedicated security operations centres capable of monitoring for anomalous data access in real time, but smaller practices with limited resources face a steeper challenge. For them, employee awareness and well-drilled internal procedures represent the most practical and effective line of defence.
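The compressed timeline described above, and the monitoring that larger firms can afford, can be approximated cheaply by correlating two signals the article implies: a remote-support tool starting on a workstation, followed within hours by an unusually large outbound transfer from the same host. The following is an added example, not code from the article, from Mandiant or from any vendor; the log layout, the tool names, the three-hour window and the 500 MiB threshold are all assumptions chosen for illustration, and the telemetry is constructed.

```python
"""Added example, not from the original article or from Mandiant: flag hosts where a
remote-access tool starts and a large outbound transfer follows within a few hours.
Field layout, tool names and thresholds are assumptions chosen for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed process names for remote-support tooling; adapt to what your estate actually runs.
REMOTE_ACCESS_TOOLS = {"remote_support.exe", "helpdesk_agent.exe"}
# The article describes the call-to-theft chain completing within hours, so the
# correlation window is short; 3 hours and 500 MiB are assumed starting values.
WINDOW = timedelta(hours=3)
OUTBOUND_THRESHOLD_BYTES = 500 * 1024 * 1024

# Constructed sample telemetry: timestamp|host|event_type|detail
# process_start -> detail is the image name; net_out -> detail is bytes sent.
SAMPLE_LOG = """
2024-03-04T09:12:00|LAW-WS-017|process_start|remote_support.exe
2024-03-04T09:40:00|LAW-WS-017|net_out|120000000
2024-03-04T10:05:00|LAW-WS-017|net_out|450000000
2024-03-05T09:00:00|LAW-WS-017|net_out|200000000
2024-03-04T09:30:00|LAW-WS-022|process_start|remote_support.exe
2024-03-04T09:45:00|LAW-WS-022|net_out|30000000
2024-03-04T08:00:00|LAW-WS-031|net_out|900000000
"""


def parse_events(raw):
    """Parse pipe-delimited lines into (time, host, event_type, detail) tuples."""
    events = []
    for line in raw.strip().splitlines():
        ts, host, event_type, detail = line.split("|")
        events.append((datetime.fromisoformat(ts), host, event_type, detail))
    return events


def find_suspicious_sessions(events):
    """Return one finding per remote-access start that is followed, within WINDOW,
    by outbound volume at or above OUTBOUND_THRESHOLD_BYTES on the same host."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev[1]].append(ev)

    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e[0])
        for ts, _, event_type, detail in evs:
            if event_type != "process_start" or detail.lower() not in REMOTE_ACCESS_TOOLS:
                continue
            deadline = ts + WINDOW
            # Only outbound volume inside the window after this session start counts,
            # so a large backup job on a host with no remote session is not flagged.
            bytes_out = sum(
                int(d) for t, _, et, d in evs
                if et == "net_out" and ts <= t <= deadline
            )
            if bytes_out >= OUTBOUND_THRESHOLD_BYTES:
                findings.append({
                    "host": host,
                    "tool": detail,
                    "session_start": ts.isoformat(),
                    "bytes_out": bytes_out,
                })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_sessions(parse_events(SAMPLE_LOG)):
        print(finding)
```

On the constructed data only LAW-WS-017 is flagged: a remote-support process starts at 09:12 and 570 MB leaves the host before the three-hour window closes, while the next day's transfer falls outside it. LAW-WS-022 had a session but moved little data, and LAW-WS-031 moved a lot of data with no remote session, which is the pattern a scheduled backup produces. The point of keying on the session start rather than on volume alone is that it matches the sequence the article describes and keeps the alert rate low enough that a small practice without a security operations centre can act on it.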

Continuous, scenario-based security awareness training — focused specifically on social engineering techniques like vishing — is widely cited as a critical complement to technical controls. However, the effectiveness of such training depends on whether it drives genuine behavioural change rather than becoming a compliance checkbox.

The Silent Ransom Group's campaign is a reminder that as organisations invest heavily in technical security infrastructure, attackers continue to find success by going straight to the people who use it. For IT leaders, the message is clear: the phone on someone's desk can be just as dangerous as a phishing email, and defences must account for both.

