Skip to content
Ransomware group

Silent Ransom Group

Silent Ransom Group is a financially motivated cyber extortion actor active since at least 2022 and widely tracked under the aliases UNC3753, Luna Moth, and Chatty Spider.

Profile source: Mallory opens in a new tab

Silent Ransom Group

Family profile

Silent Ransom Group is a financially motivated cyber extortion actor active since at least 2022 and widely tracked under the aliases UNC3753, Luna Moth, and Chatty Spider. The group is associated with the broader Conti cybercrime ecosystem and has been assessed as an offshoot or successor cluster that evolved away from conventional ransomware deployment toward pure data-theft extortion. Earlier activity has been linked to callback-phishing and BazarCall-style social engineering, while more recent operations emphasize impersonation of internal IT support rather than malware-led intrusion tradecraft.

The actor primarily targets organizations in the United States, with especially strong focus on law firms, legal services, financial services, insurance, and other professional services organizations. Law firms are a recurring priority because they hold privileged communications, legal strategy, financial records, intellectual property, tax documents, and personally identifiable information that can be monetized through extortion. Reporting also indicates prior targeting of other sectors through similar social-engineering-led access operations.

Silent Ransom Group typically initiates attacks with benign pretext emails, often invoice-themed or support-related, that contain no malicious payloads and are designed to set up follow-on contact. Operators then conduct voice phishing, impersonating internal help desk or security personnel and persuading victims to join screen-sharing sessions or install legitimate remote monitoring and management tools. Observed tradecraft includes abuse of commercial remote access and support software, use of self-destructing note services to transmit instructions, and exploitation of bring-your-own-device and virtual desktop workflows to pivot into corporate environments. Once access is obtained, the group rapidly enumerates local and network resources, searches document repositories such as enterprise legal document management platforms, stages files, and exfiltrates sensitive data to external storage or cloud services. In many cases, extortion demands follow very quickly, sometimes within the same business day and in some reported incidents within an hour of initial compromise.

A notable characteristic of the group is its reliance on deception and trusted-process abuse rather than custom malware or software exploitation. Silent Ransom Group has repeatedly used help desk impersonation, callback phishing, vishing, credential theft, account compromise, and social engineering to induce victims to perform actions on the attackers’ behalf. The group has also been linked to physical-world escalation: when remote social engineering fails, individuals associated with the operation have reportedly appeared in person at victim offices while posing as IT technicians, seeking endpoint access to copy data to removable media. This blending of cyber extortion with in-person impersonation distinguishes the actor from many traditional ransomware crews.

The group’s monetization model centers on theft of high-value data followed by extortion under threat of disclosure, rather than widespread encryption of victim systems. Silent Ransom Group has been repeatedly described as part of the broader shift from ransomware to data-only extortion. Historical reporting indicates that the cluster may previously have deployed ransomware, including LockBit Black in earlier phases, but its current operations are characterized by rapid data theft, coercive negotiation, and leak-site pressure. Public reporting also associates the actor with resilient leak infrastructure and fast-flux-style hosting intended to complicate disruption and takedown efforts.

Known aliases include Silent Ransom Group, Silent Ransom, SRG, Luna Moth, Chatty Spider, and UNC3753. The actor is best understood as a socially engineered extortion operation with Conti lineage, focused on stealing sensitive business and legal data from U.S.-based professional organizations and coercing payment through threats of public exposure.

Ransomware.live

Operational record

View group record ↗

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.