How UpSight Security Neutralizes the Silent Ransom Group’s Resurgent Attacks
In the ever-evolving landscape of cyber threats, a stealthy and persistent adversary known as the Silent Ransom Group (SRG)—also referred to as Luna Moth, Chatty Spider, and UNC3753—has been active since at least 2022. However, it’s their recent, intensified campaigns that have resurrected this threat with a vengeance, prompting heightened alerts and a crucial FBI notification for organizations across various sectors. Luna Moth distinguishes itself by forgoing traditional malware in favor of sophisticated social engineering and the abuse of legitimate commercial tools. This “lolbins on steroids” approach makes them notoriously difficult for conventional security solutions to detect, as their activities often blend with normal network traffic.
Understanding the Luna Moth Attack
The Luna Moth threat actor primarily leverages information technology (IT)-themed social engineering and callback phishing emails to gain unauthorized remote access to systems and steal sensitive data for extortion. Their methods manipulate unsuspecting users into inadvertently granting access, often by impersonating legitimate business operations.
While Luna Moth has historically victimized companies across various sectors, recent intensified targeting, specifically noted by the FBI since Spring 2023, has focused on US-based law firms, likely due to the highly sensitive nature of legal industry data. Other consistently targeted industries include the medical and insurance sectors.
The U.S. Federal Bureau of Investigation (FBI) recently issued a Private Industry Notification (PIN) on May 23, 2025, specifically warning law firms about SRG’s ongoing campaigns. You can find more details in the FBI Alert on Silent Ransom Group Targeting Law Firms.
Technical Breakdown of the Attack:
Luna Moth’s attack chain primarily revolves around human manipulation and the misuse of legitimate tools, often disguised as routine business interactions:
- Initial Access (MITRE ATT&CK T1113 – Screen Capture): Luna Moth initiates remote access through various social engineering tactics. Attackers use callback phishing (e.g., fake IT help desk alerts, bogus invoices/subscriptions) or direct phone calls where they impersonate IT support. Their goal is to manipulate an employee into installing a legitimate Remote Monitoring and Management (RMM) application like Zoho Assist, Syncro, AnyDesk, Splashtop, or Atera, granting the attackers control.
- Reconnaissance and Data Collection (MITRE ATT&CK T1005 – Data from Local System & T1039 – Data from Network Shared Drive): With remote access secured, the attackers perform reconnaissance, navigating the compromised system and connected network drives to identify and collect valuable sensitive data, often building archives from accessed files.
- Data Exfiltration (MITRE ATT&CK T1567 – Exfiltration Over Web Service): The final stage involves exfiltrating the collected data using built-in Windows functionalities or commercially available file transfer tools like WinSCP or a hidden/renamed version of Rclone, bypassing traditional security detections.
Following successful data exfiltration, Luna Moth sends extortion notes to victims, threatening to publish or sell the stolen data if a ransom isn’t paid. They’ve also been known to harass employees via phone calls to pressure organizations into negotiations.
UpSight Causix AI
Our Disruptive Approach to Luna Moth
Our approach to the Silent Ransom Group remains consistent with the core UpSight Security technology: we look for the story the behavior tells us. Luna Moth is unique in that it utilizes no malware and relies on plausible social engineering attacks and commercial off-the-shelf tools—truly a “lolbins on steroids” approach. Because of the commercial nature of many tools Luna Moth uses, most security vendors provide little or no control or visibility over their usage.
UpSight’s approach is consistent with how we disrupt ransom operations every day. We’ve specifically evolved our Causix AI model to recognize the unique behaviors associated with Luna Moth’s tactics and procedures, as we observed during a recent engagement with a prospect, now a customer. These attacks are branching out well beyond law firms and financial institutions; we’ve even seen them targeting several organizations, including our own, underscoring the widespread and indiscriminate nature of this threat.
While UpSight Security can’t see the initial social engineering aspects of the story, we pick it up immediately when an RMM application is launched (MITRE ATT&CK T1113). Our ability to detect T1113 is based on fingerprinting nearly two dozen commercial RMM applications cited in Luna Moth and other ransomware actor threat reports that use T1113 as an initial access vector. We also have a generic detection for the general behavior of an application capturing the screen session.
We then see the story unfold as Luna Moth gains control through an RMM session, performs reconnaissance, and collects data from the local system and attached network drives (MITRE ATT&CK T1005 & T1039). Our Data Sentry feature allows us to identify data files and build a behavioral pattern of access to those files, with the optional step of building an archive from the accessed data files. The final action Luna Moth takes is exfiltrating data using built-in Windows and commercially available file transfer tools (MITRE ATT&CK T1567), which we interdict and prevent, ensuring your data remains inaccessible and unavailable for extortion.
Put together, the Causix engine understands the attack as a “sentence” of T1113, [T1005, T1039], T1567. While this sequence may seem trivial, it completely shuts down Luna Moth and would force a change in their tactics and procedures. Importantly, this sentence describes neither routine IT help desk support activities nor routine work performed by a desktop user. An IT help desk may remotely access a system, but it generally shouldn’t need to collect and upload user data via such a session. If that scenario were to arise, UpSight.ai would require that the SOC be notified and a temporary exception be granted for the specific device where the work needs to be performed.
UpSight.ai continues to add new variations of this basic sentence from first-hand accounts or threat intelligence reports, further expanding our ability to detect data exfiltration attempts.
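As an added illustration (not UpSight's own code or detection logic), the following Python matches the attack chain from the breakdown above and the “sentence” T1113, [T1005, T1039], T1567 over a stream of constructed endpoint telemetry events. It treats an RMM launch as the opening of the story, counts sensitive file reads from local disk and UNC shares (with archive creation as the optional step), and raises an alert only when a transfer tool, or a renamed binary using Rclone-style `remote:path` arguments, runs afterwards; hosts on an SOC-approved exception list produce a suppressed alert instead of a blocked one. The executable names, the file-count threshold, the Rclone command-line heuristic and all telemetry are assumptions made for this example.

```python
"""Toy matcher for the Luna Moth attack sentence T1113 -> [T1005, T1039] -> T1567.

Added example: all telemetry is constructed, and the binary names, thresholds
and Rclone heuristic are assumptions, not any vendor's detection content.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Iterable

# Assumed executable names for the RMM tools named in the post.
RMM_BINARIES = {"anydesk.exe", "zohoassist.exe", "syncro.exe", "splashtop.exe", "atera.exe"}
# Assumed names for the transfer tools named in the post. Rclone is often renamed,
# so any binary invoked with "<verb> ... <remote>:<path>" is treated as Rclone-like.
TRANSFER_BINARIES = {"winscp.exe", "rclone.exe"}
RCLONE_REMOTE = re.compile(r"\b(copy|sync|move)\b.*\s[A-Za-z0-9_-]{2,}:\S*")
SENSITIVE_EXT = (".docx", ".pdf", ".xlsx", ".pst")
ARCHIVE_EXT = (".zip", ".7z", ".rar")
COLLECTION_THRESHOLD = 5  # assumed: distinct sensitive files before it counts as collection


def classify(ev: dict) -> set:
    """Map one telemetry event to the ATT&CK techniques it evidences."""
    techniques = set()
    if ev["type"] == "process":
        image = ev["image"].lower()
        if image in RMM_BINARIES:
            techniques.add("T1113")
        if image in TRANSFER_BINARIES or RCLONE_REMOTE.search(ev.get("cmdline", "")):
            techniques.add("T1567")
    elif ev["type"] == "file":
        path = ev["path"].lower()
        if path.endswith(SENSITIVE_EXT):
            # A UNC path (\\server\share) means a network share; anything else is local.
            techniques.add("T1039" if path.startswith("\\\\") else "T1005")
        if ev.get("action") == "create" and path.endswith(ARCHIVE_EXT):
            techniques.add("archive")  # the optional staging step in the sentence
    return techniques


@dataclass
class HostState:
    rmm_active: bool = False
    collected: set = field(default_factory=set)      # distinct sensitive paths read
    collection_techniques: set = field(default_factory=set)
    archive: bool = False


@dataclass
class Alert:
    host: str
    ts: int
    sentence: list
    suppressed: bool  # True when the host has an SOC-granted exception


def detect(events: Iterable[dict], exceptions: frozenset = frozenset()) -> list:
    """Replay time-ordered events per host and emit an alert when the sentence completes."""
    states = defaultdict(HostState)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        st = states[ev["host"]]
        t = classify(ev)
        if "T1113" in t:  # RMM launch opens a fresh story for this host
            st.rmm_active, st.archive = True, False
            st.collected.clear()
            st.collection_techniques.clear()
            continue
        if not st.rmm_active:
            continue  # no RMM session: a user's own file or upload activity is a different story
        if t & {"T1005", "T1039"}:
            st.collected.add(ev["path"].lower())
            st.collection_techniques |= t & {"T1005", "T1039"}
        if "archive" in t:
            st.archive = True
        if "T1567" in t and len(st.collected) >= COLLECTION_THRESHOLD:
            sentence = (["T1113"] + sorted(st.collection_techniques)
                        + (["archive"] if st.archive else []) + ["T1567"])
            alerts.append(Alert(ev["host"], ev["ts"], sentence, ev["host"] in exceptions))
    return alerts


def _proc(host, ts, image, cmdline=""):
    return {"host": host, "ts": ts, "type": "process", "image": image, "cmdline": cmdline}


def _file(host, ts, path, action="read"):
    return {"host": host, "ts": ts, "type": "file", "path": path, "action": action}


# Constructed telemetry: one full attack sentence, one benign help-desk session,
# and one user running WinSCP with no RMM session in front of it.
SAMPLE_EVENTS = [
    _proc("ws-legal-07", 1, "AnyDesk.exe"),
    _file("ws-legal-07", 2, r"C:\Users\jdoe\Documents\merger-memo.docx"),
    _file("ws-legal-07", 3, r"C:\Users\jdoe\Documents\retainer.pdf"),
    _file("ws-legal-07", 4, r"C:\Users\jdoe\Documents\billing.xlsx"),
    _file("ws-legal-07", 5, r"\\fileserver\legal\case-1042.pdf"),
    _file("ws-legal-07", 6, r"\\fileserver\legal\case-1043.pdf"),
    _file("ws-legal-07", 7, r"\\fileserver\hr\payroll.xlsx"),
    _file("ws-legal-07", 8, r"C:\Users\jdoe\staging\export.zip", action="create"),
    _proc("ws-legal-07", 9, "svchost_update.exe",
          r"svchost_update.exe copy C:\Users\jdoe\staging backup:legal-docs"),
    _proc("ws-helpdesk-02", 1, "AnyDesk.exe"),
    _file("ws-helpdesk-02", 2, r"C:\Users\asmith\Documents\ticket-notes.docx"),
    _proc("ws-finance-03", 3, "WinSCP.exe"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a.host, "->", " ".join(a.sentence), "(suppressed)" if a.suppressed else "(block)")
```

Only the first host completes the sentence; the help-desk session never reaches the collection threshold, and the finance user's transfer tool runs outside any RMM session, which is exactly the distinction the paragraph above draws between this attack and routine support or desktop work.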