Threat Insight

Silent Ransom Group Targets Law Firms

The Silent Ransom Group is currently focusing on stealing data from major law firms in the United States and holding the stolen data for extortion, threatening to publish it on their data leak blog.

Insight

Their favourite modus operandi for initial access is the so-called “BazarCall” attack. A BazarCall attack starts with a highly targeted phishing email informing the recipient that a subscription they are allegedly paying for is about to be renewed automatically, and that the payment can be cancelled by calling a specific phone number.

Victims calling the provided phone number reach a threat actor versed in social engineering, who convinces the caller to start a remote access session via legitimate software controlled by a network intruder. While the social engineer distracts the victim, the intruder determines how to compromise the network without triggering any alarm.

The Silent Ransom Group is one of several groups of cybercriminals that emerged with the breakup of the large Conti ransomware syndicate in May 2022. They may be a rebrand of the Quantum group, another ex-Conti group that used BazarCall tactics.

Assessment

The Silent Ransom Group doesn’t use ransomware, relying solely on data leak extortion. It’s likely that this is at least partially due to the group not having its own malware developer on the team. There are rumours that the Silent Ransom Group ended up in a feud with another of the splinter groups from the Conti syndicate over who could recruit the team’s malware developer.

The Silent Ransom Group likely focuses on law firms because such victims can be highly susceptible to data leak extortion, as they hold very sensitive data belonging to their customers. Many ransomware criminals have a keen understanding of which types of victims are more susceptible to ransomware encryption and which are more susceptible to data leak extortion.

So far the only reported victims of the Silent Ransom Group’s campaign against law firms have been in the USA, but this doesn’t mean there can’t be other victims in the future. The Quantum group, which also used the BazarCall method, used it to impersonate a number of different brands and target different victims.

BazarCall is a form of social engineering. Organizations are advised to raise awareness about this type of attack. Suspicious phishing emails such as these should be forwarded to the security team.
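A mail-triage heuristic for the lure pattern described above (a renewal notice plus a phone number to call to cancel), added here as an example and not part of the original advisory. The regexes, the function names `plain_text` and `triage`, and both sample messages are constructed assumptions to be tuned against real mail flow.

```python
import re
from email import message_from_string

# Indicator patterns are assumptions for illustration, not taken from the advisory.
RENEWAL = re.compile(
    r"\b(subscription|membership|plan)\b.{0,80}"
    r"\b(auto-?renew\w*|renew(ed|al|s)?|charged?)\b", re.I | re.S)
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
CANCEL_BY_PHONE = re.compile(
    r"\b(cancel\w*|refund)\b.{0,120}\b(call|dial|phone)\b"
    r"|\b(call|dial|phone)\b.{0,120}\b(cancel\w*|refund)\b", re.I | re.S)

def plain_text(msg) -> str:
    """Return the subject plus every decoded text/plain part."""
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            data = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            chunks.append(data.decode(charset, "replace"))
    return "\n".join(chunks)

def triage(raw: str) -> dict:
    """Escalate only when all three callback-lure signals are present."""
    text = plain_text(message_from_string(raw))
    signals = {
        "renewal_notice": bool(RENEWAL.search(text)),
        "callback_number": bool(PHONE.search(text)),
        "cancel_by_phone": bool(CANCEL_BY_PHONE.search(text)),
    }
    return {"signals": signals, "escalate": all(signals.values())}

# Constructed sample messages (not real mail).
LURE = ("From: billing@example.test\n"
        "Subject: Your subscription renewal\n\n"
        "Your annual subscription will be renewed automatically tomorrow "
        "and $399.99 will be charged. To cancel the payment, call our "
        "billing desk at +1 (555) 010-0199.\n")
BENIGN = ("From: noreply@example.test\n"
          "Subject: Upcoming renewal\n\n"
          "Your subscription will renew on 1 June. Manage your plan in "
          "your account settings.\n")

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        print(name, triage(raw))
```

Requiring all three signals keeps ordinary renewal notices out of the escalation queue; a message that escalates still needs an analyst to review it.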
