The legal sector is currently in the crosshairs of the Silent Ransom Group (SRG), an extortion gang actively bypassing traditional email security gateways through a resurgence of voice phishing (vishing). According to a new report by Mandiant, SRG operatives are contacting U.S. law firms and professional services organizations, posing as internal IT support. Unlike standard phishing campaigns that rely on mass email volume, these attacks are highly targeted, interactive, and alarmingly efficient. Mandiant has observed instances where attackers move from initial contact to data theft within a matter of hours.
For defenders, this highlights a critical gap in the security stack: while email filters catch the majority of commodity malware, the human vulnerability exploited via phone calls remains a blind spot. When a user is convinced they are speaking to the helpdesk, the "authorization" they provide to install software or divulge credentials bypasses technical controls. This post outlines the technical execution of these attacks and provides actionable detection logic to identify the post-compromise indicators associated with SRG's campaign.
Technical Analysis
Threat Actor: Silent Ransom Group (SRG) Target Sector: Legal, Professional Services Initial Access Vector: Social Engineering (Vishing / Fake IT Support)
Attack Chain Breakdown:
- Reconnaissance & Contact: Attackers identify targets and contact them via phone, spoofing internal numbers or claiming to be external support contractors.
- Trust Elicitation: Using convincing narratives (e.g., "we detected a login anomaly" or "your VPN certificate is expiring"), they persuade the victim to grant remote access or install software.
- Payload Delivery / Mechanism: While the news summary focuses on the social aspect, technical analysis of SRG's historical and current campaigns indicates a reliance on legitimate Remote Monitoring and Management (RMM) tools (e.g., ScreenConnect, AnyDesk) or PowerShell scripts to facilitate data theft.
- Data Exfiltration: Once access is established, SRG rapidly identifies sensitive data (client files, M&A documents) and exfiltrates it via secure file transfer protocols or cloud storage uploads, leveraging the speed of the authenticated session.
Exploitation Status: Confirmed active exploitation in the wild against U.S. entities. No CVE is required for this attack vector as it exploits human trust rather than a software vulnerability.
Detection & Response
Detecting vishing requires correlating human activity with technical execution. Since the initial entry point is a phone call, security teams must focus on the artifacts of the attacker's presence on the endpoint. Specifically, look for the sudden appearance of remote management tools or unusual PowerShell execution patterns initiated by a user context immediately following a helpdesk "ticket" creation or phone log.
SIGMA Rules
---
title: Suspicious Installation of Remote Access Tools - SRG Context
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects the execution or installation of common remote administration tools often used by fake IT support actors to gain access.
references:
- https://www.mandiant.com/resources/blog/silent-ransom-group-targets-law-firms
author: Security Arsenal
date: 2026/04/06
tags:
- attack.command_and_control
- attack.t1219
logsource:
category: process_creation
product: windows
detection:
selection_tools:
Image|endswith:
- '\anydesk.exe'
- '\connectwisecontrol.exe'
- '\screenconnect.clientsetup.exe'
- '\teamviewer.exe'
- '\splashtopbusiness.exe'
condition: selection_tools
falsepositives:
- Authorized IT support activities (verify with ticketing system)
level: high
---
title: PowerShell DownloadString Activity Post-Auth Login
id: b2c3d4e5-6789-01ab-cdef-234567890bcd
status: experimental
description: Detects PowerShell commands commonly used to download payloads or scripts, often seen when "support" guides a user to run a fix.
references:
- https://attack.mitre.org/techniques/T1059/001/
author: Security Arsenal
date: 2026/04/06
tags:
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection_pwsh:
Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains:
- 'DownloadString'
- 'IEX'
- 'Invoke-Expression'
filter_signed:
Signed: 'true'
condition: selection_pwsh
falsepositives:
- Legitimate system administration scripts
- Software installation mechanisms
level: medium
KQL (Microsoft Sentinel / Defender)
This hunt queries DeviceProcessEvents to identify the installation of high-risk RMM software that is not part of the standard baseline.
// Hunt for Silent Ransom Group indicators - RMM Tool Execution
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ('anydesk.exe', 'teamviewer.exe', 'connectwisecontrol.exe', 'screenconnect.clientsetup.exe', 'supremo.exe', 'ammyy.exe')
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, FolderPath, SHA256
| extend FullFilePath = FolderPath + FileName
| order by Timestamp desc
Velociraptor VQL
Use this artifact to hunt for running processes or established network connections associated with common remote administration tools used by SRG.
-- Hunt for active remote administration tools
SELECT Pid, Name, Exe, Username, Cmdline
FROM pslist()
WHERE Name =~ 'anydesk'
OR Name =~ 'teamviewer'
OR Name =~ 'connectwise'
OR Name =~ 'screenconnect'
OR Name =~ 'supremo'
Remediation Script (PowerShell)
This script checks for the presence of common RMM tools used in social engineering attacks and outputs their status. It can be used to audit endpoints or as part of an IR triage.
# Audit Script: Detect Common RMM Tools (SRG Vishing Vector)
$RmmProcesses = @(
'anydesk',
'teamviewer',
'connectwise',
'screenconnect',
'supremo',
'ammyy',
'splashtop'
)
Write-Host "[+] Scanning for Remote Management Tools..."
foreach ($proc in $RmmProcesses) {
$found = Get-Process -Name $proc -ErrorAction SilentlyContinue
if ($found) {
Write-Host "[!] ALERT: Found process matching '$proc' - PID: $($found.Id)" -ForegroundColor Red
# Optionally check if the file is signed or in a suspicious path
Get-Process -Name $proc | Select-Object Id, Path, StartTime | Format-List
}
}
Write-Host "[+] Scan Complete. If alerts were found, verify with the user if they initiated this support session."
Remediation
Immediate Actions:
- User Verification: If a user reports a suspicious call or if RMM software is detected, immediately disconnect the affected device from the network (isolate) to halt potential exfiltration.
- Credential Reset: Force a password reset for the user's account and any accounts accessed during the session. Revoke any MFA sessions.
- Process Termination: Kill any unauthorized RMM processes and uninstall the software if it was not deployed by IT.
Long-term Defenses:
- Application Control: Implement allow-listing (AppLocker or WDAC) to prevent the execution of unauthorized RMM software. Standard users should not be able to install
AnyDeskorScreenConnect. - Telecommunications Verification: Establish a strict policy where IT support never asks users to install software via an unsolicited call. Implement a "call-back" verification procedure using a known internal directory number.
- Endpoint Detection: Ensure EDR policies are tuned to alert on "Shadow IT" remote access tool installations, not just malware.
Related Resources
Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.