Threat Group Impersonates IT Support for Remote Access and In-Person Data Theft
A cybercriminal group that targets law firms, healthcare providers, insurance, and finance companies using phishing and social engineering tactics is conducting a new data theft and extortion campaign. The aim of the campaign is to trick employees into providing remote access to their devices, although in cases where that is not possible, the threat actor has been sending operatives to the victim’s physical location to access devices and steal data.
Silent Ransom Group has been operating since at least 2022 and engages in pure data theft and extortion, silently infiltrating networks, exfiltrating data, and issuing ransom demands. Payment is required to prevent the sale of stolen data, and if a buyer can’t be found, the stolen data is published on the group’s data leak site.
The group conducts social engineering campaigns, tricking employees into installing remote access software or opening a remote desktop session. Previous tactics have involved sending emails notifying the victim about an impending charge for a software subscription. To prevent the payment, the victim is required to call the number provided in the email. Since the emails contain no malicious content, other than the phone number, they are not usually flagged by security solutions. When the victim calls the number, they are informed that the only way to prevent the charge is to uninstall the software, which requires establishing a remote desktop session. The threat actor gains access to the user’s device and exfiltrates data.
The latest campaign sees the group impersonate the victim’s IT department, which requires access to the user’s device to resolve an IT issue. Contact is made via email or over the phone, and the user is tricked into opening a remote desktop session. Should that attempt fail, the user is told that an in-person visit is required. An operative is sent to the victim’s location, who informs the victim that they need to image the device or create a backup file to resolve a phishing attempt.
The in-person visit involves copying data onto a portable hard drive, whereas the remote desktop sessions involve data exfiltration using WinSCP (Windows Secure Copy), a version of Rclone, or internal file-sharing platforms such as Google Drive or Microsoft OneDrive. Since legitimate tools are used for data exfiltration and remote access, they are rarely flagged by security solutions.
The U.S. Federal Bureau of Investigation (FBI) has issued a cyber alert about the campaign, providing network defenders with recommendations for hardening security against the attacks and indicators of compromise. They include new downloads of system management or remote access tools, including Zoho Assist, Quick Assist, AnyDesk, RustDesk, Syncro, Splashtop, or Atera; unauthorized installation of external hard drives; exfiltration of data to OneDrive, Google Drive, or external servers; and connections of WinSCP or Rclone to external IP addresses.
Employees should be made aware of the campaign; communication policies and procedures should be established for IT support; limits should be placed on access to sensitive data; and verification checks should be conducted of credentials before allowing individuals to access company spaces, including obtaining a copy of each visitor’s identity card. The full list of recommendations and details of the campaign can be found in the FBI alert.
