
Silent Ransom Group (SRG): Uncovering DNS Fast Flux Infrastructure

Cyber Threat Intelligence

legal services, law firms, data breach, hacking, ransomware, DLS, fast flux, DNS

Who is the Silent Ransom Group?

The Silent Ransom Group (SRG), also known as Luna Moth, Chatty Spider, and UNC3753, is a sophisticated cyber extortion group that has been active since at least 2022. Unlike traditional ransomware groups that encrypt data, SRG focuses on data theft and extortion without relying on encryption. The group is particularly known for targeting industries that handle sensitive information, such as law firms, healthcare, hotels, finance, and insurance.

The FBI recently issued an advisory about the SRG, which is actively targeting U.S.-based law firms and other industries through social engineering and in-person attacks. In this threat intelligence report, Resecurity highlights the notable tactics used by the SRG — specifically, the use of Clearnet Data Leak Sites (DLS) and DNS Fast Flux, an evasion technique used by cybercriminals to hide servers behind a continuously rotating network of compromised devices (often a botnet) acting as proxies. By changing the DNS records and using short Time-To-Live (TTL) values, attackers make their malicious infrastructure resilient against takedowns. 

Last year, the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), Canadian Centre for Cyber Security (CCCS), and New Zealand National Cyber Security Centre (NCSC-NZ) released a joint advisory "Fast Flux: A National Security Threat," highlighting the importance of collaboration between the private and public sectors.

Resecurity is the first to uncover the SRG's Fast Flux network infrastructure and is sharing this intelligence with the cybersecurity community to disrupt their malicious activities and enable ISP/DNS providers to counter this threat. The nodes were identified in Latin America (Brazil, Mexico, Argentina, Ecuador, Colombia, Bolivia, Costa Rica, Peru, Panama), Eastern Europe (Bulgaria, Croatia, North Macedonia), Central Asia (Uzbekistan, Kyrgyzstan), Middle East/Africa (Egypt, Saudi Arabia, Tunisia), East Asia (South Korea), and Caribbean (Jamaica, Dominican Republic). The bots are likely infected via vulnerable IoTs and Customer Premises Equipment (CPE) — such as routers, modems, and gateways. Based on further analysis, other underground projects have been identified that could be linked to the SRG, including Spy Corporate, which emerged in May 2026. Fast Flux provides the SRG with resilient infrastructure to extort top AmLaw 100 firms.

Why Law Firms Are Targeted

Law firms are a primary target for the SRG because they manage large volumes of highly sensitive client data, often referred to as "crown jewels." This includes confidential legal documents (subpoenas, ongoing lawsuits, etc.), intellectual property, and privileged communications. Law firms are also perceived as more likely to pay ransoms to prevent the exposure or sale of stolen data, given the potential reputational and legal consequences of a breach. Example of a leak published by the SRG:

How Silent Ransom Group Attacks Law Firms

The SRG employs a range of sophisticated tactics to infiltrate law firms, leveraging both technical and social engineering techniques. Below are the primary methods used:

  1. IT Impersonation and Social Engineering
    The SRG frequently uses callback phishing campaigns and vishing (voice phishing) to impersonate IT support personnel. They contact employees at targeted law firms, claiming to be from IT departments or third-party service providers, and convince them to grant access to internal systems. These campaigns often involve impersonating well-known companies like Duolingo or Masterclass to appear legitimate.

  2. Physical Infiltration
    In some cases, the SRG escalates its attacks by sending operatives physically into law firm offices, posing as IT support staff. These operatives gain access to internal systems by exploiting trust and bypassing physical security measures. This tactic has been particularly effective, with reports of at least 38 law firms having their data leaked as a result of such attacks.

  3. Data Theft and Extortion
    Once inside the network, the SRG focuses on stealing sensitive data rather than encrypting it. They then use the stolen data to extort the victim, threatening to publish or sell the information unless a ransom is paid. This approach allows them to bypass the need for encryption-based ransomware, which can be mitigated by backups.

  4. Exploitation of Supply Chains
    The SRG also targets law firms indirectly by exploiting vulnerabilities in their third-party vendors or supply chain partners. This allows them to infiltrate law firms through trusted connections, further complicating detection and response efforts.

  5. Speed and Persistence
    The SRG is known for its persistent follow-ups with victims, often contacting employees directly to pressure them into ransom negotiations. This aggressive approach increases the likelihood of payment.

Data Leak Site (DLS)

The SRG does not deploy traditional ransomware to encrypt data. Instead, they focus on stealing sensitive data and then threatening to expose or sell it unless a ransom is paid. They operate a Data Leak Site (DLS), such as "business-data-leaks[.]com," where they publish stolen data if victims refuse to pay.

In December 2024, the group initially branded themselves as "LeakedData." This is why the DLS continues to use that naming. Each victim organization (published by the SRG) references their revenue and the total number of downloads of stolen data.

The SRG continues to update the list of victims—new victims were added at the beginning of June 2026, and it is expected that the group will target more organizations.

Besides law firms, the SRG has attacked accounting services providers, which hold sensitive client data comparable to that of law firms, including financial information.

As of June 2026, the DLS of the SRG features close to 100 victim organizations.

The Clearnet DLS generates a "token" similar to identifiers used in Traffic Distribution System (TDS) channels, enabling it to "route" visitors to a specific URL:

https[://]business-data-leaks[.]com/downloader/?csrfmiddlewaretoken=D7BGd0OyFdqGTJytqrYmjMEVVCQ82NVnxE2AT2DGf9kDn8GHakYpDfyxz5RH7fY8&who=658ce0babe23aa3d1fe1c4f90

After the URL is generated successfully, visitors will be redirected to a specific folder containing stolen data:

https[://]ep6pheij.com/[Victim_Name]/

This mechanism also enables the prevention of scraping from the index page of the DLS—by removing direct URLs to the folders with leaked data—thus complicating automated download and analysis.

A CSRF (Cross-Site Request Forgery) token is a unique, secret, and unpredictable string that a server-side application generates and assigns to a user's session. The SRG's operators copied this approach from cybersecurity solutions; for example, Web Application Firewalls (WAF) leverage such tokens as well.

Regardless of the group's possible attribution, it is important to highlight the choice of domain registrar for the DLS Clearnet infrastructure:

WHOIS Information:

Domain Name: BUSINESS-DATA-LEAKS[.]COM
Registry Domain ID: 2856574111_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.webnic.cc
Registrar URL: http://www.webnic.cc
Updated Date: 2026-02-22T16:14:14Z
Creation Date: 2024-02-19T13:55:59Z
Registry Expiry Date: 2027-02-19T13:55:59Z
Registrar: Web Commerce Communications Limited dba WebNic.cc

Registrar IANA ID: 460
Registrar Abuse Contact Email: compliance_abuse@webnic.cc
Registrar Abuse Contact Phone: +60.189836788
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.HEOPLDENTICALDERR.ORG
Name Server: NS2.HEOPLDENTICALDERR.ORG
Name Server: NS3.HEOPLDENTICALDERR.ORG
Name Server: NS4.HEOPLDENTICALDERR.ORG

WHOIS Information:

Domain Name: EP6PHEIJ[.]COM
Registry Domain ID: 2876106313_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.webnic.cc
Registrar URL: http://www.webnic.cc
Updated Date: 2026-05-06T19:38:26Z
Creation Date: 2024-04-26T22:50:04Z
Registry Expiry Date: 2027-04-26T22:50:04Z
Registrar: Web Commerce Communications Limited dba WebNic.cc

Registrar IANA ID: 460
Registrar Abuse Contact Email: compliance_abuse@webnic.cc
Registrar Abuse Contact Phone: +60.189836788
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.HEFIREALDE.ORG
Name Server: NS2.HEFIREALDE.ORG
Name Server: NS3.HEFIREALDE.ORG
Name Server: NS4.HEFIREALDE.ORG

WebNIC (Web Commerce Communications (Singapore) Pte. Ltd.) is one of Asia's largest providers, focusing on domain wholesale. It enables outsourced domain name registration and other related Internet services for resellers. Notably, this is not a bulletproof domain name registrar, but an ICANN-accredited organization. Unfortunately, wholesale domain providers are widely impacted by cybercriminals who misuse their services, and the SRG is a good example of this.

Name servers (HEOPLDENTICALDERR[.]ORG and HEFIREALDE[.]ORG) are used to orchestrate Fast Flux communications and IP address rotation.

WHOIS Information:

Domain Name: heopldenticalderr.org
Registry Domain ID: REDACTED
Registrar WHOIS Server: https://iwhois.webnic.cc
Registrar URL: https://www.webnic.cc/
Updated Date: 2026-02-27T13:32:53Z
Creation Date: 2026-02-22T13:32:20Z
Registry Expiry Date: 2027-02-22T13:32:20Z
Registrar: Web Commerce Communications Limited dba WebNic.cc

Registrar IANA ID: 460
Registrar Abuse Contact Email: compliance_abuse@webnic.cc
Registrar Abuse Contact Phone: +603.89966799
Domain Status: ok https://icann.org/epp#ok
Name Server: a.heopldenticalderr.org
Name Server: b.heopldenticalderr.org
Name Server: c.heopldenticalderr.org
Name Server: d.heopldenticalderr.org

WHOIS Information:

Domain Name: hefirealde.org
Registry Domain ID: REDACTED
Registrar WHOIS Server: https://iwhois.webnic.cc
Registrar URL: https://www.webnic.cc/
Updated Date: 2026-04-18T10:15:30Z
Creation Date: 2024-03-04T10:15:02Z
Registry Expiry Date: 2027-03-04T10:15:02Z
Registrar: Web Commerce Communications Limited dba WebNic.cc

Registrar IANA ID: 460
Registrar Abuse Contact Email: compliance_abuse@webnic.cc
Registrar Abuse Contact Phone: +603.89966799
Domain Status: ok https://icann.org/epp#ok
Name Server: a.hefirealde.org
Name Server: b.hefirealde.org
Name Server: c.hefirealde.org
Name Server: d.hefirealde.org

As of June 5, 2026, all domain names remain operational. Resecurity has observed some unavailability from specific regions and ISPs, but this is due to local measures taken by those parties to filter or block malicious resources.

Why Silent Ransom Group is Using the Clearnet Instead of TOR

While most ransomware and extortion groups rely on TOR for hosting their data leak sites due to its anonymity and resistance to takedowns, the SRG's decision to use the clearnet could be influenced by several factors:

Ease of Access for Victims:

Hosting on the clearnet makes it easier for victims to access the site without needing to install or use the TOR browser. This lowers the barrier for victims to view leaked data or comply with ransom demands.

Operational Simplicity:

Setting up and maintaining a clearnet site is simpler than configuring and securing a TOR-based onion service. TOR services require additional technical expertise to ensure anonymity and prevent deanonymization attacks.

Avoiding TOR's Limitations:

TOR, while offering anonymity, is not widely used by typical Internet users. Less IT-savvy people are not familiar with the TOR Browser and Onion Hosts, which may limit access to the leaked data from a broader audience. By using the clearnet, the SRG may be avoiding these complexities.

Publicity and Visibility:

A clearnet site is more visible and accessible to the general public, media, and search engines. This could amplify the psychological pressure on victims by making the breach more public and increasing reputational damage.

Takedown Resistance:

While clearnet sites are more vulnerable to takedowns by law enforcement or hosting providers, the SRG may be using hosting services in jurisdictions with lax enforcement or rapid site migration techniques to mitigate this risk.

The Silent Ransom Group's decision to host their data leak site on the clearnet is unusual compared to the standard practices of ransomware groups, which typically rely on TOR for its anonymity and resilience. However, their approach may be driven by a desire for simplicity, accessibility, and increased visibility, even at the cost of exposing their infrastructure to potential takedowns. This strategy highlights their focus on maximizing pressure on victims.

Uncovered Fast Flux Infrastructure

Two domains — ep6pheij[.]com and business-data-leaks[.]com — were found to constantly rotate their DNS A-record IP addresses. An investigation was conducted to determine the nature and scope of this infrastructure.

DNS queries were executed across 44 public DNS resolvers, using EDNS Client Subnet (ECS) spoofing to present 50 client locations worldwide, over 50 collection rounds per domain. In effect, we pretended to query from New York, London, Tokyo, São Paulo, Cairo, Sydney, Moscow, etc.

Both domains operate on a fast-flux network backed by a botnet spread across 18 countries and 22 ISPs. The two domains share 50–60% of their bot pool, confirming that a single threat actor operates both. The infrastructure contains zero datacenter or hosting IPs: every node traces back to a consumer ISP (e.g., Telecentro, Mega Cable, Vodafone) and is flagged as a residential or mobile IP address.

Each DNS query returns 10–18 IP addresses simultaneously as A-records. These are not load balancers or CDN nodes — they are home (residential) internet connections in various countries:

Observation                | Group 1 (ep6pheij.com)    | Group 2 (business-data-leaks.com)
---------------------------|---------------------------|----------------------------------
IPs per DNS response       | 10–18                     | 10–15
Total unique IPs collected | 18                        | 15
New IPs appear after       | ~2–3 min (batch rotation) | ~2–3 min (batch rotation)
All IPs residential?       | ✅ Yes — 100%              | ✅ Yes — 100%

In the first run, Group 1 returned IPs like 63.143.98.185 (Jamaica - Digicel Jamaica) and 177.84.182.188 (Brazil - Cabonnet Internet Ltda). By the time the second run started 4 minutes later, some of those IPs had been swapped out for entirely new ones. This confirms active rotation controlled by a backend C2 server.

Result: All 50 locations received the exact same set of IPs.

This means:

  • The DNS does not serve different IPs based on the querier's location
  • This is not a CDN or geo-load-balancer
  • The rotation is purely time-based — the C2 server updates the DNS zone with whichever bots are currently online, regardless of who is asking
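The collection method described above can be reproduced in a small triage script. The following is an added example, not Resecurity's tooling: it encodes the EDNS Client Subnet option (RFC 7871) that a measurement client attaches to present a chosen vantage location to a resolver, and then applies the same three tests to a set of answer snapshots (how many A records per answer, how quickly previously unseen IPs appear, and whether different vantages receive the same set). The snapshots are constructed from RFC 5737 documentation addresses, with `flux.example` and `cdn.example` as placeholder names; a real run would feed it the answers collected from the resolvers.

```python
"""Fast-flux triage over multi-vantage DNS snapshots (added example, constructed data)."""
import ipaddress
import struct
from collections import defaultdict

ECS_OPTION_CODE = 8  # EDNS0 option code for Client Subnet, RFC 7871


def build_ecs_option(subnet: str) -> bytes:
    """Return the EDNS0 option bytes for a Client Subnet of the given prefix.

    Layout (RFC 7871 section 6): OPTION-CODE(2) | OPTION-LENGTH(2) | FAMILY(2) |
    SOURCE PREFIX-LENGTH(1) | SCOPE PREFIX-LENGTH(1, 0 in queries) | ADDRESS,
    where ADDRESS carries only the bytes covered by the source prefix length.
    """
    net = ipaddress.ip_network(subnet, strict=True)
    family = 1 if net.version == 4 else 2
    address = net.network_address.packed[: (net.prefixlen + 7) // 8]
    data = struct.pack("!HBB", family, net.prefixlen, 0) + address
    return struct.pack("!HH", ECS_OPTION_CODE, len(data)) + data


def snap(domain, rnd, t, vantage, ttl, *ips):
    """One A-record answer set: which vantage saw which IPs at which time (seconds)."""
    return {"domain": domain, "round": rnd, "t": t, "vantage": vantage,
            "ttl": ttl, "ips": frozenset(ips)}


# Constructed snapshots (RFC 5737 ranges, not real bot IPs).
# flux.example: every vantage sees the same 5 IPs; one IP is swapped each round.
# cdn.example: each vantage sees its own nearby pair and nothing changes.
SNAPSHOTS = [
    snap("flux.example", 0, 0, "New York", 60, *(f"192.0.2.{i}" for i in range(10, 15))),
    snap("flux.example", 0, 0, "Tokyo", 60, *(f"192.0.2.{i}" for i in range(10, 15))),
    snap("flux.example", 1, 180, "New York", 60, *(f"192.0.2.{i}" for i in range(11, 16))),
    snap("flux.example", 1, 180, "Tokyo", 60, *(f"192.0.2.{i}" for i in range(11, 16))),
    snap("flux.example", 2, 360, "New York", 60, *(f"192.0.2.{i}" for i in range(12, 17))),
    snap("flux.example", 2, 360, "Tokyo", 60, *(f"192.0.2.{i}" for i in range(12, 17))),
    snap("cdn.example", 0, 0, "New York", 20, "198.51.100.1", "198.51.100.2"),
    snap("cdn.example", 0, 0, "Tokyo", 20, "203.0.113.1", "203.0.113.2"),
    snap("cdn.example", 1, 180, "New York", 20, "198.51.100.1", "198.51.100.2"),
    snap("cdn.example", 1, 180, "Tokyo", 20, "203.0.113.1", "203.0.113.2"),
]


def analyse(snapshots):
    """Summarise per-domain answer behaviour across rounds and vantages."""
    by_domain = defaultdict(list)
    for s in snapshots:
        by_domain[s["domain"]].append(s)
    report = {}
    for domain, snaps in by_domain.items():
        rounds = defaultdict(list)
        for s in snaps:
            rounds[s["round"]].append(s)
        ordered = sorted(rounds)
        # Geo-consistency: within one round, do all vantages get the same set?
        geo_consistent = all(len({s["ips"] for s in rounds[r]}) == 1 for r in ordered)
        # Rotation: how soon after a round do previously unseen IPs show up?
        union = [frozenset().union(*(s["ips"] for s in rounds[r])) for r in ordered]
        start = [min(s["t"] for s in rounds[r]) for r in ordered]
        intervals = [start[i] - start[i - 1] for i in range(1, len(ordered))
                     if union[i] - union[i - 1]]
        sizes = [len(s["ips"]) for s in snaps]
        report[domain] = {
            "ips_per_response": (min(sizes), max(sizes)),
            "unique_ips": len(frozenset().union(*union)),
            "min_ttl": min(s["ttl"] for s in snaps),
            "geo_consistent": geo_consistent,
            "new_ips_after_s": min(intervals) if intervals else None,
        }
    return report


def classify(summary, ttl_max=300, min_answers=5):
    """Heuristic verdict for one domain's summary."""
    if not summary["geo_consistent"]:
        return "geo-distributed"  # answers depend on the asker: CDN/anycast-like
    if (summary["min_ttl"] <= ttl_max and summary["ips_per_response"][1] >= min_answers
            and summary["new_ips_after_s"] is not None):
        return "fast-flux-like"  # short TTL, fat answers, time-based rotation
    return "stable"


if __name__ == "__main__":
    print("ECS option for 8.8.8.0/24:", build_ecs_option("8.8.8.0/24").hex())
    for domain, summary in analyse(SNAPSHOTS).items():
        print(domain, classify(summary), summary)
```

The thresholds in `classify` are starting points rather than fixed rules: a legitimate CDN also uses short TTLs, which is why the geo-consistency test is applied first, and a fast-flux pool only reveals itself when the same question is asked repeatedly over several minutes, as the report's collection rounds did.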

9 out of 24 total IPs appear in both domains' rotation pools:

Shared IP       | Country            | ISP
----------------|--------------------|-------------------
95.86.30.3      | 🇲🇰 North Macedonia | Inel
95.178.198.144  | 🇭🇷 Croatia         | OT-Optima Telekom
130.204.1.83    | 🇧🇬 Bulgaria        | A1 Bulgaria EAD
186.101.193.110 | 🇪🇨 Ecuador         | Telconet S.A
187.199.140.132 | 🇲🇽 Mexico          | Uninet / Telmex
190.224.203.37  | 🇦🇷 Argentina       | Telecom Argentina
195.158.3.172   | 🇺🇿 Uzbekistan      | Uzbektelekom
197.44.54.74    | 🇪🇬 Egypt           | TE Data
197.134.192.101 | 🇪🇬 Egypt           | Vodafone

Observation:

- 50% of Group 1's IPs also appear in Group 2
- 60% of Group 2's IPs also appear in Group 1

Group 1:

#  | IP Address      | CC | Country         | City             | ISP                | AS      | Shared?
---|-----------------|----|-----------------|------------------|--------------------|---------|--------
1  | 95.86.30.3      | MK | North Macedonia | Kavadarci        | Inel               | AS49056 | Yes
2  | 95.178.198.144  | HR | Croatia         | Rijeka           | OT-Optima Telekom  | AS34594 | Yes
3  | 130.204.1.83    | BG | Bulgaria        | Sofia            | A1 Bulgaria EAD    | AS13124 | Yes
4  | 159.0.229.102   | SA | Saudi Arabia    | Riyadh           | Saudinet           | AS25019 | No
5  | 177.222.41.236  | BO | Bolivia         | La Paz           | Telefónica Bolivia | AS27882 | No
6  | 186.23.249.254  | AR | Argentina       | Buenos Aires     | Telecentro S.A.    | AS27747 | No
7  | 186.101.193.110 | EC | Ecuador         | Guayaquil        | Telconet S.A       | AS27947 | Yes
8  | 187.199.140.132 | MX | Mexico          | Cabo San Lucas   | Uninet / Telmex    | AS8151  | Yes
9  | 187.228.100.237 | MX | Mexico          | Guadalajara      | Uninet / Telmex    | AS8151  | No
10 | 189.195.132.134 | MX | Mexico          | Villa de Álvarez | Mega Cable         | AS13999 | No
11 | 190.147.128.172 | CO | Colombia        | Barranquilla     | Telmex Colombia    | AS10620 | No
12 | 190.224.203.37  | AR | Argentina       | Córdoba          | Telecom Argentina  | AS7303  | Yes
13 | 195.158.3.172   | UZ | Uzbekistan      | Tashkent         | Uzbektelekom       | AS8193  | Yes
14 | 197.44.54.74    | EG | Egypt           | Cairo            | TE Data            | AS8452  | Yes
15 | 197.134.192.101 | EG | Egypt           | Cairo            | Vodafone Data      | AS24835 | Yes
16 | 201.191.99.134  | CR | Costa Rica      | San José         | ICE                | AS11830 | No
17 | 211.202.224.10  | KR | South Korea     | Gyeonggi-do      | SK Broadband       | AS9318  | No
18 | 212.112.110.243 | KG | Kyrgyzstan      | Bishkek          | AKNET Ltd.         | AS12764 | No

Group 2:

#  | IP Address      | CC | Country            | City           | ISP               | AS      | Shared?
---|-----------------|----|--------------------|----------------|-------------------|---------|--------
1  | 63.143.98.185   | JM | Jamaica            | Spanish Town   | Digicel Jamaica   | AS33576 | No
2  | 95.86.30.3      | MK | North Macedonia    | Kavadarci      | Inel              | AS49056 | Yes
3  | 95.178.198.144  | HR | Croatia            | Rijeka         | OT-Optima Telekom | AS34594 | Yes
4  | 123.214.62.28   | KR | South Korea        | Yongin-si      | SK Broadband      | AS9318  | No
5  | 130.204.1.83    | BG | Bulgaria           | Sofia          | A1 Bulgaria EAD   | AS13124 | Yes
6  | 161.132.94.226  | PE | Peru               | Lima           | ON Empresas       | AS27843 | No
7  | 179.52.106.82   | DO | Dominican Republic | Santiago       | CODETEL           | AS6400  | No
8  | 186.101.193.110 | EC | Ecuador            | Guayaquil      | Telconet S.A      | AS27947 | Yes
9  | 187.199.140.132 | MX | Mexico             | Cabo San Lucas | Uninet / Telmex   | AS8151  | Yes
10 | 190.16.5.248    | AR | Argentina          | Olavarría      | Telecom Argentina | AS7303  | No
11 | 190.140.81.252  | PA | Panama             | Panama City    | Cable Onda        | AS18809 | No
12 | 190.224.203.37  | AR | Argentina          | Córdoba        | Telecom Argentina | AS7303  | Yes
13 | 195.158.3.172   | UZ | Uzbekistan         | Tashkent       | Uzbektelekom      | AS8193  | Yes
14 | 197.44.54.74    | EG | Egypt              | Cairo          | TE Data           | AS8452  | Yes
15 | 197.134.192.101 | EG | Egypt              | Cairo          | Vodafone Data     | AS24835 | Yes

Regional Distribution:

Region               | IP Count | % of Total | Notes
---------------------|----------|------------|---------------------------
Latin America        | 12       | 50%        | Heaviest concentration
Balkans / E. Europe  | 3        | 12.5%      | All residential ISPs
Central Asia         | 2        | 8.3%       | State telecom subscribers
Middle East / Africa | 3        | 12.5%      | Includes 1 mobile phone
East Asia            | 2        | 8.3%       | SK Broadband residential
Caribbean            | 2        | 8.3%       | Small island ISPs

The heavy Latin American presence (50%) suggests the botnet malware may spread through:

- Vulnerable IoTs common in the region
- Phishing or malware campaigns
- Exploits targeting ISP-provided CPE devices

22 unique ISPs across 24 IPs — nearly every IP is on a different internet service provider. This is impossible for any legitimate service and is the definitive fingerprint of a botnet drawing from infected devices worldwide.

ISP                | Country        | IPs    | Groups
-------------------|----------------|--------|--------
Uninet / Telmex    | 🇲🇽 Mexico       | 2      | G1 + G2
Telecom Argentina  | 🇦🇷 Argentina    | 2      | G1 + G2
SK Broadband       | 🇰🇷 South Korea  | 2      | G1 + G2
All other 19 ISPs  | Various        | 1 each | Various

Bottom line: This is a professional-grade fast-flux botnet — not an amateur setup. The operator controls at least 24 compromised hosts and uses them to hide their infrastructure behind rotating residential IPs.
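The two fingerprints used in this section, the shared-pool overlap between the two domains and the near one-ISP-per-IP provider spread, can be computed mechanically once the collected A records are enriched with ASN and connection-type data. The following is an added example, not the report's own tooling, and it runs on a constructed enrichment table (RFC 5737 addresses, made-up ISP names, documentation-range ASNs) with the placeholder domains `group1.example`, `group2.example` and `shop.example`; in practice the enrichment comes from a GeoIP/ASN database and a residential-versus-hosting classifier.

```python
"""Shared-pool and provider-diversity fingerprinting of A-record pools
(added example on constructed data)."""
from collections import Counter

# ip -> (country, isp, asn, kind); kind is "residential", "mobile" or "hosting".
# Constructed enrichment: documentation addresses and ASNs, fictitious ISP names.
ENRICH = {
    "192.0.2.1": ("BR", "ISP Alpha", "AS64500", "residential"),
    "192.0.2.2": ("MX", "ISP Beta", "AS64501", "residential"),
    "192.0.2.3": ("AR", "ISP Gamma", "AS64502", "residential"),
    "192.0.2.4": ("EG", "ISP Delta", "AS64503", "mobile"),
    "192.0.2.5": ("KR", "ISP Epsilon", "AS64504", "residential"),
    "192.0.2.6": ("MX", "ISP Beta", "AS64501", "residential"),
    "203.0.113.9": ("PE", "ISP Zeta", "AS64505", "residential"),
    "198.51.100.1": ("US", "Hosting Co", "AS64510", "hosting"),
    "198.51.100.2": ("US", "Hosting Co", "AS64510", "hosting"),
    "198.51.100.3": ("DE", "Hosting Co", "AS64510", "hosting"),
}

# Constructed A-record pools: two domains drawing on overlapping infected hosts,
# and one ordinary service hosted on a few datacenter nodes.
POOLS = {
    "group1.example": {"192.0.2.1", "192.0.2.2", "192.0.2.3",
                       "192.0.2.4", "192.0.2.5", "192.0.2.6"},
    "group2.example": {"192.0.2.1", "192.0.2.2", "192.0.2.3",
                       "192.0.2.4", "203.0.113.9"},
    "shop.example": {"198.51.100.1", "198.51.100.2", "198.51.100.3"},
}


def overlap(pool_a, pool_b):
    """IPs present in both pools and the share of each pool they make up."""
    shared = pool_a & pool_b
    return {"shared": sorted(shared),
            "a_share": len(shared) / len(pool_a),
            "b_share": len(shared) / len(pool_b)}


def same_operator(pools, a, b, threshold=0.5):
    """Both pools recycling at least `threshold` of their IPs points to one operator."""
    o = overlap(pools[a], pools[b])
    return min(o["a_share"], o["b_share"]) >= threshold


def provider_profile(pool, enrich):
    """How many distinct networks, countries and connection kinds stand behind a pool."""
    rows = [enrich[ip] for ip in pool]
    asns = Counter(r[2] for r in rows)
    kinds = Counter(r[3] for r in rows)
    return {
        "ips": len(pool),
        "unique_asns": len(asns),
        "asn_per_ip": len(asns) / len(pool),
        "countries": len({r[0] for r in rows}),
        "non_hosting_share": (kinds["residential"] + kinds["mobile"]) / len(pool),
        "largest_asn": asns.most_common(1)[0],
    }


def verdict(profile, asn_ratio=0.7, non_hosting=0.9):
    """Nearly one ASN per IP with no hosting space is the infected-CPE pattern;
    a handful of IPs inside one hosting ASN is what an ordinary site looks like."""
    if profile["asn_per_ip"] >= asn_ratio and profile["non_hosting_share"] >= non_hosting:
        return "botnet-like pool"
    if profile["non_hosting_share"] == 0:
        return "hosting/CDN pool"
    return "inconclusive"


if __name__ == "__main__":
    for name, pool in POOLS.items():
        print(name, verdict(provider_profile(pool, ENRICH)))
    print("group1/group2 same operator:",
          same_operator(POOLS, "group1.example", "group2.example"))
```

The overlap test is deliberately symmetric: a large pool that happens to contain a small pool would score high in one direction only, so `same_operator` requires both shares to clear the threshold, as the report's 50% and 60% figures do.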

Spy Corporate: Money VS Reputation

Analyzing the hosts from the Fast Flux rotation, Resecurity identified other projects likely connected to the SRG activity. For example, 212.112.110.243 (Kyrgyzstan - AKNET Ltd.) was mapped to the domain spycorp[.]pro, which features another Data Leak Site (DLS).

The pattern matches: this DLS has also been registered via Web Commerce Communications Limited (dba WebNic.cc) and uses a token mechanism similar to the SRG's. Additionally, it lists a law firm as a victim organization.

http[://]spycorp[.]pro/get-link/?q=d7cf169127fe39dd1aa3d0479fcc0876

Notably, the domain is leveraging different name servers, but the IPs in rotation are identical to the original SRG fast flux infrastructure, which confirms the direct connection between the SRG and "Spy Corporate."

WHOIS Information:

Domain Name: SPYCORP[.]PRO
Registry Domain ID: 2876106313_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.webnic.cc
Registrar URL: http://www.webnic.cc
Updated Date: May 5, 2026
Creation Date: April 30, 2026
Registry Expiry Date: April 30, 2027
Registrar: Web Commerce Communications Limited dba WebNic.cc
Registrar IANA ID: 460
Registrar Abuse Contact Email: compliance_abuse@webnic.cc
Registrar Abuse Contact Phone: +60.189836788
Domain Status: ok https://icann.org/epp#ok
Name Server: ns1.digoprotergonde.org
Name Server: ns2.digoprotergonde.org
Name Server: ns3.digoprotergonde.org
Name Server: ns4.digoprotergonde.org

WHOIS Information:

Domain Name: DIGOPROTERGONDE[.]ORG
Registry Domain ID: REDACTED
Registrar WHOIS Server: https://iwhois.webnic.cc
Registrar URL: https://www.webnic.cc/
Updated Date: 2026-05-10T11:42:42Z
Creation Date: 2026-05-05T11:42:11Z
Registry Expiry Date: 2027-05-05T11:42:11Z
Registrar: Web Commerce Communications Limited dba WebNic.cc
Registrar IANA ID: 460
Registrar Abuse Contact Email: compliance_abuse@webnic.cc
Registrar Abuse Contact Phone: +603.89966799
Domain Status: ok https://icann.org/epp#ok
Name Server: c.digoprotergonde.org
Name Server: a.digoprotergonde.org
Name Server: d.digoprotergonde.org
Name Server: b.digoprotergonde.org

The IPs in rotation also included hosts from Tunisia (41.225.239.178). It is possible that the actors are updating the pool of addresses in rotation by adding new nodes, which would explain the appearance of new geographies.

Resecurity identified an interesting group of domains mapped to the same IP(s), including but not limited to those with references to Wi-Fi (likely involved in the rotation of residential IPs):

- wifi[.]business-data-leaks[.]com
- hotspot[.]mywebb[.]at
- airwave[.]mywebb[.]at
- meraki[.]mywebb[.]at
- wifi[.]mywebb[.]at

Notably, some of the IPs in the fast flux infrastructure have been previously mapped to CVV Union, a carding shop, and Omerta, a prominent dark web carding and cyberfraud forum that served as a major hub for buying and selling stolen payment card data, personally identifiable information (PII), and cash-out schemes:

_crl[.]_tcp[.]omerta[.]cc
_dmarc[.]omerta[.]cc
_dnss[.]_udp[.]omerta[.]cc
_h323cs[.]_udp[.]omerta[.]cc
_msdcs[.]omerta[.]cc
_sip-tls[.]_tcp[.]omerta[.]cc
_smb[.]_tcp[.]omerta[.]cc
_stun[.]_tcp[.]omerta[.]cc
_tcp[.]dc[.]_msdcs[.]omerta[.]cc
_turns[.]_udp[.]omerta[.]cc
_udp[.]omerta[.]cc
_vnc[.]_tcp[.]omerta[.]cc
abqnurbs[.]omerta[.]cc
acdc[.]omerta[.]cc
addrea[.]omerta[.]cc

The full list of acquired domain names and related DNS A records is provided at the end of this report in the Indicators of Compromise (IOCs) section.

Conclusion

The Silent Ransom Group (SRG) represents a significant threat due to its targeted, multi-faceted attack strategies and focus on data theft and extortion. By leveraging social engineering, physical infiltration, and supply chain vulnerabilities, the SRG has proven adept at exploiting the legal industry's reliance on sensitive data. Law firms must adopt robust cybersecurity measures, including employee training, multi-factor authentication, and supply chain risk management.

The SRG's attacks have had a significant impact on the legal industry. Law firms accounted for almost a quarter of all ransomware-related incidents tracked in the first quarter of 2026, making it the fourth-most targeted industry. The SRG's focus on data theft and extortion has contributed to this uptick, as their methods are particularly effective against organizations that prioritize confidentiality. 

The SRG's use of a fast-flux botnet confirms the group's advanced tactics and requires the cybersecurity and law enforcement communities to collaborate in order to disrupt this threat. Notable ransomware groups that have leveraged fast flux DNS networks include Hive and Nefilim. Additionally, other cybercriminal syndicates such as the Russian-linked hacking group Gamaredon have used these techniques to obscure their infrastructure and impose costs on security operations.

References

Fast Flux: A National Security Threat
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-093a

Silent Ransom Group Targeting Law Firms
https://www.fbi.gov/file-repository/cyber-alerts/silent-ransom-group-targeting-law-firms-052325.pdf/...

Indicators of Compromise (IOCs)

Domain Names:

demo[.]business-data-leaks[.]com
id[.]business-data-leaks[.]com
member[.]business-data-leaks[.]com
assets[.]ep6pheij[.]com
spycorp[.]pro
mail[.]spycorp[.]pro
mail[.]business-data-leaks[.]com
business-data-leaks[.]com
_dmarc[.]mywebb[.]at
admin[.]mywebb[.]at
airwave[.]mywebb[.]at
apps[.]mywebb[.]at
cambium[.]mywebb[.]at
clearpass[.]mywebb[.]at
dev[.]mywebb[.]at
hotspot[.]mywebb[.]at
mywebb[.]at
omada[.]mywebb[.]at
ruckuscontroller[.]mywebb[.]at
staging[.]mywebb[.]at
test[.]mywebb[.]at
unifi[.]mywebb[.]at
unleashed[.]mywebb[.]at
www[.]mywebb[.]at
xq7mt9kp2v[.]business-data-leaks[.]com
api[.]mywebb[.]at
demo[.]mywebb[.]at
login[.]mywebb[.]at
wifi[.]mywebb[.]at
wifi[.]business-data-leaks[.]com
meraki[.]mywebb[.]at
ep6pheij[.]com
portal[.]ep6pheij[.]com
www[.]ep6pheij[.]com
app[.]business-data-leaks[.]com
portal[.]mywebb[.]at
lpclusertreyls[.]com
app[.]mywebb[.]at
www[.]business-data-leaks[.]com
www[.]www[.]ep6pheij[.]com
help[.]business-data-leaks[.]com
app[.]ep6pheij[.]com
bitrix[.]tg-auth[.]com
development[.]tg-auth[.]com
school[.]tg-auth[.]com
tg-auth[.]com
werkenbij[.]tg-auth[.]com
bbs[.]tg-auth[.]com
helpsscodds[.]in
www[.]helpsscodds[.]in
bitwinzz[.]com
booksandsongs[.]at
www[.]booksandsongs[.]at
api[.]tg-auth[.]com
_crl[.]_tcp[.]omerta[.]cc
_dmarc[.]omerta[.]cc
_dnss[.]_udp[.]omerta[.]cc
_h323cs[.]_udp[.]omerta[.]cc
_msdcs[.]omerta[.]cc
_sip-tls[.]_tcp[.]omerta[.]cc
_smb[.]_tcp[.]omerta[.]cc
_stun[.]_tcp[.]omerta[.]cc
_tcp[.]dc[.]_msdcs[.]omerta[.]cc
_turns[.]_udp[.]omerta[.]cc
_udp[.]omerta[.]cc
_vnc[.]_tcp[.]omerta[.]cc
abqnurbs[.]omerta[.]cc
acdc[.]omerta[.]cc
addrea[.]omerta[.]cc
admin[.]admin[.]admin[.]admin[.]admin[.]hostmaster[.]omerta[.]cc
admin[.]admin[.]admin[.]admin[.]admin[.]www[.]omerta[.]cc
admin[.]admin[.]admin[.]admin[.]hostmaster[.]omerta[.]cc
admin[.]admin[.]admin[.]omerta[.]cc
admin[.]admin[.]hostmaster[.]omerta[.]cc
admin[.]hostmaster[.]omerta[.]cc
admin[.]omerta[.]cc
aedweb[.]omerta[.]cc
afc[.]omerta[.]cc
afcwimbledon[.]omerta[.]cc
algorithms[.]omerta[.]cc
amb[.]omerta[.]cc
amberleycastle[.]omerta[.]cc
amember[.]omerta[.]cc
amse[.]omerta[.]cc
ancweb[.]omerta[.]cc
antigaspi[.]omerta[.]cc
apprenticerecordmanager[.]omerta[.]cc
apthompson[.]omerta[.]cc
arnaud[.]omerta[.]cc
arosetintedworld[.]omerta[.]cc
ashleyford[.]omerta[.]cc
at[.]ru[.]covcdxlp[.]omerta[.]cc
blackshift[.]omerta[.]cc
blog[.]omerta[.]cc
ca[.]production[.]uk[.]production[.]online[.]puagjosn[.]omerta[.]cc
cms[.]support[.]at[.]ru[.]covcdxlp[.]omerta[.]cc
corum[.]omerta[.]cc
dc[.]_msdcs[.]omerta[.]cc
djnkywww[.]ww[.]omerta[.]cc
exclusively[.]omerta[.]cc
formplm[.]omerta[.]cc
hostmaster[.]omerta[.]cc
mail[.]omerta[.]cc
mencap[.]omerta[.]cc
net-sub-r-family-account-my-ffojjfdq[.]omerta[.]cc
ns2[.]omerta[.]cc
offshore[.]omerta[.]cc
omerta[.]cc
pc[.]ca[.]production[.]uk[.]production[.]online[.]puagjosn[.]omerta[.]cc
ppls[.]of[.]b[.]wzyeirrg[.]omerta[.]cc
production[.]uk[.]production[.]online[.]puagjosn[.]omerta[.]cc
proxy-host[.]omerta[.]cc
random[.]monge[.]omerta[.]cc
random[.]westonturville[.]omerta[.]cc
smb[.]omerta[.]cc
support[.]omerta[.]cc
swarm[.]omerta[.]cc
tcao[.]omerta[.]cc
temir[.]omerta[.]cc
trafix[.]omerta[.]cc
trom[.]omerta[.]cc
tuuut[.]omerta[.]cc
tx[.]omerta[.]cc
ucr[.]omerta[.]cc
vari[.]omerta[.]cc
vplesk[.]omerta[.]cc
vpnt[.]omerta[.]cc
vprh[.]omerta[.]cc
vxuexadmin[.]admin[.]omerta[.]cc
westonturville[.]omerta[.]cc
widsi[.]omerta[.]cc
wine[.]omerta[.]cc
wph[.]omerta[.]cc
ww[.]omerta[.]cc
www[.]omerta[.]cc
wzyeirrg[.]omerta[.]cc
xdir[.]omerta[.]cc
yxkkiadmin[.]hostmaster[.]omerta[.]cc
zellis[.]omerta[.]cc
zoodle[.]omerta[.]cc
zrsbc[.]omerta[.]cc
952cd7f5-55c2-472f-bc9d-08487ef75661[.]random[.]aoptical[.]omerta[.]cc
_[.]www[.]omerta[.]cc
_bimi[.]omerta[.]cc
_kerberos-master[.]_tcp[.]omerta[.]cc
_mta-sts[.]omerta[.]cc
_tcp[.]omerta[.]cc
ab[.]omerta[.]cc
acesam[.]omerta[.]cc
adaudit[.]omerta[.]cc
adcollective[.]omerta[.]cc
addressing[.]omerta[.]cc
admin[.]admin[.]admin[.]admin[.]admin[.]omerta[.]cc
admin[.]admin[.]admin[.]admin[.]omerta[.]cc
admin[.]admin[.]admin[.]admin[.]www[.]omerta[.]cc
admin[.]admin[.]admin[.]hostmaster[.]omerta[.]cc
admin[.]admin[.]admin[.]www[.]omerta[.]cc
admin[.]admin[.]omerta[.]cc
admin[.]admin[.]www[.]omerta[.]cc
admin[.]www[.]omerta[.]cc
aedwardes[.]omerta[.]cc
alizee[.]omerta[.]cc
annona[.]omerta[.]cc
aoptical[.]omerta[.]cc
artsetmetiers[.]omerta[.]cc
assises[.]omerta[.]cc
at-m-login-init-org-ssl-ymnoygde[.]omerta[.]cc
b[.]wzyeirrg[.]omerta[.]cc
bchfr[.]omerta[.]cc
covcdxlp[.]omerta[.]cc
crypto[.]omerta[.]cc
default[.]_bimi[.]omerta[.]cc
dwww[.]omerta[.]cc
globalviewer[.]omerta[.]cc
gwwgezulma[.]omerta[.]cc
imap[.]omerta[.]cc
iscapsolutions[.]omerta[.]cc
nhyqgdwww[.]omerta[.]cc
oa[.]omerta[.]cc
of[.]b[.]wzyeirrg[.]omerta[.]cc
online[.]puagjosn[.]omerta[.]cc
production[.]online[.]puagjosn[.]omerta[.]cc
puagjosn[.]omerta[.]cc
random[.]aoptical[.]omerta[.]cc
ru[.]covcdxlp[.]omerta[.]cc
scandikitchen[.]omerta[.]cc
server-online-a-dev-free-metric-ru-onkjmmtl[.]omerta[.]cc
smtp[.]omerta[.]cc
stage[.]vpn[.]cms[.]support[.]at[.]ru[.]covcdxlp[.]omerta[.]cc
support[.]at[.]ru[.]covcdxlp[.]omerta[.]cc
testmobile[.]omerta[.]cc
toners[.]omerta[.]cc
tucs[.]omerta[.]cc
ubs[.]omerta[.]cc
uds[.]omerta[.]cc
uipiqbchfr[.]omerta[.]cc
uk[.]production[.]online[.]puagjosn[.]omerta[.]cc
unbee[.]omerta[.]cc
veiv[.]omerta[.]cc
vpn[.]cms[.]support[.]at[.]ru[.]covcdxlp[.]omerta[.]cc
vsi[.]omerta[.]cc
vx[.]omerta[.]cc
weh[.]omerta[.]cc
wgcdn[.]omerta[.]cc
wstp[.]omerta[.]cc
xlc[.]omerta[.]cc
xobuabchfr[.]omerta[.]cc
ytimg[.]omerta[.]cc
yurisearch[.]omerta[.]cc
zulma[.]omerta[.]cc
2[.]cvv-union[.]at
_bimi[.]cvv-union[.]at
_dmarc[.]cvv-union[.]at
_mta-sts[.]cvv-union[.]at
admin[.]admin[.]admin[.]admin[.]admin[.]cvv-union[.]at
admin[.]admin[.]admin[.]admin[.]admin[.]www[.]cvv-union[.]at
admin[.]admin[.]admin[.]admin[.]cvv-union[.]at
admin[.]admin[.]admin[.]admin[.]www[.]cvv-union[.]at
admin[.]admin[.]admin[.]cvv-union[.]at
admin[.]admin[.]admin[.]www[.]cvv-union[.]at
admin[.]admin[.]cvv-union[.]at
admin[.]admin[.]www[.]cvv-union[.]at
admin[.]cvv-union[.]at
admin[.]www[.]cvv-union[.]at
cvv-union[.]at
default[.]_bimi[.]cvv-union[.]at
hwhimshop[.]cvv-union[.]at
kttcoadmin[.]admin[.]admin[.]admin[.]www[.]cvv-union[.]at
login[.]cvv-union[.]at
mail[.]cvv-union[.]at
omah[.]cvv-union[.]at
owrbflogin[.]cvv-union[.]at
signup[.]cvv-union[.]at
staging[.]cvv-union[.]at
uvblswww[.]staging[.]cvv-union[.]at
www[.]cvv-union[.]at
ydmiwwww[.]staging[.]cvv-union[.]at
admin[.]admin[.]admin[.]admin[.]admin[.]union-shop[.]at
admin[.]admin[.]admin[.]admin[.]admin[.]www[.]union-shop[.]at
admin[.]admin[.]admin[.]admin[.]union-shop[.]at
admin[.]admin[.]admin[.]admin[.]www[.]union-shop[.]at
admin[.]admin[.]admin[.]union-shop[.]at
admin[.]admin[.]admin[.]www[.]union-shop[.]at
admin[.]admin[.]union-shop[.]at
admin[.]admin[.]www[.]union-shop[.]at
admin[.]union-shop[.]at
admin[.]www[.]union-shop[.]at
union-shop[.]at
www[.]union-shop[.]at
arculusupgrade[.]net
arculusupport[.]com
www[.]arculusupgrade[.]net
www[.]arculusupport[.]com
arculushub[.]com
onioploverans[.]at
newolymp[.]ru
tisv6ma68f[.]com
baiakmma[.]com
bug6skv6dw[.]com
hcw2wytgpo[.]com
4nhaarmgex[.]com
niksplus[.]ru
qiweassa[.]com
morfiuscc[.]pro
arculus[.]in
arculufi[.]com
d-s-p[.]ru
mail[.]obozintsev[.]ru
frixes[.]life
app[.]defgyma[.]com
obozintsev[.]ru
liverds[.]at
192204-coinbase[.]com
unicea[.]ws
wise[.]riskarbs[.]com
tech-servers[.]in[.]net
tnc-corp[.]ru
nwgrus[.]ru
arculusdefi[.]com
olihonols[.]in[.]net
ftp[.]mzxn[.]ru
epohe[.]ru
yosoborno[.]com
100xmargin[.]com
mzxn[.]ru
gebeus[.]ru
llcbc[.]org
jkshb[.]su
movlat[.]com
check-ftp[.]ru
selltix[.]org
guteyr[.]cc
cellc[.]org
defgyma[.]com
dbfhns[.]in
bipto[.]org
benfoks[.]ru
1xst[.]ru
mail[.]sktice[.]com
sktice[.]com
cajgtus[.]com
sdfjhuz[.]com

IPs:

63[.]143[.]98[.]185
95[.]86[.]30[.]3
95[.]178[.]198[.]144
95[.]178[.]213[.]100
123[.]214[.]62[.]28
130[.]204[.]1[.]83
159[.]0[.]229[.]102
161[.]132[.]94[.]226
177[.]222[.]41[.]236
179[.]52[.]106[.]82
186[.]23[.]249[.]254
186[.]101[.]193[.]110
187[.]199[.]140[.]132
187[.]228[.]100[.]237
189[.]195[.]132[.]134
190[.]16[.]5[.]248
190[.]140[.]81[.]252
190[.]147[.]128[.]172
190[.]147[.]200[.]151
190[.]224[.]203[.]37
190[.]249[.]139[.]21
195[.]158[.]3[.]172
197[.]44[.]54[.]74
197[.]134[.]192[.]101
201[.]191[.]99[.]134
211[.]202[.]224[.]10
212[.]112[.]110[.]243
