Cyber bulletin: law firms & FBI advisory

The FBI issued an advisory warning U.S. law firms about active targeting by the Silent Ransom Group (SRG), also known as Luna Moth.

The FBI advisory, issued on May 26, 2026, warns U.S. law firms that they are being actively targeted by a sophisticated cybercrime group using a blend of social engineering, remote access, and physical infiltration to steal sensitive data. Attackers are bypassing digital defenses by posing as IT support and, in some cases, visiting firms in person.

The legal sector is experiencing a sustained increase in cyber incidents, with both the frequency and severity of attacks rising across firms of all sizes. The advisory highlights a shift toward sophisticated social engineering and extortion models driven by data exfiltration. These developments are increasing operational disruption and financial exposure, reinforcing the need for proactive risk mitigation and engagement with specialized cyber resources.
 

An attractive target
Cyber incidents targeting law firms continue to accelerate, driven by the high value of the sensitive data they hold, including privileged client communications, financial information, and litigation strategy. Intelligence indicates both opportunistic ransomware campaigns and coordinated attacks, with evidence suggesting potential supply chain vulnerabilities through shared legal technology platforms and service providers. The continued expansion of ransomware-as-a-service (RaaS) models has lowered the barrier to entry for threat actors, increasing the scale and frequency of attacks. The reputational and regulatory exposure and the legal consequences of a breach can increase the likelihood of payment, making firms particularly attractive to extortion groups.

FBI FLASH advisory issued on May 26

The FBI FLASH advisory identifies the Silent Ransom Group (SRG) as a persistent threat actor targeting U.S. law firms. SRG employs social engineering techniques, often impersonating internal IT personnel, to gain rapid access to systems and exfiltrate data for extortion purposes without relying on encryption. 

Key characteristics of the SRG threat include: 

  • Impersonation of IT support via phone or phishing emails 
  • Inducing employees to enable remote access tools 
  • Physical infiltration attempts to gain device access 
  • Use of legitimate tools and cloud services for data exfiltration 
  • Extortion based on threatened disclosure of sensitive data 
     

Tactics, techniques & emerging trends

Threat actors targeting the legal sector are employing increasingly advanced techniques, including: 

  • Phishing and vishing campaigns leveraging social engineering 
  • Use of legitimate administrative tools to evade detection 
  • Data exfiltration prior to or in place of encryption 
  • Exploitation of known vulnerabilities in remote access tools 
  • Increasing use of artificial intelligence to enhance targeting and scale attacks

What you should do now

To reduce exposure, organizations should implement:  

  • Phishing-resistant multi-factor authentication 
  • Formal IT verification and authentication procedures 
  • Regular employee awareness and social engineering training 
  • Monitoring and restriction of remote access tools and external media 
  • Third-party/vendor risk assessments 
  • Secure, offline, and tested backup strategies 
  • Incident response planning focused on data exfiltration scenarios 
     

Understand your cyber risk

The shift toward rapid data theft and extortion is driving higher claims frequency and severity, with increased complexity in incident response and recovery. The absence of encryption in some attacks reduces detection windows while increasing reputational and regulatory exposure tied to data breaches.

Organizations should proactively assess their cyber risk posture and resilience capabilities. Engagement with the Howden Cyber team is recommended to evaluate available tools, resources, and solutions designed to mitigate both operational disruption and financial impact associated with cyber incidents.
 
