The Silent Ransom Group (SRG), a notorious ransomware entity, has been leveraging a fast flux network to obscure its operational infrastructure, according to warnings from cybersecurity firm Resecurity. This method involves using a network of infected devices to hide their servers’ locations.
SRG’s Tactics and Targeted Industries
Known by aliases such as Chatty Spider, Luna Moth, and UNC3753, the group employs voice phishing and social engineering techniques. They send phishing emails disguised as data migration notices or invoices, luring recipients into phone interactions with impostors posing as IT experts. These interactions often lead to victims unknowingly facilitating remote access to their systems.
SRG’s primary targets include U.S. law firms, where they have been reported to send operatives in person to insert USB drives for data exfiltration or malware installation. The group has also targeted finance, healthcare, insurance, and hospitality sectors due to the sensitive data these industries handle.
Operational Strategy and Fast Flux Networks
After penetrating an organization’s defenses, SRG typically focuses on lateral movement and data exfiltration rather than deploying file-encrypting malware. Shortly after exfiltration, usually within around 30 minutes, the group sends extortion emails threatening to publish the stolen data if its demands are not met. If the initial threats are ignored, it escalates by contacting the victim’s employees and partners directly.
Resecurity’s recent findings highlight SRG’s use of a fast flux network comprising infected routers, modems, and other IoT devices spread across 18 countries, including regions in Latin America, Eastern Europe, and Asia. This technique involves changing DNS records rapidly, making it difficult to pinpoint server locations.
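To show what the rapid DNS churn described above looks like from a resolver's or SOC's side, the following is an added example (not code from Resecurity or from the article) that scores passive-DNS style records for fast-flux traits: many distinct IPs, short TTLs, and addresses scattered across many network prefixes. The domain names, addresses and thresholds are constructed for illustration.

```python
"""Fast-flux heuristic over passive-DNS style records.

Added example, not code from Resecurity or the article. A domain fronted by a
fast-flux layer of compromised routers and IoT devices tends to resolve to many
unrelated IPs, each advertised with a very short TTL, which is what this scores.
"""
from collections import defaultdict
from statistics import mean

# Constructed sample records: (domain, resolved_ip, ttl_seconds).
# "flux.example" rotates through 12 hosts in 12 different /16s with 60 s TTLs;
# "corp.example" answers from two hosts in one /16 with a one-hour TTL.
SAMPLE_RECORDS = (
    [("flux.example", f"203.{i}.113.{5 + i}", 60) for i in range(12)]
    + [("corp.example", "198.51.100.10", 3600)] * 5
    + [("corp.example", "198.51.100.11", 3600)] * 5
)


def slash16(ip: str) -> str:
    """Coarse network-diversity proxy: the first two octets of an IPv4 address."""
    return ".".join(ip.split(".")[:2])


def fast_flux_report(records, ip_min=10, ttl_max=300, prefix_min=5):
    """Return per-domain metrics plus a boolean 'flagged' verdict.

    The thresholds are assumptions for illustration; tune them per environment.
    CDNs also rotate IPs behind short TTLs, so the prefix-diversity requirement
    is what keeps an ordinary CDN-fronted domain from being flagged here.
    """
    by_domain = defaultdict(list)
    for domain, ip, ttl in records:
        by_domain[domain].append((ip, ttl))

    report = {}
    for domain, observations in by_domain.items():
        ips = {ip for ip, _ in observations}
        prefixes = {slash16(ip) for ip in ips}
        avg_ttl = mean(ttl for _, ttl in observations)
        report[domain] = {
            "unique_ips": len(ips),
            "unique_prefixes": len(prefixes),
            "avg_ttl": avg_ttl,
            "flagged": (len(ips) >= ip_min and avg_ttl <= ttl_max
                        and len(prefixes) >= prefix_min),
        }
    return report


if __name__ == "__main__":
    for domain, row in fast_flux_report(SAMPLE_RECORDS).items():
        print(domain, row)
```

In production the /16 proxy should be replaced with ASN or country lookups, which is closer to how the 18-country spread reported above would be measured.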
Impact and Continued Threat
SRG’s activities have significantly impacted the legal sector, with law firms representing nearly a quarter of all ransomware incidents reported in early 2026, as noted by Resecurity. Their focus on data theft and extortion has contributed to an increase in such incidents.
A Google report indicates that SRG has been active since at least 2022 and that its activity overlaps with that of other groups such as UNC2686, known for BazarCall campaigns. The group’s continued evolution and adoption of techniques such as fast flux underline the persistent threat it poses globally.
As SRG continues its assault across various industries, vigilance and updated cybersecurity measures remain crucial for organizations to protect themselves against such advanced threats.
