Arctic Wolf has observed an uptick in activity from the Silent Ransom Group, a cybercriminal group first identified in 2020 and notorious for its targeted cyber extortion campaigns driven by financial gain.
This week, the group has been targeting the legal industry using “call-back” phishing tactics. The group sends emails impersonating services such as Duolingo or Masterclass, claiming a pending charge and urging recipients to call a phone number to resolve the issue. Arctic Wolf has also observed similar targeting across various other industries.
Once contact is made, the threat actors social engineer victims into installing remote desktop software such as Zoho Assist or AnyDesk, giving them full control of the system. The threat actors then exfiltrate sensitive data to private servers (often hosted on platforms like Hostwinds) and extort the victim by threatening to leak or sell the stolen data unless a ransom is paid.
Recommendations
Restrict Outbound SFTP Traffic (Port 22)
Arctic Wolf recommends restricting outbound SFTP traffic (port 22) to limit the risk of data exfiltration. In this campaign, the Silent Ransom Group leveraged SFTP with tools such as WinSCP to exfiltrate data. By restricting outbound SFTP traffic, organizations can reduce the potential for unauthorized data transfer and mitigate the impact of such attacks.
Uninstall Unused RMM Tools in Your Environment
If your organization does not have a business need for certain remote support tools, Arctic Wolf strongly recommends disabling or uninstalling them. This reduces the risk of external threat actors exploiting these tools to gain unauthorized access to your systems.
Additionally, consider implementing policies to block the installation of remote monitoring and management (RMM) tools unless they have been explicitly approved for use within your environment. This approach helps ensure that only vetted and secure tools are in operation, further safeguarding your systems.
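The two controls above (approved-only outbound SFTP/SSH on port 22, and remote-access tools permitted only when explicitly approved) can be checked against endpoint telemetry in the same pass. The following is an added example and not Arctic Wolf's code or tooling: it parses a handful of constructed, Sysmon-style events (process creation and network connection) and reports endpoint-initiated TCP/22 connections to destinations outside an allowlist, launches of the tools named in this bulletin (AnyDesk, Zoho Assist, WinSCP) from paths IT has not approved, and hosts that show both, which is the chain the campaign follows. The event format, the approved destination `192.0.2.10`, the approved path `C:\Program Files\AnyDesk\AnyDesk.exe`, and the name-fragment matching are all assumptions made for the example.

```python
"""Added example (not Arctic Wolf's code): score constructed endpoint telemetry
against two controls, approved-only SSH/SFTP egress on TCP/22 and
approved-only remote-access / file-transfer tools."""
from collections import defaultdict
from dataclasses import dataclass

# --- Policy (all values constructed for this example) -----------------------
# Destinations allowed to receive endpoint-initiated SSH/SFTP, e.g. an internal
# SFTP server. Anything else on TCP/22 is reported.
APPROVED_SSH_DESTINATIONS = {"192.0.2.10"}
# Full paths of remote-access tools IT has explicitly approved. The path is an
# assumption; comparison is case-insensitive because Windows paths are.
APPROVED_TOOL_IMAGES = {r"c:\program files\anydesk\anydesk.exe"}
# Name fragments for the tools named in the bulletin (AnyDesk, Zoho Assist,
# WinSCP). Fragment matching is a deliberate simplification.
WATCHED_NAME_FRAGMENTS = ("anydesk", "zoho", "winscp")

# Constructed sample events in a simplified pipe-separated key=value form
# modelled on Sysmon Event ID 1 (process create) and 3 (network connection).
SAMPLE_EVENTS = r"""
EventID=1|Host=WS-LEGAL-07|User=CORP\jdoe|Image=C:\Users\jdoe\Downloads\AnyDesk.exe
EventID=1|Host=WS-LEGAL-07|User=CORP\jdoe|Image=C:\Users\jdoe\AppData\Local\Programs\WinSCP\WinSCP.exe
EventID=3|Host=WS-LEGAL-07|Image=C:\Users\jdoe\AppData\Local\Programs\WinSCP\WinSCP.exe|DestinationIp=203.0.113.45|DestinationPort=22|Initiated=true
EventID=3|Host=BUILD-01|Image=C:\Program Files\Git\usr\bin\ssh.exe|DestinationIp=192.0.2.10|DestinationPort=22|Initiated=true
EventID=3|Host=WS-LEGAL-07|Image=C:\Program Files\Google\Chrome\Application\chrome.exe|DestinationIp=198.51.100.7|DestinationPort=443|Initiated=true
EventID=1|Host=IT-ADMIN-02|User=CORP\helpdesk|Image=C:\Program Files\AnyDesk\AnyDesk.exe
"""


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def parse_event(line: str) -> dict:
    """Split 'k=v|k=v' into a dict; values may contain spaces and backslashes."""
    fields = {}
    for field in line.strip().split("|"):
        key, _, value = field.partition("=")
        fields[key] = value
    return fields


def check_event(ev: dict) -> list:
    findings = []
    host = ev.get("Host", "?")
    image = ev.get("Image", "").lower()
    name = image.rsplit("\\", 1)[-1]
    if ev.get("EventID") == "1":
        # Control 2: a watched tool running from a path IT did not approve.
        watched = any(frag in name for frag in WATCHED_NAME_FRAGMENTS)
        if watched and image not in APPROVED_TOOL_IMAGES:
            findings.append(Finding(host, "tool-unapproved", image))
    elif ev.get("EventID") == "3":
        # Control 1: endpoint-initiated TCP/22 to a destination off the allowlist.
        outbound_ssh = ev.get("Initiated") == "true" and ev.get("DestinationPort") == "22"
        dst = ev.get("DestinationIp", "")
        if outbound_ssh and dst not in APPROVED_SSH_DESTINATIONS:
            findings.append(Finding(host, "egress-ssh-unapproved", f"{name} -> {dst}:22"))
    return findings


def analyze(events_text: str) -> list:
    findings = []
    for line in events_text.splitlines():
        if line.strip():
            findings.extend(check_event(parse_event(line)))
    return findings


def hosts_with_both(findings) -> set:
    """Hosts showing the full chain the bulletin describes: an unapproved tool
    launch plus unapproved SSH/SFTP egress. These are the ones to escalate first."""
    rules_by_host = defaultdict(set)
    for f in findings:
        rules_by_host[f.host].add(f.rule)
    required = {"tool-unapproved", "egress-ssh-unapproved"}
    return {h for h, rules in rules_by_host.items() if required <= rules}


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host:12} {f.rule:24} {f.detail}")
    print("escalate:", sorted(hosts_with_both(found)))
```

Run against the sample, the build host's SSH to the approved server and the helpdesk machine's approved AnyDesk install produce nothing, while the legal workstation is reported for an AnyDesk launch from Downloads, a WinSCP launch from the user profile, and WinSCP connecting to an unapproved host on port 22, and is therefore the single host flagged for escalation. In production the same logic would consume real Sysmon or EDR events and the allowlists would come from the RMM approval process described above.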
Implement Comprehensive Security Awareness Training
Silent Ransom Group affiliates have successfully socially engineered victims through phone calls and emails during this ongoing campaign. Arctic Wolf strongly recommends implementing comprehensive security awareness training to equip users with the skills needed to quickly identify and report suspicious activity, including the tactics observed in this campaign.
Arctic Wolf offers several vishing-focused modules within its Managed Security Awareness (MSA) product to help users recognize and respond to the types of threats outlined in this bulletin.
Resources