Dark Web Profile: Silent Ransom Group (LeakedData)
Summary:
A “new” threat group, LeakedData, emerged in mid-December 2024, claiming responsibility for at least 41 attacks. Initial speculation from some researchers that LeakedData was a watering hole attack lure targeting researchers appears unfounded. Instead, evidence strongly suggests that LeakedData is a rebrand of the Silent Ransom Group (SRG), also known as Luna Moth, a cybercriminal organization that spun off from the Conti ransomware syndicate in early 2022. SRG is known for callback phishing: intrusions typically begin with emails and phone calls about fake charges, after which the victim is persuaded to install legitimate remote monitoring and management (RMM) tools that give the group system access for data exfiltration, with no file encryption involved. LeakedData operates a simple data leak site listing its victims, initially with redacted names and countdown timers that run until full disclosure and the publication of data links. The oldest confirmed incident linked to this group dates back to June 2022, with a surge in activity throughout 2024. SRG primarily targets organizations in the United States, particularly data-sensitive sectors such as law firms, insurance providers, accounting firms, and financial services, although some victims have been identified in Germany, Canada, and Poland. The group has also been observed creating fake helpdesk-themed domains to harvest credentials, alongside its continued use of callback phishing campaigns that impersonate well-known brands to deploy remote access software.
Security Officer Comments:
The surprise emergence of LeakedData as a likely rebrand of SRG signifies a concerning evolution in the group's operational tactics. While the initial speculation of a researcher-targeted watering hole attack proved inaccurate, SRG's continued and potentially amplified activity under a new moniker presents a severe threat, particularly to organizations in the United States, its primary target. The group's shift from ransomware deployment to targeted data extortion, coupled with its sophisticated use of social engineering and legitimate remote access tools like AnyDesk, allows it to conduct targeted attacks with a smaller malware footprint, making detection more challenging. The simplicity of LeakedData's data leak site, in contrast to the Tor reliance of many ransomware groups, suggests a streamlined approach to extortion. The observed creation of fake helpdesk domains further highlights the group's adaptability in leveraging social engineering to gain initial access and credentials. Organizations, especially those in the targeted sectors, must remain vigilant against callback phishing and carefully scrutinize unsolicited communications, including those related to purported charges or urgent technical support requests.
Suggested Corrections:
Mitigating threats from the Silent Ransom Group (SRG) requires a multi-layered strategy combining domain intelligence, network controls, access management, and end-user awareness.
Detect and Monitor Suspicious Domains
EclecticIQ researchers have outlined a clear method to proactively identify domains used by SRG:
- Pattern Recognition: Look for domains matching the pattern ^[a-z]{1,}-help(desk){0,1}\.com$ (a lowercase label, a hyphen, then "help" or "helpdesk", followed by a literal ".com"), which mimic internal IT support (e.g., company-helpdesk[.]com).
- Registrar Filtering: Monitor newly registered domains through registrars like GoDaddy, commonly used in SRG campaigns.
- Nameserver Check: Flag domains using domaincontrol[.]com, a frequent component of SRG infrastructure.
- Registration Date Range: Focus especially on domains registered after March 1, 2025, when recent waves of attacks were first observed.
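As an added illustration (not code from the SOCRadar or EclecticIQ write-ups), the following Python script scores WHOIS-style domain records against the four indicators above so that an analyst can triage a daily feed of newly registered domains. The record layout, the scoring scheme (one point per indicator, alert at three or more), and the sample domains are this example's own constructed assumptions; the regex is the page's pattern with the dot escaped so it matches a literal ".com", and the March 1, 2025 cutoff is applied inclusively.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import date

# Page's pattern with the dot escaped so it matches a literal ".com" rather than any character.
SRG_DOMAIN_RE = re.compile(r"^[a-z]{1,}-help(desk){0,1}\.com$")
WATCHED_REGISTRARS = {"godaddy"}            # registrar named in the write-up
WATCHED_NS_SUFFIX = "domaincontrol.com"     # nameserver domain named in the write-up
CUTOFF = date(2025, 3, 1)                   # registration-date threshold (applied inclusively here)


@dataclass
class DomainRecord:
    """WHOIS-style record. Field names are this example's own, not a real WHOIS library's."""
    name: str
    registrar: str
    nameservers: list[str]
    registered: date


def score_domain(rec: DomainRecord) -> tuple[int, list[str]]:
    """Return (score, reasons); each of the four EclecticIQ indicators adds one point."""
    reasons: list[str] = []
    if SRG_DOMAIN_RE.match(rec.name.lower()):
        reasons.append("name matches helpdesk pattern")
    if rec.registrar.lower() in WATCHED_REGISTRARS:
        reasons.append(f"registrar {rec.registrar}")
    if any(ns.lower().endswith(WATCHED_NS_SUFFIX) for ns in rec.nameservers):
        reasons.append(f"nameserver under {WATCHED_NS_SUFFIX}")
    if rec.registered >= CUTOFF:
        reasons.append(f"registered on or after {CUTOFF.isoformat()}")
    return len(reasons), reasons


def triage(records: list[DomainRecord], threshold: int = 3) -> list[tuple[str, int, list[str]]]:
    """Return (name, score, reasons) for records at or above the threshold, highest score first."""
    hits = []
    for rec in records:
        score, reasons = score_domain(rec)
        if score >= threshold:
            hits.append((rec.name, score, reasons))
    hits.sort(key=lambda h: -h[1])
    return hits


# Constructed sample records for the demo; none of these are real observations.
SAMPLE_RECORDS = [
    DomainRecord("acme-helpdesk.com", "GoDaddy",
                 ["ns01.domaincontrol.com", "ns02.domaincontrol.com"], date(2025, 4, 2)),
    DomainRecord("legit-helpdesk.com", "GoDaddy",
                 ["ns11.domaincontrol.com"], date(2018, 6, 9)),
    DomainRecord("contoso-help.com", "Namecheap",
                 ["dns1.registrar-servers.com"], date(2025, 3, 15)),
    DomainRecord("example.com", "GoDaddy",
                 ["ns01.domaincontrol.com"], date(2019, 1, 1)),
]

if __name__ == "__main__":
    for name, score, reasons in triage(SAMPLE_RECORDS):
        print(f"{name}: {score}/4 -> {', '.join(reasons)}")
```

A score of four (name, registrar, nameserver and date all matching) is the strongest signal; a three without the date, as with the constructed "legit-helpdesk.com" record, is worth a look but is more likely an organization's genuine support portal, so the threshold is a triage aid rather than a block decision.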
Strengthen Email and Domain Protection
- Threat Intelligence Integration: Use automated tools and threat feeds to continuously scan for domains that match SRG patterns.
- Block Suspicious Domains: Preemptively block domains that follow known SRG naming conventions at the DNS level or via secure web gateways.
- Registrar Collaboration: Report suspicious domains to registrars like GoDaddy or Namecheap for potential takedown.
- Limit SFTP Traffic: Block outbound SFTP (port 22), as SRG uses tools like WinSCP to exfiltrate stolen data over secure file transfer.
- Harden Network Segmentation: Restrict access to internal shares and sensitive data directories unless strictly necessary.
- Remove Unused RMM Software: Uninstall remote management tools such as AnyDesk, Zoho Assist, or TeamViewer if they are not actively used for business operations.
- Enforce Application Control Policies: Only allow pre-approved remote access software via endpoint protection or group policy rules.
- Monitor for RMM Installations: Set alerts for the appearance of unauthorized RMM tools within your environment.
- Enable Multi-Factor Authentication (MFA): Ensure MFA is required across all privileged accounts and access points to mitigate stolen credential use.
- Implement Least Privilege: Audit and reduce user access rights, particularly for roles exposed to phishing and fraud attempts.
- Vishing & Phishing Simulations: Train employees to spot callback phishing scams, including fake support emails and phone-based social engineering.
- Verification Protocols: Encourage users to verify IT support requests by contacting internal helpdesks directly, not via email prompts or external numbers.
- Regular Refreshers: Reinforce awareness through routine simulations and targeted alerts when phishing trends evolve.
- Establish Playbooks: Maintain up-to-date response plans tailored to data extortion scenarios.
- Deploy Threat Hunting: Use EDR/XDR platforms to detect lateral movement, RMM activity, or unauthorized file transfers.
- Monitor Exfiltration Channels: Flag abnormal outbound connections, especially to file-sharing or remote hosting platforms like Hostwinds, often used by SRG.
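To show how the RMM-monitoring, application-control and exfiltration-channel items above can be turned into concrete detection logic, here is an added Python example (not code from the SOCRadar write-up or any vendor product). It parses constructed endpoint and firewall log lines in a simple key=value format, raises an alert when an RMM tool (AnyDesk, TeamViewer, Zoho Assist) starts on a host that is not on a pre-approved list, and raises another when a host opens an outbound port 22 connection to a non-RFC 1918 address, escalating the severity when the byte count is large. The log format, the tool-name substring heuristic, the allowlist, the 100 MiB threshold and the 203.0.113.0/24 destination (a documentation-range placeholder) are all this example's own assumptions.

```python
from __future__ import annotations
import ipaddress
import re

# Constructed endpoint/firewall log lines in an invented key=value format (not from any real product).
SAMPLE_LOGS = """\
2025-04-03T10:12:05Z host=WS-FIN-07 event=process_start image="C:\\Users\\j.doe\\AppData\\Local\\AnyDesk\\AnyDesk.exe" user=j.doe
2025-04-03T10:14:41Z host=WS-FIN-07 event=net_connect proto=tcp dst=203.0.113.45 dport=22 image="C:\\Program Files (x86)\\WinSCP\\WinSCP.exe" bytes_out=734003200
2025-04-03T10:20:00Z host=SRV-IT-01 event=process_start image="C:\\Program Files\\TeamViewer\\TeamViewer.exe" user=svc-helpdesk
2025-04-03T10:21:00Z host=WS-HR-02 event=net_connect proto=tcp dst=10.0.5.20 dport=22 image="C:\\Windows\\System32\\OpenSSH\\ssh.exe" bytes_out=1024
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="value with spaces"

# Substring heuristic for the RMM tools named in the write-up; a real deployment would match
# signed binaries or hashes, but a path substring is enough to show the control.
RMM_MARKERS = ("anydesk", "teamviewer", "zoho assist", "zohoassist")
# (host, tool) pairs that policy has pre-approved; constructed for the demo.
APPROVED_RMM = {("SRV-IT-01", "teamviewer")}
# Internal ranges; anything else on port 22 is treated as a potential exfiltration channel.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXFIL_BYTES = 100 * 1024 * 1024  # arbitrary 100 MiB escalation threshold


def parse_line(line: str) -> dict[str, str]:
    """Split a log line into a timestamp plus key/value fields, stripping quotes from values."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for key, val in KV_RE.findall(rest):
        fields[key] = val.strip('"')
    return fields


def rmm_tool(image: str) -> str | None:
    """Return the RMM marker found in an image path, or None."""
    low = image.lower()
    return next((m for m in RMM_MARKERS if m in low), None)


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def check_event(ev: dict[str, str]) -> dict[str, str] | None:
    """Apply the two rules to one parsed event and return an alert dict or None."""
    host = ev.get("host", "?")
    if ev.get("event") == "process_start":
        tool = rmm_tool(ev.get("image", ""))
        if tool and (host, tool) not in APPROVED_RMM:
            return {"ts": ev["ts"], "host": host, "rule": "unapproved_rmm", "detail": tool}
    elif ev.get("event") == "net_connect" and ev.get("dport") == "22":
        if not is_internal(ev["dst"]):
            out = int(ev.get("bytes_out", "0"))
            sev = "high" if out >= EXFIL_BYTES else "medium"
            return {"ts": ev["ts"], "host": host, "rule": "external_ssh_sftp",
                    "detail": f"{ev['dst']} bytes_out={out} severity={sev}"}
    return None


def scan(logs: str) -> list[dict[str, str]]:
    """Run every non-empty line through the rules and collect the alerts."""
    alerts = []
    for line in logs.splitlines():
        if line.strip():
            alert = check_event(parse_line(line))
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS):
        print(f"{a['ts']} {a['host']} {a['rule']}: {a['detail']}")
```

In the constructed sample the approved TeamViewer start on SRV-IT-01 and the internal SSH session from WS-HR-02 produce nothing, while the AnyDesk start and the large WinSCP transfer to an external host on WS-FIN-07 each produce an alert; the same host appearing in both rules within minutes is exactly the callback-phishing sequence the write-up describes, so correlating the two on host and time is the natural next step for a SIEM rule.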
https://socradar.io/dark-web-profile-silent-ransom-group-leakeddata/