Menu

Silent Ransom Group Targets Las Vegas Law Firms — Cybersecurity Alert

⚠ Cybersecurity Alert

Silent Ransom Group Targets Las Vegas Law Firms with Fake IT Support Calls

A new FBI-backed warning puts Las Vegas attorneys, accountants, and professional services firms directly in the crosshairs of one of 2026’s most aggressive extortion gangs—and the attack starts with nothing more than a phone call.

Published by CMIT Solutions of Las Vegas · Cybersecurity · 6 min read

A New Kind of Attack: No Malware, No Encryption—Just a Phone Call

If you run a law firm, accounting practice, or professional services company in Las Vegas, cybersecurity just got more personal. The Silent Ransom Group—a sophisticated extortion gang also tracked by researchers as UNC3753, Luna Moth, and Chatty Spider—is actively targeting U.S. legal and financial firms with a campaign that bypasses every piece of security software you have installed. Their weapon? A phone call from someone who sounds exactly like your IT department.

According to a June 2026 report from Mandiant and a concurrent FBI FLASH advisory, the group targeted dozens of organizations across the legal, financial, and professional services sectors between January and May 2026. They have shifted entirely away from traditional ransomware encryption and now focus on a faster, harder-to-detect model: steal your most sensitive client data, then demand payment within 72 hours or start leaking it to clients, regulators, and the press.

Las Vegas is a natural target. The city’s legal sector spans gaming and gaming compliance law, real estate and construction, hospitality, personal injury, and government contracting—all industries that generate exactly the kind of sensitive client files this group is hunting. If your firm has not reviewed its cybersecurity posture recently, this is the wake-up call.

Critical Warning

Mandiant reports that ransom demands often arrive within 30 minutes of attackers leaving the victim’s environment. Victims receive a 3-day deadline—after which attackers threaten to call employees and external clients directly to disclose the breach. Legal firms are targeted because they “may be highly motivated to resolve extortion situations quietly to protect their professional standing,” according to Mandiant.

How the Silent Ransom Group Gets Inside Your Network

The attack sequence is deceptively simple—which is exactly why it works. It does not rely on malware, zero-days, or compromised credentials purchased on the dark web. Instead, it exploits trust, routine, and the natural pressure employees feel when someone who sounds authoritative calls from “IT.”

  • Step 1 — Invoice phishing email: Employees receive an invoice-themed email from a consumer email account. The email contains no malicious links or attachments—it is designed solely to create alarm and prime the target for a follow-up call.
  • Step 2 — Vishing (voice phishing) call: Attackers call back impersonating your IT helpdesk. They reference the email, manufacture urgency, and direct employees to join a remote support session via Microsoft Teams, Zoom, Quick Assist, or Microsoft Terminal Services.
  • Step 3 — RMM tool installation: During the session, the attacker convinces the employee to install a remote monitoring and management (RMM) tool such as AnyDesk, Zoho Assist, Bomgar, or SuperOps—software that looks legitimate and rarely triggers security alerts.
  • Step 4 — Data reconnaissance and theft: Once inside, attackers systematically search for contracts, tax records, Social Security numbers, merger or acquisition files, and client case files. They exfiltrate everything using tools like WinSCP or Rclone.
  • Phishing domains used: Mandiant identified fake IT portal domains following patterns such as [yourorganization]-itdesk.com, [yourorganization]-it.com, and [yourorganization]-helpdesk.com—all designed to look like internal company resources.
  • Anti-forensics tactic: The group uses Privnote (a self-destructing message service) to share installation links during calls, deliberately reducing evidence left in browser histories and chat logs.

Why Las Vegas Professional Services Firms Are at Elevated Risk

Mandiant’s researchers are direct about why this group targets legal and financial firms over manufacturing or retail: “Legal services firms maintain concentrated repositories of extremely sensitive client transaction files, merger and acquisition plans, client trade secrets, and corporate regulatory reports.” Las Vegas firms sit at the intersection of gaming compliance, real estate transactions, entertainment contracts, and personal injury settlements—a gold mine for extortion actors.

  • Client attorney-privilege files leaked publicly, exposing clients to competitive and legal harm
  • Nevada State Bar disciplinary proceedings for failure to safeguard client data
  • HIPAA exposure if the firm handles healthcare-adjacent matters (personal injury, medical malpractice)
  • Client lawsuits for negligent data handling—exactly what the extortion letter threatens to incite
  • Gaming industry contractors subject to Nevada Gaming Control Board scrutiny if compliance data is exposed
  • Permanent reputational damage in a city where referral networks and professional trust are everything

Three Steps Las Vegas Firms Must Take Right Now

► Step 1: Implement a Verified IT Contact Protocol

THE GAP Most small and mid-sized Las Vegas firms have no formal process for employees to verify whether an inbound IT call is legitimate. Attackers exploit this gap every time—and employees, trying to be helpful, comply with requests they should question.

THE FIX Establish a single, written IT support contact—phone number and email—that every employee knows. Train staff that your real IT team will never initiate a call asking them to install software or join a remote session without a prior support ticket. Any unsolicited IT call should be treated as suspicious and verified through an independent callback to the known IT number, not the number the caller provides.

► Step 2: Audit and Lock Down Remote Access Tools

THE GAP AnyDesk, Zoho Assist, and similar RMM tools are freely downloadable—and once installed, they create a persistent backdoor that looks completely normal to most endpoint security tools. Many firms have no policy preventing employees from installing these applications.

THE FIX Work with your IT provider to audit which remote access tools are currently installed across all workstations and remove unauthorized ones immediately. Implement application allowlisting or endpoint policies that prevent non-approved software from being installed without administrator approval. If your firm uses a legitimate remote support tool, ensure only IT can initiate sessions—never employees responding to inbound calls.

► Step 3: Deploy MFA and Enforce Document Access Controls

THE GAP The Silent Ransom Group targets document management platforms and cloud storage because in most firms, any authenticated user can access everything. There are no role-based access controls, no audit logging, and no alerts when large volumes of files are accessed or copied in bulk.

THE FIX Enable MFA on every account—especially Microsoft 365, document management systems, and cloud storage. Implement least-privilege access so staff can only access files relevant to their role. Enable audit logging and set alerts for bulk file access or unusual data transfer activity. These controls do not stop a social engineering attack from getting started, but they dramatically limit what can be stolen before the session is detected and cut off.

Las Vegas Businesses: Don’t Wait for the Breach.

The Silent Ransom Group is active right now. A free security consultation with CMIT Solutions of Las Vegas takes 30 minutes—a data theft event takes years to recover from.

Get a Free Security Assessment

Defending Las Vegas with CMIT Solutions

CMIT Solutions of Las Vegas has protected Clark County businesses for years, and the threat landscape we navigate every day looks exactly like what Mandiant is describing in this report. Social engineering attacks are not stopped by firewalls alone—they are stopped by layered defenses, trained employees, and a managed IT partner who monitors your environment around the clock. If you operate a law firm, financial practice, or professional services company in the Las Vegas valley, the question is not whether you are a target. You are. The question is whether you are prepared.

Protect Your Las Vegas Business Today

The Silent Ransom Group does not discriminate by firm size. Any Las Vegas law firm, CPA practice, or professional services company with valuable client data is a viable target.

CMIT Solutions of Las Vegas provides 24/7 managed cybersecurity, employee security training, endpoint protection, and incident response for Clark County businesses.

Schedule a Free Security Review

Prefer to talk? Call (702) 725-2877 or email hello@cmitsolutions.com

Back to Blog

Share:

Related Posts

Las Vegas skyline — guide to choosing the best managed IT services in Las Vegas

Your 2025 Guide: Best Managed IT Services in Las Vegas | SMB Buyer’s Checklist

Your 2025 Guide: Choosing the Best Managed IT Services in Las Vegas…

Read More
From casino breaches to law firm hacks, here’s what 2025 looks like for Las Vegas cybersecurity — and how local SMBs can defend themselves.

Las Vegas Cybersecurity Threats in 2025

Las Vegas Cybersecurity Threats in 2025: What SMBs Must Know & How…

Read More

How Data Backup Protects You from Ransomware (Las Vegas SMB Guide)

How Data Backup Protects You from Ransomware: A Practical Guide for Las…

Read More