Silent Ransom Group (SRG) Strengthens Data Leak Operations with Fast-Flux Botnet Tactics

The Silent Ransom Group (SRG) has put a fast-flux botnet behind the infrastructure that supports its data extortion operations. The change makes the group's domains considerably harder to track and take down, and it matters most to sectors that hold highly sensitive data, above all law firms.

The Evolution of SRG

Since emerging in 2022, SRG has become known for a distinct extortion model. Rather than encrypting victims' files as conventional ransomware does, SRG steals sensitive data and pressures the organization by threatening to publish or sell it. Because nothing is encrypted, controls built around ransomware recovery do little against this threat.

Recent FBI advisories state that SRG is specifically targeting U.S. law firms and other organizations that handle confidential information, using social engineering and, in some cases, in-person approaches, which raises the risk for anyone entrusted with such data.

Fast-Flux Technology Explained

Fast flux is a technique in which the DNS records for a domain are rotated rapidly across a large pool of IP addresses, typically with very short TTLs so that resolvers keep re-querying and each answer points at a different set of hosts. Those hosts are usually compromised consumer devices such as routers and modems that merely proxy traffic to a hidden backend, so the addresses investigators see are throwaway relays rather than the server that actually holds the content.

Resecurity's research identified two SRG-linked domains, business-data-leaks.com and ep6pheij.com, that use this technique. Their DNS records rotate through residential and mobile IP addresses drawn from a botnet spread across 18 countries and 22 internet service providers.

The Technical Landscape

Investigators found no datacenter or hosting IPs anywhere in SRG's infrastructure: every node traced back to a consumer ISP, which points to compromised residential devices fronting for the group's servers. Each DNS query returns between 10 and 18 IP addresses, and the set changes every two to three minutes, with the rotation managed by a backend command-and-control server. The pattern superficially resembles a content delivery network, which also answers with several addresses and short TTLs, but a CDN's addresses belong to the provider's own networks and stay stable, whereas these belong to unrelated home and mobile subscribers and churn continuously.

The two domains also share roughly 50 to 60 percent of the same bot pool, which indicates a single operator behind both. Nine IP addresses appeared in the rotation pools of both domains, with nodes located in North Macedonia, Croatia and Egypt, among other places.
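The observations above (many addresses per answer, short TTLs, a large share of the answer replaced on each query, every address in a consumer ISP rather than a hosting provider, and a measurable overlap between two domains' pools) can be turned into a small passive-DNS check. The script below is an added example written for this page; it is not Resecurity's tooling and not code from the article. The DNS snapshots, the addresses (RFC 5737 documentation ranges), the ISP and country labels in ASN_DB and the thresholds in classify() are all constructed assumptions. It also shows the CDN case the text contrasts against, and the pool-overlap computation that corresponds to the nine shared IPs reported for the two SRG domains.

```python
"""Fast-flux heuristics over successive DNS answers for one domain.

Added example for this page, not Resecurity's tooling or the article's code.
All snapshots, addresses (RFC 5737 documentation ranges) and ISP/country
labels are constructed, and the thresholds in classify() are assumptions.
"""
from dataclasses import dataclass
from statistics import mean

# Constructed lookup: IP -> (ISP/ASN label, country, network type). A real
# pipeline would use an ASN/WHOIS feed; hard-coded so the example runs offline.
ASN_DB = {
    "192.0.2.11": ("ISP-Alpha", "MK", "residential"),
    "192.0.2.12": ("ISP-Alpha", "MK", "residential"),
    "192.0.2.13": ("ISP-Beta", "HR", "residential"),
    "192.0.2.14": ("ISP-Beta", "HR", "residential"),
    "192.0.2.15": ("ISP-Gamma", "EG", "residential"),
    "192.0.2.16": ("ISP-Gamma", "EG", "residential"),
    "192.0.2.17": ("ISP-Delta", "BR", "residential"),
    "192.0.2.18": ("ISP-Delta", "BR", "residential"),
    "198.51.100.21": ("ISP-Epsilon", "IN", "residential"),
    "198.51.100.22": ("ISP-Epsilon", "IN", "residential"),
    "198.51.100.23": ("ISP-Zeta", "PH", "residential"),
    "198.51.100.24": ("ISP-Zeta", "PH", "residential"),
    "203.0.113.31": ("ExampleCDN", "US", "datacenter"),
    "203.0.113.32": ("ExampleCDN", "US", "datacenter"),
    "203.0.113.33": ("ExampleCDN", "US", "datacenter"),
}


@dataclass(frozen=True)
class Snapshot:
    """One DNS answer: the TTL returned and the set of A records."""
    ttl: int
    ips: frozenset


def snap(ttl, *ips):
    return Snapshot(ttl, frozenset(ips))


def distinct_ips(snaps):
    """Every address seen across all answers: the domain's observed pool."""
    return set().union(*(s.ips for s in snaps))


def churn(snaps):
    """Average fraction of one answer's IPs that are gone from the next answer."""
    steps = [1 - len(a.ips & b.ips) / len(a.ips) for a, b in zip(snaps, snaps[1:])]
    return mean(steps) if steps else 0.0


def features(snaps, db=ASN_DB):
    ips = distinct_ips(snaps)
    return {
        "distinct_ips": len(ips),
        "asns": len({db[ip][0] for ip in ips}),
        "countries": len({db[ip][1] for ip in ips}),
        "residential_share": sum(db[ip][2] == "residential" for ip in ips) / len(ips),
        "churn": churn(snaps),
        "min_ttl": min(s.ttl for s in snaps),
    }


def classify(snaps, db=ASN_DB):
    """Heuristic verdict (thresholds are assumptions). A CDN also answers with
    several IPs and a short TTL, but they sit in the provider's own networks and
    barely rotate; a flux pool is residential, spread over many ISPs and
    countries, and swaps out a large share of the answer on every query."""
    f = features(snaps, db)
    if (f["residential_share"] >= 0.8 and f["asns"] >= 3
            and f["churn"] >= 0.25 and f["min_ttl"] <= 300):
        return "fast-flux"
    return "static-or-cdn"


def pool_overlap(a, b):
    """Jaccard similarity of two domains' pools plus the shared IPs: the check
    that ties two flux domains to one botnet."""
    pa, pb = distinct_ips(a), distinct_ips(b)
    shared = pa & pb
    return len(shared) / len(pa | pb), sorted(shared)


# Constructed observations taken every two minutes. The two flux domains draw
# from overlapping residential pools; the CDN-like domain does not rotate.
FLUX_A = [
    snap(60, "192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14", "192.0.2.15"),
    snap(60, "192.0.2.13", "192.0.2.14", "192.0.2.15", "192.0.2.16", "192.0.2.17"),
    snap(60, "192.0.2.15", "192.0.2.16", "192.0.2.17", "192.0.2.18", "192.0.2.11"),
    snap(60, "192.0.2.11", "192.0.2.12", "192.0.2.18", "192.0.2.13", "192.0.2.16"),
]
FLUX_B = [
    snap(60, "192.0.2.11", "198.51.100.21", "198.51.100.22", "198.51.100.23", "192.0.2.13"),
    snap(60, "198.51.100.22", "198.51.100.23", "198.51.100.24", "192.0.2.16", "192.0.2.11"),
    snap(60, "198.51.100.24", "192.0.2.16", "192.0.2.13", "198.51.100.21", "192.0.2.11"),
]
CDN_C = [snap(300, "203.0.113.31", "203.0.113.32", "203.0.113.33")] * 3

if __name__ == "__main__":
    for name, snaps in (("flux-a", FLUX_A), ("flux-b", FLUX_B), ("cdn-c", CDN_C)):
        print(name, classify(snaps), features(snaps))
    sim, shared = pool_overlap(FLUX_A, FLUX_B)
    print(f"flux-a/flux-b pool overlap: jaccard={sim:.2f} shared={shared}")
```

Running it classifies the two constructed flux domains as fast-flux and the CDN-like domain as static, and reports the three addresses the two flux pools have in common. In practice the snapshots would come from repeated resolutions or a passive-DNS feed, the ISP and type labels from an ASN or WHOIS source, and the thresholds would be tuned against known-good CDN traffic before any alerting is wired to them.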

Implications for the Legal Sector

SRG’s focus on law firms raises significant concerns. Legal organizations are custodians of highly sensitive client data, including privileged communications and confidential legal documents. The potential for such data to be leaked publicly poses severe risks, making law firms attractive targets for extortion groups.

SRG employs various attack methods, including callback phishing, voice phishing, and impersonation of IT support staff. In some instances, members of the group have allegedly infiltrated law firm offices under the guise of IT personnel to gain physical access to systems. They also target third-party vendors and supply chain partners to indirectly reach law firms.

Once inside a network, SRG prioritizes data theft over deploying encryption-based ransomware. Controls designed around ransomware, backup restoration above all, do not address this: a backup restores availability, but it does nothing to stop stolen data from being published.

The Clearnet Data Leak Site

Unlike many ransomware gangs, which host their leak sites on Tor, SRG runs its data leak site on the clearnet. Victims, journalists and the public can reach it without special tooling, which makes the threat of exposure more visible and therefore more effective as leverage. As of June 2026, the site reportedly lists nearly 100 victim organizations, with new victims added regularly.

Resecurity has also identified a potential new project linked to SRG called Spy Corporate, which surfaced in May 2026. The domain spycorp.pro employs a similar token-based mechanism and shares IPs with SRG’s fast-flux infrastructure, indicating a direct connection.

National Security Concerns

The findings regarding SRG’s operations coincide with a joint advisory issued by cybersecurity agencies from the United States, United Kingdom, Australia, Canada, and New Zealand. This advisory highlighted fast flux as a national security concern and called for enhanced cooperation between public and private sector organizations to disrupt such infrastructures.

SRG's use of fast flux underscores the group's growing sophistication and the need for law firms and other sensitive organizations to strengthen their defenses. Security experts recommend that law firms train staff to recognize phishing and vishing attempts, enforce multi-factor authentication, and verify any unsolicited IT support request by calling back through a known internal channel rather than a number or link supplied by the caller.

As reported by cyberwarriorsmiddleeast.com, law firms accounted for nearly a quarter of all ransomware-related incidents tracked in the first quarter of 2026, positioning the sector as the fourth-most targeted industry.

For law firms, the risk goes beyond data encryption or operational disruption. Groups like SRG use the stolen information itself as the means of extortion, turning the firm's duty of confidentiality into the point of leverage.

Explore the latest digital editions of FAME Delivered in the Magazine section: https://famedelivered.com/magazine/

Published on 2026-06-06 18:55:00 • By FAME Delivered News Desk
