Silent Ransom Group Hides Behind a Global Fast Flux Botnet of Hijacked Routers

The Silent Ransom Group — one of the most aggressive ransomware operations hitting US law firms — has a new trick: a fast flux network built from compromised routers, modems, and IoT devices spanning 18 countries.

Resecurity published a report this week revealing that the gang (also tracked as Chatty Spider, Luna Moth, and UNC3753) is using rapidly rotating DNS records across a botnet of consumer and enterprise networking equipment to hide its command-and-control infrastructure. The technique, known as fast flux, constantly swaps out IP addresses tied to a domain name, making it extremely difficult for defenders to block or trace the attacker’s servers.

How SRG Gets In

The group’s playbook is disturbingly effective. It starts with a phishing email — usually themed around data migration or invoices — that tricks recipients into calling phone numbers controlled by the attackers. Gang members pose as IT support specialists and talk victims into launching screen-sharing sessions and installing remote access tools.

But it doesn’t stop at social engineering. A recent FBI alert revealed that SRG has sent operatives in person to insert USB drives into victims’ computers. Once inside, they exfiltrate data and deploy malware. The whole operation — from access to extortion — can happen in as little as 30 minutes.

Law firms are the primary target, accounting for nearly a quarter of all ransomware incidents in Q1 2026, according to Resecurity. Finance, healthcare, insurance, and hospitality firms are also on the hit list.

The Fast Flux Infrastructure

The fast flux botnet identified by Resecurity rotates DNS records across two domains known to be associated with SRG: ep6pheij[.]com and business-data-leaks[.]com. The compromised nodes are spread across 22 ISPs in Latin America, Eastern Europe, Central Asia, the Middle East, Africa, East Asia, and the Caribbean.

That’s a massive footprint. Fast flux requires a large pool of hijacked devices to work — and the fact that SRG has amassed one across multiple continents suggests sustained, systematic compromise of consumer and small-business networking equipment.

Unlike traditional ransomware operations that encrypt files and demand payment to decrypt, SRG focuses purely on data theft and extortion. They don’t bother with encryption at all. They steal data, then threaten to publish it on their clear web leak site. If the victim doesn’t respond, the gang contacts the victim’s employees and partners directly to ramp up the pressure.

Why This Matters

SRG has been active since at least 2022, according to Google. Some of its activities overlap with UNC2686, the group behind BazarCall campaigns that used TrickBot, Ursnif, and BazarLoader. This isn’t a fly-by-night operation — it’s a well-established, well-resourced criminal enterprise.

The group’s shift to fast flux is significant because it shows they’re investing in defensive infrastructure, not just offensive tactics. Hiding C2 behind a rotating proxy botnet makes attribution harder, increases uptime for their operations, and complicates takedowns by law enforcement.

What Defenders Should Do

Organizations in SRG’s target industries should prioritize: blocking or heavily restricting remote access tools like AnyDesk, ScreenConnect, and TeamViewer unless explicitly approved; DNS logging and monitoring to catch fast flux patterns — specifically rapid A-record changes for single domains; network segmentation to limit lateral movement once an endpoint is compromised; and user awareness training that covers vishing attacks, particularly the “call this number for IT support” social engineering pattern.
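The DNS-monitoring recommendation above, and the rotating-record behaviour described in the fast flux section, can be reduced to a concrete check: for each queried name, count how many distinct A-record answers appear, how often the answer flips between consecutive lookups, how low the TTLs are, and how many different network prefixes the answers span. The following is an added example, not code from Resecurity or from the original report; the resolver log format, the sample lines and the thresholds are all constructed assumptions, and the prefix check is a crude stand-in for the ASN lookup a real deployment would use. Static records and short-TTL CDN round-robin within a single block are included so the heuristic has something to tell apart.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed resolver log lines for illustration only (not real traffic).
# Assumed format, one line per A-record answer:
#   "<ISO-8601 time> query=<name> type=A answer=<ipv4> ttl=<seconds>"
# rotating.example : many answers, many prefixes, low TTL  -> fast-flux-like
# static.example   : one answer, long TTL                  -> benign
# cdn.example      : low TTL but a handful of IPs in one /16 -> round-robin, not flux
SAMPLE_LOG = """\
2026-04-01T10:00:00Z query=rotating.example type=A answer=203.0.113.10 ttl=60
2026-04-01T10:01:30Z query=rotating.example type=A answer=198.51.100.7 ttl=60
2026-04-01T10:03:00Z query=rotating.example type=A answer=192.0.2.44 ttl=45
2026-04-01T10:04:30Z query=rotating.example type=A answer=203.0.113.88 ttl=60
2026-04-01T10:06:00Z query=rotating.example type=A answer=198.51.100.201 ttl=30
2026-04-01T10:07:30Z query=rotating.example type=A answer=192.0.2.9 ttl=60
2026-04-01T10:00:10Z query=static.example type=A answer=203.0.113.5 ttl=3600
2026-04-01T10:30:10Z query=static.example type=A answer=203.0.113.5 ttl=3600
2026-04-01T11:00:10Z query=static.example type=A answer=203.0.113.5 ttl=3600
2026-04-01T10:00:20Z query=cdn.example type=A answer=203.0.113.100 ttl=20
2026-04-01T10:00:50Z query=cdn.example type=A answer=203.0.113.101 ttl=20
2026-04-01T10:01:20Z query=cdn.example type=A answer=203.0.113.100 ttl=20
2026-04-01T10:01:50Z query=cdn.example type=A answer=203.0.113.102 ttl=20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) query=(?P<name>\S+) type=A answer=(?P<ip>\d+\.\d+\.\d+\.\d+) ttl=(?P<ttl>\d+)$"
)

# Assumed detection thresholds; tune against your own resolver's baseline.
MIN_DISTINCT_IPS = 4      # a single name answered by at least this many addresses
MIN_DISTINCT_PREFIXES = 3  # spread across at least this many /16 networks
MAX_TTL = 300              # answers expire quickly so the rotation takes effect


def parse_log(text):
    """Parse the assumed log format into (timestamp, name, ip, ttl) records."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not A-record answers
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        records.append((ts, m["name"], m["ip"], int(m["ttl"])))
    return records


def analyze(records):
    """Per-name statistics that characterise rotation of A records over time."""
    by_name = defaultdict(list)
    for rec in records:
        by_name[rec[1]].append(rec)

    stats = {}
    for name, recs in by_name.items():
        recs.sort(key=lambda r: r[0])  # chronological order per name
        ips = [r[2] for r in recs]
        # Count how often the answer differs from the previous lookup.
        changes = sum(1 for prev, cur in zip(ips, ips[1:]) if prev != cur)
        # /16 prefix as a coarse proxy for "different network"; use ASN data in practice.
        prefixes = {".".join(ip.split(".")[:2]) for ip in ips}
        span_min = (recs[-1][0] - recs[0][0]).total_seconds() / 60
        stats[name] = {
            "lookups": len(recs),
            "distinct_ips": len(set(ips)),
            "changes": changes,
            "distinct_prefixes": len(prefixes),
            "min_ttl": min(r[3] for r in recs),
            "span_minutes": span_min,
            "changes_per_hour": (changes / span_min * 60) if span_min > 0 else 0.0,
        }
    return stats


def is_fast_flux(s):
    """Apply the assumed thresholds to one name's statistics."""
    return (
        s["distinct_ips"] >= MIN_DISTINCT_IPS
        and s["distinct_prefixes"] >= MIN_DISTINCT_PREFIXES
        and s["min_ttl"] <= MAX_TTL
    )


def flag_fast_flux(text):
    """Return the sorted list of names in the log that look fast-flux-like."""
    stats = analyze(parse_log(text))
    return sorted(name for name, s in stats.items() if is_fast_flux(s))


if __name__ == "__main__":
    for name, s in sorted(analyze(parse_log(SAMPLE_LOG)).items()):
        verdict = "FAST FLUX?" if is_fast_flux(s) else "ok"
        print(f"{name:20} ips={s['distinct_ips']} changes={s['changes']} "
              f"prefixes={s['distinct_prefixes']} min_ttl={s['min_ttl']} -> {verdict}")
```

Run it against the constructed sample and only rotating.example is flagged: cdn.example also has short TTLs and flipping answers, but every address sits in one prefix, which is what separates legitimate round-robin from a pool of hijacked devices on 22 different ISPs. In production, replace the /16 grouping with an ASN lookup, run the analysis over a sliding window rather than the whole log, and baseline distinct-IP counts for the CDN and cloud names your users resolve every day before alerting.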

The combination of in-person intrusions, vishing, and now a global fast flux network makes SRG one of the more creative — and dangerous — ransomware operations active right now. Defenders can’t afford to treat this as just another extortion group.