Luna Moth Hackers Trick Firms as Fake IT Helpdesks

Luna Moth’s Deceptive Tactics

Luna Moth hackers, also known as Silent Ransom Group, target U.S. legal and financial firms with clever scams. These cybercriminals pose as IT helpdesk staff to steal sensitive data. For example, they send fake emails urging victims to call a phony support number. When victims call, attackers trick them into installing remote access tools.

How the Scam Works

The group relies on social engineering, not malware, to breach networks. They create fake IT helpdesk websites using domain names like “[company]-helpdesk.com.” According to a report, Luna Moth registered at least 37 such domains in March 2025. These sites mimic legitimate support portals, making the scam highly convincing.

Gaining Access and Stealing Data

Once victims install tools like AnyDesk or Syncro, attackers gain full control of their devices. They then search for valuable files on local drives and shared networks. Afterward, they steal data using tools like WinSCP or Rclone. Finally, they demand ransoms, ranging from $1 to $8 million, threatening to leak the data online if unpaid.

Why It’s Hard to Detect

Unlike traditional ransomware, these attacks use no malicious code, making them hard to spot. Victims install legitimate software, believing they’re getting IT help. Therefore, organizations must stay vigilant to avoid falling for these deceptive tactics. The report notes the group’s shift from ransomware to data extortion after splitting from the Conti syndicate in 2022.

Preventing Luna Moth Attacks

To combat Luna Moth scams, organizations should train employees to verify IT support requests. For instance, confirm requests through official channels before acting. Additionally, restrict remote access tool installations to authorized IT staff. Implementing multi-factor authentication and monitoring network activity can also help detect and block unauthorized access. By staying proactive, firms can reduce the risk of falling victim to these sophisticated social engineering attacks.
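
As an added example (not from the original article or the report it cites), the following Python correlates process-creation events to flag the sequence described above: a remote access tool started on a workstation outside IT, followed by a file transfer tool on the same host. The log format, host names, IT allowlist, substring matching on image names and the 24-hour window are all assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Tool names come from the article; matching a substring of the image name is an assumption.
REMOTE_ACCESS = ("anydesk", "syncro")
TRANSFER = ("winscp", "rclone")
IT_HOSTS = {"IT-ADMIN-01"}      # hypothetical hosts where IT staff may run these tools
WINDOW = timedelta(hours=24)    # assumed correlation window

# Constructed sample process-creation events: time, host, user, image path
SAMPLE_LOG = """\
2025-03-10T09:02:11,LAW-WS-014,jdoe,C:\\Users\\jdoe\\Downloads\\AnyDesk.exe
2025-03-10T09:40:55,LAW-WS-014,jdoe,C:\\Users\\jdoe\\AppData\\Local\\Temp\\rclone.exe
2025-03-10T10:15:00,IT-ADMIN-01,itops,C:\\Program Files\\AnyDesk\\AnyDesk.exe
2025-03-11T08:00:00,FIN-WS-002,asmith,C:\\Program Files (x86)\\WinSCP\\WinSCP.exe
2025-03-12T14:20:00,FIN-WS-007,bking,C:\\Users\\bking\\Downloads\\SyncroSetup.exe
"""

def _kind(image):
    """Classify an image path by the tool families named in the article."""
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if any(t in name for t in REMOTE_ACCESS):
        return "remote_access"
    if any(t in name for t in TRANSFER):
        return "transfer"
    return None

def find_alerts(log_text):
    """Return (severity, host, reason) tuples in event-time order."""
    alerts, last_remote = [], {}
    rows = sorted((r for r in csv.reader(io.StringIO(log_text)) if r), key=lambda r: r[0])
    for ts, host, user, image in rows:
        when, kind = datetime.fromisoformat(ts), _kind(image)
        if kind is None or host in IT_HOSTS:
            continue  # unrelated process, or an authorized IT host
        if kind == "remote_access":
            last_remote[host] = when
            alerts.append(("medium", host, f"remote access tool run by {user} outside IT"))
        elif host in last_remote and when - last_remote[host] <= WINDOW:
            alerts.append(("high", host, f"transfer tool run by {user} after remote access"))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(*alert, sep=" | ")
```

A transfer tool seen on its own (FIN-WS-002 in the sample) raises nothing here, since the point is the remote-access-then-transfer sequence; tune the allowlist and window to the environment.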
