'Ransomware in focus' is our series unravelling the complexities of ransomware groups active in today’s threat landscape. By detailing their business strategies, target victims, and the tactics, techniques, and procedures (TTPs) behind their operations, we hope to arm businesses with essential knowledge required to confront and overcome the challenges posed by ransomware. In this instalment, Sam Steen examines the operations of Luna Moth.
Background
Luna Moth, also known as Silent Ransom Group (SRG), Chatty Spider, and UNC3753, is a financially motivated threat actor first observed in 2022. Activity has increased notably since early 2026, following an earlier peak in spring 2025, and in both periods the group has disproportionately targeted US-based law firms. Luna Moth typically gains initial access through social engineering and phishing, exfiltrates large volumes of data, and then holds victims to ransom over that data rather than encrypting systems.
Motivations and operating model
Luna Moth is financially motivated, with no indication of political or ideological drivers. The group focuses on identifying sensitive data in its victims’ networks and exfiltrating it for later extortion, often setting initial demands in the millions of dollars.
Since emerging in 2022, Luna Moth has operated a data exfiltration-led extortion model without deploying ransomware. Initial access is typically achieved through social engineering, followed by rapid data identification and exfiltration to maximize leverage over victims. There are currently no clear indicators of a formal affiliate (Ransomware-as-a-Service, RaaS) structure. However, the recent increase in victim volume may suggest the group has scaled its operations or expanded its resourcing.
Victimology
While Luna Moth has been active since 2022, most available data relates to activity from 2024 onwards.
Since 2024, Luna Moth has focused its attacks on organizations based in the United States, with over 70% of all observed victims being U.S.-based law firms (see charts below). The combination of targeting law firms and relying solely on data exfiltration suggests that Luna Moth is pursuing a deliberate strategy. Because law firms hold significant volumes of highly sensitive data, often distributed across both individual devices and shared infrastructure, this makes them attractive targets for data-driven extortion.
Luna Moth versus other ransomware groups – percentage of known victims which were law firms (2026)
| Ransomware Group | 2026 total known victims | Law firm victims | Law firms (%) |
|---|---|---|---|
| Luna Moth | 27 | 22 | 78% |
| INC Ransomware | 232 | 39 | 18% |
| Akira | 310 | 18 | 6% |
| Qilin | 708 | 34 | 5% |
| DragonForce | 243 | 7 | 3% |
| The Gentlemen | 456 | 5 | 1% |
Source: eCrime
Top 5 sectors: Number of victims per month

Victims targeted by Luna Moth by sector (all time)

Countries targeted by Luna Moth (all time)

Victims by revenue band (2026 only)

Extortion approach
Luna Moth utilizes a single-extortion scheme based on the exfiltration of sensitive data from the victim’s environment. The group maintains a clearnet leak site (see screenshot below) where they post the names, company revenue, company information, and exfiltrated data of victims that do not pay a ransom.

Luna Moth typically sets high initial ransom demands, often seven or eight figures. While the group consistently anchors negotiations at high figures, it has settled for significantly lower amounts on a number of matters our team has handled. To bolster its negotiation position, Luna Moth conducts open-source research on the victim in order to reference profit and revenue figures. In several S-RM engagements, this has included referencing and sharing information sourced from publicly available platforms such as ZoomInfo to reinforce credibility and apply pressure.
During negotiations, Luna Moth applies consistent and particularly aggressive pressure tactics, especially in relation to deadlines. Compared to many other threat actor groups, Luna Moth frequently imposes short, recurring deadlines - often on a daily basis - and uses urgent, final language to create a sense of immediacy and escalation. These tactics include referencing and, in some cases, sharing transcripts of their prior negotiations with often high-profile organizations that did not pay, reinforcing the consequences of failing to reach an agreement. The group is also known to escalate pressure through staged disclosure tactics where, if a victim misses a deadline, they will publish the victim’s name in an obfuscated format, revealing it incrementally (e.g. letter by letter) until the full identity is disclosed.
Luna Moth is generally consistent in following through on their threats when deadlines are missed, particularly in relation to leak site publication. However, S-RM has observed instances where deadlines have passed without immediate action, suggesting some flexibility depending on the negotiation dynamic and strategy. In a number of our cases, additional pressure tactics included direct outreach to employees, such as phone calls and voicemails outlining demands, as well as persistent follow-up until engagement is established.
Our experience with this group suggests that Luna Moth follows through on agreed commitments once a ransom is paid. These commitments include providing copies of exfiltrated data, proof of the same being deleted from their systems, a security report outlining vulnerabilities exploited in the victim’s environment, and confirmation Luna Moth will not publish any data or target the victim again. S-RM is not aware of any instances where Luna Moth has failed to follow through on commitments once a settlement has been reached.
Initial access
Initial access is primarily achieved through social engineering and targeted phishing campaigns. Luna Moth’s favored method is to call the victim, either via Microsoft Teams or the organisation’s corporate phone number, while impersonating internal IT support. On the call, the threat actor persuades the end user to install or launch a remote access tool, either a remote monitoring and management (RMM) client or Windows’ built-in remote assistance feature, giving the actor full interactive control of the endpoint. In S-RM cases, the tools most frequently used to establish this access are Quick Assist and AnyDesk.
In addition to remote social engineering, there are reported instances of Luna Moth attempting to gain physical access to victims’ corporate offices where attempts to establish remote access have failed. In these cases, individuals posing as IT technicians have sought entry to premises and attempted to introduce USB storage devices to endpoints for direct data access and exfiltration, under the pretext of addressing or remediating a suspected phishing incident. These in-person approaches are designed to exploit trust in internal IT functions, consistent with the group’s broader reliance on social engineering as their primary initial access vector.
Propagation
Following initial access, Luna Moth focuses primarily on data exfiltration, using common file transfer tools, most frequently WinSCP (Windows Secure Copy). Because the remote access tool established on the first host already provides both access and persistence, the group generally spends little effort on privilege escalation or lateral movement to other hosts. Instead, Luna Moth prioritizes data reconnaissance and staging on that initial host prior to exfiltration. For law firms, where partners may hold large amounts of sensitive data on their own computers (or on network shares reachable from them), this alone can give the group significant leverage to extort the whole firm. S-RM has also observed Luna Moth leveraging the user’s existing access to cloud storage platforms (e.g. OneDrive, SharePoint, Google Drive), in some instances persuading victims to download files locally to facilitate exfiltration.
Indicators of compromise
- WINSCP.EXE (a legitimate SFTP/SCP client; suspicious when newly installed, run from a user profile or Downloads folder, or run on a host with no business need for it)
- QuickAssist.exe (built into Windows 10/11, so its presence alone is not an indicator; look for sessions started by users who did not request help)
- AnyDesk.exe (legitimate RMM software; suspicious where AnyDesk is not the organisation’s sanctioned remote support tool)
- Increased number of phone calls or Teams calls from individuals purporting to be “IT support”
- Emails or phone calls from unknown individuals stating data has been stolen.
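The process names above are all legitimate software, so the useful detection is not their presence but the sequence the Initial access and Propagation sections describe: a remote access tool appears on an endpoint, and shortly afterwards WinSCP runs on the same host, often from a user-writable path. The following Python hunt script is an added example written for this article, not S-RM tooling or anything Luna Moth uses. It runs over a handful of constructed process-creation events in the shape of Sysmon Event ID 1 / Security 4688 fields (timestamp, host, user, image path); the host names, users, paths and the four-hour correlation window are illustrative assumptions, and real telemetry would be fed in from a SIEM export instead of the inline list.

```python
"""Hunt for the Luna Moth tool chain in process-creation telemetry (added example)."""
from datetime import datetime, timedelta

# Tool names from the indicator list above. Matching is on the basename,
# case-insensitive, because the page lists WINSCP.EXE while telemetry usually
# records the on-disk casing (WinSCP.exe).
REMOTE_ACCESS_TOOLS = {"quickassist.exe", "anydesk.exe"}
EXFIL_TOOLS = {"winscp.exe"}

# Assumed locations of a sanctioned install. A copy run from Downloads, Temp or a
# user profile is more suspicious than one under Program Files or System32.
EXPECTED_DIRS = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\windows\\system32\\",
)

# Constructed sample events (hypothetical hosts and users, not real telemetry).
EVENTS = [
    {"ts": "2026-03-02T09:12:04", "host": "LAW-WS-014", "user": "jdoe",
     "image": "C:\\Windows\\System32\\notepad.exe"},
    {"ts": "2026-03-02T09:41:30", "host": "LAW-WS-014", "user": "jdoe",
     "image": "C:\\Program Files\\WindowsApps\\MicrosoftCorporationII.QuickAssist_2.0.0.0_x64__8wekyb3d8bbwe\\QuickAssist.exe"},
    {"ts": "2026-03-02T10:05:11", "host": "LAW-WS-014", "user": "jdoe",
     "image": "C:\\Users\\jdoe\\Downloads\\WinSCP-Portable\\WinSCP.exe"},
    {"ts": "2026-03-02T11:00:00", "host": "LAW-WS-022", "user": "asmith",
     "image": "C:\\Program Files (x86)\\WinSCP\\WinSCP.exe"},
    {"ts": "2026-03-03T14:20:00", "host": "LAW-WS-031", "user": "bjones",
     "image": "C:\\Users\\bjones\\Downloads\\AnyDesk.exe"},
]


def basename(path):
    """Lower-cased file name from a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_expected_dir(path):
    """True if the image lives under one of the sanctioned install roots."""
    lowered = path.lower()
    return any(lowered.startswith(d) for d in EXPECTED_DIRS)


def classify(event):
    """Return (tool, category, unexpected_path) for an IOC image, else None."""
    name = basename(event["image"])
    if name in REMOTE_ACCESS_TOOLS:
        category = "remote_access"
    elif name in EXFIL_TOOLS:
        category = "exfil"
    else:
        return None
    return name, category, not in_expected_dir(event["image"])


def hunt(events, window=timedelta(hours=4)):
    """Flag every IOC execution; escalate to critical when WinSCP runs on a host
    within `window` of a remote access tool launch, the access-then-exfil pattern."""
    findings = []
    last_remote = {}  # host -> time of most recent remote access tool launch
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        hit = classify(ev)
        if hit is None:
            continue
        name, category, odd_path = hit
        ts = datetime.fromisoformat(ev["ts"])
        severity, reason = "medium", f"{name} executed"
        if odd_path:
            severity, reason = "high", reason + " from non-standard path"
        if category == "remote_access":
            last_remote[ev["host"]] = ts
        elif category == "exfil" and ev["host"] in last_remote \
                and ts - last_remote[ev["host"]] <= window:
            severity = "critical"
            reason += f" within {window} of a remote access tool on the same host"
        findings.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                         "tool": name, "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"[{f['severity'].upper():8}] {f['ts']} {f['host']} {f['user']}: {f['reason']}")
```

On the sample data the sanctioned WinSCP install on LAW-WS-022 is only a medium finding, the portable copy on LAW-WS-014 is critical because Quick Assist ran on the same host 24 minutes earlier, and AnyDesk from a Downloads folder is high on its own. In production the window and path allow-list should be tuned to the environment, and the same correlation can be expressed as a SIEM rule over the equivalent fields.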
Written by Sam Steen, edited by Virginia Romero, Lori Murphy and Dan Caplin