1. Overview
Silent Ransom, which this report also discusses under Microsoft's Silk Typhoon designation, is assessed here as a Chinese state-aligned threat actor operating at the intersection of cyber espionage and data extortion. The group is known for stealthy intrusions into government, telecom and critical infrastructure organisations, typically without deploying ransomware in the traditional sense. Instead, it focuses on access operations, credential theft and selective data exfiltration, occasionally coupled with financial or reputational extortion. One caveat on naming: Microsoft uses Silk Typhoon for the Chinese espionage actor it previously tracked as HAFNIUM, while the Silent Ransom Group name (also tracked as Luna Moth) is used by other vendors for a financially motivated extortion crew, and most vendors do not track the two as one actor. Verify the alias mapping against current vendor reporting before acting on this profile.
Unlike conventional ransomware groups, Silent Ransom does not encrypt victim systems, so it avoids the noise an encryption event generates. The group's name reflects its strategy: operate quietly, maintain access over long periods and use the threat of data exposure as leverage.
2. Origin and Evolution
Silent Ransom was first identified in 2023 and quickly associated with Chinese cyber operations targeting critical industries. The group has been observed leveraging both publicly disclosed vulnerabilities and custom malware implants to gain initial access and establish persistence.
Its evolution mirrors a broader trend in Chinese cyber activity, blending traditional espionage with opportunistic monetisation. Some victims receive extortion demands after Silent Ransom exfiltrates sensitive documents, while others experience silent compromise and passive data theft.
Silk Typhoon is the name Microsoft uses, within its weather-themed taxonomy, for the Chinese espionage actor it previously tracked as HAFNIUM. This report treats the Silent Ransom activity described here under that name; that mapping is not shared by all vendors, so treat it as a working assumption rather than an established alias.
3. Tactics, Techniques, and Procedures (TTPs)
Silent Ransom's tooling favours stealth, lateral movement and a minimal footprint:
- Initial access
Exploits known vulnerabilities in public-facing services, including VPN appliances and application servers (T1190), and frequently reuses credentials stolen in earlier breaches or bought on underground markets (T1078).
- Credential harvesting
Uses Mimikatz, LSASS memory scraping (T1003.001) and exports from Windows Credential Manager (T1555.004) to gather credentials and escalate access.
- Persistence and lateral movement
Maintains access via scheduled tasks (T1053.005), WMI event subscriptions (T1546.003) and registry changes (T1112). Moves laterally with PsExec, SMB admin shares and RDP using the compromised credentials (T1021).
- Data exfiltration
Selectively collects email archives, contracts, operational documents and configuration files, then exfiltrates them over HTTPS POSTs to actor-controlled infrastructure (T1041) or to legitimate cloud storage platforms (T1567.002).
- Extortion
In some cases, sends discreet messages to victims offering the option to "prevent publication" of stolen data. These communications avoid traditional ransom language and are designed to read like covert negotiations.
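The lateral-movement pattern described above (one set of stolen credentials reused over SMB, PsExec and RDP against many hosts in quick succession) is easier to catch as a fan-out than as any single logon. The following is an added example written for this profile, not tooling from the actor, Microsoft or any vendor: it reads a few constructed Windows Security 4624 records flattened to JSON (field names follow the real event, values are invented) and alerts when one account reaches several distinct hosts via network or RDP logons inside a sliding window. The 15-minute window and four-host threshold are illustrative assumptions.

```python
"""Lateral-movement fan-out detection over Windows 4624 logon events.

Added example for this report, not tooling from the actor profile or any vendor.
Input is a handful of constructed Security-log records (Event ID 4624) flattened
to JSON; a real deployment would pull the same fields from a SIEM or Windows
Event Forwarding. Thresholds (15-minute window, 4 hosts) are illustrative.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "svc_backup" reaches five servers in seven minutes from one
# workstation (what PsExec/SMB/RDP hopping with stolen credentials looks like),
# while "jsmith" shows ordinary interactive and file-share activity.
SAMPLE_EVENTS = [
    '{"time":"2025-05-02T02:14:05","EventID":4624,"TargetUserName":"svc_backup","LogonType":3,"Computer":"FS01","IpAddress":"10.20.4.17"}',
    '{"time":"2025-05-02T02:15:40","EventID":4624,"TargetUserName":"svc_backup","LogonType":3,"Computer":"FS02","IpAddress":"10.20.4.17"}',
    '{"time":"2025-05-02T02:16:12","EventID":4624,"TargetUserName":"svc_backup","LogonType":10,"Computer":"DC01","IpAddress":"10.20.4.17"}',
    '{"time":"2025-05-02T02:18:55","EventID":4624,"TargetUserName":"svc_backup","LogonType":3,"Computer":"MAIL01","IpAddress":"10.20.4.17"}',
    '{"time":"2025-05-02T02:21:03","EventID":4624,"TargetUserName":"svc_backup","LogonType":3,"Computer":"SQL01","IpAddress":"10.20.4.17"}',
    '{"time":"2025-05-02T09:01:10","EventID":4624,"TargetUserName":"jsmith","LogonType":2,"Computer":"WS117","IpAddress":"-"}',
    '{"time":"2025-05-02T09:03:22","EventID":4624,"TargetUserName":"jsmith","LogonType":3,"Computer":"FS01","IpAddress":"10.20.7.44"}',
    '{"time":"2025-05-02T09:40:00","EventID":4624,"TargetUserName":"jsmith","LogonType":3,"Computer":"FS02","IpAddress":"10.20.7.44"}',
    '{"time":"2025-05-02T10:00:00","EventID":4672,"TargetUserName":"jsmith","LogonType":0,"Computer":"WS117","IpAddress":"-"}',
]

# 3 = network logon (SMB admin shares, PsExec, WMI); 10 = RemoteInteractive (RDP)
REMOTE_LOGON_TYPES = {3, 10}


def parse_events(lines):
    """Keep only successful remote logons, normalised and sorted by time."""
    events = []
    for line in lines:
        rec = json.loads(line)
        if rec["EventID"] != 4624 or rec["LogonType"] not in REMOTE_LOGON_TYPES:
            continue
        events.append({
            "time": datetime.fromisoformat(rec["time"]),
            "user": rec["TargetUserName"].lower(),
            "host": rec["Computer"],
            "src": rec["IpAddress"],
            "type": rec["LogonType"],
        })
    return sorted(events, key=lambda e: e["time"])


def detect_fanout(events, window=timedelta(minutes=15), min_hosts=4):
    """Alert when one account logs on remotely to >= min_hosts distinct hosts
    within any sliding window of length `window`. Returns one alert per account
    (the window with the largest host count)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        best = None
        for i, start in enumerate(evs):
            hosts, sources = set(), set()
            for e in evs[i:]:          # evs is time-sorted, so stop at the window edge
                if e["time"] - start["time"] > window:
                    break
                hosts.add(e["host"])
                sources.add(e["src"])
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {
                    "user": user,
                    "window_start": start["time"].isoformat(),
                    "hosts": sorted(hosts),
                    "sources": sorted(sources),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert, indent=2))
```

Service accounts that legitimately touch many hosts (backup, monitoring, patching) will trip this rule, so pair it with an allow-list keyed on account and source address rather than raising the threshold; an account whose fan-out suddenly comes from a new source workstation, as in the sample, is the case worth paging on.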
4. Targeting Profile
Silent Ransom focuses on high-value targets that support national security, economic development, and strategic Chinese interests. These include:
- Government ministries and agencies
- Telecommunications providers
- Critical infrastructure (energy, water, transport)
- Legal and financial services
- Technology manufacturers and software vendors
- Defence and aerospace contractors
Several organisations in the UK, particularly in telecoms and public sector IT supply chains, have been indirectly affected by the group’s campaigns.
5. Notable Campaigns and Victims
Due to its covert approach, confirmed campaigns attributed to Silent Ransom are limited in the public domain. However, investigations by private sector researchers and government agencies have revealed:
- Infiltration of a Southeast Asian telecoms provider, with access lasting several months before discovery
- Compromise of a US-based law firm, with sensitive legal documents stolen and later used in an extortion attempt
- Long-term presence within the IT network of a European logistics company, during which emails and partner documents were silently exfiltrated
- Observed targeting of UK-based organisations linked to civil engineering and infrastructure development
In many cases, data is not leaked on public platforms, and extortion attempts are made quietly to avoid attention and reduce the chance of attribution.
6. Technical Indicators
Silent Ransom maintains a low profile, but some indicators have been shared by threat intelligence providers:
- Custom malware loaders using DLL sideloading
- Use of signed binaries for credential access and lateral movement
- Registry modifications for persistence and WMI filters
- Scheduled tasks under names like “SystemUpdater” or “TelemetryAgent”
- Use of legitimate cloud storage services (including OneDrive and Dropbox) for C2 and data exfiltration
Because of the actor’s stealthy operations, detection often requires in-depth forensic investigation and log correlation.
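Two of the indicators above, the named scheduled tasks and the WMI filters, leave log entries at creation time that a hunt can key on without waiting for a forensic image: Security event 4698 records each new scheduled task together with its XML definition, and Microsoft-Windows-WMI-Activity/Operational event 5861 records each permanent event-consumer binding. The block below is an added example for this report, not tooling from the actor or any vendor. Its records are constructed stand-ins for those two events (field names follow the real logs, the values are invented), and the task-name watchlist, path and script-host regexes are illustrative choices that should be widened to match local conventions.

```python
"""Hunt for the persistence indicators above: scheduled tasks (T1053.005) and
permanent WMI event subscriptions (T1546.003).

Added example, not tooling from the report or any vendor. The records below are
constructed stand-ins for Security event 4698 (task created) and
Microsoft-Windows-WMI-Activity/Operational event 5861 (permanent consumer bound);
field names follow those logs, the values are invented for illustration.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Task names cited in the report's indicator list (matched on the leaf name).
WATCHLIST_TASK_NAMES = {"systemupdater", "telemetryagent"}
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public|downloads)\\", re.I)
SCRIPT_HOST = re.compile(r"\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b", re.I)
OBFUSCATED = re.compile(r"(-enc|-e\b|frombase64|downloadstring|iex|hidden)", re.I)
WMI_CONSUMERS = ("CommandLineEventConsumer", "ActiveScriptEventConsumer")


def task_xml(command, arguments):
    """Build a minimal Task Scheduler definition (used only for the constructed sample)."""
    return (f'<Task version="1.2" xmlns="{TASK_NS["t"]}"><Actions Context="Author">'
            f"<Exec><Command>{command}</Command><Arguments>{arguments}</Arguments></Exec>"
            "</Actions></Task>")


# Constructed 5861 message: a CommandLineEventConsumer bound to a filter in root\subscription.
WMI_MESSAGE = (
    "Namespace = //./root/subscription; Eventfilter = evtFilter (refer to its activate eventid:5859); "
    'Consumer = CommandLineEventConsumer="evtConsumer"; PossibleCause = Binding EventFilter: '
    'instance of __EventFilter {Name = "evtFilter"}; Consumer: instance of CommandLineEventConsumer '
    '{Name = "evtConsumer"; CommandLineTemplate = "cmd.exe /c powershell -w hidden -c Invoke-Expression $env:payload"}'
)

SAMPLE_RECORDS = [
    {"EventID": 4698, "Computer": "WS117", "SubjectUserName": "jsmith",
     "TaskName": r"\Microsoft\Windows\TelemetryAgent",
     "TaskContent": task_xml(r"C:\ProgramData\svc\updater.exe", "-s")},
    {"EventID": 4698, "Computer": "WS117", "SubjectUserName": "SYSTEM",
     "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": task_xml(r"%windir%\system32\defrag.exe", "-c -h -o -$")},
    {"EventID": 4698, "Computer": "FS01", "SubjectUserName": "svc_backup",
     "TaskName": r"\SystemUpdater",
     "TaskContent": task_xml("powershell.exe", "-NoP -W Hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA")},
    {"EventID": 5861, "Computer": "FS01", "Message": WMI_MESSAGE},
]


def _task_commands(task_content):
    """Extract (Command, Arguments) pairs from a task's XML definition."""
    root = ET.fromstring(task_content)
    pairs = []
    for exec_node in root.findall(".//t:Exec", TASK_NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        args = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        pairs.append((cmd, args))
    return pairs


def assess_task(record):
    """Reasons a 4698 record looks like actor persistence; empty list if nothing stands out."""
    reasons = []
    leaf = record["TaskName"].rstrip("\\").split("\\")[-1].lower()
    if leaf in WATCHLIST_TASK_NAMES:
        reasons.append(f"task name '{leaf}' is on the indicator watchlist")
    for cmd, args in _task_commands(record["TaskContent"]):
        if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(args):
            reasons.append(f"action runs from a user-writable path: {cmd} {args}".rstrip())
        if SCRIPT_HOST.search(cmd) and OBFUSCATED.search(args):
            reasons.append(f"script host with encoded/hidden arguments: {cmd} {args}")
    return reasons


def assess_wmi(record):
    """Reasons a 5861 record looks like a malicious permanent subscription."""
    reasons = []
    msg = record["Message"]
    for consumer in WMI_CONSUMERS:
        if consumer in msg:
            reasons.append(f"permanent WMI subscription bound to {consumer}")
    m = re.search(r'CommandLineTemplate\s*=\s*"([^"]*)"', msg)
    if m and (SCRIPT_HOST.search(m.group(1)) or USER_WRITABLE.search(m.group(1))):
        reasons.append(f"consumer command line: {m.group(1)}")
    return reasons


def hunt(records):
    """Run both assessors over a mixed record stream and keep only hits."""
    findings = []
    for rec in records:
        if rec["EventID"] == 4698:
            reasons = assess_task(rec)
        elif rec["EventID"] == 5861:
            reasons = assess_wmi(rec)
        else:
            continue
        if reasons:
            findings.append({"EventID": rec["EventID"], "Computer": rec["Computer"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_RECORDS):
        print(finding)
```

Event 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled, and the WMI-Activity Operational log is small and rolls over quickly, so both need to be forwarded centrally before the hunt is useful; the benign defrag task in the sample shows why the name watchlist alone is too narrow and the path and script-host checks carry most of the weight.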
7. Defensive Measures and Recommendations
To defend against Silent Ransom and Silk Typhoon campaigns:
- Audit remote access infrastructure and enforce strong MFA across all externally accessible services
- Monitor for abnormal credential use and unexpected lateral movement
- Use endpoint detection and response (EDR) tools with memory scanning and behavioural detection
- Enable and retain PowerShell and command-line logging for forensic visibility
- Monitor for signs of slow data exfiltration and suspicious cloud traffic
- Segment networks and restrict administrative protocols (SMB, RDP, WinRM) between segments to limit lateral movement and contain the blast radius of a stolen credential
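The recommendation to watch for slow exfiltration and suspicious cloud traffic, together with the indicator in section 6 that the actor uses OneDrive and Dropbox for exfiltration, calls for a detection that looks at sustained volume rather than individual large transfers. The block below is an added example written for this report, not tooling from the actor, Microsoft or any vendor: it reads constructed web-proxy log lines in a simplified CSV shape (time, source host, method, destination host, client-to-server bytes, status), profiles uploads to a small suffix list of consumer cloud-storage domains per host, and flags hosts whose uploads are spread across many hours, exceed an absolute floor, and dwarf the median host. The domain list, 6-hour, 50 MB and 5x-peer thresholds are illustrative assumptions.

```python
"""Low-and-slow exfiltration to cloud storage, spotted from web-proxy logs.

Added example, not tooling from the report or any vendor. The log lines are
constructed in a simplified CSV shape (time, source host, method, destination
host, client-to-server bytes, status); map your proxy's real fields onto them.
Thresholds are illustrative and should be tuned to the environment's baseline.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Consumer cloud-storage domains named in the indicator list, matched by suffix.
CLOUD_STORAGE = {"dropbox.com", "dropboxapi.com", "onedrive.com", "onedrive.live.com", "1drv.ms"}
UPLOAD_METHODS = {"POST", "PUT"}


def _constructed_log():
    base = datetime(2025, 5, 2, 8, 0)
    lines = []
    # WS042: a 3 MB POST every 30 minutes for ten hours, never a large burst.
    for i in range(20):
        t = base + timedelta(minutes=30 * i)
        lines.append(f"{t.isoformat()},WS042,POST,content.dropboxapi.com,3145728,200")
    # WS117: a user syncing a few documents to OneDrive within one hour.
    for i, size in enumerate([420000, 350000, 610000, 250000, 380000]):
        t = base + timedelta(hours=1, minutes=7 * i)
        lines.append(f"{t.isoformat()},WS117,PUT,api.onedrive.com,{size},201")
    # WS200: ordinary browsing plus one Dropbox share.
    lines.append(f"{(base + timedelta(hours=3)).isoformat()},WS200,GET,www.example.com,512,200")
    lines.append(f"{(base + timedelta(hours=4)).isoformat()},WS200,POST,www.dropbox.com,1500000,200")
    return lines


SAMPLE_LOG = _constructed_log()


def is_cloud_storage(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE)


def parse_proxy(lines):
    for line in lines:
        time, src, method, dest, bytes_out, status = line.split(",")
        yield {"time": datetime.fromisoformat(time), "src": src, "method": method,
               "dest": dest, "bytes_out": int(bytes_out), "status": int(status)}


def profile_uploads(records):
    """Per source host: bytes uploaded to cloud storage, request count, distinct active hours."""
    profiles = defaultdict(lambda: {"total_bytes": 0, "requests": 0, "max_request": 0, "hours": set()})
    for r in records:
        if r["method"] not in UPLOAD_METHODS or not is_cloud_storage(r["dest"]):
            continue
        p = profiles[r["src"]]
        p["total_bytes"] += r["bytes_out"]
        p["requests"] += 1
        p["max_request"] = max(p["max_request"], r["bytes_out"])
        p["hours"].add(r["time"].replace(minute=0, second=0, microsecond=0))
    return dict(profiles)


def detect_slow_exfil(profiles, min_hours=6, min_total=50 * 1024 * 1024, peer_ratio=5.0):
    """Flag hosts whose cloud-storage uploads are sustained across many hours, exceed an
    absolute floor, and dwarf the median host. A single large upload is not flagged here:
    the point is the drip-feed pattern that per-request size thresholds miss."""
    if not profiles:
        return []
    baseline = median(p["total_bytes"] for p in profiles.values())
    alerts = []
    for host, p in sorted(profiles.items()):
        if (len(p["hours"]) >= min_hours and p["total_bytes"] >= min_total
                and p["total_bytes"] > peer_ratio * baseline):
            alerts.append({"host": host, "total_bytes": p["total_bytes"], "requests": p["requests"],
                           "active_hours": len(p["hours"]), "max_request": p["max_request"],
                           "baseline_bytes": baseline})
    return alerts


if __name__ == "__main__":
    for alert in detect_slow_exfil(profile_uploads(parse_proxy(SAMPLE_LOG))):
        print(alert)
```

Run this over at least a full working day so the hour count is meaningful, and compute the baseline from a normal week rather than the same day, since an actor who compromises several hosts at once would otherwise raise the median along with the outliers. Where the proxy cannot see the upload size (TLS without inspection), the request count and hour spread still work as the signal.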
Organisations in targeted sectors should treat stealthy access and passive data loss as credible risks even in the absence of encryption-based attacks.
8. Attribution and Alliances
Silent Ransom is attributed to Chinese state-linked actors, likely affiliated with or contracted by units of the Ministry of State Security (MSS). The group appears to operate as part of China’s broader cyber strategy, supporting both intelligence collection and competitive advantage in key industries.
Silk Typhoon is Microsoft's public designation for the Chinese espionage actor it previously tracked as HAFNIUM. This report's mapping of the Silent Ransom activity onto that actor is not shared by all vendors, several of whom track Silent Ransom Group (Luna Moth) as a separate, financially motivated crew. The activity shares some traits with older Chinese APT groups such as APT41 and APT27, though the operational model and tactics suggest a distinct team.
9. Conclusion
The activity this report groups under the Silent Ransom and Silk Typhoon names represents a newer generation of threat actor combining espionage tradecraft with low-noise extortion. By avoiding encryption and focusing on stealthy access and data theft, the actor can remain undetected for extended periods while selectively applying pressure to victims.
UK organisations in infrastructure, telecoms, and public-private sectors should prioritise visibility, identity management, and threat hunting to defend against this subtle but impactful threat.
Author:
Threat Intelligence Team, UK Cyber Defence Ltd
All intelligence current as of May 2025