Login
iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
Powered by MOMENTUMMEDIA
Law firms heavily targeted by ransomware operation that has been quiet for some time, as Marriott debunks hacking claim.
A ransomware group known for its use of phishing to compromise its victims has seemingly reemerged from the darkweb, claiming responsibility for more than 70 hacks in a single update to what appears to be a new leak site.
The Silent Ransomware Group listed 72 victims on its leak site on May 6, many of them US law firms.
But one victim stood out for the possible global implications of the hack – the Marriott International hotel group.
However, while the status of the Marriott breach is ‘leaked’ and the update features a ‘click to download’ link, the link – much like that of every other victim listed as leaked – appears to lead nowhere, making the Silent Ransomware Group’s claims difficult to verify.
When contacted by Cyber Daily to provide comment on the ransomware group’s claims, a spokesperson for Marriott International said the incident was a historical one, saying on May 13 “this is an incident that occurred at a single hotel in the US three years ago”.
“At the time, Marriott notified and worked with law enforcement on an investigation, which is now resolved and closed, and determined that the information accessed in 2022 primarily contained non-sensitive internal business files regarding the operation of the property.”
This is likely referring to a 2022 cyber incident involving a Marriott hotel in the US state of Maryland. At the time, Marriott said a threat actor had managed to use a social engineering trick to gain access to a computer belonging to one of the hotel’s associates. Despite the threat group at the time claiming otherwise, Marriott said that no credit card data had been accessed or compromised and only a small number of individuals had been impacted.
None of the other victims listed appear to be related to historical incidents, and Ransomware.live estimates the date of the alleged attack was December 2024.
Who is the Silent Ransomware Group
Like many modern ransomware operations, the Silent Ransomware Group draws its lineage back to the Conti ransomware group, which fell apart over disagreements regarding the Russian invasion of Ukraine in 2022.
That same year, the Silent Ransomware Group – or something operating under that name – was becoming known for its success using callback phishing techniques to compromise its victims.
Callback phishing – aka, telephone-oriented attack delivery – relies upon an initial phishing email that calls upon the victim to call back some service. In the case of the group’s tactics in 2022, this email would have contained an invoice for a relatively small amount of money related to an unpaid invoice, attached as a PDF.
The email does not contain any malware, but when the victim calls up to question the invoice or their apparent subscription, they are directed to download a legitimate remote access tool. Because the software is legitimate, it does not trigger any security response. With remote access gained, the hackers can download further tools and begin looking for data to exfiltrate.
“These cases show a clear evolution of tactics that suggests the threat actor is continuing to improve the efficiency of their attack,” Palo Alto Networks said in a 2022 blog post.
“Cases analysed at the beginning of the campaign targeted individuals at small- and medium-sized businesses in the legal industry. In contrast, cases later in the campaign indicate a shift in victimology to include individuals at larger targets in the retail sector.”
More recently, researchers at Arctic Wolf spotted an uptick in activity by the Silent Ransomware Group in April 2025, with a focus on targeting law firms. The group is still using callback phishing to gain initial access and using remote access tools such as Zoho Assist or AnyDesk to gain system access.
Without evidence of any successful hacks, it’s hard to tell whether this is some elaborate hoax or data recycling campaign, or a newly resurgent ransomware group experiencing some teething trouble with its new leak site.
However, the fact that security researchers appear to be taking the Silent Ransomware Group seriously suggests that the best advice Cyber Daily can give is: Watch this space.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Be the first to hear the latest developments in the cyber industry.
