Cybersecurity

Luxury Resort & Casino Hit by Ransomware, Employee HR Systems Compromised

Silver Court’s waterfront skyline remains illuminated as the organization confirms a cyber intrusion impacting employee HR systems, with investigators tracing the breach to stolen credentials and a multi-stage access chain.

February 25, 2026 — Luxury hospitality and gaming operator Silver Court Resorts confirmed late Tuesday night that a cyber intrusion led to the compromise of sensitive employee data, following what investigators describe as a quiet, multi-stage attack that unfolded over several weeks.

The attackers are demanding 21.8 BTC (≈ $1.6M CAD) in exchange for not publishing what they claim is more than 600GB of internal HR and payroll data. While guest booking systems, casino floors, and payment platforms remain operational, internal HR infrastructure has been taken offline as forensic teams continue containment efforts.

According to sources familiar with the investigation, the breach did not begin with ransomware. It began with credentials.

Timeline of the Intrusion

January 29 – Security logs show anomalous authentication attempts against Silver Court’s legacy VPN gateway.

January 31 – Successful login from an IP address previously linked to an infostealer malware campaign. Analysts believe credentials were harvested from a finance department employee whose laptop had been infected with a commodity infostealer strain.

February 2 – Attackers deploy a legitimate Remote Monitoring & Management (RMM) tool to establish persistence. The tool blends into normal administrative traffic.

February 4–10 – Lateral movement observed toward payroll and HR file servers. Privilege escalation achieved via a misconfigured service account holding domain admin rights.

February 12 – Large outbound data transfer (≈ 600GB) flagged but not immediately escalated.

February 14 – Ransom note discovered on internal HR systems.
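Each stage in that timeline produced a signal that was visible on its own but was only alarming in combination: a failed-login burst against the VPN gateway, a password-only success from an address tied to an infostealer campaign, and a multi-hundred-gigabyte outbound transfer that was flagged but not escalated. The script below is an added example, not code from Silver Court or its responders, showing how those three signals can be correlated over a log stream. The log lines, the field layout (timestamp, event type, user or host, source IP, MFA flag, bytes out), the watchlist address, and the thresholds are all constructed assumptions for the example.

```python
"""Correlate VPN authentication events and host egress volume so that a
failed-login burst, a password-only success from a watchlisted address, and a
later egress spike are rated together rather than triaged one at a time.
All sample data below is constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log (not from any real appliance). Fields:
# timestamp  event_type  user_or_host  src_ip  mfa  bytes_out
SAMPLE_LOG = """\
2026-01-29T02:11:04Z auth_fail jdoe 203.0.113.7 - 0
2026-01-29T02:11:09Z auth_fail jdoe 203.0.113.7 - 0
2026-01-29T02:11:15Z auth_fail jdoe 203.0.113.7 - 0
2026-01-29T02:11:21Z auth_fail jdoe 203.0.113.7 - 0
2026-01-29T02:11:30Z auth_fail jdoe 203.0.113.7 - 0
2026-01-29T02:12:02Z auth_fail jdoe 203.0.113.7 - 0
2026-01-30T09:00:00Z auth_ok asmith 198.51.100.20 yes 0
2026-01-31T03:42:10Z auth_ok jdoe 203.0.113.7 no 0
2026-02-12T01:05:00Z egress hrfs01 10.0.5.12 - 250000000000
2026-02-12T02:05:00Z egress hrfs01 10.0.5.12 - 200000000000
2026-02-12T03:05:00Z egress hrfs01 10.0.5.12 - 150000000000
"""

# Assumed threat-intel watchlist: an address tagged as infostealer infrastructure.
WATCHLIST = {"203.0.113.7"}

FAIL_BURST = 5                      # failures per (user, ip) ...
FAIL_WINDOW = timedelta(minutes=10)  # ... inside this window
EGRESS_BYTES = 100 * 10**9           # 100 GB outbound per host ...
EGRESS_WINDOW = timedelta(hours=6)   # ... inside this window


@dataclass
class Event:
    ts: datetime
    kind: str       # auth_fail | auth_ok | egress
    subject: str    # username for auth events, hostname for egress
    ip: str
    mfa: str        # "yes", "no", or "-" when not applicable
    bytes_out: int


def parse_log(text):
    """Parse the whitespace-separated sample format into time-ordered Events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, subject, ip, mfa, nbytes = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(when, kind, subject, ip, mfa, int(nbytes)))
    return sorted(events, key=lambda e: e.ts)


def failed_login_bursts(events, threshold=FAIL_BURST, window=FAIL_WINDOW):
    """Map (user, ip) -> time the failure count first reached threshold in window."""
    by_key = defaultdict(list)
    for e in events:
        if e.kind == "auth_fail":
            by_key[(e.subject, e.ip)].append(e.ts)
    bursts = {}
    for key, times in by_key.items():
        start = 0
        for end, t in enumerate(times):            # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts[key] = t
                break
    return bursts


def risky_logins(events, watchlist=WATCHLIST):
    """Successful logins from a watchlisted source or completed without MFA."""
    hits = []
    for e in events:
        if e.kind != "auth_ok":
            continue
        reasons = []
        if e.ip in watchlist:
            reasons.append("watchlisted_ip")
        if e.mfa != "yes":
            reasons.append("no_mfa")
        if reasons:
            hits.append((e, reasons))
    return hits


def egress_spikes(events, threshold=EGRESS_BYTES, window=EGRESS_WINDOW):
    """Map host -> (time, peak bytes) where windowed outbound volume exceeded threshold."""
    by_host = defaultdict(list)
    for e in events:
        if e.kind == "egress":
            by_host[e.subject].append(e)
    spikes = {}
    for host, evs in by_host.items():
        start, total, peak = 0, 0, (None, 0)
        for e in evs:
            total += e.bytes_out
            while e.ts - evs[start].ts > window:   # drop events older than the window
                total -= evs[start].bytes_out
                start += 1
            if total >= threshold and total > peak[1]:
                peak = (e.ts, total)
        if peak[0] is not None:
            spikes[host] = peak
    return spikes


def correlate(events, watchlist=WATCHLIST):
    """Rate each risky login by how many later stages of the chain it is tied to:
    login alone -> medium; preceded by a burst from the same (user, ip) -> high;
    additionally followed by an egress spike on some host -> critical."""
    bursts = failed_login_bursts(events)
    spikes = egress_spikes(events)
    findings = []
    for e, reasons in risky_logins(events, watchlist):
        stages = 1
        burst_at = bursts.get((e.subject, e.ip))
        if burst_at is not None and burst_at <= e.ts:
            stages += 1
        later_egress = [h for h, (ts, _) in spikes.items() if ts > e.ts]
        if later_egress:
            stages += 1
        findings.append({"user": e.subject, "ip": e.ip, "reasons": reasons,
                         "egress_hosts": later_egress,
                         "severity": {1: "medium", 2: "high", 3: "critical"}[stages]})
    return findings


if __name__ == "__main__":
    for f in correlate(parse_log(SAMPLE_LOG)):
        print(f)
```

On the constructed data the asmith login (MFA completed, unknown source) produces nothing, while the jdoe login is rated critical because it sits between a burst from the same address and the hrfs01 egress. The point of the correlation step is the escalation rule: a 600GB transfer that is merely "flagged" is the kind of alert that sits in a queue, whereas the same transfer tied to a password-only login from watchlisted infrastructure should page someone.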

Preliminary forensic analysis indicates that the compromised data includes employee names and addresses, Social Insurance Numbers, payroll records, direct deposit banking details, benefits enrollment information, and internal HR case documentation. Security officials state that no customer payment systems were directly accessed; however, investigators caution that employee PII breaches often become stepping stones for broader fraud operations.

Threat intelligence analysts warn that exposures of this nature frequently precede identity theft campaigns, business email compromise attempts, credential stuffing against internal and customer portals, and highly targeted social engineering attacks aimed at executives and finance teams.

Incident responders believe the attack chain began months earlier when credentials were harvested through an infostealer infection. From there, an unpatched VPN appliance allowed password-based access into the corporate network. Although MFA was reportedly enabled across most systems, it was not enforced on the legacy gateway used in the intrusion. Attackers then leveraged a legitimate RMM tool to maintain access and avoid traditional malware detection. Domain misconfigurations, including a service account with domain administrator privileges, enabled rapid privilege escalation once inside.

“This wasn’t flashy,” said one responder involved in the containment effort. “It was patient. Controlled. Each step looked normal on its own. The danger was in how the pieces fit together.”

The threat group, identifying itself as “Black Meridian,” has posted a countdown timer on a Tor-based leak site, claiming it will release employee payroll data within seven days if the ransom is not paid. The organization has not confirmed whether negotiations are underway, stating only that it is working with external forensic teams and law enforcement partners.

The incident underscores a recurring reality across the hospitality and gaming sector: when revenue platforms are hardened and segmented, attackers often pivot to internal systems where monitoring thresholds are lower and data is dense. HR environments, in particular, remain one of the most concentrated repositories of high-value information inside an enterprise.

In today’s threat landscape, attackers do not always go straight for customers. They start with the people behind the business.

Watching the perimeter — and what slips past it. — Ayaan Chowdhury
