Rhysida attacks Istituto Prosperius

Incident Date:

September 26, 2023

World map



Rhysida attacks Istituto Prosperius


Istituto Prosperius




Florence, Italy

, Italy

First Reported

September 26, 2023

The Rhysida Ransomware Gang's Attack on Istituto Prosperius

The Rhysida ransomware gang has attacked Istituto Prosperius. Istituto Prosperius is an Italian healthcare institution specializing in rehabilitation and medical services. It's known for its commitment to providing high-quality rehabilitation care and support to individuals recovering from various medical conditions. Rhysida posted Istituto Prosperius to its data leak site on September 26th, demanding a $130,000 ransom for the safe return of company data.

Rhysida's Modus Operandi

Rhysida is a RaaS that was first observed on May 17, 2023. Rhysida has been observed deploying Cobalt Strike or similar command-and-control frameworks and abusing PSExec for lateral movement, dropping PowerShell scripts, and for payload delivery. They engage in data exfiltration for double extortion and maintain both a leaks site and a victim support portal on TOR. They are thought to be responsible for attacks against the Chilean military and more recently against Prospect Medical Holdings which impacted services at hundreds of clinics and hospitals across the US.

Rhysida has been steadily increasing their attack volume and continuing to expand the targeted industries, but volume is modest compared to leaders. Rhysida appears to be opportunistic attackers with a similar victimology as Vice Society.

Ransom Demands and Tactics

IT remains unclear how much Rhysida operators typically demand for a ransom payment at this time. Rhysida appears to have a fairly advanced RaaS offering, with capabilities that include advanced evasion techniques that can bypass antivirus protection, the wiping of Volume Shadow Copies (VSS) to prevent rollback of the encryption, and the ability to modify Remote Desktop Protocol (RDP) configuration. Rhysida employs 4096-bit RSA key and AES-CTR for file encryption.

Rhysida does not appear to be targeting Linux systems, maintaining a focus on Windows targets. TTPs are similar to those of Vice Society, which has been less active as Rhysida has emerged. Rhysida has been observed targeting the healthcare, education, government, manufacturing, and tech industries.

False Claims of Cybersecurity Assistance

Rhysida operators purport to be a “cybersecurity team” conducting unauthorized “penetration testing” to ostensibly “help” victim organizations identify potential security issues and secure their networks. The subsequent ransom demand is viewed as “payment” for their services.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.