Rhysida Ransomware Group Strikes: CDSHotels Held for Ransom

Incident Date:

April 25, 2024

Overview

Victim

CDSHotels SPA

Attacker

Rhysida

Location

Lecce, Italy

First Reported

April 25, 2024

Ransomware Attack on CDSHotels by Rhysida Group

Attack Overview

A prominent hospitality company based in Italy, CDSHotels, has recently fallen victim to a ransomware attack by the Rhysida group. The attackers have demanded a ransom of 7 BTC (approximately $450,000) to provide the decryption key. The breach involved the exfiltration of various sensitive documents, including Personally Identifiable Information (PII), invoices, and other data.

Company Profile

CDSHotels operates a range of hotels and resorts in the picturesque regions of Puglia and Sicily, Italy. With over 30 years in the hospitality industry, the company employs between 201 and 500 individuals. Known for their unique accommodations and attention to detail, the company specializes in providing all-inclusive experiences, wellness centers, and local cuisine, making them a distinguished player in the hospitality sector.

Vulnerabilities and Security Insights

The attack on the company underscores potential vulnerabilities within the hospitality industry, which handles vast amounts of guest data. The breach involved compromised credentials and attacks on the external attack surface, which shows how essential strong cybersecurity controls are for protecting sensitive information and systems from sophisticated threat actors like Rhysida.

Details of the Rhysida Ransomware Group

The Rhysida Ransomware Group, active since May 2023, targets various sectors including healthcare, education, and government. Employing double extortion tactics, Rhysida threatens to publish stolen data unless a ransom is paid. This group is known for its use of the ChaCha20 encryption algorithm and a sophisticated method of attack involving phishing campaigns and the exploitation of network vulnerabilities.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time tracking of ransomware attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous cyber threat to businesses and organizations today, and the most financially and informationally impactful.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.