Severity: High (Unverified)

Studio Marchi Ransomware Claim by Everest (May 2026)

Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.

Leak Site Screenshot

Leak site post claiming Studio Marchi - Studio Professionale Associato data breach

Screenshot captured at time of discovery. Image blurred to protect victim PII.


Claim Summary

The Everest ransomware group has allegedly claimed responsibility for a cyberattack against Studio Marchi - Studio Professionale Associato, an Italian business services firm. The claim was posted on the group’s dark web leak site on May 5, 2026. According to the threat actor’s posting, they purportedly exfiltrated data from the organization, though the volume and nature of the stolen information remain undisclosed. This report is based solely on the group’s unverified claims and has not been independently confirmed by Yazoul Security or any third-party incident response team.

Threat Actor Profile

Everest is a ransomware group first observed in 2020, known for operating a double-extortion model - encrypting victim systems while also exfiltrating sensitive data to pressure payment. The group has allegedly claimed 339 victims to date, though this figure may include exaggerated or duplicate entries. Everest’s credibility is mixed; while they have demonstrated technical capability in high-profile attacks against healthcare and government entities, they have also been observed recycling old data or inflating victim counts.

The group’s known toolset includes:

  • ProcDump - for credential dumping from LSASS process memory
  • SoftPerfect NetScan - for network reconnaissance and asset discovery
  • Cobalt Strike - for command-and-control and lateral movement
  • Metasploit - for exploitation of vulnerabilities
  • Meterpreter - for post-exploitation payload delivery
  • AnyDesk, Atera, Splashtop - legitimate remote access tools abused for persistence

Everest typically gains initial access through phishing campaigns, exposed RDP services, or exploitation of unpatched vulnerabilities. They have been observed using living-off-the-land binaries (LOLBins) to evade detection.

Alleged Data Exposure

The Everest group claims to have exfiltrated data from Studio Marchi, but has not provided specific details regarding the type or volume of information allegedly stolen. Based on the group’s historical targeting of business services firms, potential data exposure could include:

  • Client contracts and legal documentation
  • Financial records and billing information
  • Employee personally identifiable information (PII)
  • Internal correspondence and intellectual property

Without confirmation from Studio Marchi or independent forensic analysis, the scope of any data breach remains speculative. Ransomware groups frequently exaggerate claims to pressure victims into ransom negotiations.

Potential Impact

If the claim is verified, Studio Marchi could face significant operational and reputational consequences. As a professional services firm handling sensitive client data, any confirmed breach would trigger notification obligations under Italy’s GDPR implementation (D.Lgs. 196/2003 as amended). Potential impacts include:

  • Operational disruption - encrypted systems could halt billing, client communication, and document management
  • Regulatory penalties - GDPR fines up to 4% of annual global turnover for inadequate data protection
  • Client trust erosion - particularly if legal or financial documents are exposed
  • Ransom demand - Everest typically demands payment in Bitcoin or Monero, with amounts varying based on victim size

What to Watch For

Organizations in the Italian business services sector should remain vigilant for:

  • Phishing emails impersonating Studio Marchi or related entities
  • Unusual network scanning activity from unknown IP addresses
  • Attempts to deploy remote access tools like AnyDesk or Splashtop without authorization
  • Detection of Cobalt Strike beacons or Metasploit payloads in network traffic

Yazoul Security recommends deploying YARA rules that target Everest’s known payloads and infrastructure, and alerting on matches. For detection guidance, refer to our advisory at /intel/everest-ransomware-detection/.
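The indicators listed above map directly onto Everest’s known toolset. The script below is an added example, not part of the Yazoul advisory, that runs a first-pass triage over constructed process-creation log lines: it flags ProcDump invoked against LSASS, SoftPerfect NetScan execution, and remote-access tools (AnyDesk, Atera, Splashtop) launched on hosts outside an assumed allowlist of help-desk machines. The log format, hostnames, users and the allowlist are all constructed for the example.

```python
"""Triage constructed process-creation logs for Everest-style tooling (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample lines: timestamp|host|user|image path|command line
SAMPLE_LOG = """\
2026-05-05T08:12:01Z|WS-FIN-03|marchi\\rossi|C:\\Windows\\Temp\\procdump64.exe|procdump64.exe -ma lsass.exe out.dmp
2026-05-05T08:15:44Z|WS-FIN-03|marchi\\rossi|C:\\Users\\rossi\\Downloads\\netscan.exe|netscan.exe /range:10.0.0.0/24
2026-05-05T08:20:10Z|WS-FIN-03|marchi\\rossi|C:\\ProgramData\\AnyDesk\\AnyDesk.exe|AnyDesk.exe --install --start-with-win
2026-05-05T09:02:30Z|HELPDESK-01|marchi\\itops|C:\\Program Files\\AnyDesk\\AnyDesk.exe|AnyDesk.exe
2026-05-05T09:10:00Z|WS-FIN-03|marchi\\rossi|C:\\Windows\\System32\\notepad.exe|notepad.exe invoice.txt
"""

# Assumed allowlist: hosts where a remote-access tool is expected to run.
APPROVED_RAT_HOSTS = {"HELPDESK-01"}
# Simplified name fragments for the remote-access tools named in the advisory.
RAT_IMAGE_TAGS = ("anydesk", "atera", "splashtop")

def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed log line into its five fields."""
    ts, host, user, image, cmd = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "image": image, "cmd": cmd}

def classify(ev: Dict[str, str]) -> str:
    """Return an alert label for one event, or '' if nothing matched."""
    exe = ev["image"].rsplit("\\", 1)[-1].lower()
    cmd = ev["cmd"].lower()
    if "procdump" in exe and re.search(r"\blsass(\.exe)?\b", cmd):
        return "credential-dumping: ProcDump targeting LSASS"
    if exe == "netscan.exe":
        return "recon: SoftPerfect NetScan execution"
    if any(tag in exe for tag in RAT_IMAGE_TAGS) and ev["host"] not in APPROVED_RAT_HOSTS:
        return f"unauthorized remote-access tool: {exe}"
    return ""

def scan(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (host, timestamp, label) for every event that matched a rule."""
    alerts = []
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        label = classify(ev)
        if label:
            alerts.append((ev["host"], ev["ts"], label))
    return alerts

if __name__ == "__main__":
    for host, ts, label in scan(SAMPLE_LOG):
        print(f"{ts} {host}: {label}")
```

The AnyDesk launch on HELPDESK-01 is deliberately not flagged, which is the point of keeping an allowlist rather than alerting on the tool name alone.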

Disclaimer

This intelligence report is based on unverified claims posted by the Everest ransomware group on their dark web leak site. Yazoul Security has not independently confirmed the attack, data exfiltration, or any ransom demands. Ransomware groups routinely fabricate or exaggerate claims to pressure victims. All information should be treated as preliminary and subject to verification through official channels or third-party incident response. No PII, credentials, download links, or access methods are provided in this report.
