

The Everest ransomware gang has struck again, this time targeting sportswear giant Under Armour in a cyberattack that exposed sensitive information from tens of millions of customers worldwide.

The breach, which occurred in November 2025, involved hackers stealing 343 GB of company data before issuing ultimatum demands.

On Jan. 21, Have I Been Pwned reported that customer data from the incident was published publicly on a popular hacking forum, including 72 million email addresses. Many records also contained additional personal information such as names, dates of birth, genders, geographic locations, and purchase information.

Meet the Everest gang

The Everest ransomware group has emerged as one of the most prolific cybercriminal organizations, with Under Armour representing just their latest high-profile conquest. Operating since December 2020, the gang has evolved from simple ransomware attacks into a sophisticated criminal enterprise that also functions as an Initial Access Broker, selling network access to other hackers.

Their recent victim list reads like a Fortune 500 directory: Coca-Cola Europacific Partners, AT&T, Collins Aerospace, and the Abu Dhabi Department of Culture and Tourism have all fallen prey to Everest's operations. These aren't opportunistic attacks; they represent calculated strikes against global infrastructure that generates billions in combined revenue.

The group's technical sophistication becomes clear when examining their methods. Everest operatives use remote access tools like AnyDesk and Splashtop for command and control, while commonly exploiting weak or stolen credentials for initial network penetration. When they do deploy ransomware, victims find their data encrypted using AES and DES algorithms, with compromised files bearing the distinctive '.EVEREST' extension.
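The indicators in this paragraph (AnyDesk or Splashtop running where it is not sanctioned, and files renamed to '.EVEREST') can be turned into a simple endpoint hunt. The sketch below is an added example, not code from the article or from any vendor; the JSON event schema, host names, allowlist and thresholds are assumptions, and the sample events are constructed.

```python
import json
from collections import defaultdict, deque

RMM_MARKERS = ("anydesk", "splashtop")  # remote access tools named in the article
RANSOM_EXT = ".everest"                 # extension named in the article
WINDOW_S, BURST = 60, 3                 # assumed thresholds: 3 renames within 60 s
APPROVED_RMM_HOSTS = {"helpdesk-01"}    # assumed allowlist of sanctioned RMM hosts

def detect(lines):
    """Return (ts, host, rule) alerts, in time order, for JSON event lines."""
    alerts, renames, fired = [], defaultdict(deque), set()
    events = sorted((json.loads(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    for e in events:
        host = e["host"]
        if e["type"] == "process":
            image = e["image"].lower()
            if any(m in image for m in RMM_MARKERS) and host not in APPROVED_RMM_HOSTS:
                alerts.append((e["ts"], host, "unapproved_remote_access_tool"))
        elif e["type"] == "file_rename" and e["new_path"].lower().endswith(RANSOM_EXT):
            q = renames[host]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > WINDOW_S:  # drop renames outside the window
                q.popleft()
            if len(q) >= BURST and host not in fired:  # alert once per host
                fired.add(host)
                alerts.append((e["ts"], host, "everest_rename_burst"))
    return alerts

# Constructed sample events (hypothetical schema, not real telemetry)
SAMPLE = r"""
{"ts": 100, "host": "helpdesk-01", "type": "process", "image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe"}
{"ts": 200, "host": "fin-ws-07", "type": "process", "image": "C:\\Users\\Public\\AnyDesk.exe"}
{"ts": 900, "host": "fin-ws-07", "type": "file_rename", "new_path": "D:\\share\\q1.xlsx.EVEREST"}
{"ts": 905, "host": "fin-ws-07", "type": "file_rename", "new_path": "D:\\share\\q2.xlsx.EVEREST"}
{"ts": 910, "host": "fin-ws-07", "type": "file_rename", "new_path": "D:\\share\\q3.xlsx.EVEREST"}
{"ts": 915, "host": "fin-ws-07", "type": "file_rename", "new_path": "D:\\share\\q4.xlsx.EVEREST"}
{"ts": 1000, "host": "dev-03", "type": "file_rename", "new_path": "C:\\tmp\\notes.everest"}
{"ts": 2000, "host": "dev-03", "type": "file_rename", "new_path": "C:\\tmp\\todo.everest"}
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

A rename burst on a host that earlier raised the remote-access alert, as with the constructed `fin-ws-07` here, is the combination to prioritise for triage.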

The gang posted their Under Armour breach claims on Nov. 16, 2025, giving the company just seven days to establish contact through encrypted messaging before threatening to release all stolen information.

As the Everest gang continues expanding their criminal empire with increasingly sophisticated attacks, this incident serves as a stark reminder that no organization remains immune to determined cybercriminals operating in today's digital landscape.

Stay safe

While the massive scale of exposed data grabs headlines, cybersecurity experts warn the real threat lies in what comes next.

George Foley, ESET Ireland security spokesperson, said, “When a well-known consumer brand is linked to a major leak, criminals move fast. They don’t stop at the data that was taken. They use it to create believable follow-up emails, texts, and even phone calls that look like they’re coming from the company involved. The aim is to trick people into handing over more information, clicking a link, resetting a password through a fake page, or sharing payment details.”

ESET Ireland said consumers should treat any unexpected message claiming to be from Under Armour, or referencing an account issue, delivery problem, refund, loyalty points, or “security verification”, as suspicious until confirmed otherwise.

Foley added, “If you get a message that pressures you to act quickly, that is a red flag. Go directly to the company’s official website or app yourself, rather than using links in messages. And if you reused the same password anywhere else, change those accounts first. Password reuse turns one leak into multiple compromises.”

ESET Ireland consumer guidance includes reviewing password hygiene and enabling multifactor authentication where available, being cautious about calls or texts that reference personal details, and expecting highly personalized phishing attempts that use known data points to sound credible.
