
Jan 23, 2026 · 5 min read

The Everest Ransomware Gang Just Hit Under Armour, Nissan, and McDonald's in One Month

A prolific threat actor is attacking major brands and leaking millions of customer email addresses. Here's what you need to know.

In the span of a single month, the Everest ransomware gang has claimed attacks against Under Armour, Nissan Motor Corporation, McDonald's India, and several other organizations. The group operates one of the most sophisticated cybercrime operations in existence, combining ransomware extortion with a network access brokerage and an insider recruitment program. When Everest attacks, customer email addresses are often among the first things exposed.

Recent Attack Spree

The attacks have come in rapid succession:

  • Under Armour (November 2025, leaked January 18, 2026): 72.7 million customer accounts compromised, including email addresses, names, purchase history, and location data
  • Nissan Motor Corporation (January 10, 2026): The group claims to have exfiltrated 900 GB of data, with sample images posted as proof
  • McDonald's India (January 20, 2026): Everest alleges 861 GB of customer and internal company files were stolen
  • Bolttech and Ciena Corporation (January 20-21, 2026): Additional victims added to the group's leak site

Healthcare, technology, and business services are among Everest's most targeted sectors, with the United States being the most affected country. The gang has claimed 82 US-based victims since emerging in December 2020.

How Everest Operates

Everest runs three distinct revenue streams, making it more resilient and dangerous than typical ransomware operations:

  • Double extortion ransomware: The group encrypts victim data while also stealing it. If the ransom is not paid, stolen data gets published on their dark web leak site
  • Network access brokerage: Everest sells access to compromised networks to other criminal groups, extending the damage beyond their own attacks
  • Insider recruitment: Since October 2023, the gang actively recruits corporate insiders, offering cash payments or profit sharing in exchange for access credentials

This Russian-speaking operation evolved from simple data exfiltration to full ransomware capabilities by early 2021, using hybrid AES and DES encryption. Their tactics continue to evolve, incorporating new methods to breach corporate networks and evade detection.

Why Email Addresses Matter

In every major Everest breach, email addresses appear among the stolen data. This is not coincidental. Email addresses serve multiple purposes for cybercriminals:

  • They enable targeted phishing campaigns using information from the breach to craft convincing scam emails
  • They can be sold to spam operators and other criminal groups
  • They allow credential stuffing attacks, where stolen email and password combinations from other breaches are tested against new accounts
  • They provide a way to contact victims directly for secondary extortion attempts

When Everest publishes a data dump, the 72 million Under Armour customers or the unknown number of Nissan and McDonald's customers become targets for countless subsequent attacks.
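
Credential stuffing, as described in the list above, leaves a recognizable shape in a login service's logs: one source tries many different accounts and most attempts fail. The following is an added example, not part of the original article, that flags that pattern; the log format, thresholds, and function name are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed login events for one 10-minute window (not real data):
# timestamp, source IP, account email, outcome
SAMPLE_LOG = """\
2026-01-22T10:00:01Z 203.0.113.7 alice@example.com FAIL
2026-01-22T10:00:02Z 203.0.113.7 bob@example.com FAIL
2026-01-22T10:00:03Z 203.0.113.7 carol@example.com OK
2026-01-22T10:00:04Z 203.0.113.7 dave@example.com FAIL
2026-01-22T10:00:05Z 203.0.113.7 erin@example.com FAIL
2026-01-22T10:00:06Z 203.0.113.7 frank@example.com FAIL
2026-01-22T10:01:10Z 198.51.100.4 grace@example.com FAIL
2026-01-22T10:01:25Z 198.51.100.4 grace@example.com OK
2026-01-22T10:02:00Z 192.0.2.9 heidi@example.com FAIL
2026-01-22T10:02:01Z 192.0.2.9 heidi@example.com FAIL
2026-01-22T10:02:02Z 192.0.2.9 heidi@example.com FAIL
"""


def find_stuffing_sources(log, min_accounts=5, min_fail_ratio=0.8):
    """Flag source IPs whose logins look like credential stuffing.

    Heuristic (thresholds are illustrative assumptions): one source tries
    many distinct accounts and most attempts fail. A user mistyping a
    password, or a brute-force run against one account, touches too few
    accounts to match.
    """
    per_ip = defaultdict(lambda: defaultdict(list))
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than crash the detector
        _ts, ip, email, outcome = fields
        per_ip[ip][email.lower()].append(outcome == "OK")

    flagged = {}
    for ip, accounts in per_ip.items():
        attempts = [ok for results in accounts.values() for ok in results]
        fail_ratio = attempts.count(False) / len(attempts)
        if len(accounts) >= min_accounts and fail_ratio >= min_fail_ratio:
            flagged[ip] = {
                "accounts_tried": len(accounts),
                "fail_ratio": round(fail_ratio, 2),
                # Accounts where a reused password worked: reset these first.
                "compromised": sorted(e for e, r in accounts.items() if any(r)),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, info)
```

The one successful login inside a flagged run is the account whose password was reused from another breach, which is why unique passwords limit the damage.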

The Corporate Silence Problem

One pattern across these attacks is troubling: corporate silence. Under Armour has not issued a public breach notification despite the attack occurring in November and data being leaked in January. When companies stay quiet, customers remain unaware that their data has been compromised.

Troy Hunt, who runs Have I Been Pwned, expressed surprise at Under Armour's lack of disclosure given the breach's scale. Without notification, affected customers cannot take appropriate protective measures until security researchers or journalists expose the breach.

Protecting Yourself

When threat groups like Everest operate at this scale, individual defensive measures matter more than ever:

  • Monitor Have I Been Pwned and similar breach notification services for your email addresses
  • Use unique passwords for every account so one breach does not compromise multiple services
  • Enable two-factor authentication on all important accounts
  • Treat any unexpected email from companies you do business with as potentially suspicious, especially if it references past purchases or personal details
  • Assume that companies you have shopped with have been or will be breached. This is not paranoia. It is reality

Ransomware gangs like Everest are not going away. As long as companies pay ransoms or fail to protect customer data, the attacks will continue. Your job is to minimize the damage when your data inevitably ends up in a breach.