The notorious Everest Ransomware group has made waves with a bold public announcement, claiming responsibility for a massive data breach involving American apparel giant Under Armour.
According to the group, they have successfully stolen a staggering 340 GB of sensitive data from the company, and they’ve set a strict deadline of just seven days for Under Armour to pay the ransom. Failure to meet this demand will result in the stolen data being sold on the dark web, the criminal group warns.
What Was Stolen?
The Everest Ransomware group has outlined the types of data they allegedly obtained from Under Armour. The stolen information includes a variety of sensitive customer data, such as:
i) Personal Identification Information: Email addresses, phone numbers, and physical location data.
ii) Sensitive Documents: Customer passport details, gender information, and purchase histories.
iii) Internal Company Data: Information about the company’s products, including details about SKUs (Stock Keeping Units), as well as internal marketing and sales data.
While the exact methods of the breach remain unclear, the nature of the stolen data raises several questions. For instance, it’s puzzling why Under Armour would store such sensitive personal information—such as passport details and precise location data—on its systems, particularly when customers are simply shopping online. This highlights potential security gaps in how the company handles consumer data.
The Evolution of Everest Ransomware
Emerging from the notorious BlackByte ransomware family, Everest Ransomware first appeared on the cybercrime scene in 2020. Known for its sophisticated attacks, Everest initially targeted businesses using a powerful combination of AES (Advanced Encryption Standard) and DES (Data Encryption Standard) encryption.
The group quickly made its mark by launching ransomware attacks on a variety of industries, but in September 2023, it evolved into a more dangerous threat by adopting the practice of double extortion.
Double extortion involves not only encrypting the victim’s data but also threatening to release it publicly unless the ransom is paid. This added layer of pressure has made Everest—and similar ransomware groups—significantly more dangerous to businesses and organizations worldwide.
Interestingly, Everest Ransomware employs encryption code written in Russian, which suggests a calculated effort to avoid targeting Russian-speaking countries or former Soviet states like Belarus. This could be an attempt to evade detection by law enforcement agencies in these regions, or possibly even an indication of the group’s geographic or political motivations.
The Ransom Payment: Monero vs. Bitcoin
As is typical with ransomware attacks, the Everest group demands payment in cryptocurrency. However, unlike many other cybercriminal groups, Everest specifically requests payment in Monero (XMR). This is a cryptocurrency known for its enhanced privacy features, which make it far more difficult to trace than Bitcoin (BTC).
The shift to Monero highlights the growing sophistication of ransomware operations: because Bitcoin transactions are recorded on a public ledger, law enforcement agencies worldwide have developed increasingly capable tools to trace them, leading cybercriminals to move to cryptocurrencies that offer a higher level of anonymity.
The Impact on Under Armour
The breach poses significant risks for Under Armour, particularly in light of the sensitive customer data that has reportedly been compromised. If the ransom is not paid, the stolen data could be exposed on the dark web, where it could be used for identity theft, fraud, or other malicious purposes. Furthermore, the leak of internal company data could severely damage Under Armour’s reputation and give competitors insight into its business strategies.
As of now, Under Armour has not publicly commented on the breach, but cybersecurity experts will be closely watching the situation to see how the company responds to the threat.
(Sources: Cybersecurity insider)
