Everest Ransomware Group Claims Nissan Data Breach and Extortion Deadline
The Everest ransomware group claimed it breached Nissan Motor Corporation and stole data, posting alleged proof on its dark web leak site. The actors shared six screenshots and a directory listing that appear to show internal file storage and records, including documents and data extracts in formats such as .csv, .txt, and .xls (with additional file types like .pgp referenced). The material shown includes references to dealership information, certification reports, and claims processing; one screenshot reportedly shows a spreadsheet with dealership names and locations. Everest issued Nissan a five-day ultimatum to respond, threatening to publish the allegedly stolen data if the company does not engage.
The screenshots do not visibly expose sensitive personal data, but the folder names and file types suggest access to operational systems and internal documentation that could enable further exploitation or data mining. Reporting also contextualized the claim against Nissan’s prior exposure to ransomware activity, including a 2025 claim by Qilin involving a Nissan-related entity, underscoring continued targeting of large automotive organizations by extortion-focused groups.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Nissan says alleged breach stemmed from third-party vendor incident
Nissan Motor Co. said the reported breach claims were linked to a cyber incident at a third-party vendor rather than Nissan's internal environment. The company added that its internal systems and customer data were not affected.
ASEC roundup cites Everest attack on major Japanese automaker
AhnLab ASEC's weekly dark web roundup noted an Everest ransomware attack against a major Japanese automobile manufacturing and sales company, consistent with the Nissan claim. This reflected broader security-industry reporting of the incident in mid-January.
Nissan had not publicly responded as reports emerged
By the time media reports were published, Nissan had not issued a public response to Everest's allegations. Coverage on January 12 and January 13 repeated the same claimed breach and extortion deadline without confirming the intrusion independently.
Everest gives Nissan a five-day deadline to respond
Alongside its breach claim, Everest reportedly demanded that Nissan respond within five days or the group would publish the allegedly stolen data. The visible screenshots suggested access to dealership, reporting, and operational records, though no clear sensitive personal data was exposed in the images.
Everest posts Nissan breach claim on leak site
On its dark web leak site, the Everest ransomware group claimed it had breached Nissan Motor Corporation. The post included six screenshots and a directory listing purportedly showing Nissan-related internal files and folders.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
teiss - News - Nissan says alleged data breach linked to third-party vendor, not internal systems
teiss.co.uk
Open sourceRansom & Dark Web Issues Week 2, January 2026 - ASEC
asec.ahnlab.com
Open sourceEverest ransomware group claims Nissan breach, demands response | SC Media
scworld.com
Open sourceEverest Ransomware Claims Breach at Nissan, Says 900GB of Data Stolen
hackread.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Everest Ransomware Claims Third-Party Data Theft at Citizens Financial and Frost Bank
The Everest ransomware operation claimed it stole data tied to **Citizens Financial Group** and **Frost Bank** and threatened to publish the information after listing both institutions on its leak site. Reports said Everest alleged it held nearly **3.4 million** Citizens-related records from a SQL database dump and about **250,000** Frost customer records, with sample data purportedly including personal and financial information. The gang gave the organizations a short deadline before release and framed the incident as part of its broader double-extortion campaign. Both banks said their own internal networks were not directly compromised and attributed the exposure to a **third-party vendor**. Citizens said the material involved mostly **masked test data** with only limited real customer information, while Frost said it had brought in external cybersecurity experts to investigate. The activity was linked to Everest, a Russia-linked ransomware-as-a-service group that has previously targeted major enterprises including Nissan, Collins Aerospace, Iberia Airlines, Under Armour, and BMW.
May 28, 2026
Ransomware and Data-Extortion Claims Targeting Luxshare, McDonald’s India, and US Healthcare Providers
**Ransomware and data-extortion activity** was reported across multiple sectors, with threat actors using leak sites to pressure victims and amplify impact. The **RansomHub** ransomware-as-a-service operation claimed it breached Chinese manufacturer **Luxshare** and stole sensitive manufacturing and R&D archives allegedly tied to major technology firms (including Apple, Nvidia, Tesla, and LG). The posted sample was described as containing engineering artifacts such as **3D CAD/Parasolid files, PCB manufacturing data, and engineering documentation**, plus some project-related PII; the breach had not been independently confirmed at the time of reporting. Separately, the **Everest** ransomware group claimed it breached **McDonald’s India**, alleging exfiltration of **861 GB** of internal documents and customer personal data and threatening publication if demands were not met; McDonald’s India had not confirmed the claim. In US healthcare, **Valley Eye Associates** confirmed a ransomware incident with **data exfiltration** during a short intrusion window, while **Qilin** publicly claimed responsibility and alleged **139 GB** stolen and posted—suggesting a non-payment outcome. A related but distinct development involved healthcare IT vendor **Veradigm**, which agreed to a **$10.5M** settlement tied to a prior (2024) breach affecting **2+ million** patients, underscoring ongoing legal and financial exposure following large-scale patient-data compromises.
Mar 21, 2026
Ransomware Groups Claim Data-Theft Attacks Against Major Sportswear Brands
**Under Armour** customer data tied to an **Everest** ransomware intrusion was added to *Have I Been Pwned*, including **~72 million email addresses** and additional fields such as names, birthdates, gender, purchase details, and location information. Reporting notes Everest previously claimed theft of **343 GB** from Under Armour and threatened public release if negotiations did not occur; commentary also highlighted the downstream risk of exposed data enabling targeted phishing and social engineering, and described Everest as expanding beyond encryption into **initial access brokering** using remote access tools and weak credentials. Separately, **Nike** was listed by the **WorldLeaks** ransomware/extortion group on its darknet leak site, with the actor claiming data exfiltration and threatening to publish stolen data. Nike publicly stated it is **investigating a potential cybersecurity incident**, while the attacker’s post provided limited verifiable detail and the total volume of data remains unconfirmed; the report alleged exposure could include internal documentation and customer/employee information, and described WorldLeaks as an **extortion-only** rebrand of *Hunters International* focused on data theft rather than file encryption.
Mar 21, 2026