Ransomware and Data-Extortion Claims Targeting Luxshare, McDonald’s India, and US Healthcare Providers
Ransomware and data-extortion activity was reported across multiple sectors, with threat actors using leak sites to pressure victims and amplify impact. The RansomHub ransomware-as-a-service operation claimed it breached Chinese manufacturer Luxshare and stole sensitive manufacturing and R&D archives allegedly tied to major technology firms (including Apple, Nvidia, Tesla, and LG). The posted sample was described as containing engineering artifacts such as 3D CAD/Parasolid files, PCB manufacturing data, and engineering documentation, plus some project-related PII; the breach had not been independently confirmed at the time of reporting.
Separately, the Everest ransomware group claimed it breached McDonald’s India, alleging exfiltration of 861 GB of internal documents and customer personal data and threatening publication if demands were not met; McDonald’s India had not confirmed the claim. In US healthcare, Valley Eye Associates confirmed a ransomware incident with data exfiltration during a short intrusion window, while Qilin publicly claimed responsibility and alleged 139 GB stolen and posted—suggesting a non-payment outcome. A related but distinct development involved healthcare IT vendor Veradigm, which agreed to a $10.5M settlement tied to a prior (2024) breach affecting 2+ million patients, underscoring ongoing legal and financial exposure following large-scale patient-data compromises.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Qilin claimed Valley Eye Associates attack and leaked data
By the time Valley Eye Associates disclosed its ransomware incident, the Qilin ransomware group had claimed responsibility, said no ransom was paid, and published allegedly stolen data totaling 139 GB. Valley Eye Associates said it was still determining which data was affected and planned to notify impacted individuals after completing its review.
Everest posted alleged McDonald's India breach claim
On January 20, 2026, the Everest ransomware group claimed on its dark web leak site that it had breached McDonald's India and exfiltrated 861 GB of data. The group threatened to publish the material if the company did not respond by its stated deadline, though the breach had not been confirmed by the company.
Imperial Beach clinic completed review of affected files
On December 30, 2025, Imperial Beach Community Clinic completed its review of files tied to the email compromise. The clinic concluded that patient and insurance-related data elements may have been acquired and notified the California Attorney General.
RansomHub allegedly breached Luxshare and stole design data
RansomHub claimed that it breached Chinese electronics manufacturer Luxshare on December 15, 2025, stealing sensitive manufacturing and R&D archives. The allegedly stolen material included CAD and engineering design files, printed circuit board data, and project information tied to Apple-related work.
Valley Eye Associates suffered a ransomware intrusion
Around October 8, 2025, attackers accessed Valley Eye Associates' network for roughly one day and exfiltrated files containing sensitive patient data. The Wisconsin practice said it engaged third-party cybersecurity specialists to investigate the incident.
Unauthorized access at Imperial Beach clinic ended
Imperial Beach Community Clinic said the unauthorized access to certain email accounts lasted until May 2, 2025. The exposed information may have included patient and insurance-related data elements.
Imperial Beach clinic discovered its email-environment compromise
On April 15, 2025, Imperial Beach Community Clinic discovered unauthorized access in its email environment. The incident was later determined to have involved certain email accounts over a multi-month period.
Imperial Beach clinic email accounts were first compromised
Imperial Beach Community Clinic reported that unauthorized access to certain email accounts began on February 4, 2025. The compromise affected its email environment and later raised concerns that patient and insurance-related information may have been acquired.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Tech giants’ data possibly exposed in RansomHub-claimed Luxshare hack | SC Media
scworld.com
Open sourceEverest Ransomware Group Allegedly Claims to Have Breached McDonald's India
cybersecuritynews.com
Open sourceValley Eye Associates Confirms Patient Data Stolen in Ransomware Attack
hipaajournal.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Everest Ransomware Extortion Claims Target McDonald’s India and Under Armour
The **Everest** ransomware group publicly claimed two separate victim intrusions, alleging large-scale data theft and using leak-site pressure tactics. Everest posted that it breached **McDonald’s India**, claiming exfiltration of **861 GB** of customer data and internal documents and sharing screenshots purportedly showing financial reports, audit trails, pricing data, internal communications, and month-by-month directories suggestive of access to accounting/ERP systems. The leak claim also referenced a “Contact Database” spreadsheet with personal and business details of investors/partners across multiple countries and store-level operational data (e.g., manager names and contact numbers), alongside a short deadline for the company to respond. Separately, **Have I Been Pwned (HIBP)** reported ingesting files allegedly leaked by an Everest member that impacted **72.7 million Under Armour accounts**, with exposed fields including names, email addresses, dates of birth, gender, location, and purchase-related details; Everest additionally claimed other data types (e.g., phone numbers, addresses, loyalty details) and had previously threatened publication unless a ransom was paid. Under Armour had not publicly acknowledged the alleged incident at the time of reporting, and a proposed class action lawsuit was filed following Everest’s initial leak-site posting. A third report about **RansomHub** claiming an intrusion at Apple partner **Luxshare** describes a different ransomware operation and does not appear connected to the Everest claims.
Mar 21, 2026
Ransomware and data-extortion incidents drive new breach disclosures across healthcare, aviation, and hospitality
Multiple organizations disclosed or were linked to **ransomware/data-extortion** activity with material operational or privacy impact. **Air Côte d’Ivoire** confirmed a cyberattack affecting parts of its information systems after **INC ransomware** claimed theft of **208 GB** and threatened to leak data, while the airline said it engaged the national CERT and external experts to contain impact and maintain flight operations. In the US healthcare sector, **University of Mississippi Medical Center (UMMC)** reported a ransomware incident that forced statewide clinic closures and disrupted access to **Epic** electronic medical records, prompting engagement with the **FBI** and **CISA** and use of downtime procedures to sustain patient care. Separately, **Conduent**’s earlier ransomware-linked breach continued to expand in scope, with breach notifications indicating at least **~25 million** people affected across multiple states and exposure of sensitive PII (including **SSNs** and health/insurance data). **Wynn Resorts** also confirmed an unauthorized party accessed and stole employee data after being listed by the **ShinyHunters** extortion group, with the company stating the actor claimed the data was deleted and that guest operations were not impacted. Other items in the set describe distinct, unrelated security events and broader threat research rather than the same incident: alleged data leaks involving **Burger King France** and **Wendy’s UK**; **Qilin** ransomware claims against a New York City transit union; Russian cyber operations against Ukraine’s power grid focused on intelligence collection; and a New Zealand healthcare application (**MediMap**) taken offline after apparent unauthorized access and **patient record tampering** (e.g., records marked deceased). Additional references cover threat research and trends (airline brand impersonation domains, edge-device exploitation telemetry, MuddyWater’s *Operation Olalampo*, Google Ads cloaking via **1Campaign**, freight/logistics phishing by “Diesel Vortex,” and various governance/AI/5G/quantum commentary), which provide context on the threat environment but do not substantively report on the same specific breach event.
Mar 21, 2026
RansomHub Claims Breach of Apple Supplier Luxshare With Alleged Leak of Engineering and Supply-Chain Data
Apple manufacturing partner **Luxshare Precision Industry** was reportedly hit by a ransomware incident involving data theft and extortion, with internal documents allegedly published to pressure payment. Reporting indicates the exposed materials include sensitive operational information tied to Luxshare’s role in Apple’s supply chain (e.g., production workflows, security procedures, and supply-chain protocols), raising concerns about downstream risk to Apple-related manufacturing and repair operations. *Help Net Security* reports the **RansomHub** ransomware-as-a-service operation claimed responsibility, alleging affiliates stole and encrypted data and posted proof on its leak site. The group claimed the stolen archives include **3D CAD models**, engineering design/documentation, **2D manufacturing drawings**, and **PCB design/manufacturing data**, and asserted the data set contains information related to multiple Luxshare customers (including Apple and other major technology/automotive firms); third-party researchers cited in the report said the leak appears to include confidential Apple-Luxshare repair and shipping project details, while Luxshare had not publicly confirmed the breach at the time of reporting.
Mar 21, 2026