Everest Ransomware Extortion Claims Target McDonald’s India and Under Armour
The Everest ransomware group publicly claimed two separate victim intrusions, alleging large-scale data theft and using leak-site pressure tactics. Everest posted that it breached McDonald’s India, claiming exfiltration of 861 GB of customer data and internal documents and sharing screenshots purportedly showing financial reports, audit trails, pricing data, internal communications, and month-by-month directories suggestive of access to accounting/ERP systems. The leak claim also referenced a “Contact Database” spreadsheet with personal and business details of investors/partners across multiple countries and store-level operational data (e.g., manager names and contact numbers), alongside a short deadline for the company to respond.
Separately, Have I Been Pwned (HIBP) reported ingesting files allegedly leaked by an Everest member that impacted 72.7 million Under Armour accounts, with exposed fields including names, email addresses, dates of birth, gender, location, and purchase-related details; Everest additionally claimed other data types (e.g., phone numbers, addresses, loyalty details) and had previously threatened publication unless a ransom was paid. Under Armour had not publicly acknowledged the alleged incident at the time of reporting, and a proposed class action lawsuit was filed following Everest’s initial leak-site posting. A third report about RansomHub claiming an intrusion at Apple partner Luxshare describes a different ransomware operation and does not appear connected to the Everest claims.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
HIBP ingests alleged Under Armour leak affecting 72.7 million accounts
By January 21, 2026, Have I Been Pwned had ingested the files leaked on January 18 and reported that 72.7 million Under Armour accounts were affected. HIBP said the exposed records contained personal and purchase-related information from the alleged ransomware-linked leak.
Everest claims breach of McDonald's India on leak site
On January 20, 2026, Everest posted McDonald's India on its dark web leak site, alleging it had exfiltrated 861 GB of customer data and internal company documents. The group shared screenshots and set a two-day deadline for the company to respond, while McDonald's India had not publicly commented at the time of reporting.
Everest member leaks alleged Under Armour data on a cybercrime forum
On January 18, 2026, files allegedly tied to the Under Armour incident were leaked by an Everest member via a cybercrime forum. The leaked data was later described as including names, email addresses, dates of birth, genders, geographic locations, and previous purchase details.
Everest posts Under Armour on its leak site and threatens data release
About two months before January 21, 2026, the Everest ransomware group added Under Armour to its leak site, claiming to have stolen data and threatening to publish it unless an undisclosed ransom was paid within seven days. The posting prompted a proposed class action lawsuit by a law firm on behalf of an Under Armour customer.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Ransomware and Data-Extortion Claims Targeting Luxshare, McDonald’s India, and US Healthcare Providers
**Ransomware and data-extortion activity** was reported across multiple sectors, with threat actors using leak sites to pressure victims and amplify impact. The **RansomHub** ransomware-as-a-service operation claimed it breached Chinese manufacturer **Luxshare** and stole sensitive manufacturing and R&D archives allegedly tied to major technology firms (including Apple, Nvidia, Tesla, and LG). The posted sample was described as containing engineering artifacts such as **3D CAD/Parasolid files, PCB manufacturing data, and engineering documentation**, plus some project-related PII; the breach had not been independently confirmed at the time of reporting. Separately, the **Everest** ransomware group claimed it breached **McDonald’s India**, alleging exfiltration of **861 GB** of internal documents and customer personal data and threatening publication if demands were not met; McDonald’s India had not confirmed the claim. In US healthcare, **Valley Eye Associates** confirmed a ransomware incident with **data exfiltration** during a short intrusion window, while **Qilin** publicly claimed responsibility and alleged **139 GB** stolen and posted—suggesting a non-payment outcome. A related but distinct development involved healthcare IT vendor **Veradigm**, which agreed to a **$10.5M** settlement tied to a prior (2024) breach affecting **2+ million** patients, underscoring ongoing legal and financial exposure following large-scale patient-data compromises.
Mar 21, 2026
Ransomware Groups Claim Data-Theft Attacks Against Major Sportswear Brands
**Under Armour** customer data tied to an **Everest** ransomware intrusion was added to *Have I Been Pwned*, including **~72 million email addresses** and additional fields such as names, birthdates, gender, purchase details, and location information. Reporting notes Everest previously claimed theft of **343 GB** from Under Armour and threatened public release if negotiations did not occur; commentary also highlighted the downstream risk of exposed data enabling targeted phishing and social engineering, and described Everest as expanding beyond encryption into **initial access brokering** using remote access tools and weak credentials. Separately, **Nike** was listed by the **WorldLeaks** ransomware/extortion group on its darknet leak site, with the actor claiming data exfiltration and threatening to publish stolen data. Nike publicly stated it is **investigating a potential cybersecurity incident**, while the attacker’s post provided limited verifiable detail and the total volume of data remains unconfirmed; the report alleged exposure could include internal documentation and customer/employee information, and described WorldLeaks as an **extortion-only** rebrand of *Hunters International* focused on data theft rather than file encryption.
Mar 21, 2026
Under Armour Investigates Everest Ransomware Data Leak Affecting 72M Customers
Under Armour said it is investigating claims that an unauthorized party obtained customer data after a dataset tied to the company was posted to a hacker forum and subsequently ingested by breach-notification services. **Have I Been Pwned** reported obtaining a copy of the data and notifying roughly **72 million** individuals; the exposed information reportedly includes names, email addresses, gender, date of birth, approximate location (postcode/ZIP-derived), and purchase-related data, and also contains numerous Under Armour employee email addresses. Under Armour stated there is currently **no evidence** the incident affected *UA.com* or systems used to process payments or store customer passwords, while noting that the portion of customers with “sensitive” information impacted is believed to be small. Multiple reports tie the leak to a **November 2025** intrusion claimed by the **Everest** ransomware group, which alleged Under Armour failed to meet a negotiation deadline and that the data was then published and redistributed across forums and leak sites. One account describes the theft as involving **343 GB** of company data and indicates the forum-posted dataset includes **72 million email addresses** plus additional PII and purchase information; another report cites a much larger dataset claim (over **191 million records** with ~**72.7 million** unique email addresses) and notes a US class action lawsuit alleging negligence and large-scale exfiltration, including potential employee data. Reporting also reiterates Everest’s typical tradecraft, including credential-based access and use of remote access tooling (e.g., *AnyDesk*, *Splashtop*), though Under Armour has not publicly confirmed the intrusion vector or the full scope of data exfiltration.
Mar 21, 2026