Everest Ransomware Claims Third-Party Data Theft at Citizens Financial and Frost Bank
The Everest ransomware operation claimed it stole data tied to Citizens Financial Group and Frost Bank and threatened to publish the information after listing both institutions on its leak site. Reports said Everest alleged it held nearly 3.4 million Citizens-related records from a SQL database dump and about 250,000 Frost customer records, with sample data purportedly including personal and financial information. The gang gave the organizations a short deadline before release and framed the incident as part of its broader double-extortion campaign.
Both banks said their own internal networks were not directly compromised and attributed the exposure to a third-party vendor. Citizens said the material involved mostly masked test data with only limited real customer information, while Frost said it had brought in external cybersecurity experts to investigate. The activity was linked to Everest, a Russia-linked ransomware-as-a-service group that has previously targeted major enterprises including Nissan, Collins Aerospace, Iberia Airlines, Under Armour, and BMW.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Sefas discloses breach details and 191,848 Frost Bank customers affected
Sefas disclosed a data security incident involving unauthorized access to an SFTP server used for software support, with intermittent file downloads occurring between December 2025 and April 2026. Frost Bank reported to Texas regulators that at least 191,848 individuals were affected, and Sefas said the intrusion did not extend beyond the SFTP server and had ceased after April 16, 2026.
Everest threatens public release of allegedly stolen bank data
Everest's leak-site deadline indicated it would publish the allegedly stolen data from Frost Bank and Citizens Financial Group if its demands were not met. The threatened release date was set for April 26.
Banks say incident stemmed from third-party vendor, not internal networks
Frost Bank and Citizens Financial Group said the exposed data was tied to a third-party vendor rather than a compromise of their own internal systems. Citizens said most of the data was masked test data with limited real customer information, while Frost said it brought in external cybersecurity experts to investigate.
Everest lists Frost Bank and Citizens Financial Group on leak site
On its dark web leak site, the Everest ransomware operation claimed it had breached Frost Bank and Citizens Financial Group, posted sample data, and set a six-day deadline before full publication.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
teiss - News - Close to 200,000 Frost Bank customers affected by Sefas security breach
teiss.co.uk
Open sourceExtensive Citizens Financial Group, Frost Bank breaches claimed by Everest ransomware | brief | SC Media
scworld.com
Open sourceHackers target US banking giants Frost Bank and Citizens Bank | Cybernews
cybernews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Everest Ransomware Group Claims Nissan Data Breach and Extortion Deadline
The **Everest ransomware group** claimed it breached **Nissan Motor Corporation** and stole data, posting alleged proof on its dark web leak site. The actors shared **six screenshots** and a directory listing that appear to show internal file storage and records, including documents and data extracts in formats such as `.csv`, `.txt`, and `.xls` (with additional file types like `.pgp` referenced). The material shown includes references to dealership information, certification reports, and claims processing; one screenshot reportedly shows a spreadsheet with dealership names and locations. Everest issued Nissan a **five-day ultimatum** to respond, threatening to publish the allegedly stolen data if the company does not engage. The screenshots do not visibly expose sensitive personal data, but the folder names and file types suggest access to operational systems and internal documentation that could enable further exploitation or data mining. Reporting also contextualized the claim against Nissan’s prior exposure to ransomware activity, including a 2025 claim by **Qilin** involving a Nissan-related entity, underscoring continued targeting of large automotive organizations by extortion-focused groups.
Apr 7, 2026
Everest Ransomware Attack on Catalyst RCM Exposes Vikor Scientific Patient Data
**Everest ransomware** claimed responsibility for a breach tied to *Catalyst RCM*, a third-party medical billing/revenue cycle management provider, resulting in exposure of data associated with diagnostic firm **Vikor Scientific** (now operating as **Vanta Diagnostics**) and affiliated labs. Reporting indicates suspicious activity was detected in Catalyst RCM’s secure file system in November 2025, with investigation finding misuse of an authorized login to access a server and copy data without permission. The incident was reported as affecting roughly **139,964–140,000 individuals**, and Everest later posted the victim(s) to its Tor leak site and published allegedly stolen files after an apparent failure to reach payment. Stolen data described across reporting includes a mix of **personal, financial, and healthcare information**, potentially including names, dates of birth, payment card data, and medical/diagnosis details; Everest also claimed theft of specific datasets (e.g., tens of thousands of PDFs totaling multiple gigabytes). Catalyst RCM reviewed the exposed information to determine impacted individuals and support notification efforts. Separate reporting on a ransomware-driven clinic shutdown at the **University of Mississippi Medical Center** describes a different, unrelated incident with no confirmed linkage to Everest or Catalyst RCM.
Mar 21, 2026
Everest Ransomware Extortion Claims Target McDonald’s India and Under Armour
The **Everest** ransomware group publicly claimed two separate victim intrusions, alleging large-scale data theft and using leak-site pressure tactics. Everest posted that it breached **McDonald’s India**, claiming exfiltration of **861 GB** of customer data and internal documents and sharing screenshots purportedly showing financial reports, audit trails, pricing data, internal communications, and month-by-month directories suggestive of access to accounting/ERP systems. The leak claim also referenced a “Contact Database” spreadsheet with personal and business details of investors/partners across multiple countries and store-level operational data (e.g., manager names and contact numbers), alongside a short deadline for the company to respond. Separately, **Have I Been Pwned (HIBP)** reported ingesting files allegedly leaked by an Everest member that impacted **72.7 million Under Armour accounts**, with exposed fields including names, email addresses, dates of birth, gender, location, and purchase-related details; Everest additionally claimed other data types (e.g., phone numbers, addresses, loyalty details) and had previously threatened publication unless a ransom was paid. Under Armour had not publicly acknowledged the alleged incident at the time of reporting, and a proposed class action lawsuit was filed following Everest’s initial leak-site posting. A third report about **RansomHub** claiming an intrusion at Apple partner **Luxshare** describes a different ransomware operation and does not appear connected to the Everest claims.
Mar 21, 2026