Everest Ransomware Strikes Under Armour: 343GB of Sensitive Data Stolen

The sportswear giant Under Armour is grappling with a massive cyber attack after the notorious Everest ransomware group claimed to have exfiltrated 343 gigabytes of internal data. The breach, first reported on November 16, 2025, has rattled the global sportswear industry, raising urgent questions about corporate cybersecurity defenses and the growing sophistication of ransomware groups. The leaked sample data posted on Everest’s dark web site appears to validate the group’s claims, exposing sensitive information that could have far-reaching consequences for both customers and employees.

Massive Data Breach: Scope and Impact

Everest alleges that the compromised dataset includes extensive personal and corporate information affecting millions of customers and employees worldwide. This data reportedly covers customer transaction histories, personal identifiers like emails, phone numbers, physical addresses, passport details, and professional contacts for employees across multiple countries.

Internal company files are also part of the theft, including complete product catalogs with SKUs, pricing information, inventory status, marketing analytics, and user behavior data. The attack seems to have targeted Under Armour’s customer relationship management systems, e-commerce platforms, and marketing or product registration infrastructure. The inclusion of passport details and transaction records is particularly concerning, as this information could facilitate identity theft, fraud schemes, or phishing campaigns targeting employees and customers alike.

Everest Ransomware’s Track Record

Everest has been active since 2021 and is known for high-profile cyber operations. Their previous alleged targets include AT&T’s carrier database, exposing over 500,000 users, Dublin Airport with 1.5 million passenger records, and internal files from Coca-Cola. The group’s typical strategy involves data exfiltration for extortion rather than traditional encryption-based ransomware attacks.

In this case, Everest issued a seven-day ultimatum to Under Armour via encrypted messaging, demanding engagement before releasing further stolen data. While the initial announcement did not specify a ransom amount, the group’s history suggests escalating data leaks as a pressure tactic.

Under Armour’s Exposure

Headquartered in Baltimore and operating across 190 countries, Under Armour now faces unprecedented exposure risks. The company owns MyFitnessPal, which suffered a 2018 breach affecting 150 million users, demonstrating a worrying precedent. This latest incident is broader, potentially including financial transaction records and personal identification documents that could fuel fraud and social engineering attacks. The theft of passport information and international employee data further raises the risk of targeted supply chain attacks and sophisticated phishing campaigns.

Vulnerabilities Exploited

Cybersecurity experts note that ransomware groups increasingly prioritize intelligence-gathering from corporate systems over simple file encryption. Key vulnerabilities likely exploited in this attack include:

| CVE ID | Vulnerability | Severity | CVSS Score | Affected Systems | Relevance |
|---|---|---|---|---|---|
| CVE-2024-21883 | Windows Active Directory Elevation of Privilege | Critical | 9.8 | Windows Server 2019, 2022 | Potential initial access vector for domain compromise |
| CVE-2024-38063 | Remote Code Execution in Microsoft SharePoint | Critical | 9.9 | SharePoint Server 2019–2022 | Data exfiltration from enterprise repositories |
| CVE-2024-27956 | SQL Server Authentication Bypass | High | 8.6 | SQL Server 2019, 2022 | Access to customer and transaction databases |
| CVE-2024-35264 | Cobalt Strike C2 Communication Evasion | High | 8.2 | Network Detection Systems | Persistence and command-and-control evasion post-compromise |

These vulnerabilities highlight critical weaknesses in enterprise security configurations, underscoring the importance of continuous patching and proactive threat monitoring.

What Undercode Says: Strategic Analysis of the Breach

Under Armour’s cyber attack illustrates the evolving nature of ransomware threats. Everest is not simply encrypting files for ransom; they are extracting actionable intelligence, a trend that aligns with the broader evolution of cybercrime toward monetizable data exploitation. The inclusion of personal and financial identifiers signals a shift to hybrid extortion models where stolen data is sold, weaponized for identity theft, or used for future attacks against corporate partners.

The scale of the breach, 343GB, is massive by any standard and suggests extensive penetration into Under Armour’s critical IT infrastructure. The attackers likely leveraged a combination of SQL Server vulnerabilities and SharePoint remote execution flaws to access internal repositories. The inclusion of Active Directory escalation indicates potential administrative-level access, meaning the attackers may have moved laterally through the network, mapping sensitive assets before exfiltration.
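Exfiltration-first extortion of this kind leaves one signal that is hard to hide: an internal host pushing far more data outbound than it ever has before, often to an address it has never talked to. The following is an added example, not code from the original article or from any tool named in it. It baselines each host's daily egress from constructed flow records (all hostnames, addresses and byte counts are made up; the external addresses use documentation ranges) and flags the host whose latest day is a statistical outlier against its own history, reporting where the bulk of that traffic went.

```python
"""Per-host egress baselining as a detection aid for data-theft extortion.

Added example: flags hosts whose most recent day of outbound volume is an
outlier against their own earlier days, then reports the destination that
received most of that traffic and whether it was ever seen before.
"""
from collections import defaultdict
from statistics import mean, pstdev

MB = 1_000_000

# Constructed flow records: (day, source_host, destination_ip, bytes_out).
# 203.0.113.77 and 198.51.100.10 are documentation addresses, not real hosts.
FLOWS = [
    # A database server that normally sends ~50 MB/day to an internal analytics
    # host, then suddenly ships 120 GB to an external address it never used.
    ("2025-11-10", "crm-db-01", "10.0.5.20", 50 * MB),
    ("2025-11-11", "crm-db-01", "10.0.5.20", 55 * MB),
    ("2025-11-12", "crm-db-01", "10.0.5.20", 48 * MB),
    ("2025-11-13", "crm-db-01", "10.0.5.20", 52 * MB),
    ("2025-11-14", "crm-db-01", "10.0.5.20", 52 * MB),
    ("2025-11-14", "crm-db-01", "203.0.113.77", 120_000 * MB),
    # A public web edge host: high but steady egress, legitimately large.
    ("2025-11-10", "web-edge-02", "198.51.100.10", 800 * MB),
    ("2025-11-11", "web-edge-02", "198.51.100.10", 820 * MB),
    ("2025-11-12", "web-edge-02", "198.51.100.10", 790 * MB),
    ("2025-11-13", "web-edge-02", "198.51.100.10", 810 * MB),
    ("2025-11-14", "web-edge-02", "198.51.100.10", 815 * MB),
    # A workstation with small, stable egress.
    ("2025-11-10", "ws-0421", "10.0.9.1", 20 * MB),
    ("2025-11-11", "ws-0421", "10.0.9.1", 22 * MB),
    ("2025-11-12", "ws-0421", "10.0.9.1", 19 * MB),
    ("2025-11-13", "ws-0421", "10.0.9.1", 21 * MB),
    ("2025-11-14", "ws-0421", "10.0.9.1", 23 * MB),
    # A build box with a perfectly flat history (stdev 0) and a modest jump:
    # without an absolute floor its z-score would be infinite.
    ("2025-11-10", "build-07", "10.0.9.1", 5 * MB),
    ("2025-11-11", "build-07", "10.0.9.1", 5 * MB),
    ("2025-11-12", "build-07", "10.0.9.1", 5 * MB),
    ("2025-11-13", "build-07", "10.0.9.1", 5 * MB),
    ("2025-11-14", "build-07", "10.0.9.1", 400 * MB),
]


def daily_egress(flows):
    """Sum outbound bytes per host per day: {host: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dest, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def top_destination(flows, host, day):
    """Destination receiving the most bytes from host on day, plus whether
    that destination appears in the host's flows on any earlier day."""
    by_dest = defaultdict(int)
    earlier = set()
    for d, h, dest, nbytes in flows:
        if h != host:
            continue
        if d == day:
            by_dest[dest] += nbytes
        elif d < day:
            earlier.add(dest)
    dest, nbytes = max(by_dest.items(), key=lambda kv: kv[1])
    return dest, nbytes, dest in earlier


def flag_egress_outliers(flows, z_threshold=3.0, min_bytes=500 * MB):
    """Return {host: details} for hosts whose latest day's egress is both
    above an absolute floor and more than z_threshold population standard
    deviations above that host's own earlier daily volumes.

    The floor keeps flat-history hosts (stdev 0, so any increase is an
    infinite z-score) from alerting on trivial volumes; the z-score keeps
    legitimately busy hosts with steady egress from alerting on size alone.
    """
    flagged = {}
    for host, per_day in daily_egress(flows).items():
        days = sorted(per_day)
        if len(days) < 2:
            continue  # no history to compare against
        history = [per_day[d] for d in days[:-1]]
        latest_day, latest = days[-1], per_day[days[-1]]
        if latest < min_bytes:
            continue
        mu, sigma = mean(history), pstdev(history)
        z = (latest - mu) / sigma if sigma > 0 else float("inf")
        if z <= z_threshold:
            continue
        dest, dest_bytes, seen_before = top_destination(flows, host, latest_day)
        flagged[host] = {
            "day": latest_day,
            "bytes": latest,
            "baseline_mean": mu,
            "zscore": z,
            "top_dest": dest,
            "top_dest_bytes": dest_bytes,
            "dest_seen_before": seen_before,
        }
    return flagged


if __name__ == "__main__":
    for host, info in flag_egress_outliers(FLOWS).items():
        print(f"{host}: {info['bytes'] / MB:.0f} MB on {info['day']} "
              f"(baseline {info['baseline_mean'] / MB:.0f} MB/day), "
              f"{info['top_dest_bytes'] / MB:.0f} MB to {info['top_dest']}, "
              f"destination seen before: {info['dest_seen_before']}")
```

The two thresholds are deliberately separate: the z-score catches a change relative to the host's own normal, so a web edge that always pushes hundreds of megabytes is not an alert, while the byte floor stops a flat-history host from alerting on a small bump. A destination the host has never contacted before, receiving nearly all of the excess, is the detail an analyst would triage first.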

This type of attack underscores a persistent vulnerability across global enterprises: the integration of consumer-facing applications and backend corporate databases. Systems like MyFitnessPal, designed for user engagement, now represent high-value targets because they store both behavioral data and personally identifiable information. Combined with insufficient segmentation, these environments allow ransomware operators to pivot across platforms, maximizing their data haul.

The operational model of Everest also signals an emerging risk for multinational companies: timing and psychological pressure. By issuing a short ultimatum without initially specifying a ransom, the group applies uncertainty, forcing companies to respond quickly under threat of progressive data leaks. This approach exploits human decision-making vulnerabilities within corporate leadership and legal teams.

From a broader industry perspective, this breach may accelerate investment in zero-trust architectures, continuous monitoring, and cross-departmental incident response planning. Organizations must also anticipate hybrid threats that combine ransomware, targeted phishing, and deep intelligence-gathering attacks. In essence, the Everest incident exemplifies the transition from blunt ransomware attacks to precision-targeted, data-driven cyber extortion campaigns.

🔍 Fact Checker Results

✅ Everest ransomware group active since 2021 with documented high-profile attacks
✅ Breach reportedly exposes personal, financial, and corporate data affecting millions
❌ No confirmed ransom amount disclosed yet; data verification still in progress

📊 Prediction: Future Risks for Under Armour

Given the sophistication and scale of this attack, Under Armour is likely to face prolonged remediation challenges. Expect tighter scrutiny from regulators in the U.S. and internationally regarding data protection compliance. Customer trust may erode, leading to potential revenue impact, particularly in digital fitness and e-commerce platforms.

Cybercriminals may continue to target similar sportswear and lifestyle brands, leveraging hybrid intelligence-exfiltration models. Businesses will likely accelerate adoption of AI-driven anomaly detection and multi-layered threat prevention. This incident may mark a turning point where hybrid ransomware and data intelligence theft become the new standard in high-stakes corporate cybercrime.

The Everest breach is a stark reminder: no global brand is immune, and the cost of inaction against evolving cyber threats is far higher than previously imagined.

References:

Reported By: cyberpress.org