AkzoNobel: Anubis ransomware claims responsibility for AkzoNobel network breach

Anubis Ransomware Gang Claims 170GB Data Theft from AkzoNobel in February Breach

The Anubis ransomware operation emerged in December 2024 as a ransomware-as-a-service (RaaS) group. In February 2025, it breached Dutch paint manufacturer AkzoNobel, exfiltrating approximately 170,000 files totaling 170GB of sensitive data. The stolen material includes confidential client agreements, employee contact details, private emails, passport scans, and technical documents.

AkzoNobel, a global company with 35,000 employees and brands like Dulux and Sikkens, confirmed the incident at one of its U.S. sites, stating the breach had been contained with limited impact. The attack occurred on February 24, when the threat actor FulcrumSec exploited the React2Shell vulnerability in an unpatched React frontend application to gain access to AkzoNobel’s AWS infrastructure. The company has not disclosed whether it is negotiating with the attackers.

Anubis has previously deployed a data wiper capable of permanently destroying files, adding to the severity of its attacks. Meanwhile, Iranian threat group Dust Specter has been linked to a separate campaign, spoofing Iraq’s Ministry of Foreign Affairs to target Iraqi government officials with new malware strains SplitDrop, TwinTask, TwinTalk, and GhostForm as part of an AI-powered intrusion operation first detected in January.

The breach highlights ongoing risks from unpatched vulnerabilities and the evolving tactics of ransomware groups, including the use of destructive payloads alongside data exfiltration.

Source: https://www.scworld.com/brief/akzonobel-network-breached-by-anubis-ransomware

AkzoNobel cybersecurity rating report: https://www.rankiteo.com/company/akzonobel

"id": "AKZ1772649747",
"linkid": "akzonobel",
"type": "Ransomware",
"date": "2/2026",
"severity": "100",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Manufacturing (Paint and Coatings)',
                        'location': 'Netherlands (breach occurred at a U.S. '
                                    'site)',
                        'name': 'AkzoNobel',
                        'size': '35,000 employees',
                        'type': 'Corporation'}],
 'attack_vector': 'Exploitation of unpatched vulnerability (React2Shell)',
 'data_breach': {'data_exfiltration': 'Yes',
                 'number_of_records_exposed': '170,000 files',
                 'personally_identifiable_information': ['Employee contact '
                                                         'details',
                                                         'Passport scans'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Confidential client agreements',
                                              'Employee contact details',
                                              'Private emails',
                                              'Passport scans',
                                              'Technical documents']},
 'date_detected': '2025-02-24',
 'description': 'In February 2025, the Anubis ransomware operation breached '
                'Dutch paint manufacturer AkzoNobel, exfiltrating '
                'approximately 170,000 files totaling 170GB of sensitive data. '
                'The stolen material includes confidential client agreements, '
                'employee contact details, private emails, passport scans, and '
                'technical documents. The attack occurred on February 24, when '
                'the threat actor FulcrumSec exploited the React2Shell '
                'vulnerability in an unpatched React frontend application to '
                'gain access to AkzoNobel’s AWS infrastructure. The company '
                'confirmed the incident at one of its U.S. sites and stated '
                'the breach had been contained with limited impact. Anubis has '
                'previously deployed a data wiper capable of permanently '
                'destroying files.',
 'impact': {'data_compromised': '170GB (170,000 files)',
            'identity_theft_risk': 'High (passport scans, employee contact '
                                   'details)',
            'operational_impact': 'Limited impact (contained)',
            'systems_affected': 'AWS infrastructure'},
 'initial_access_broker': {'entry_point': 'React2Shell vulnerability in '
                                          'unpatched React frontend '
                                          'application'},
 'lessons_learned': 'Ongoing risks from unpatched vulnerabilities and evolving '
                    'ransomware tactics, including destructive payloads.',
 'motivation': 'Data exfiltration and ransom demand',
 'post_incident_analysis': {'root_causes': 'Exploitation of unpatched '
                                           'React2Shell vulnerability'},
 'ransomware': {'data_exfiltration': 'Yes (170GB)',
                'ransomware_strain': 'Anubis'},
 'references': [{'source': 'Cyber Incident Report'}],
 'response': {'containment_measures': 'Contained',
              'incident_response_plan_activated': 'Yes'},
 'threat_actor': 'Anubis ransomware gang (FulcrumSec)',
 'title': 'Anubis Ransomware Gang Claims 170GB Data Theft from AkzoNobel in '
          'February Breach',
 'type': 'Ransomware',
 'vulnerability_exploited': 'React2Shell'}