The Everest Ransomware group executed a high-profile attack on Under Armour, exfiltrating **340 GB of sensitive data**, including **customer PII (email addresses, phone numbers, physical locations, passport details, gender information, purchase histories)** and **internal company data (product SKUs, marketing and sales strategies)**. The group employed **double extortion**: it encrypted systems and threatened to sell the stolen data on the dark web if a **Monero (XMR) ransom** was not paid within **7 days**. The breach exposes Under Armour to **identity theft, financial fraud, reputational damage**, and **competitive intelligence leaks**. The attack uses **AES and DES encryption**, and Russian-language strings in the encryption code are read as a sign that the group avoids targeting Russian-speaking regions. Under Armour's silence on the incident heightens uncertainty, while the sensitivity of the stolen data, particularly **passport details and precise location data**, raises concerns over compliance violations and long-term erosion of customer trust. The group's shift from Bitcoin to **Monero** underscores its focus on evading law enforcement tracking and adds to the threat's sophistication.
Source: https://www.cybersecurity-insiders.com/under-armor-data-breach-by-everest-ransomware-group/
Under Armour cybersecurity rating report: https://www.rankiteo.com/company/under-armour
{
  "id": "UND3492734111825",
  "linkid": "under-armour",
  "type": "Ransomware",
  "date": "11/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {
      "industry": "Apparel/Retail",
      "location": "United States",
      "name": "Under Armour",
      "size": "Large (global enterprise)",
      "type": "Corporation"
    }
  ],
  "data_breach": {
    "data_exfiltration": true,
    "personally_identifiable_information": true,
    "sensitivity_of_data": "High (includes PII, passport details, and internal business data)",
    "type_of_data_compromised": [
      "Personal Identification Information (PII): email addresses, phone numbers, physical location data",
      "Sensitive Documents: passport details, gender information, purchase histories",
      "Internal Company Data: product SKUs, marketing data, sales data"
    ]
  },
  "description": "The Everest Ransomware group claimed responsibility for a massive data breach involving Under Armour, stealing 340 GB of sensitive data. The group demanded a ransom in Monero (XMR) with a seven-day deadline, threatening to sell the data on the dark web if unpaid. Compromised data includes personal identification information (email addresses, phone numbers, physical location data), sensitive documents (passport details, gender information, purchase histories), and internal company data (product SKUs, marketing, and sales data). The attack highlights potential security gaps in Under Armour's data handling practices.",
  "impact": {
    "brand_reputation_impact": "High (potential severe damage due to sensitive data exposure and internal business strategy leaks)",
    "data_compromised": true,
    "identity_theft_risk": "High (due to exposure of PII, passport details, and location data)"
  },
  "initial_access_broker": {
    "data_sold_on_dark_web": "Threatened if ransom unpaid",
    "high_value_targets": [
      "Customer databases",
      "Internal marketing/sales data"
    ]
  },
  "investigation_status": "Ongoing (no public confirmation or details from Under Armour as of report)",
  "lessons_learned": [
    "Ransomware groups are evolving with double extortion tactics (encryption + data theft).",
    "Use of privacy-focused cryptocurrencies (e.g., Monero) complicates ransom tracing.",
    "Companies must reassess data storage practices, especially for highly sensitive PII (e.g., passport details).",
    "Geopolitical motivations may influence target selection (e.g., avoidance of Russian-speaking regions).",
    "Public silence post-breach can exacerbate reputational and operational risks."
  ],
  "motivation": [
    "Financial Gain",
    "Data Theft for Dark Web Sale"
  ],
  "post_incident_analysis": {
    "root_causes": [
      "Potential inadequate data encryption or access controls for sensitive PII.",
      "Possible lack of segmentation between customer data and internal business systems.",
      "Unclear initial access vector (e.g., phishing, unpatched vulnerability, or insider threat)."
    ]
  },
  "ransomware": {
    "data_encryption": {
      "language": "Russian (encryption code)",
      "methods": [
        "AES (Advanced Encryption Standard)",
        "DES (Data Encryption Standard)"
      ]
    },
    "data_exfiltration": true,
    "ransom_demanded": {
      "amount": null,
      "currency": "Monero (XMR)",
      "deadline": "7 days from announcement"
    },
    "ransomware_strain": "Everest Ransomware (evolved from BlackByte family)"
  },
  "recommendations": [
    "Implement robust encryption for stored sensitive data (e.g., PII, internal documents).",
    "Adopt multi-layered ransomware defenses, including behavioral analysis and anomaly detection.",
    "Develop and test incident response plans specifically for double extortion scenarios.",
    "Monitor dark web for leaked data and proactively notify affected customers.",
    "Conduct third-party audits of data handling practices to identify unnecessary storage of high-risk information.",
    "Evaluate cryptocurrency transaction monitoring tools to detect ransom payments or dark web sales.",
    "Enhance employee training on phishing and social engineering, common initial access vectors for ransomware."
  ],
  "references": [
    {
      "source": "Cybersecurity News Report (hypothetical, based on incident description)"
    }
  ],
  "threat_actor": "Everest Ransomware Group",
  "title": "Everest Ransomware Attack on Under Armour",
  "type": [
    "Data Breach",
    "Ransomware Attack",
    "Double Extortion"
  ]
}