The Everest ransomware group has claimed responsibility for a cyberattack on Under Armour, saying it stole 343 GB of internal data from the sportswear company’s systems.
The claim appeared on the group’s dark web leak site on November 16, 2025; if accurate, it exposes millions of customers to identity theft and fraud.
Under Armour, a Baltimore-based firm selling in more than 190 countries, had not confirmed the incident as of November 20.
According to the listing, the data includes personal details such as email addresses, phone numbers, physical addresses, passport information, gender, and transaction histories drawn from customer databases.
Corporate files were also taken, among them product catalogs with SKUs and prices, marketing logs, and user analytics, a mix that points to customer relationship management (CRM) or e-commerce platforms as the likely source.
The combination suggests the attackers reached the databases behind customer registration and personalization. The initial access vector has not been disclosed: credential stuffing against customer logins and SQL injection in the web tier are common ways into such systems, but neither has been confirmed here.
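Credential stuffing, one of the two vectors named above as possible but unconfirmed, leaves a recognisable trace in a site's login audit log: one client IP failing logins against many different usernames in a short burst, because each attempt is a separate leaked username:password pair. The detector below is an added example written for this article, not code from Under Armour, Everest or any vendor named on the page; the log format, IP addresses and usernames are constructed for the demo. It also returns the accounts that logged in successfully from a flagged source, since those are the ones to reset first.

```python
"""Spot credential-stuffing runs in constructed login-audit lines.

Added example; it is not code from the article, from Under Armour or
from any vendor named on the page. The log format, the IPs and the
usernames are all constructed for the demo. The heuristic: one client
IP that fails logins for many *distinct* usernames within a short window
is working through a leaked username:password list; a brute force against
one account, or a user who mistypes twice, does not look like that.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, assumed format: "<ISO timestamp> <client ip> <username> <FAIL|OK>"
SAMPLE_LOG = """\
2025-11-14T02:00:01 203.0.113.7 alice@example.com FAIL
2025-11-14T02:00:02 203.0.113.7 bob@example.com FAIL
2025-11-14T02:00:03 203.0.113.7 carol@example.com FAIL
2025-11-14T02:00:04 203.0.113.7 dave@example.com FAIL
2025-11-14T02:00:05 203.0.113.7 erin@example.com FAIL
2025-11-14T02:00:06 203.0.113.7 frank@example.com OK
2025-11-14T02:00:07 203.0.113.7 grace@example.com FAIL
2025-11-14T02:01:00 198.51.100.9 alice@example.com FAIL
2025-11-14T02:01:01 198.51.100.9 alice@example.com FAIL
2025-11-14T02:01:02 198.51.100.9 alice@example.com FAIL
2025-11-14T02:01:03 198.51.100.9 alice@example.com FAIL
2025-11-14T02:01:04 198.51.100.9 alice@example.com FAIL
2025-11-14T02:01:05 198.51.100.9 alice@example.com FAIL
2025-11-14T02:00:00 192.0.2.5 heidi@example.com FAIL
2025-11-14T02:02:00 192.0.2.5 ivan@example.com FAIL
2025-11-14T02:04:00 192.0.2.5 judy@example.com FAIL
2025-11-14T02:06:00 192.0.2.5 mallory@example.com FAIL
2025-11-14T02:08:00 192.0.2.5 oscar@example.com FAIL
"""


def parse_log(text):
    """Yield (timestamp, ip, user, result) tuples; skips blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result


def find_stuffing_sources(text, window=timedelta(seconds=60), min_users=5):
    """Return {ip: peak number of distinct failed usernames seen inside any window}."""
    fails = defaultdict(list)
    for ts, ip, user, result in parse_log(text):
        if result == "FAIL":
            fails[ip].append((ts, user))

    flagged = {}
    for ip, events in fails.items():
        events.sort()                # chronological, so a sliding window works
        in_window = Counter()        # username -> failures currently inside the window
        left = 0
        for ts, user in events:
            in_window[user] += 1
            # Evict events that have fallen out of the window at the left edge.
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_users:
                flagged[ip] = max(flagged.get(ip, 0), len(in_window))
    return flagged


def hits_from(text, flagged_ips):
    """Accounts that logged in successfully from a flagged IP: force a reset on these."""
    return {user for _, ip, user, result in parse_log(text)
            if ip in flagged_ips and result == "OK"}


if __name__ == "__main__":
    sources = find_stuffing_sources(SAMPLE_LOG)
    print("stuffing sources:", sources)
    print("accounts to reset:", hits_from(SAMPLE_LOG, sources))
```

In the constructed sample only 203.0.113.7 is flagged: 198.51.100.9 hammers a single account (a brute force, not stuffing), and 192.0.2.5 spreads five usernames over eight minutes, so it never reaches the threshold inside a 60-second window. Rate-based blocking alone misses that last pattern; the distinct-username count is what separates stuffing from ordinary failed logins.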
Breach Details and Ransomware Tactics
Everest, active since late 2020, runs a double-extortion model: it exfiltrates data before encrypting files (reportedly with AES and DES) and publishes the data if the ransom goes unpaid.
The group, which has been linked to the BlackByte and Conti operations, often gains entry through phishing emails that deliver Qakbot, which in turn drops Cobalt Strike beacons used for lateral movement and privilege escalation.
In this case the group posted a data sample on its leak site, including shopping histories and employee records from several countries, as proof of the intrusion.
No specific indicators of compromise (IoCs), such as SHA-256 hashes or IP addresses, have been published.
Experts nonetheless recommend hunting for Qakbot variants and for Tox messenger traffic, since Everest told the company to make contact through that encrypted app within seven days.
Everest’s ransom demands are typically payable in Monero for anonymity; no amount was specified in this case.
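Tox traffic is worth hunting for because a negotiator, or an intruder still inside the estate, must run a Tox client that joins a peer-to-peer DHT over UDP rather than connecting to one server. The script below is an added example for this article, not code from Under Armour, Everest or any vendor it names: it reads constructed connection-log lines and flags internal hosts sending UDP to the Tox port range on many distinct external peers. The port range (33445-33545, the range toxcore is assumed to bind, with 33445 the default), the fan-out threshold and the internal address range are assumptions to tune for a real estate; a single flow on the port is weak evidence on its own.

```python
"""Hunt for Tox messenger DHT traffic in constructed connection logs.

Added example; not code from the article or from any vendor it names.
Tox has no central server: a client joins a peer-to-peer DHT over UDP,
by default on port 33445, and exchanges packets with many peers. The
port range below (33445-33545, the range toxcore is assumed to bind)
and the fan-out threshold are assumptions; one flow on the port is weak
evidence, a workstation fanning out to many external hosts on it is the
signal worth triaging. Flow lines, addresses and the internal range are
constructed for the demo.
"""
import ipaddress
from collections import defaultdict

TOX_UDP_PORTS = range(33445, 33546)            # assumed toxcore bind range
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # constructed estate range

# Constructed flow lines, assumed format:
# "<ISO timestamp> <UDP|TCP> <src ip>:<src port> -> <dst ip>:<dst port>"
SAMPLE_FLOWS = """\
2025-11-17T09:12:01 UDP 10.1.4.22:51340 -> 198.51.100.10:33445
2025-11-17T09:12:01 UDP 10.1.4.22:51340 -> 203.0.113.44:33445
2025-11-17T09:12:02 UDP 10.1.4.22:51340 -> 192.0.2.88:33447
2025-11-17T09:12:02 UDP 10.1.4.22:51340 -> 198.51.100.77:33445
2025-11-17T09:12:03 UDP 10.1.4.22:51340 -> 203.0.113.9:33500
2025-11-17T09:12:10 UDP 10.1.4.22:51340 -> 198.51.100.10:33445
2025-11-17T09:13:00 UDP 10.1.7.5:40000 -> 198.51.100.10:33445
2025-11-17T09:13:01 TCP 10.1.7.5:40001 -> 198.51.100.10:443
2025-11-17T09:14:00 UDP 10.1.9.9:5000 -> 10.1.9.1:53
2025-11-17T09:14:01 UDP 203.0.113.5:33445 -> 10.1.4.22:51340
"""


def parse_flows(text):
    """Yield (proto, src_ip, dst_ip, dst_port) for each non-blank line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, proto, src, _arrow, dst = line.split()
        src_ip, _ = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        yield proto, ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip), int(dst_port)


def tox_candidates(text, min_peers=3):
    """Return {internal host: sorted external peers} for hosts fanning out on Tox ports."""
    peers = defaultdict(set)
    for proto, src, dst, dport in parse_flows(text):
        if proto != "UDP" or dport not in TOX_UDP_PORTS:
            continue
        if src not in INTERNAL or dst in INTERNAL:
            continue  # only outbound flows from the estate count; inbound noise is ignored
        peers[str(src)].add(str(dst))
    return {host: sorted(p) for host, p in peers.items() if len(p) >= min_peers}


if __name__ == "__main__":
    for host, ext in tox_candidates(SAMPLE_FLOWS).items():
        print(f"{host}: {len(ext)} distinct external DHT peers -> {ext}")
```

In the sample, 10.1.4.22 reaches five distinct external hosts on the Tox range within seconds and is reported; 10.1.7.5 touches one such host and is not, which is the intended behaviour for a port that other software can also use. A flagged host should be checked for a Tox client binary and for the Qakbot and Cobalt Strike tooling the article associates with Everest, not blocked on the flow data alone.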
Under Armour’s history includes the 2018 MyFitnessPal breach, which affected about 150 million accounts and exposed email addresses and hashed passwords but no payment card data.
The new claim is broader: combining personal and business data would enable targeted phishing of customers and employees, and attacks on partners through the supply chain.
Everest’s past victims include Dublin Airport (1.5 million passenger records in October 2025), AT&T’s carrier database (over 500,000 users), and Coca-Cola’s internal files, showing a focus on data-rich targets in sectors such as retail, telecoms and transport.
Implications and Protective Measures
The exposure heightens the risk of social engineering and fraud: passport details and transaction logs let an attacker pass identity checks and craft convincing, purchase-specific phishing lures.
Cybersecurity firms such as Mandiant note that ransomware groups are shifting from pure encryption to data theft, treating each breach as an intelligence asset to sell on dark web forums.
CISA’s Known Exploited Vulnerabilities catalog tracks CVEs rather than incidents, and no exploited vulnerability has been tied to this one. Comparable cases have, however, prompted federal advisories urging enterprises to patch their CRM and e-commerce platforms.
Customers should watch their accounts for suspicious activity, reset their Under Armour password and any other account that reused it, enable multi-factor authentication (MFA), and treat emails posing as breach notifications with suspicion.
Businesses can reduce exposure by segmenting networks, deploying endpoint detection and response (EDR) tools, monitoring for bulk data exfiltration, and conducting regular penetration testing.
Because the data covers customers in many countries, Under Armour could face regulatory action under the GDPR for EU residents’ data and the CCPA for California residents’, in addition to reputational damage and customer losses.
As investigations continue, this incident underscores the need for zero-trust architectures in global firms.