A Ransomware Group Claims They Took 343GB From Under Armour and Posted a Countdown Clock to Prove It

The Everest ransomware group just made headlines by posting a threat notice on their dark web leak site claiming they walked away from Under Armour with roughly 343 gigabytes of internal data. Personal documents tied to clients and employees. Sensitive internal records. And to make their point impossible to ignore, they posted samples as proof and started a seven-day countdown clock, giving the company a window to make contact before things get worse.

Under Armour has not confirmed the breach. But the claim itself, the samples, and the countdown clock are all consistent with a playbook that has become disturbingly routine among sophisticated ransomware groups, and the details are worth understanding regardless of how the Under Armour situation ultimately resolves.

How Modern Ransomware Groups Actually Operate
The public perception of ransomware is still largely shaped by the early generation of attacks, where the entire strategy was encryption. Get in, lock the files, demand payment, and provide the decryption key if the ransom was paid. The leverage was the encrypted data and the operational disruption it caused.

Everest and groups operating at a similar level have moved well past that model.

Encryption still happens, but it’s increasingly a secondary consideration. The primary leverage comes from data exfiltration, the theft of sensitive information before anything gets locked down. By the time a company discovers that its systems have been compromised, attackers like Everest may have already copied everything worth copying and moved it to infrastructure they control.

That shift fundamentally changes the nature of the threat. A company with excellent backups can recover from encryption relatively quickly. Recovery from data exfiltration is a different calculation entirely. The data is already gone. The question becomes what the attackers will do with it, and the countdown clock is the mechanism for making that question feel urgent and expensive.

If Everest’s claims about Under Armour prove accurate, 343 gigabytes of internal data represent an enormous exposure. Personal information tied to customers and employees creates regulatory consequences under frameworks like GDPR and various state-level privacy laws. Internal documents can expose business strategies, vendor relationships, financial details, and operational vulnerabilities. The reputational damage from a breach of this scale can affect customer trust and brand perception for months or years beyond the initial incident.

The encryption is almost a side effect at this point. The data theft is the leverage, and the leak site countdown is how that leverage gets applied.

Why Smaller Businesses Should Be Paying Close Attention
The natural response to a headline about a major brand getting targeted by a sophisticated ransomware group is to file it mentally under problems that affect large companies with large attack surfaces and large amounts of valuable data.

That response is exactly what groups like Everest are counting on.

The tactics these groups use don’t require a target of Under Armour’s scale to be worth deploying. Exposed credentials, unpatched systems, and employees who click on convincing phishing emails exist in organizations of every size. Everest and similar groups cast wide nets, often using automated scanning to identify vulnerable systems across thousands of potential targets simultaneously. The sophistication of the attack that follows scales to whatever the initial access allows, but the initial access itself requires nothing more than a single exploitable weakness.

A smaller company that holds customer payment information, employee personal data, or confidential business records has something worth stealing. The regulatory consequences of a data breach don’t scale down proportionally with company size. A small business that experiences a significant PII leak faces the same notification requirements, potential fines, and reputational exposure as a larger organization, often with far fewer resources to manage the aftermath.

The belief that your organization isn’t interesting enough to target is a comfort that the data doesn’t support. It’s also a belief that shapes security investment decisions in ways that leave organizations exposed precisely because they’ve convinced themselves the threat doesn’t apply to them.

What the Under Armour Situation Reveals About Attack Methodology
Setting aside the specific claim and focusing on the methodology reveals something instructive for any organization thinking about its own security posture.

Attacks at this level don’t happen through a single dramatic exploit. They typically begin with something mundane. A credential obtained through a phishing campaign. A known vulnerability on an internet-facing system that hadn’t been patched. An employee account with more access than the role required. From that initial foothold, attackers move quietly through the environment, mapping what’s available, escalating privileges where possible, and identifying the data worth taking before anyone realizes something is wrong.

The dwell time between initial compromise and detection is often measured in weeks or months. During that window, attackers are gathering information, establishing persistence mechanisms, and exfiltrating data in ways designed to avoid triggering alerts, typically by staging it in archives and pushing it out through legitimate file transfer tools and cloud storage services so that the traffic looks like ordinary business use. By the time the victim organization knows something happened, the damage is already done.
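Because the exfiltration traffic is designed to look ordinary, the signal is rarely a single event; it is a host moving far more data than its own history says it should, to somewhere it has never talked to, at an hour nobody is working. The script below is an added example for this article (not code from the original page, and not anything attributed to Everest or Under Armour) that runs that comparison over a constructed egress log. The log format, the per-host baselines, the known-destination allow-list and the thresholds are all assumptions; in practice they would come from proxy or NetFlow records and thirty days of history.

```python
"""Flag hosts whose outbound transfer pattern looks like bulk exfiltration.

Added example for this article, not code from the original page. The log
format, baselines, allow-list and thresholds are all assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed proxy/egress log, one outbound transfer per line (assumed format):
# "<ISO timestamp> <src_host> <dst_host> <bytes_out>"
SAMPLE_LOG = """\
2024-05-01T02:10:00 ws-marketing-07 cdn.example.net 12000
2024-05-01T02:11:00 ws-marketing-07 filedrop.example-unknown.io 524288000
2024-05-01T02:12:00 ws-marketing-07 filedrop.example-unknown.io 536870912
2024-05-01T02:13:00 ws-marketing-07 filedrop.example-unknown.io 512000000
2024-05-01T09:00:00 ws-finance-02 mail.example.com 2048000
2024-05-01T09:05:00 ws-finance-02 crm.example.com 3000000
2024-05-01T10:00:00 srv-backup-01 backup-vault.example.com 8589934592
"""

# Assumed per-host daily baselines in bytes (in practice derived from ~30 days
# of history). The backup server legitimately moves gigabytes every day.
BASELINE_BYTES = {
    "ws-marketing-07": 50_000_000,
    "ws-finance-02": 20_000_000,
    "srv-backup-01": 10_000_000_000,
}

# Assumed set of destinations already seen in historical traffic.
KNOWN_DESTINATIONS = {
    "cdn.example.net", "mail.example.com", "crm.example.com",
    "backup-vault.example.com",
}

BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local time, assumed


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events


def find_exfil_candidates(events, baseline=BASELINE_BYTES,
                          known_dsts=KNOWN_DESTINATIONS,
                          ratio=5.0, new_dst_min_bytes=100_000_000):
    """Return {host: [reasons]} for hosts whose egress deserves a look.

    Three independent signals are checked per host:
      1. total outbound volume exceeds `ratio` times the host's own baseline
         (or the host has no baseline at all);
      2. at least `new_dst_min_bytes` went to a destination never seen before;
      3. most of the day's volume moved outside business hours.
    Comparing each host with its own history is what keeps the backup server
    quiet while a workstation pushing 1.5 GB at 2 a.m. is flagged.
    """
    per_host = defaultdict(lambda: {"total": 0, "by_dst": defaultdict(int),
                                    "off_hours": 0})
    for ts, src, dst, nbytes in events:
        stats = per_host[src]
        stats["total"] += nbytes
        stats["by_dst"][dst] += nbytes
        if ts.hour not in BUSINESS_HOURS:
            stats["off_hours"] += nbytes

    findings = {}
    for host, stats in per_host.items():
        reasons = []
        base = baseline.get(host)
        if base is None:
            reasons.append(f"no baseline for host; sent {stats['total']} bytes")
        elif stats["total"] > ratio * base:
            reasons.append(f"{stats['total']} bytes sent, "
                           f"{stats['total'] / base:.1f}x baseline")
        for dst, nbytes in stats["by_dst"].items():
            if dst not in known_dsts and nbytes >= new_dst_min_bytes:
                reasons.append(f"{nbytes} bytes to previously unseen destination {dst}")
        if (stats["total"] >= new_dst_min_bytes
                and stats["off_hours"] > 0.5 * stats["total"]):
            reasons.append("majority of volume moved outside business hours")
        if reasons:
            findings[host] = reasons
    return findings


def run_sample():
    """Convenience wrapper: run the detector over the constructed log."""
    return find_exfil_candidates(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for host, reasons in run_sample().items():
        print(host)
        for reason in reasons:
            print("  -", reason)
```

On the constructed log only ws-marketing-07 is reported, for all three reasons at once; the finance workstation and the backup server stay quiet because each is measured against its own baseline. The obvious limitation is the window: an operator who throttles the transfer to a few hundred megabytes a day over two weeks will not trip a daily ratio, so in production the same logic should run over rolling multi-day windows and be paired with the "previously unseen destination" signal, which does not depend on volume.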

This methodology has implications for how organizations should think about defense. Preventing every initial intrusion is an unrealistic goal. Limiting what an attacker can accomplish after achieving initial access is where the meaningful security investment happens.

Building the Defenses That Limit the Damage
The specific controls that address the methodology groups like Everest use are well understood. The gap between knowing what to do and having it implemented is where most organizations get into trouble.

Network segmentation is the control that most directly limits lateral movement after initial compromise. If an attacker who gains access through a phishing email on a marketing workstation cannot reach the database servers holding customer records without crossing additional security boundaries, the blast radius of that initial compromise shrinks dramatically. Flat networks where everything can reach everything else are extraordinarily dangerous in an environment where initial access is a question of when rather than if.

Access control audits reveal the accumulated permission creep that happens in most organizations over time. Employees get access to systems for specific projects and never lose it. Former employees sometimes retain access longer than they should. Service accounts accumulate permissions beyond what their function requires. Every unnecessary access point is a potential path for an attacker moving laterally through an environment.
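The three forms of creep described above (project access never revoked, former employees still enabled, over-privileged service accounts) are all mechanical to find once the account data is in hand. The script below is an added example for this article, not code from the original page; it audits a constructed account inventory whose field names, group names and 90-day staleness threshold are assumptions. A real run would replace the constructed list with an export from Active Directory or the identity provider.

```python
"""Audit an account inventory for the permission creep described above.

Added example, not code from the article. The inventory shape, group names
and thresholds are assumptions; a real run would read an IdP or Active
Directory export instead of the constructed list below.
"""
from collections import namedtuple
from datetime import date

Finding = namedtuple("Finding", "account code detail")

# Assumed names of groups that grant broad administrative rights.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins",
                     "Backup Operators", "DB-Admins"}

# Date the audit is run against (fixed so the constructed data is reproducible).
AUDIT_DATE = date(2024, 5, 1)

# Constructed inventory (assumed fields): one dict per account.
ACCOUNTS = [
    {"name": "jdoe", "kind": "user", "enabled": True, "employment": "active",
     "last_login": date(2024, 4, 28), "groups": ["Marketing", "VPN-Users"]},
    # Left the company, HR record says terminated, account never disabled.
    {"name": "asmith", "kind": "user", "enabled": True, "employment": "terminated",
     "last_login": date(2024, 3, 2), "groups": ["Finance", "DB-Admins"]},
    # Contractor account from a 2022 project that nobody cleaned up.
    {"name": "proj-2022-contractor", "kind": "user", "enabled": True,
     "employment": "active", "last_login": date(2023, 11, 15),
     "groups": ["VPN-Users", "Engineering"]},
    # Service account that was made Domain Admin to "make the sync work".
    {"name": "svc-crm-sync", "kind": "service", "enabled": True, "employment": None,
     "last_login": date(2024, 4, 30), "groups": ["Domain Admins", "CRM-Readers"]},
    {"name": "svc-print", "kind": "service", "enabled": True, "employment": None,
     "last_login": date(2024, 4, 30), "groups": ["Print-Operators"]},
]


def audit_accounts(accounts, today, stale_days=90):
    """Return a list of Findings, one per rule an enabled account violates.

    Rules, each a lateral-movement path an attacker could use:
      terminated-still-enabled     former employee can still log in
      stale-enabled                no login for `stale_days`, still enabled
      service-in-privileged-group  service account holding admin-level rights
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are not a live path; out of scope here
        name = acct["name"]
        privileged = sorted(set(acct["groups"]) & PRIVILEGED_GROUPS)

        if acct["kind"] == "user" and acct["employment"] == "terminated":
            findings.append(Finding(name, "terminated-still-enabled",
                                    f"still enabled, member of {acct['groups']}"))

        idle_days = (today - acct["last_login"]).days
        if idle_days > stale_days:
            findings.append(Finding(name, "stale-enabled",
                                    f"last login {idle_days} days ago"))

        if acct["kind"] == "service" and privileged:
            findings.append(Finding(name, "service-in-privileged-group",
                                    f"member of {privileged}"))
    return findings


def run_audit():
    """Convenience wrapper: audit the constructed inventory as of AUDIT_DATE."""
    return audit_accounts(ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.code:28} {f.account:22} {f.detail}")
```

Run against the constructed inventory it produces exactly three findings: asmith (terminated, still enabled, and still in DB-Admins), the 2022 contractor account (168 days idle), and svc-crm-sync (a service account in Domain Admins). The rules are deliberately simple; the value is in running them on a schedule and treating every finding as a ticket, because each one is a path that turns a phished marketing workstation into access to the records that end up on a leak site.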

Multi-factor authentication addresses the credential theft that initiates a significant percentage of breaches. Stolen passwords are extraordinarily common: passwords obtained through phishing, purchased from dark web marketplaces, or extracted from previous breaches fuel attack campaigns across the industry. MFA doesn't make stolen credentials harmless, but it raises the cost of using them substantially. The form of MFA matters, though. SMS codes and push notifications can be defeated by adversary-in-the-middle phishing pages and by push-fatigue prompting, so phishing-resistant methods such as FIDO2 security keys or passkeys belong on the accounts that matter most, starting with VPN, email, and administrative access.

Patching known vulnerabilities remains one of the highest return security investments available. Ransomware groups consistently exploit vulnerabilities that have patches available, targeting organizations that haven't applied them. Automated patching with monthly verification that it's working closes the most commonly used doors before attackers walk through them. Internet-facing systems (VPN appliances, remote access gateways, mail servers) and vulnerabilities with public exploits deserve priority over the rest of the estate, and the verification should come from an external scan of what is actually exposed rather than from the patch tool's own success report.

The 3-2-1-1 backup rule provides the recovery foundation that transforms a ransomware incident from catastrophic to survivable. Three copies of critical data, on two different types of media, with one copy offline and one copy immutable; the classic 3-2-1 rule also wants one copy offsite, and that still applies. Offline and immutable backups cannot be reached or encrypted by ransomware operating on network-connected systems, with one caveat worth testing: an "immutable" copy whose retention lock can be shortened or removed from the backup console is only as safe as the backup administrator's credentials, and ransomware operators routinely go after backup infrastructure first. The ability to restore operations from clean backups within hours rather than days or weeks, proven by an actual restore drill rather than assumed, changes the negotiating position entirely when a countdown clock appears.
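The rule is easy to state and easy to believe you satisfy when you don't: three copies on the same writable NAS count as three copies until the first one gets encrypted. The checker below is an added example for this article, not code from the original page. It evaluates a constructed backup inventory against the rule (including the offsite copy from the classic 3-2-1 formulation) and, separately, lists which copies an attacker holding domain admin rights on the production network could still encrypt or delete. The inventories, field names and media types are assumptions.

```python
"""Check a backup inventory against the 3-2-1-1 rule and show which copies a
ransomware operator on the production network could still reach.

Added example, not code from the article. The inventories are constructed;
the "offsite" check comes from the classic 3-2-1 rule that 3-2-1-1 extends.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str        # e.g. "disk", "tape", "object-storage"
    offsite: bool     # stored in a different physical location
    offline: bool     # not reachable from the production network at all
    immutable: bool   # WORM / object-lock retention that no credential can shorten


def check_3_2_1_1(copies):
    """Return the list of unmet requirements; an empty list means compliant."""
    gaps = []
    if len(copies) < 3:
        gaps.append(f"only {len(copies)} copies, need 3")
    media = {c.media for c in copies}
    if len(media) < 2:
        gaps.append(f"all copies on one media type ({', '.join(media) or 'none'}), need 2")
    if not any(c.offsite for c in copies):
        gaps.append("no offsite copy")
    if not any(c.offline for c in copies):
        gaps.append("no offline copy")
    if not any(c.immutable for c in copies):
        gaps.append("no immutable copy")
    return gaps


def reachable_by_ransomware(copies):
    """Names of copies an attacker on the production network could encrypt or
    delete: anything that is online and not under a retention lock.

    Note that an offsite copy is still reachable if it is online and
    writable; distance is not a control against a domain admin credential.
    """
    return [c.name for c in copies if not c.offline and not c.immutable]


# Constructed "weak" inventory: three copies exist, one is even offsite, so a
# headcount looks fine, but every copy is a writable disk reachable from the
# same domain.
WEAK = [
    BackupCopy("primary-nas", "disk", offsite=False, offline=False, immutable=False),
    BackupCopy("nas-replica", "disk", offsite=False, offline=False, immutable=False),
    BackupCopy("dr-site-disk", "disk", offsite=True, offline=False, immutable=False),
]

# Constructed compliant inventory: local disk for fast restores, object storage
# under a compliance-mode retention lock, and tapes rotated out of the building.
GOOD = [
    BackupCopy("primary-nas", "disk", offsite=False, offline=False, immutable=False),
    BackupCopy("s3-object-lock", "object-storage", offsite=True, offline=False, immutable=True),
    BackupCopy("weekly-tape", "tape", offsite=True, offline=True, immutable=False),
]


if __name__ == "__main__":
    for label, inventory in (("WEAK", WEAK), ("GOOD", GOOD)):
        print(label, "gaps:", check_3_2_1_1(inventory) or "none")
        print(label, "reachable by ransomware:", reachable_by_ransomware(inventory))
```

The weak inventory fails on media diversity, offline and immutability, and every one of its three copies is reachable from the production network; the compliant inventory passes, and only the local NAS copy is exposed, which is acceptable because the other two survive it. Two things the checker cannot see and a drill must: whether the object lock is really in a mode the backup administrator cannot shorten, and how long a full restore from tape actually takes.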

Encrypting data at rest and in transit doesn't prevent theft, and against this kind of attack it helps less than is often assumed. Full-disk or database-level encryption protects against a stolen drive or a copied storage volume, but an attacker operating with a compromised user or service account reads data through the same operating system and application layers that decrypt it for legitimate users, so what lands on their infrastructure is plaintext. What actually reduces the value of stolen data is limiting what exists to steal: application-level encryption of the most sensitive fields with keys held outside the reachable environment, tokenization of payment data, and deleting records that no longer need to be retained.

An incident response plan that has been tested through tabletop exercises within the past year means that when something goes wrong, the organization isn't figuring out its response in real time. Who makes decisions? Who communicates with regulators and affected customers? Who handles technical containment? Who manages external communications? Who, if anyone, is authorized to contact the attackers, and under what conditions? These questions have worse answers when they're being worked out under pressure during an active incident than when they've been thought through in advance.

The Shift Worth Internalizing
The Everest claim against Under Armour, confirmed or not, represents a pattern that is becoming the standard operating procedure for sophisticated ransomware groups. Data exfiltration as primary leverage. Public leak sites with countdown clocks as pressure mechanisms. Samples posted as proof of capability. Seven-day windows designed to create urgency before negotiations begin.

This model works because it creates consequences that encryption alone doesn’t. A company that recovers from encryption through backups still faces the threat of stolen data being published. The leverage doesn’t disappear when the operational disruption is resolved. It persists for as long as the attacker holds data worth releasing.

Defending against this model requires accepting that the goal isn’t to make intrusion impossible. It’s to make the consequences of intrusion as limited as possible through segmentation, access control, encryption, and the backup infrastructure that removes the most acute operational leverage from the attacker’s toolkit.

The countdown clock is designed to create panic. Organizations with mature security practices and tested incident response plans are in a far better position to respond deliberately rather than reactively when one appears.

Build those practices before the clock starts.