
Under Armour Customer Data Breach 2025: Technical Analysis of Everest Ransomware Attack and Exposed Email Addresses

  • Rescana
  • Jan 25
  • 6 min read

Executive Summary

In late 2025, Under Armour suffered a data breach attributed to the Everest ransomware group that exposed records belonging to approximately 72.7 million customers. The compromised data includes names, dates of birth, email addresses, gender, geographic location, purchase history, item browsing history, marketing logs, product catalog data, and employee information. According to Under Armour's statements, the systems that process payments or store customer passwords were not affected. The incident has led to multiple class action lawsuits and raised concerns about customer privacy, business operations, and competitive intelligence. The company is investigating with external cybersecurity experts, and the leaked data has since been redistributed across hacker forums and leak sites. This report analyses the breach, the tactics reported for the threat actor, and the controls that would have blunted them. All information herein is based on the primary, date-verified sources cited inline (BankInfoSecurity, DataBreach.com, Hoplon InfoSec).

Technical Information

The Everest ransomware group is a Russian-speaking cybercrime operation that targets large enterprises with double extortion. In the Under Armour case, Everest claimed to have exfiltrated 343 gigabytes of internal and customer data. The group first tried to extort the company by threatening to leak the data unless a ransom was paid; when Under Armour did not comply, Everest published the stolen data on its leak site, from where it spread to hacker forums and leak databases (BankInfoSecurity, DataBreach.com).

Attack Lifecycle

The initial access vector used by Everest in this breach has not been disclosed in the available sources. Everest's documented entry methods are compromised credentials and exposed remote access services. According to the cited reporting, the group used ProcDump to dump the memory of the LSASS (Local Security Authority Subsystem Service) process and recover credentials from it, then moved laterally with those legitimate credentials. Network discovery was performed with netscan.exe (typically the SoftPerfect Network Scanner binary) to enumerate additional hosts and shares. Once the target data had been staged, it was compressed with WinRAR and exfiltrated from the environment. Ransom communication with Under Armour ran over Tox Messenger, a peer-to-peer encrypted messenger (Hoplon InfoSec, DataBreach.com). All three tools are legitimate, signed software, so on-disk signature or reputation checks will not flag them; detection has to key on behaviour, above all a process that is not a known security agent opening a handle to lsass.exe with read access.

Double extortion, as Everest practises it, pairs encryption of the victim's environment with the threat to publish stolen data if the ransom is not paid. The reporting cited here centres on the theft and leak of Under Armour's data and does not detail an encryption event, so the impact techniques listed below are inferred from Everest's playbook rather than observed in this incident. After Under Armour refused to pay, Everest followed through on its threat and published customer and employee data.

Data Compromised

The breach exposed a wide range of personally identifiable information (PII) and business-sensitive data. Specifically, the compromised data includes customer names, dates of birth, email addresses, gender, geographic location, purchase history (including SKUs, prices, quantities, purchase dates, and return status), item browsing history, marketing logs (such as deep-link tracking and campaign entries), product catalog data (SKUs, sizes, colors, descriptions, inventory status, and prices), and employee information (personal and work email addresses, work location, team, and addresses) (BankInfoSecurity, DataBreach.com, Hoplon InfoSec).

No evidence has been found to suggest that payment card data or customer passwords were compromised. Under Armour has stated that systems used to process payments or store customer passwords were not affected by this incident (BankInfoSecurity).

Threat Actor Tactics, Techniques, and Procedures (TTPs)

The technical methods reported for Everest in this breach map to the following MITRE ATT&CK techniques:

  • T1078: Valid Accounts – Use of legitimate credentials for initial access and lateral movement.

  • T1003.001: OS Credential Dumping: LSASS Memory – Extraction of credentials from LSASS memory using ProcDump.

  • T1021: Remote Services – Lateral movement with the harvested credentials over remote services (the specific protocol is not disclosed).

  • T1018: Remote System Discovery – Network scanning with netscan.exe.

  • T1560.001: Archive Collected Data: Archive via Utility – Compression of staged data with WinRAR prior to exfiltration.

  • T1041: Exfiltration Over C2 Channel – Exfiltration of the compressed archives. The sources do not name the channel; if the archives left via a separate upload service rather than the intrusion's command-and-control path, T1048 (Exfiltration Over Alternative Protocol) is the more accurate mapping.

  • T1486: Data Encrypted for Impact – Encryption of data as part of Everest's double extortion model (inferred from the group's playbook, not confirmed for this incident).

  • T1490: Inhibit System Recovery – Disruption of backups and recovery mechanisms (likewise inferred from the double extortion model, not reported for this incident).

These techniques are consistent with Everest’s historical operations against other high-profile targets, including McDonald's India, Chrysler, Asus, Iberia Airlines, Svenska kraftnät, Collins Aerospace, Dublin Airport, Coca-Cola (Middle East), and various healthcare entities (BankInfoSecurity, Hoplon InfoSec).
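The tool chain described in the Attack Lifecycle section and mapped above (ProcDump against LSASS, netscan.exe for discovery, WinRAR for staging) leaves a recognisable trail in Sysmon process telemetry. The following Python script is an added example, not code from the original report or from any of the cited sources: it runs three detections over Sysmon-style ProcessAccess (Event ID 10) and ProcessCreate (Event ID 1) records and then correlates them per host into one finding when the dump-then-stage chain appears. The event records, host names, command lines and the LSASS reader allowlist are all constructed for the example and are not taken from the Under Armour incident; the allowlist in particular is an assumption that must be tuned to the environment's own EDR and AV agents.

```python
"""Detect the Everest-style tool chain (ProcDump on LSASS, netscan.exe,
WinRAR staging) in Sysmon-style process events.

Added example; the event records below are constructed, not logs from the
Under Armour incident."""
import json
import ntpath
import shlex
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

# Sysmon Event ID 10 (ProcessAccess): any memory dump of lsass.exe needs
# PROCESS_VM_READ (0x0010).  0x1FFFFF (PROCESS_ALL_ACCESS) and 0x1010/0x1410
# are the masks ProcDump-style tools request.
PROCESS_VM_READ = 0x0010

# Processes that legitimately read LSASS memory on a typical Windows host.
# Assumption: tune to the environment (EDR sensors, AV engines, etc.).
LSASS_READER_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe"}

KNOWN_DUMPERS = {"procdump.exe", "procdump64.exe"}
SCANNERS = {"netscan.exe"}
ARCHIVERS = {"winrar.exe", "rar.exe"}


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK ID, or "chain" for the correlated finding
    severity: str
    host: str
    detail: str


def basename(path: Optional[str]) -> str:
    return ntpath.basename(path or "").lower()


def check_lsass_access(ev: dict) -> Optional[Finding]:
    """T1003.001: a non-allowlisted process opening lsass.exe with read rights."""
    if ev.get("EventID") != 10 or basename(ev.get("TargetImage")) != "lsass.exe":
        return None
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    if not granted & PROCESS_VM_READ:
        return None
    src = basename(ev.get("SourceImage"))
    if src in LSASS_READER_ALLOWLIST:
        return None
    sev = "critical" if src in KNOWN_DUMPERS else "high"
    return Finding("T1003.001", sev, ev["Computer"], f"{src} opened lsass.exe with 0x{granted:X}")


def check_process_create(ev: dict) -> Optional[Finding]:
    """T1003.001 / T1018 / T1560.001 from Sysmon Event ID 1 (ProcessCreate).
    OriginalFileName comes from the PE version resource, so a renamed
    procdump.exe is still caught."""
    if ev.get("EventID") != 1:
        return None
    image = basename(ev.get("Image"))
    original = (ev.get("OriginalFileName") or "").lower()
    cmd = ev.get("CommandLine", "")
    host = ev["Computer"]
    if image in KNOWN_DUMPERS or original.startswith("procdump"):
        sev = "critical" if "lsass" in cmd.lower() else "high"
        return Finding("T1003.001", sev, host, f"dump tool launched: {cmd}")
    if image in SCANNERS or "netscan" in original:
        return Finding("T1018", "medium", host, f"network scanner launched: {cmd}")
    if image in ARCHIVERS:
        # posix=False keeps Windows backslashes and quoted paths intact.
        args = shlex.split(cmd, posix=False)[1:]
        # 'a' (add) builds an archive; -hp/-p encrypt it, the usual staging sign.
        if args and args[0].lower() == "a":
            encrypted = any(a.lower().startswith(("-hp", "-p")) for a in args[1:])
            sev = "high" if encrypted else "medium"
            tag = " (encrypted)" if encrypted else ""
            return Finding("T1560.001", sev, host, f"archive created{tag}: {cmd}")
    return None


def analyze(events: List[dict]) -> List[Finding]:
    findings = [f for ev in events for f in (check_lsass_access(ev) or check_process_create(ev),) if f]
    # Correlate per host: credential dump followed by archive staging on the
    # same machine is the collection pattern the reporting describes.
    by_host = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.technique)
    for host, techs in sorted(by_host.items()):
        if {"T1003.001", "T1560.001"} <= techs:
            findings.append(Finding("chain", "critical", host,
                                    f"credential dump + archive staging on {host}: {sorted(techs)}"))
    return findings


def load_events(text: str) -> List[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample telemetry (JSON lines); WS01 carries the attack chain,
# WS02 shows a benign WinRAR extraction that must not fire.
SAMPLE_EVENTS = r"""
{"EventID": 10, "Computer": "WS01", "SourceImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 1, "Computer": "WS01", "Image": "C:\\Temp\\pd.exe", "OriginalFileName": "procdump", "CommandLine": "pd.exe -accepteula -ma lsass.exe C:\\Temp\\l.dmp"}
{"EventID": 10, "Computer": "WS01", "SourceImage": "C:\\Temp\\pd.exe", "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 1, "Computer": "WS01", "Image": "C:\\Temp\\netscan.exe", "OriginalFileName": "netscan.exe", "CommandLine": "netscan.exe /range:10.0.0.1-10.0.255.254"}
{"EventID": 1, "Computer": "WS01", "Image": "C:\\Program Files\\WinRAR\\Rar.exe", "OriginalFileName": "Rar.exe", "CommandLine": "\"C:\\Program Files\\WinRAR\\Rar.exe\" a -hpSt0l3n -r C:\\Temp\\out.rar \\\\FS01\\crm\\exports"}
{"EventID": 1, "Computer": "WS02", "Image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "OriginalFileName": "WinRAR.exe", "CommandLine": "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" x C:\\Users\\j\\Downloads\\vendor.rar"}
"""


def findings_for_sample() -> List[Finding]:
    return analyze(load_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for f in findings_for_sample():
        print(f"[{f.severity:8}] {f.host} {f.technique}: {f.detail}")
```

Run against the sample, the script reports the renamed ProcDump twice (once from its command line, once from the LSASS handle it opens), the scanner, the encrypted RAR staging, and a single correlated "chain" finding for WS01; the Defender engine's own LSASS access and the WinRAR extraction on WS02 stay silent. The important design choice is that none of the rules depend on the binary's file name alone: the handle-access rule fires on any unknown reader of lsass.exe, and the ProcessCreate rule keys on the PE OriginalFileName that Sysmon records.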

Impact Assessment

The breach has significant implications for customer privacy, business operations, and competitive intelligence. The exposure of PII increases the risk of identity theft and targeted phishing attacks against affected individuals. The leak of product catalog data, internal documents, and employee information could undermine Under Armour’s competitive position and supply chain security. The incident has also resulted in multiple class action lawsuits filed in federal courts in Maryland and Texas, alleging inadequate protection of customer data (BankInfoSecurity).

Affected Versions & Timeline

The breach was first publicly disclosed in November 2025, when the Everest ransomware group listed Under Armour as a victim on its data leak site. The group claimed to have exfiltrated 343 GB of data and provided sample data to support its claims. Under Armour acknowledged the incident and began an investigation with external cybersecurity experts in late 2025. The full extent of the breach, including the number of affected customers and the types of data compromised, became clear in January 2026 when the data was added to the Have I Been Pwned database and further details were published by security researchers (BankInfoSecurity, DataBreach.com, Hoplon InfoSec).

The specific systems and versions affected have not been disclosed by Under Armour. However, the breach did not impact UA.com, payment processing systems, or password storage systems, according to official statements (BankInfoSecurity).

Threat Activity

The Everest ransomware group is a well-organised cybercrime operation specialising in double extortion. In this incident, Everest combined credential harvesting, lateral movement, network scanning, data aggregation, and exfiltration. Its reported use of ProcDump to dump LSASS, netscan.exe for network discovery, and WinRAR for compression is consistent with its known tradecraft, and all three are legitimate tools that the group brings in or finds already installed rather than custom malware, which is why endpoint controls that rely on file reputation alone miss this stage of the intrusion.

Everest’s extortion strategy involved giving Under Armour a seven-day deadline to respond via Tox Messenger before escalating the threat by leaking data. When the company did not pay the ransom, Everest published the stolen data on its leak site and distributed it across multiple hacker forums and leak databases. The group’s actions have resulted in widespread dissemination of sensitive customer and employee information, as well as internal business documents (DataBreach.com, Hoplon InfoSec).

The group’s targeting of large, publicly traded companies in sectors such as retail, manufacturing, critical infrastructure, and healthcare demonstrates a pattern of seeking high-value victims with the potential for significant financial and reputational impact. Everest’s previous attacks on organizations such as McDonald's India, Chrysler, and Dublin Airport further illustrate their focus on high-profile targets (BankInfoSecurity, Hoplon InfoSec).

Mitigation & Workarounds

The following recommendations are prioritized by severity and are based on the technical analysis of the attack methods used in this incident:

Critical: Review and strengthen credential management. Enforce multi-factor authentication on every remote access path (VPN, RDP gateways, virtual desktop brokers, cloud consoles) and on all privileged accounts; audit and rotate administrative and service account credentials; and give every machine a unique local administrator password (for example via LAPS) so that one credential dumped from one host does not unlock the rest of the estate. This is the control that breaks the LSASS-dump-then-lateral-movement sequence reported here.

Critical: Deploy endpoint detection and response (EDR) tuned for credential dumping, and harden LSASS itself: enable LSA Protection (RunAsPPL), enable Credential Guard where the hardware supports it, and turn on the Defender attack surface reduction rule that blocks credential stealing from the Windows local security authority subsystem. Alert on any process other than an allowlisted security agent opening lsass.exe with read access (Sysmon Event ID 10), and on process creation where the PE OriginalFileName is procdump regardless of the name on disk. Train the SOC on these pre-encryption indicators rather than on the ransomware payload alone.

High: Restrict remote access tooling and limit administrative privileges to the users who need them. Treat netscan.exe and command-line WinRAR (rar.exe) as dual-use: block them with AppLocker or WDAC on hosts that have no business need for them, and alert on their execution elsewhere, matching on OriginalFileName as well as the file name so that a renamed copy is still caught.

High: Back up critical data regularly and keep the backups offline or in immutable storage that cannot be reached with domain credentials, so that a dumped domain administrator account cannot be used to delete them. Test restoration end to end to ensure business continuity in the event of ransomware or data destruction.

Medium: Conduct regular security awareness training for employees to recognize phishing attempts and social engineering tactics commonly used to obtain initial access.

Medium: Review and update incident response plans to include procedures for responding to ransomware and data extortion incidents. Ensure that legal, communications, and executive teams are prepared to coordinate a response to public data leaks and regulatory inquiries.

Low: Monitor dark web forums and leak sites for evidence of company data exposure, and use breach notification services such as Have I Been Pwned, whose domain search reports which corporate addresses appear in a loaded dataset. In this incident the leaked employee work addresses, team and location fields form a ready-made spear-phishing target list, so affected employees and customers should be warned promptly.

References

https://www.bankinfosecurity.com/ransomware-hackers-leak-under-armour-customer-data-a-30589 (January 23, 2026)

https://databreach.com/breach/under-armour-2025 (November 2025)

https://hoploninfosec.com/under-armour-data-breach (November 18, 2025)

About Rescana

Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor cybersecurity risks within their supply chain and vendor ecosystem. Our platform enables continuous risk assessment, automated evidence collection, and actionable reporting to support incident response and compliance efforts. For questions regarding this report or to discuss how our capabilities can support your organization’s risk management strategy, please contact us at ops@rescana.com.
