The attack demonstrates continued escalation of double-extortion ransomware campaigns targeting multinational enterprises operating in India, with potential exposure of financial records, internal communications, and partner data.
The attackers stated that “personal data of your customers and internal documents were leaked into our storage,” including a “huge variety of personal documents and information of clients”. The stolen data reportedly contains internal records that could pose significant risks of identity theft and targeted phishing campaigns across the region.
2. Alleged Impact & Data Exposure
Everest ransomware operators claim to have exfiltrated approximately 861 GB of sensitive data from McDonald’s India infrastructure prior to encryption. The claimed data set reportedly includes:
- Financial and accounting records
- Internal corporate communications and audit data
- Pricing, procurement, and business intelligence documents
- Partner and investor contact databases across India, the US, UK, and Singapore
- Potential personally identifiable information (PII) of customers and employees
The exposure presents risks of financial fraud, corporate espionage, regulatory penalties, and reputational damage.
3. Threat Actor Profile: Everest Ransomware Group
- Russian-speaking ransomware-as-a-service (RaaS) operation active since ~2020
- Uses a double-extortion model (data theft followed by encryption)
- Employs bespoke ransomware builds and rotating infrastructure
- Targets multinational enterprises and critical infrastructure sectors
3.1 File and Malware Indicators
| Category | Indicator |
|---|---|
| Encrypted file extensions | .everest, .eggs |
| Ransom note filenames | EVEREST_README.txt, HOW_TO_DECRYPT.txt |
| Encryption method | AES + RSA hybrid encryption |
| Backup destruction | vssadmin delete shadows /all /quiet |
3.2 Backup and Recovery Tampering Commands
- vssadmin delete shadows /all /quiet (deletes all Volume Shadow Copies silently)
- wmic shadowcopy delete (same effect via WMI, often used when vssadmin is monitored)
- bcdedit /set {default} recoveryenabled no (disables the Windows Recovery Environment at boot)
3.3 Observed Tactics, Techniques and Procedures
- Initial access via RDP brute force or compromised credentials
- Active Directory reconnaissance over SMB/LDAP
- Lateral movement using SMB, RDP and PsExec
- Large outbound data transfers prior to encryption
- Exfiltration over Tor or attacker-controlled FTP infrastructure
3.4 Infrastructure Indicators
- Everest Tor-based leak portal (“Everest Blog”)
- Tor-based victim negotiation portals
- Affiliate-operated onion services with a high churn rate
4. Business, Regulatory and Reputational Impact
- Potential disruption to franchise operations, supply chain and corporate systems
- Compromise of ERP and financial platforms
- Potential violations of India’s Digital Personal Data Protection Act (DPDP Act) and, where EU or UK data subjects are affected, the GDPR and UK GDPR
- Exposure of investor and partner data could trigger contractual liabilities
- Public extortion campaign intended to pressure ransom payment
- Consumer trust degradation and brand impact
5. Detection and Mitigation Recommendations
5.1 Detection
- Monitor for the .everest and .eggs file extensions and the EVEREST_README.txt / HOW_TO_DECRYPT.txt ransom-note artifacts
- Detect shadow copy deletion and recovery tampering (vssadmin delete shadows, wmic shadowcopy delete, bcdedit recoveryenabled no) in process-creation telemetry
- Alert on unusually large outbound data transfers to unknown destinations
- Detect Tor traffic within enterprise networks
- Monitor anomalous RDP authentication attempts, such as bursts of failed logons from a single source
5.2 Mitigation
- Remove unnecessary RDP exposure, especially to the internet, and enforce MFA on remaining remote access
- Implement immutable, offline backups and test restoration regularly
- Deploy EDR with behavioural ransomware blocking
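The detection items above, together with the backup-tampering commands and TTPs listed in the threat actor profile, expressed as runnable detection logic. This is an added example, not tooling from the original report or from any cited source: it runs over constructed sample telemetry in a simplified dict form, and the field names (type, host, cmdline, path, src_ip, dst_ip, dst_port, bytes_out, logon_type, success), internal address ranges, and thresholds are assumptions that must be mapped and tuned to your own SIEM/EDR schema.

```python
"""Detections for the Everest indicators in this advisory (added example, not the report's tooling).
Field names, internal ranges and thresholds are assumptions; map them to your SIEM/EDR schema."""
import ntpath
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# File and ransom-note indicators from the advisory's indicator table
RANSOM_EXTENSIONS = {".everest", ".eggs"}
RANSOM_NOTES = {"everest_readme.txt", "how_to_decrypt.txt"}

# Backup/recovery tampering commands; patterns tolerate .exe suffixes, case and
# extra whitespace because the tools are usually launched through cmd.exe /c
BACKUP_TAMPER_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "bcdedit_recovery_disabled": re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
}

# Assumed internal address space; any other destination counts as unknown/external
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXFIL_BYTES_THRESHOLD = 5 * 1024 ** 3  # outbound bytes per host per window; tune per environment
TOR_DEFAULT_PORTS = {9001, 9030}       # default Tor ORPort/DirPort: a weak hint, not proof of Tor
RDP_FAILURE_THRESHOLD = 20             # failed logon-type-10 (RDP) attempts from one source


def detect_backup_tampering(events):
    """Flag process-creation events whose command line matches a tampering pattern."""
    return [(name, ev["host"], ev["cmdline"])
            for ev in events if ev.get("type") == "process"
            for name, pattern in BACKUP_TAMPER_PATTERNS.items() if pattern.search(ev["cmdline"])]


def detect_ransomware_artifacts(events):
    """Flag file-creation events matching the Everest extensions or ransom-note names."""
    hits = []
    for ev in events:
        if ev.get("type") != "file":
            continue
        base = ntpath.basename(ev["path"])  # ntpath handles Windows paths on any OS
        if ntpath.splitext(base)[1].lower() in RANSOM_EXTENSIONS:
            hits.append(("encrypted_file", ev["host"], ev["path"]))
        elif base.lower() in RANSOM_NOTES:
            hits.append(("ransom_note", ev["host"], ev["path"]))
    return hits


def detect_exfil_and_tor(events):
    """Sum outbound bytes per host to external destinations; also flag default Tor ports."""
    out_bytes, hits = defaultdict(int), []
    for ev in events:
        if ev.get("type") != "flow" or any(ip_address(ev["dst_ip"]) in n for n in INTERNAL_NETS):
            continue
        out_bytes[ev["host"]] += ev["bytes_out"]
        if ev["dst_port"] in TOR_DEFAULT_PORTS:
            hits.append(("possible_tor", ev["host"], f'{ev["dst_ip"]}:{ev["dst_port"]}'))
    hits += [("large_outbound_transfer", h, f"{b / 1024 ** 3:.1f} GiB")
             for h, b in out_bytes.items() if b >= EXFIL_BYTES_THRESHOLD]
    return hits


def detect_rdp_bruteforce(events):
    """Count failed RDP (logon type 10) attempts per source address."""
    failures = defaultdict(int)
    for ev in events:
        if ev.get("type") == "logon" and ev["logon_type"] == 10 and not ev["success"]:
            failures[ev["src_ip"]] += 1
    return [("rdp_bruteforce", src, f"{n} failures")
            for src, n in failures.items() if n >= RDP_FAILURE_THRESHOLD]


def run_all(events):
    """Run every detector over one batch and return alerts keyed by detector name."""
    return {"backup_tampering": detect_backup_tampering(events),
            "ransomware_artifacts": detect_ransomware_artifacts(events),
            "exfil_and_tor": detect_exfil_and_tor(events),
            "rdp_bruteforce": detect_rdp_bruteforce(events)}


# Constructed sample telemetry for the demo; hostnames and addresses are invented
GiB = 1024 ** 3
SAMPLE_EVENTS = [
    {"type": "process", "host": "SRV-ERP-01", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "process", "host": "SRV-ERP-01", "cmdline": "cmd.exe /c wmic shadowcopy delete"},
    {"type": "process", "host": "SRV-ERP-01", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"type": "process", "host": "WS-HR-02", "cmdline": "vssadmin.exe list shadows"},  # benign admin use
    {"type": "file", "host": "SRV-ERP-01", "path": r"D:\Finance\Q3_ledger.xlsx.everest"},
    {"type": "file", "host": "SRV-ERP-01", "path": r"D:\Finance\EVEREST_README.txt"},
    {"type": "file", "host": "WS-HR-02", "path": r"C:\Users\priya\notes.txt"},  # benign
    {"type": "flow", "host": "SRV-ERP-01", "dst_ip": "198.51.100.20", "dst_port": 21, "bytes_out": 3 * GiB},
    {"type": "flow", "host": "SRV-ERP-01", "dst_ip": "198.51.100.20", "dst_port": 21, "bytes_out": 3 * GiB},
    {"type": "flow", "host": "SRV-FILE-03", "dst_ip": "10.20.0.5", "dst_port": 445, "bytes_out": 8 * GiB},  # internal
    {"type": "flow", "host": "WS-FIN-07", "dst_ip": "198.51.100.77", "dst_port": 9001, "bytes_out": 4096},
] + [
    {"type": "logon", "host": "SRV-RDP-01", "src_ip": "203.0.113.45", "logon_type": 10, "success": False}
    for _ in range(25)
] + [
    {"type": "logon", "host": "SRV-RDP-01", "src_ip": "10.0.5.9", "logon_type": 10, "success": False}
    for _ in range(3)
]

if __name__ == "__main__":
    for detector, alerts in run_all(SAMPLE_EVENTS).items():
        for alert in alerts:
            print(detector, *alert)
```

On the sample batch the script raises all three tampering detections from SRV-ERP-01 but not the benign `vssadmin list shadows`, flags the `.everest` file and the ransom note, aggregates the two 3 GiB FTP flows into a 6 GiB external transfer while ignoring the larger internal backup job, tags the port-9001 flow as a possible Tor connection, and reports the 25 failed RDP logons from 203.0.113.45. The Tor port check is deliberately labelled a weak heuristic; in production, match destinations against a current Tor relay list instead.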
6. Intelligence Gaps and Confidence
- No publicly confirmed malware hashes or C2 infrastructure have been disclosed for this incident
- McDonald’s India has not publicly confirmed the breach or its scope
- Attribution is currently based solely on the threat actor’s own claim
7. Assessment
This incident highlights Everest’s continued focus on high-value APAC enterprise targets and the broader trend toward data-theft-driven extortion. If negotiations fail, public release of the stolen data is likely, consistent with Everest’s historical campaigns.
References
- Cybernews: Everest ransomware claims McDonald’s India breach
- SC Media: Evidence screenshots and data exposure claims
- Cyber Press and OSINT breach-tracking platforms confirming the leak-site listing