
Cyber Threat Radar – Under Armour is investigating a significant data breach after the Everest ransomware group claimed responsibility for stealing 340GB of sensitive data.
The attackers have given the company seven days to respond or risk seeing the stolen information leaked on the dark web.
A sample of the stolen data appears to include:
- Email Addresses
- Phone Numbers
- Physical Locations
- Passport Information
- Purchase Histories
- Marketing Files
Internal corporate documents covering product SKUs and business data were also allegedly exfiltrated.
The hackers posted a countdown alongside a warning to follow instructions before time runs out. No official comment has yet been released by Under Armour.
While the method of the breach has not been confirmed, the attackers claim to have accessed systems holding highly detailed customer and employee data. This raises questions about how such sensitive records, including passport information, were stored on a retail platform.
Everest Ransomware Group and the Rise of Double Extortion
This attack was claimed by the Everest group, a known ransomware operation linked to the BlackByte family. Everest has shifted its tactics over time, moving from encryption-only attacks to a double extortion model. That means victims face not only locked systems, but the threat of public data leaks unless ransoms are paid.
Everest demands payment in Monero, a cryptocurrency designed to be untraceable. Unlike Bitcoin transactions, Monero transactions are nearly impossible to follow. This choice reflects a growing trend among ransomware groups who aim to stay ahead of law enforcement efforts.
Previous Everest attacks have targeted multiple industries, from financial services to manufacturing. In each case, the group used pressure tactics and countdowns to extract payment quickly. Their use of AES and DES encryption methods suggests continued technical evolution.
The Under Armour data breach shows that retail companies are no longer safe from highly organized threat actors using advanced extortion techniques. With customer trust and brand reputation on the line, how companies respond to breaches matters more than ever.
Why Screen-Based Attacks Are the Next Frontier
“We do not know what specific tools were used in this breach,” commented Tim Royston-Webb, CEO, SentryBay. “But across the industry, threat actors are increasingly turning to AI-powered malware to bypass traditional defenses. This next generation of malware captures screen content frame by frame. Using Optical Character Recognition (OCR), it converts screenshots into structured data and extracts it using JSON. Anything visible on screen, like customer records, financial data, or live application sessions, becomes vulnerable.”
Even without accessing files, attackers can collect complete data records. Financial institutions, hospitals, and enterprise support teams are at high risk when working with sensitive material in browser-based or virtual environments.
The Under Armour data breach is another reminder that endpoint protection is critical in this evolving landscape.
SentryBay Blocks Screen Capture and Keystroke Attacks at the Source
SentryBay’s Armored Client neutralizes AI-powered screen capture threats before they begin. It prevents OCR-based malware from extracting content by blacking out screen regions at the system level. Even if screenshots are taken, the attacker sees only black pixels.
Armored Client also randomizes keystrokes before they reach the operating system. That stops keyloggers from capturing useful input, even in compromised environments.
As ransomware and data exfiltration tactics evolve, SentryBay ensures that what’s on screen stays protected.