BMW claimed by Everest gang: Have luxury brands become the latest ransomware trend?


German high-end car manufacturer BMW Group was claimed by the Everest ransomware group on Wednesday, making it the second luxury auto brand to be targeted by hackers in less than a month.


Headquartered in Munich, the 109-year-old car and motorsport manufacturer appeared on the ransomware group’s dark leak blog on Sunday.


With very little information provided on the public portion of its onion site, Everest states that it has pilfered an undisclosed amount of “Critical BMW Audit Documents” from the luxury automaker’s servers.

The post also includes a countdown clock, dated September 14th, that, as of Wednesday, shows less than 24 hours left before “the recording” will become unavailable.

The cybercriminals also provide another countdown clock, with just over 48 hours on it, stating a “Company representative should follow the instructions to contact us before time runs out.”

Everest leak site. Image by Cybernews.

BMW manufactures its own branded vehicles, including its Motorrad motorcycle division, as well as Mini and Rolls-Royce cars, which it acquired in 2003.

In 2024, the premier automaker produced more than 2.4 million cars worldwide, according to Best Selling Cars, with China accounting for 30% of those purchases, and had an annual revenue of over €142 million.

Everest did not reveal in its victim post whether any of the purportedly stolen data contains private customer information.

Cybernews Senior Information Security Researcher Aras Nazarovas explained that “we need to wait until Everest releases a sample of the alleged stolen data to get a better idea of the scope of the breach.”


However, Nazarovas points out that in the group’s leak post, “they mention the data is audit-related, which could mean lots of sensitive documents, but could also be a mistranslation, which is common for Everest.”

Cybernews has reached out to BMW for comment and is awaiting a response.


On August 31st, Jaguar Land Rover (JLR) was hit by a ransomware attack that forced the company to “proactively shut down” its systems, incapacitating the high-end auto manufacturer’s retail arm, as well as operations at multiple production facilities.

The cyberattack, since claimed by Scattered Spider and Shiny Hunters, the hacker gangs linked to the Salesforce and M&S attacks, is moving into its third week. JLR announced on Wednesday that it would continue to pause operations while restoration efforts continue at pace, telling staff to remain at home.

With close to 160,000 employees, the BMW Group website states it has over 30 manufacturing sites across 15 countries.

Everest follows luxury target trend

Global luxury manufacturers have been a huge get for hacker groups so far in 2025, exposing high-end customers with big bank accounts, who are tracked spending tens of thousands on their favorite brands.

Earlier this week, Everest posted the French luxury skincare giant Clarins on its leak site, claiming to have exfiltrated the sensitive details of over 600,000 of the company’s customers.

The cybercriminals claimed the stolen data covers the company’s customers in the USA, France, and Canada.


Also this week, Kering, the parent of luxury fashion houses Gucci, Balenciaga, McQueen, Saint Laurent, and others, confirmed on Monday that it was the victim of a massive breach in April; Shiny Hunters claimed the attack, along with 7.4 million files of stolen customer data.

Multiple luxury brands have joined the fray, including French houses Louis Vuitton and Dior, part of the LVMH group, Chanel, and the Danish jewelry-maker Pandora, in what have become highly publicized attacks designed not only for financial gain but also to tarnish those brands' reputations.

All the aforementioned luxury companies were believed to have been compromised in the Salesforce hacking campaign.

Who is Everest?

According to Cybernews’ dark web monitoring tool, Ransomlooker, Everest has listed 248 victims on its dark blog since 2023, with over 100 victims in the past 12 months, making it one of the most prolific cybercrime cartels.

The Everest ransomware group has claimed over 100 victims in the past 12 months, as shown on the Cybernews Ransomlooker tool. Image by Cybernews.

First spotted in 2021, Everest first made headlines after the October 2022 attack on the American telecommunications behemoth AT&T. At the time, the group said it had access to AT&T’s entire corporate network.

Most recently, Everest claimed responsibility for an attack on Allegis Group, a multi-billion-dollar talent management group, and a spate of attacks targeting the Middle East, including Coca-Cola’s Middle East division, the Abu Dhabi Department of Culture and Tourism, and the Jordan Kuwait Bank (JKB).

The gang has also targeted US-based Pacific HealthWorks, the North American gourmet cookie shop chain Crumbl, email marketing behemoth Mailchimp, and the US hotel chain Radisson Country Inn and Suites.

The hacker cartel is believed to be connected to the BlackByte ransomware group.

