Everest Ransomware Attacks McDonald’s, 861GB Data Stolen

21 January 2026 07:11

Yesterday, the Everest cybercriminal gang claimed responsibility for a cyberattack on McDonald’s on its Data Leak Site (DLS). In the post, the gang claims to have exfiltrated 861GB of data from the company’s IT infrastructure and threatens to release it within eight days.

We do not yet know whether this data actually belongs to the company, not least because there is still no press release about the incident on its website.

A countdown is active on the gang’s website, indicating that the post will be updated in one day. On that date, the gang will publish the list of files exfiltrated from the company’s IT infrastructure. The data will begin publishing after eight days.

To prove that access to the IT infrastructure was successful, the cyber gang provides a series of samples containing documents relating to the compromised company.

This, as RHC readers know, typically occurs before a ransom payment agreement has been finalized. By threatening to release the data in their possession, they increase pressure on the compromised organization, hoping for faster payment.

As we often report, anyone with ordinary PC skills can access the Darknet. This is worth stressing because many press releases issued after a ransomware gang publishes its data claim the opposite; this information is publicly available as an open source.

As we anticipated at the beginning of the article, at the time of writing there is no press release on the victim’s website warning of the cyber incident.

As is our custom, we’ll leave room for a statement from the company if they’d like to provide us with updates on this matter, and we’ll be happy to publish it in a dedicated article highlighting the issue.

RHC will monitor the development of the case and publish further news on the blog if there are any substantial developments. Anyone with knowledge of the matter who wishes to provide information anonymously can contact us via the whistleblower’s encrypted email address.

What is ransomware as a service (RaaS)?

Ransomware is a type of malware that is introduced into an organization’s systems to encrypt data and render those systems unavailable. Once the data is encrypted, the criminals demand a ransom from the victim, paid in cryptocurrency, to decrypt it.

If the victim refuses to pay the ransom, the criminals will proceed with double extortion, namely the threat of publishing sensitive data previously exfiltrated from the victim’s IT infrastructure.

The Everest ransomware

The Everest ransomware emerged in the second half of 2018 and has carried out attacks on several companies and large organizations; one example is the August 2021 attack on the Brazilian government, specifically on a network of the Attorney General of the National Treasury.

Everest ransomware is part of the Everest 2.0 family, which consists of Embrace, PainLocker, EvilLocker, and Hyena Locker ransomware.

The group uses the double extortion technique, seeking to increase the profits from their attacks. In this tactic, payment is demanded not only for the decryption key but also to protect the company’s data. This method is used by most ransomware.

The Everest ransomware uses spam email tactics: the victim’s spam folder is flooded with commercial emails from advertising companies, which increases the chance that the malicious email will land in the inbox instead of the spam folder.

These emails contain a Word or Excel file with “financial information” and a payload file containing malicious macros, which execute loaders to gain initial access to the system.

The cybergang has also been seen operating without ransomware at all, conducting extortion purely by exfiltrating data from victims’ IT systems: nothing is encrypted, but a ransom is demanded for deletion of the data.

How to protect yourself from ransomware

Ransomware infections can be devastating to an organization, and data recovery can be a difficult and time-consuming process that requires highly trained operators for reliable recovery. Even without a data backup, many recovery attempts have been unsuccessful.

Users and administrators are therefore advised to take the following preventive security measures to protect their networks from ransomware infections, listed in order of complexity:

  • Train staff through awareness courses;
  • Use a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and speed up the recovery process. Keep in mind that network-connected backups can also be affected by ransomware. Critical backups should be isolated from the network for optimal protection;
  • Keep your operating system and all software up to date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring they are patched with the latest updates significantly reduces the number of exploitable entry points available to an attacker;
  • Keep your antivirus software up to date and scan all software downloaded from the Internet before running it;
  • Restrict users’ ability (permissions) to install and run unwanted software applications and enforce the principle of “least privilege” across all systems and services. Restricting these privileges can prevent malware from running or limit its ability to spread across the network;
  • Avoid enabling macros in email attachments. If a user opens the attachment and enables macros, the embedded code will run malware on the computer;
  • Do not follow unsolicited web links in emails;
  • Never expose Remote Desktop Protocol (RDP) connections directly to the internet. If internet access is required, it must be mediated through a VPN;
  • Implement Intrusion Prevention Systems (IPS) and Web Application Firewalls (WAF) as perimeter protection around services exposed to the Internet;
  • Implement a natively automated XDR security platform, ideally supported by a 24/7 MDR service, enabling you to achieve complete and effective protection and visibility across endpoints, users, networks and applications, regardless of resources, team size or skill set, while also providing automated detection, correlation, analysis and response.
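The initial-access vector described above for Everest (Word or Excel attachments carrying malicious macros) and the advice not to enable macros both come down to one mail-gateway control: detect VBA inside an Office attachment before a user ever sees it. The following is an added example, not code from the article or from any product it mentions; it inspects the Office Open XML zip container for a `vbaProject.bin` part and for a macro-enabled content type, so a `.docm` renamed to `.docx` is still caught. The `build_sample` helper constructs a minimal stand-in package for the demo and is not a real document.

```python
import io
import zipfile

# OOXML content types that declare a macro-enabled Word document or Excel workbook.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
)


def inspect_ooxml(data: bytes) -> dict:
    """Report two independent macro signals in an OOXML (docx/xlsx family) attachment:
    a vbaProject.bin part in the zip container, and a macro-enabled content type."""
    result = {"is_ooxml": False, "vba_part": False, "macro_content_type": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return result  # a zip, but not an Office Open XML package
            result["is_ooxml"] = True
            result["vba_part"] = any(n.lower().endswith("vbaproject.bin") for n in names)
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["macro_content_type"] = any(t in types_xml for t in MACRO_CONTENT_TYPES)
    except zipfile.BadZipFile:
        pass  # legacy .doc/.xls (OLE2) or non-Office data: not handled by this check
    return result


def should_quarantine(data: bytes) -> bool:
    """Hold the attachment if either macro signal is present, whatever extension it claims."""
    info = inspect_ooxml(data)
    return info["vba_part"] or info["macro_content_type"]


def build_sample(macro: bool) -> bytes:
    """Constructed minimal OOXML package (not a real document) used only for this demo."""
    main_type = (MACRO_CONTENT_TYPES[0] if macro else
                 "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    types_xml = ('<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
                 'package/2006/content-types"><Override PartName="/word/document.xml" '
                 f'ContentType="{main_type}"/></Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", types_xml)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            zf.writestr("word/vbaProject.bin", b"\x00")  # placeholder bytes, not real VBA
    return buf.getvalue()
```

Legacy binary `.doc`/`.xls` files are OLE2 containers, not zips, so they need a separate parser; this check deliberately reports them as non-OOXML rather than as clean.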

Both individuals and organizations are discouraged from paying the ransom, as even after payment, cyber gangs may not release the decryption key, or recovery operations may be subject to errors and inconsistencies.

Cybersecurity is a serious matter and today it can profoundly undermine a company’s business.

Today we need to immediately change our mindset and think of cybersecurity as an integral part of business, not just after a cybersecurity incident.


The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.