Data Breaches | January 14, 2026 | 3 min read

Everest Gang Claims 900GB Nissan Breach, Sets 5-Day Deadline

Russia-linked ransomware group posts samples allegedly from Nissan's internal systems including dealership records and financial documents.

Sarah Mitchell

The Everest ransomware group claims to have stolen 900GB of internal data from Nissan Motor Corporation, posting proof samples to its dark web leak site on January 10. The Russia-linked cybercrime operation has given the automaker five days to respond before releasing the full dataset.

Nissan has not publicly confirmed or denied the breach. The company did not respond to requests for comment.

What Everest Claims to Have

The ransomware group shared six screenshots allegedly taken from the exfiltrated data. According to researchers at Cybernews who reviewed the samples, the evidence includes:

  • Directory structures showing ZIP archives, text files, Excel spreadsheets, and CSV documents
  • Spreadsheets listing dealership names, addresses, and program details
  • File types including encrypted PGP files, suggesting the attackers may have grabbed backup archives
  • References to what Everest describes as financial records, audit reports, and operational system folders

The samples don't definitively prove a breach of Nissan's core systems. But dealership data and operational records would be consistent with either direct network access or compromise of a connected business system.

Everest's Track Record

This isn't the group's first high-profile automotive claim. Everest previously targeted Chrysler over Christmas, claiming to have stolen over a terabyte of data including Salesforce records, customer service audio recordings, and recall case documentation.

The group has also claimed responsibility for breaches at ASUS, Iberia Airlines, Under Armour, Petrobras, and AT&T. When victims don't pay, Everest follows through—the ASUS dataset was dumped on Russian cybercrime forums after the deadline passed.

Everest operates as a ransomware-as-a-service platform, meaning affiliate operators conduct the actual intrusions while the core group provides infrastructure and handles extortion. This model makes attribution to specific attackers difficult, but the group's overall profile points to Russian-speaking operators.

Nissan's Ongoing Cybersecurity Challenges

If confirmed, this would be the third major cybersecurity incident affecting Nissan in recent months.

In December, the automaker disclosed that attackers accessed data on 21,000 customers through a breach of Red Hat's GitLab infrastructure. That incident was part of a larger compromise affecting multiple Red Hat enterprise customers.

Earlier in 2025, the Qilin ransomware group separately claimed to have exfiltrated 4TB from Nissan CBI, a design subsidiary in Tokyo. Prior to that, Nissan's Oceania division confirmed an Akira ransomware attack affecting over 100,000 customers in Australia and New Zealand.

The pattern suggests either persistent vulnerabilities in Nissan's security posture, weaknesses in connected vendor relationships, or both. Automotive supply chains are notoriously complex—a single manufacturer may have data relationships with hundreds of suppliers, dealers, and partners, each representing potential attack surface.

The 5-Day Clock

Everest's public deadline pressure is standard ransomware playbook. By announcing the breach publicly and setting a short timeline, the group maximizes pressure on Nissan's leadership to engage in negotiations.

Whether Nissan will pay, negotiate, or refuse remains unclear. The company's silence is typical for organizations in active extortion situations—legal counsel usually advises against public statements while negotiations (if any) are ongoing.

What's certain is that Everest has demonstrated willingness to dump stolen data when demands aren't met. If Nissan is genuinely compromised, 900GB of internal records appearing on cybercrime forums would create significant exposure for dealership partners, employees whose data may be included, and customers whose information flowed through affected systems.

Organizations doing business with Nissan or its dealership network should monitor for follow-up disclosures and be prepared for potential downstream exposure if the data surfaces publicly.
