Everest gang claims BMW hack

19.09.2025 3 minutes Author: Newsman

Hacking group Everest has issued a ransom demand against BMW (as well as Mini and Rolls-Royce), claiming to have stolen “key audit documents” and setting timers with deadlines of 24-48 hours. This is the second attack on a premium automaker in less than a month, following the incident with Jaguar Land Rover (JLR), and part of a wider wave of attacks on luxury brands from Clarins to Kering (Gucci, Balenciaga, etc.).

  • BMW’s entry appeared on the Everest darknet blog on September 14: the attackers threaten to make the page “inaccessible” after the timer expires and demand that a company representative contact them for instructions before the second timer expires.
  • Everest does not say whether personal customer data is involved; it refers only to “audit materials”, which are potentially confidential internal documents.
  • In 2025 ransomware operators are targeting the luxury segment: public disclosures about Clarins (data on 600,000 customers in the US, France, and Canada was reported), a confirmed large-scale leak at Kering, and reports of incidents at LVMH (Louis Vuitton, Dior), Chanel, Pandora, and others.
  • According to monitoring tools, Everest has recorded 248 victims since 2023 and more than 100 in the last 12 months, previously claiming attacks on AT&T, Mailchimp, Pacific HealthWorks, and Middle Eastern organizations.
  • The motive is not only money: attacks on brands with a high reputational stake create public pressure, which increases the likelihood of negotiation and ransom payment.

What this means for the market

  1. Luxury brands have a large digital attack surface: global supply chains, numerous contractors, dealer networks.
  2. Audit and compliance document sets are valuable prey: they contain risk maps, internal procedures and known vulnerabilities.
  3. Reputational blackmail works more powerfully than pure data encryption: public “counters” in onion blogs increase pressure on management.

  • BMW Group: ~160 thousand employees, >30 production sites in 15 countries; in 2024 — >2.4 million cars, ~30% of sales in China; has sub-brands Mini and Rolls-Royce (since 2003).
  • Everest has been active since 2021 and is attributed ties to the BlackByte ecosystem. Its typical TTP is leak-and-extort: exfiltration, a public entry on the leak site, countdown timers, “samples” of data for validation, then bargaining.
  • 2025 has brought a wave of attacks on the luxury sector (retail, cosmetics, fashion, auto), as well as on corporations critically dependent on supply chains, which complicates the response.

The BMW case confirms that the luxury segment is a priority target for ransomware operators because of the high cost of downtime and the reputational risk. Companies need tighter supplier control, network segmentation, end-to-end logging of data egress so that exfiltration can be reconstructed, regular table-top exercises for crisis communications, and agreed rules for public interaction if an entry appears on a darknet leak blog. Organizations that hold audit document sets should implement KG-classification of sensitive documents, watermarking, and DLP with behavioral triggers; this reduces the chances of successful blackmail.
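The “DLP with behavioral triggers” and “end-to-end logging of data egress” recommendations above are abstract, so here is an added example (not from the article, and not any vendor's product) of what such a trigger looks like in practice: a per-host egress baseline built from proxy or firewall logs, with alerts when a host's daily outbound volume jumps far above its median or when a large transfer goes to a destination that host has never used. The log format, host names, destinations and byte counts are all constructed for the example.

```python
"""Behavioural egress trigger for suspected bulk exfiltration.

Added example, not the article's or any vendor's code. The log format
(ISO timestamp, source host, destination, bytes out) is hypothetical;
the sample lines below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
import statistics

# Constructed sample egress records: three quiet baseline days, then an
# observed day on which one workstation pushes gigabytes to an unknown host.
SAMPLE_EGRESS_LOG = """\
2025-09-10T09:01:00 fin-ws-17 sharepoint.corp.example 120000
2025-09-10T14:30:00 fin-ws-17 mail.corp.example 95000
2025-09-11T10:12:00 fin-ws-17 sharepoint.corp.example 180000
2025-09-11T16:45:00 fin-ws-17 mail.corp.example 60000
2025-09-12T09:20:00 fin-ws-17 sharepoint.corp.example 150000
2025-09-10T11:00:00 eng-ws-03 git.corp.example 4000000
2025-09-11T11:00:00 eng-ws-03 git.corp.example 5500000
2025-09-12T11:00:00 eng-ws-03 git.corp.example 4800000
2025-09-14T02:13:00 fin-ws-17 files.cloud-share.example 2400000000
2025-09-14T02:20:00 fin-ws-17 files.cloud-share.example 1900000000
2025-09-14T11:00:00 eng-ws-03 git.corp.example 5100000
2025-09-14T11:05:00 eng-ws-03 pkg-mirror.corp.example 2000
"""

# Days used to learn what "normal" looks like for each host (constructed).
BASELINE_DAYS = {"2025-09-10", "2025-09-11", "2025-09-12"}


@dataclass
class EgressEvent:
    day: str      # YYYY-MM-DD, taken from the timestamp
    host: str     # internal source host
    dest: str     # external or internal destination
    nbytes: int   # bytes sent outbound


def parse_egress_log(text):
    """Parse the hypothetical four-column egress log into events."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, dest, nbytes = line.split()
        events.append(EgressEvent(ts[:10], host, dest, int(nbytes)))
    return events


def build_baseline(events, baseline_days):
    """Per host: median daily bytes out and the set of destinations seen."""
    daily = defaultdict(lambda: defaultdict(int))   # host -> day -> bytes
    dests = defaultdict(set)                         # host -> destinations
    for e in events:
        if e.day in baseline_days:
            daily[e.host][e.day] += e.nbytes
            dests[e.host].add(e.dest)
    return {host: (statistics.median(per_day.values()), dests[host])
            for host, per_day in daily.items()}


def detect_exfiltration(log_text, baseline_days, volume_factor=5.0,
                        new_dest_min_bytes=50_000_000):
    """Return sorted (day, host, reason, bytes) alerts for non-baseline days.

    Two triggers: daily volume above volume_factor x the host's median, and
    a transfer of at least new_dest_min_bytes to a destination the host never
    used during the baseline. Small first contacts (package mirrors, new
    internal services) stay below the byte floor and do not alert.
    """
    events = parse_egress_log(log_text)
    baseline = build_baseline(events, set(baseline_days))
    daily_total = defaultdict(int)   # (day, host) -> bytes
    dest_total = defaultdict(int)    # (day, host, dest) -> bytes
    for e in events:
        if e.day in baseline_days:
            continue
        daily_total[(e.day, e.host)] += e.nbytes
        dest_total[(e.day, e.host, e.dest)] += e.nbytes

    alerts = []
    for (day, host), total in daily_total.items():
        median, _ = baseline.get(host, (None, set()))
        if median is not None and total > volume_factor * median:
            alerts.append((day, host, "volume", total))
    for (day, host, dest), total in dest_total.items():
        _, known = baseline.get(host, (None, set()))
        if dest not in known and total >= new_dest_min_bytes:
            alerts.append((day, host, "new-destination:" + dest, total))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect_exfiltration(SAMPLE_EGRESS_LOG, BASELINE_DAYS):
        print(alert)
```

Run against the constructed log, the finance workstation trips both triggers on 2025-09-14 (4.3 GB in a day against a median of about 215 KB, all of it to a never-seen file-sharing host), while the engineering workstation's routine pushes to the internal git server and a 2 KB first contact with a package mirror produce nothing. In a real deployment the baseline would be rebuilt on a rolling window and the thresholds tuned per host class, but the two checks are exactly the kind of behavioral trigger the article's recommendation refers to.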
