Under Armour’s 72 million customer records hit the dark web on January 18, 2026, after the Everest ransomware group leaked names, emails, birthdates, and purchase histories. The sports apparel giant refused to pay the ransom demand, but waited four days before publicly acknowledging the breach—drawing criticism from cybersecurity experts for poor disclosure practices. The incident reveals a hard truth for enterprises: modern ransomware doesn’t need to encrypt your files to hold you hostage, and your backups won’t save you.
The Attack Timeline
The breach occurred in late 2025, but Under Armour’s troubles began when Everest added the company to its dark web leak site around November. The ransom demand came with a seven-day deadline. Under Armour refused. On January 18, 2026, Everest made good on its threat, dumping 72.7 million records onto cybercrime forums. The company finally acknowledged the breach on January 22—four days after the public leak.
The stolen data included names, email addresses, dates of birth, geographic locations, and purchase history. Passwords and payment information weren’t compromised, which is good. However, that’s cold comfort when millions of customers’ personal data is now circulating on the dark web, available to anyone willing to pay for it or use it for phishing campaigns.
Ransomware Evolved: Data Theft Beats Encryption
Here’s what makes this breach a wake-up call: Everest didn’t encrypt anything. They just stole data and threatened to leak it. This isn’t ransomware as most people understand it—there were no locked files, no frantic restoration from backups, no IT teams scrambling to decrypt systems. Just data theft, extortion, and a public leak when the victim refused to pay.
The numbers tell the story. According to cybersecurity research, 96% of ransomware incidents now involve data exfiltration. Moreover, in 2025, half of all ransomware attacks didn’t bother with encryption at all. The old playbook—encrypt files, demand ransom, victims restore from backups—has been replaced with something more profitable and harder to defend against: steal first, extort later.
Why the shift? Because backups don’t protect against data leaks. You can restore your systems in hours, but you can’t un-leak customer data. The liability persists even after successful recovery. Ransomware groups figured out that threatening to publish stolen data creates more pressure than locking files ever did. GDPR fines, customer lawsuits, reputational damage—these consequences outlast any downtime.
The Disclosure Problem
Under Armour’s technical response was adequate—they secured systems, investigated the breach, and confirmed that payment data wasn’t compromised. Nevertheless, their communication response was terrible. Troy Hunt, CEO of Have I Been Pwned, called out the company’s lack of a formal disclosure statement as “unusual, especially given the size of the organisation, the scale of the breach and the amount of time that has passed.”
California’s new 2026 breach notification law requires companies to notify consumers within 30 days and the Attorney General within 15 days. Europe’s GDPR enforcers are prioritizing transparency this year. Under Armour’s four-day silence and minimal acknowledgment—just “aware of data breach claims”—falls short of what customers deserve and what regulators increasingly demand.
Here’s the thing about disclosure: transparency affects customer trust more than the breach itself. Early, honest communication preserves trust. Conversely, delays and minimization create backlash. Under Armour is the victim of a crime, yes—but they also failed their customers by not communicating promptly and clearly.
Never Pay the Ransom
Under Armour made the right call by refusing to pay. The data shows why: 80% of organizations that pay ransomware demands get hit by a second attack, and almost half are targeted by the same group again. Furthermore, only 60% of victims regain data access on the first payment, while 32% end up paying additional ransoms. Eight percent never recover their data at all.
The FBI doesn’t support paying ransoms, though it also doesn’t support a blanket ban. Payment should be an absolute last resort because it funds future criminal activity and marks your organization as a willing target. Additionally, there’s no guarantee the criminals will actually deliver—you’re trusting thieves to keep their word.
Everest doesn’t even need victims to pay anymore. The group operates three revenue streams: data extortion, selling network access to other criminals (initial access brokering), and an insider recruitment program where they pay employees for credentials or system access. Recent targets include Nissan (900GB stolen) and Dublin Airport (1.5 million records). They’re diversified enough that a single victim refusing to pay barely dents their business model.
What Actually Protects Against Data Theft
If backups don’t solve modern ransomware, what does? You need data exfiltration prevention layered with traditional backup strategies. That means data loss prevention (DLP) systems monitoring for unusual file transfers, network segmentation limiting lateral movement, and strict access controls—like restricting backup file access to backup software only.
Detection tools matter as much as prevention. AI-powered systems can identify when legitimate transfer tools commonly abused for data theft (Rclone, Rsync, FTP/SFTP) are being used to move data out of the environment. Similarly, behavioral analysis spots anomalies, like files suddenly moving to unusual locations or external systems. Real-time endpoint monitoring catches exfiltration in progress, before terabytes leave your network.
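The two detection ideas above, a watchlist of transfer tools and a behavioral check on outbound volume, can be combined into a single rule so that neither fires on its own noise. The following is an added example, not code from the article or from any vendor product it mentions; the internal address ranges, per-host baselines, thresholds and the telemetry records are all constructed for illustration.

```python
"""Added example: score constructed endpoint flow telemetry for exfiltration.

Two signals are combined:
  1. a known transfer tool (the ones the article names) talking to an external host
  2. bulk outbound volume, per flow and per host against a daily baseline
Internal-only transfers are deliberately ignored so that rsync to the backup
target does not page anyone.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Optional

# Transfer tools the article lists as commonly abused for data theft.
TRANSFER_TOOLS = {"rclone", "rsync", "sftp", "ftp", "scp"}

# Assumed internal ranges; a real deployment takes these from asset inventory.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Assumed thresholds: one flow over 1 GB to the internet, or a host sending
# more than 10x its usual daily external volume, is worth an analyst's time.
EXTERNAL_BULK_BYTES = 1_000_000_000
BASELINE_FACTOR = 10.0

# Constructed baseline: usual bytes per day each host sends to external hosts.
HOST_BASELINE_BYTES = {
    "ws-042": 500_000_000,
    "ws-117": 200_000_000,
    "file-srv-01": 100_000_000,
}

# Constructed telemetry: one record per process-level flow summary.
SAMPLE_EVENTS = [
    {"host": "ws-042", "user": "jdoe", "proc": "chrome.exe",
     "dst": "142.250.74.36", "bytes_out": 2_400_000},
    {"host": "ws-042", "user": "jdoe", "proc": "outlook.exe",
     "dst": "10.1.2.3", "bytes_out": 8_000_000},
    {"host": "file-srv-01", "user": "svc_backup", "proc": "rsync",
     "dst": "10.0.5.20", "bytes_out": 50_000_000_000},   # internal backup job
    {"host": "file-srv-01", "user": "tmiller", "proc": "rclone",
     "dst": "203.0.113.45", "bytes_out": 12_000_000_000},  # tool + bulk + external
    {"host": "ws-117", "user": "asmith", "proc": "powershell.exe",
     "dst": "198.51.100.7", "bytes_out": 3_200_000_000},   # no tool match, bulk only
]


def is_external(dst: str) -> bool:
    """True when the destination lies outside the assumed internal ranges."""
    addr = ip_address(dst)
    return not any(addr in net for net in INTERNAL_NETS)


def score_event(ev: dict) -> Optional[dict]:
    """Return an alert for one flow, or None when nothing looks wrong."""
    if not is_external(ev["dst"]):
        return None
    reasons = []
    if ev["proc"].lower().removesuffix(".exe") in TRANSFER_TOOLS:
        reasons.append("known transfer tool contacting an external host")
    if ev["bytes_out"] >= EXTERNAL_BULK_BYTES:
        reasons.append(f"{ev['bytes_out'] / 1e9:.1f} GB sent to an external host in one flow")
    if not reasons:
        return None
    # A tool match plus an external destination is the strongest signal;
    # volume alone is worth a look but is also what a large legitimate upload looks like.
    severity = "high" if reasons[0].startswith("known transfer tool") else "medium"
    return {**ev, "severity": severity, "reasons": reasons}


def detect_exfiltration(events: list) -> list:
    """Per-flow alerts, highest severity first, then largest volume first."""
    alerts = [a for a in (score_event(e) for e in events) if a]
    return sorted(alerts, key=lambda a: (a["severity"] != "high", -a["bytes_out"]))


def hosts_over_baseline(events: list, baseline: dict, factor: float = BASELINE_FACTOR) -> dict:
    """Behavioral check: total external bytes per host against its daily baseline.

    Returns {host: ratio} for hosts above `factor` times their baseline. A host
    with no baseline at all is reported with an infinite ratio, since there is
    no evidence it should be sending anything out.
    """
    totals = defaultdict(int)
    for ev in events:
        if is_external(ev["dst"]):
            totals[ev["host"]] += ev["bytes_out"]
    flagged = {}
    for host, total in totals.items():
        expected = baseline.get(host, 0)
        if total > factor * expected:
            flagged[host] = total / expected if expected else float("inf")
    return flagged


if __name__ == "__main__":
    for alert in detect_exfiltration(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["host"], alert["user"], alert["proc"],
              "->", alert["dst"], "|", "; ".join(alert["reasons"]))
    for host, ratio in hosts_over_baseline(SAMPLE_EVENTS, HOST_BASELINE_BYTES).items():
        print(f"BASELINE {host}: {ratio:.0f}x usual external volume")
```

Run against the constructed records, the rsync job to the internal backup server produces nothing, the rclone session to an external address is flagged high on both tool and volume, and the PowerShell upload is caught only by the volume rule, which is the point: a process-name watchlist misses anything the attacker renames, so the behavioral threshold has to carry part of the load.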
Backups still matter—but they need to be immutable (write-once, preventing encryption or deletion), encrypted with AES-256, and air-gapped from your network. These protect against encryption-based ransomware and provide recovery options. However, understand this: they don’t stop data from being stolen in the first place.
By the time most organizations discover an intrusion, the data is already gone. Prevention and detection must be proactive, not reactive. The days of “we’ll just restore from backups” are over.
The Takeaway for Security Teams
Modern ransomware is about data theft, not encryption. Backups restore your systems but don’t prevent leaks. The liability from a data breach persists long after your infrastructure is back online. Under Armour’s 72 million leaked records prove that even major brands with security teams and resources aren’t immune.
The defense requires both prevention (DLP, segmentation, access controls) and detection (behavioral AI, endpoint monitoring, anomaly detection). Disclosure matters—communicate quickly, honestly, and clearly when breaches happen. Finally, never pay the ransom; the data shows it doesn’t work.
Your backups won’t save you anymore. It’s time to build defenses that actually address how ransomware works in 2026.