861 GB Stolen: Inside the Alleged Everest Ransomware Breach of McDonald’s India

Executive Summary

In 2024, McDonald’s India became the subject of a ransomware extortion claim by the Everest ransomware group.
The attackers alleged they successfully infiltrated McDonald’s India’s internal network, exfiltrated approximately 861 GB of sensitive data, and later deployed ransomware to pressure the organization into paying a ransom.

The stolen data reportedly included customer information, internal financial records, franchise and partner databases, audit documents, contracts, and internal communications. This incident followed the now-standard double-extortion ransomware model, where data theft occurs before file encryption.


What This Incident Was Really About

This attack was not simply about locking computers. The encryption stage was only the final step.

The real objective was:

  • Long-term unauthorized access
  • Theft of high-value business and customer data
  • Maximum leverage through extortion threats

By the time ransomware was deployed, the attackers already had what they wanted.


How the Breach Likely Unfolded

1. Initial Access

The attackers gained access through one or more of the following highly probable entry points:

  • A compromised VPN or remote access portal with weak or reused credentials
  • Lack of multi-factor authentication on remote access
  • Exposure of an unpatched internet-facing system
  • Stolen credentials obtained through phishing or prior breaches

This was almost certainly not a zero-day exploit, but rather exploitation of existing security gaps.


2. Establishing Persistence

After gaining access, the attackers ensured they would not be easily removed:

  • Created or modified user accounts
  • Installed remote access tooling
  • Scheduled tasks and services to maintain access
  • Avoided noisy activity to evade detection

This allowed them to remain inside the network for an extended period.


3. Internal Reconnaissance

The attackers carefully mapped the environment:

  • Identified Active Directory structure
  • Located file servers, databases, and backup systems
  • Mapped finance, franchise, HR, and operations systems
  • Discovered high-privilege accounts

This phase is typically slow and deliberate.


4. Privilege Escalation

Using credential theft and misconfigurations, the attackers escalated privileges to:

  • Domain administrator level
  • Full access to critical systems
  • Ability to disable security controls

At this point, the environment was effectively compromised.


5. Data Staging and Exfiltration

Before any encryption occurred:

  • Large volumes of data were collected
  • Files were compressed and encrypted into archives
  • Data was staged internally
  • Approximately 861 GB was exfiltrated to attacker-controlled infrastructure

This step caused the most lasting damage.


6. Ransomware Deployment

Only after data theft was complete did the attackers:

  • Deploy the Everest ransomware payload
  • Encrypt systems and network shares
  • Delete backups and shadow copies
  • Drop ransom notes across affected systems

The ransomware served as leverage, not the primary objective.


Malware and Tools Used

Ransomware Payload

  • Custom Everest ransomware binary
  • Strong encryption (AES + RSA)
  • Targets Windows systems
  • Disables recovery options
  • Renames files and drops ransom instructions

Supporting Tooling

  • PowerShell and Windows Management Instrumentation
  • Credential dumping utilities
  • Compression and archiving tools
  • Secure file transfer mechanisms
  • Native system binaries to evade detection

Most tooling blended in with legitimate system activity.


Anti-Malware and Security Controls

While enterprise-grade antivirus or EDR was likely deployed:

  • Security tools were bypassed, disabled, or ignored
  • Alerts may not have been escalated in time
  • Admin-level access allowed attackers to neutralize defenses
  • Legitimate system tools were abused to avoid detection

Security presence alone was not enough to stop the attack.


Impacted Data and Systems

Customer Information

  • Names and contact details
  • Order or loyalty-related data depending on system exposure

Financial and Corporate Data

  • Internal financial reports
  • Audit documentation
  • Revenue and expense analysis

Franchise and Partner Information

  • Franchise agreements
  • Partner databases
  • Commercial contracts and invoices

Internal Operations

  • Emails and internal communications
  • Strategic and operational documents

Even if payment data was not affected, the data exposure itself presents major risk.


Indicators of Compromise (IOCs)

Host-Based IOCs

  • Large archive files created in temporary or public directories
  • Unknown executables launched from user or temp folders
  • Encrypted files with unusual extensions
  • Ransom note files appearing across systems

Process and Execution IOCs

  • PowerShell executed with hidden windows and policy bypass
  • Credential dumping behavior targeting LSASS
  • Backup deletion commands
  • Scheduled task creation for persistence

Account and Identity IOCs

  • New admin accounts created unexpectedly
  • Service accounts used interactively
  • VPN logins without MFA enforcement
  • Authentication activity outside normal hours

Network IOCs

  • Large outbound data transfers to unfamiliar destinations
  • Sustained encrypted outbound connections
  • Lateral movement via SMB and RDP
  • Internal systems communicating abnormally

Backup and Recovery IOCs

  • Backup services stopped or deleted
  • Shadow copies removed
  • Recovery logs erased or modified
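As an added illustration of how the process, identity, network and backup indicators listed above translate into detection logic, here is a small rule set run over a handful of Sysmon-style records. This is example code written for this post, not tooling from the incident or from Aegiron; the record layout, field names, internal address ranges and sample values are all constructed assumptions.

```python
import ipaddress
import re

# Constructed Sysmon-like telemetry (process creation, process access, network
# flow). Field names and values are assumptions made for this example.
EVENTS = [
    {"ts": "2024-03-02T02:14:00", "type": "process", "user": "CORP\\svc_backup",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\Public\s.ps1"},
    {"ts": "2024-03-02T02:20:11", "type": "process", "user": "CORP\\admin2",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2024-03-02T02:21:40", "type": "process", "user": "CORP\\admin2",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /create /tn Updater /tr C:\Users\Public\u.exe /sc minute"},
    {"ts": "2024-03-02T02:25:03", "type": "process_access", "user": "CORP\\admin2",
     "image": r"C:\Users\Public\t.exe", "target": r"C:\Windows\System32\lsass.exe"},
    {"ts": "2024-03-02T09:30:00", "type": "process", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
    {"ts": "2024-03-02T03:05:00", "type": "netflow", "user": "",
     "src": "10.10.5.21", "dst": "203.0.113.77", "bytes_out": 42_000_000_000},
]

# Assumed corporate address space; any destination outside it counts as external.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _cmd(e):
    return e.get("cmdline", "").lower()

# One predicate per IOC from the lists above; each takes a single record.
RULES = {
    "powershell_hidden_bypass": lambda e: e["type"] == "process"
        and "powershell" in e["image"].lower()
        and re.search(r"-w(indowstyle)?\s+hidden", _cmd(e))
        and re.search(r"-e(p|xecutionpolicy)\s+bypass", _cmd(e)),
    "shadow_copy_deletion": lambda e: e["type"] == "process"
        and re.search(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", _cmd(e)),
    "scheduled_task_persistence": lambda e: e["type"] == "process"
        and "schtasks" in e["image"].lower() and "/create" in _cmd(e),
    "lsass_access": lambda e: e["type"] == "process_access"
        and e["target"].lower().endswith(r"\lsass.exe"),
    "large_external_egress": lambda e: e["type"] == "netflow"   # >= 1 GB leaving the estate
        and not any(ipaddress.ip_address(e["dst"]) in n for n in INTERNAL)
        and e["bytes_out"] >= 1_000_000_000,
}

def scan(events):
    """Return (rule, timestamp, user) for every record that trips a rule, oldest first."""
    hits = [(name, e["ts"], e["user"]) for e in events
            for name, match in RULES.items() if match(e)]
    return sorted(hits, key=lambda h: h[1])
```

Run against the sample set, the benign notepad launch produces no finding while the five attacker-style records each trip exactly one rule, which is the kind of time-ordered sequence an analyst would want surfaced early in the dwell period.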


Why This Incident Is Significant

  • The data volume indicates long dwell time
  • Franchise environments increase attack surface
  • Data theft creates lasting legal and reputational exposure
  • Encryption was only the final pressure tactic

This was a targeted, methodical intrusion, not random malware.


Summary

The attackers didn’t rush in and cause chaos.
They quietly entered, explored, copied what mattered, and only then locked systems to force payment.

By the time the ransomware appeared, the real damage was already done.


Final Takeaway

This incident demonstrates:

  • The evolution of ransomware into data-centric extortion
  • The importance of MFA, monitoring, and segmentation
  • How delayed detection dramatically increases impact

It is a textbook example of how modern ransomware groups operate against large, complex organizations.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.