Everest Ransomware Claims Massive 1TB Chrysler Data Heist in Holiday-Timed Cyberattack

Aegiron 9 mins0

Incident Overview

On December 25, 2025, the Everest ransomware group published a post on its dark-web leak site claiming it had breached systems belonging to Chrysler and exfiltrated 1,088 GB (over 1 terabyte) of internal data.

The date matters. Ransomware groups regularly time attacks around major holidays, when security and incident-response staffing is often reduced. Posting the claim on Christmas Day increases pressure on the victim while limiting immediate response options.

As of December 28, 2025, neither Chrysler nor its parent company Stellantis has publicly confirmed or denied the incident. At this stage, the claims remain unverified, which is common early in ransomware investigations.

What Data Everest Claims Was Stolen

Based on Everest’s leak-site description and screenshots reviewed by security researchers, the attackers allege access to four years of data (2021–2025).

Claimed Volume & Scope

  • Total data: 1,088 GB
  • Coverage period: 2021–2025
  • Salesforce / CRM data: 105+ GB

Allegedly Compromised Data Types

Customer Personal Information (PII)

  • Names
  • Phone numbers
  • Email addresses
  • Physical addresses

Vehicle & Ownership Records

  • VINs (Vehicle Identification Numbers)
  • Vehicle details and ownership information

CRM & Salesforce Data

  • Customer interaction histories
  • Call outcomes (voicemail left, callback scheduled, disconnected)
  • Detailed service timelines and agent notes

Recall Case Information

  • Customer recall conversations
  • Interpreter usage notes
  • Dealership coordination records
  • Appointment scheduling and follow-ups

Dealer Network & Internal Operations

  • Dealer coordination documentation
  • Internal FTP paths
  • References to internal tools and workflows

Employee / HR Data

  • Employee names
  • Corporate email addresses
  • Employment status (active or separated)
  • Activity timestamps

Audio Recordings

  • Everest claims possession of recorded customer service calls and has threatened to release them publicly if ransom demands are not met.

If these claims are accurate, the exposure would affect customers, employees, and dealership partners, with potential implications for privacy, fraud risk, and regulatory compliance.

Evidence Shown by the Attackers

To support its claims, Everest published screenshots that reportedly show:

  • Structured databases and internal spreadsheets
  • Directory trees from internal file servers
  • CRM and Salesforce exports
  • Agent work logs documenting customer calls and recall handling
  • Internal references to dealer networks, automotive brands, and recall programs

While screenshots alone do not prove the full scope of a breach, they are typically used to demonstrate real internal access, at least to some systems.

Who Is the Everest Ransomware Group?

Everest is a well-established ransomware operation, active since December 2020.

Background & Operations

  • Believed to be Russian-speaking (no confirmed state affiliation)
  • Transitioned from a traditional ransomware group into a hybrid model that also acts as an Initial Access Broker (IAB)
  • Known for aggressive double-extortion tactics

Technical Characteristics

  • Extortion model: Data theft plus encryption threats
  • Preferred payment: Monero (XMR) for anonymity
  • Encryption: AES/DES
  • File extension: .EVEREST
  • Victim count: 250+ since 2023, with more than 100 in the last 12 months

Common Attack Techniques

Initial Access

  • Phishing and stolen credentials
  • Credential stuffing
  • Exploitation of exposed or vulnerable public-facing applications
  • RDP compromise
  • Purchasing access from insiders (including profit-sharing offers)

Lateral Movement & Control

  • RDP using compromised accounts
  • Credential dumping with tools like ProcDump
  • Network discovery utilities
  • Command-and-control via Cobalt Strike and commercial remote-access tools (AnyDesk, Splashtop, Atera)

Notable Organizations Previously Linked to Everest Claims

Everest has publicly claimed responsibility for attacks against a wide range of high-profile targets, including:

  • NASA
  • Brazilian Government
  • Coca-Cola Europacific Partners
  • Collins Aerospace (September 2025 — disruptions reported at European airports)
  • AT&T (576,000 job applicant records claimed)
  • Dublin Airport (1.5 million passenger records claimed)
  • Svenska Kraftnät
  • Under Armour
  • Petrobras

This victim profile shows a clear focus on large enterprises, government entities, and critical infrastructure.

Important Context: Stellantis’ Earlier Breach

This incident comes only months after Stellantis confirmed a separate breach in September 2025, attributed to the ShinyHunters group. That earlier incident involved a third-party Salesforce environment and exposed customer contact data.

Although Stellantis stated that no financial or highly sensitive personal data was accessed at that time, the similarities are notable. The alleged Everest incident appears separate, but it reinforces concerns about CRM and third-party platform security across the automotive sector.

Current Status (as of December 28, 2025)

  • Official response: None from Chrysler or Stellantis
  • Leak-site timer: Active, with a threat of full public data release
  • Legal activity: Law firms are reportedly investigating potential class-action claims
  • Verification: Claims remain unconfirmed pending company disclosure or independent forensic validation

SOC & Incident Response Guidance

For security teams monitoring for related activity, Everest’s known tactics provide several useful detection points.

Detection Opportunities

  • Unusual or excessive access to Salesforce or CRM systems
  • Unauthorized remote-access tool installations
  • Signs of credential dumping or LSASS access
  • Abnormal RDP login patterns (time, source, or frequency)
  • Large outbound data transfers to unfamiliar destinations

Example KQL Query Concepts (Microsoft Sentinel)

// Detect potential credential dumping activity
DeviceProcessEvents
| where ProcessCommandLine has_any ("procdump", "lsass", "sekurlsa")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine

// Identify unusual RDP authentication patterns
SigninLogs
| where AppDisplayName == "Windows Sign In"
| where ResultType == 0
| summarize count() by UserPrincipalName, IPAddress, bin(TimeGenerated, 1h)
| where count_ > 10

These queries are not definitive on their own but can help surface early indicators of compromise consistent with Everest-style intrusions.

Final Takeaway

At this stage, the Chrysler incident remains a serious but unconfirmed ransomware claim. However, the scale of data alleged, the presence of Salesforce and CRM systems, and Everest’s established history with major global organizations make the situation one to watch closely.

Regardless of final confirmation, the case highlights ongoing risks around:

  • Holiday-timed ransomware attacks
  • Centralized CRM data stores
  • Third-party and supply-chain exposure

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.