EVEREST RANSOMWARE GROUP CLAIMS BREACH OF CRUMBL COOKIE CHAIN

The Everest ransomware group has allegedly breached Crumbl, the North American gourmet cookie franchise, and posted the company on its dark web leak site Wednesday. Alongside the post, the group shared two sample files that appear to originate from an internal employee database.

“The leak of your internal company documents contains a huge variety of personal documents and information of employees,” Everest wrote in a blog post. The group also listed details it claims to have obtained on more than 290,000 Crumbl employees.

Crumbl, headquartered in Utah, operates over 1,000 stores across all 50 U.S. states, Canada, and Puerto Rico, according to its official website.

An analysis of the two sample files suggests they include sensitive employee data such as full names, phone numbers, personal email addresses, job titles, birthdates, and photos. Everest further claims the compromised files contain store ID numbers, employee user IDs, employment designations (corporate vs. franchise), and what it describes as FCM authentication token IDs for crew members (FCM presumably referring to Firebase Cloud Messaging, the push-notification service used by mobile apps, though the group did not elaborate). None of the group's claims about the full dataset have been independently verified.

In a deviation from typical ransomware tactics, Everest did not leave a standard plaintext ransom note. Instead, the group posted what appears to be a voice message intended for Crumbl's negotiators.

“A company representative should follow the instructions to contact us before time runs out,” Everest warned, adding a visible countdown timer that, as of Friday, showed just under four days remaining. The message stated the voice recording would be available until the deadline expires.

Who Is the Everest Group?

The Everest gang, believed to be linked to Russian threat actors, first appeared in July 2021. According to dark web monitoring service Ransomlooker, the group has claimed responsibility for 248 attacks since 2023, including 90 within the past year. Its recent activity includes a wave of attacks targeting organizations in the Middle East.

“Everest is quite bold in their targeting and doesn’t hesitate to go after sensitive sectors, government agencies, and hospitals,” said Martin Vigo, lead security researcher at AppOmni, in a public statement issued in May.

Vigo noted that Everest has evolved its tactics, shifting from encrypting systems to primarily stealing data and extorting victims with the threat of leaking it. The group's dark web leak site serves as the pressure tool, using public exposure to push victims into negotiations.

“Victims are publicly named, and partial datasets are published to demonstrate the seriousness of the breach,” Vigo explained. “This creates reputational and legal pressure—especially for high-profile organizations—and increases the likelihood of a payout.”