Everest Ransomware Claims to Have Hacked Brazilian Energy Giant Petrobras

Everest Ransomware Group Targets Petrobras in Data Breach

The Everest ransomware group has recently made headlines with two separate postings on its dark web leak site, both involving Petrobras, the Brazilian multinational corporation predominantly owned by the state and a major player in the petroleum sector headquartered in Rio de Janeiro.

Published on November 14, 2025, the first entry claims an extensive data breach that allegedly affects both Petrobras and its partner SAExploration. According to the group, it extracted a database containing over 176 gigabytes of seismic navigation data, with more than 90 gigabytes belonging directly to Petrobras. This data reportedly includes technical details such as ship positioning, equipment configurations, hydrophone readings, and depth measurements. The files are also said to include quality control documents, metadata, and processed reports describing survey progress and initial findings from field operations.

Seismic surveys are pivotal in the oil and gas industry, requiring substantial investment in planning, data acquisition, and processing. Should competitors gain access to information at this level of detail, down to the precision of ship maneuvering and node placement, they could potentially replicate Petrobras's methodologies, reduce their own operational costs, or gain strategic leverage in contract negotiations.

The second listing by Everest specifically highlights data from Petrobras's Campos Basin seismic surveys, incorporating both 3D and 4D datasets. This segment is also reported to contain more than 90 gigabytes of sensitive material, including documents detailing ship coordinates, source depths, shot pressures, and equipment alignment. The group shared screenshots of the stolen data to support its claims.

In addition to the data theft, Everest has issued an ultimatum to Petrobras, requiring a representative to initiate contact via the encrypted messaging platform Tox within four days. The group has provided a specific Tox ID, emphasizing the urgency of its demand, and warns of further action if the deadline is not met, with a countdown timer displayed on the leak site to underline the threat.

The timing of these postings coincides with Everest's claims regarding a separate incident involving Under Armour, from which the group asserts it stole 343 gigabytes of sensitive information, including customer data, product records, and internal corporate documents. While the Under Armour incident primarily affects a consumer-facing brand, the implications of the Petrobras breach are likely to reach deeper into the operational and competitive aspects of the energy sector.

As of the latest updates, Petrobras has not publicly addressed the allegations, and the company has been contacted for comment. This article will be updated to reflect any developments.

In examining the tactics that may have been used in these attacks, the MITRE ATT&CK framework offers a way to describe the adversary's likely methods, although Everest has not disclosed how it obtained access. Initial Access, possibly through phishing or exploitation of a vulnerability, would have been required to breach the network. The group would then have needed Persistence to maintain that access, and Privilege Escalation may have allowed the actors to reach the sensitive data underpinning their ransom demand.

This ongoing situation is a stark reminder of the evolving threat landscape, and of the need for robust defensive measures against breaches that can significantly disrupt operations and expose sensitive information.