BMW Group seems to be victim of the Everest ransomware group

On September 18, 2025, a reader brought some information to my attention, which I covered in a timely manner on my German blog. The Everest ransomware group lists the BMW Group as one of its victims. Everest claimed that a successful attack also resulted in the theft of internal documents (e.g., for auditing purposes). The incident dates back to September 14, 2025. I have been able to view some documents since publishing my German blog post.

The Everest ransomware group

The Everest ransomware and the group of the same name have been active since December 2020 and have made a name for themselves in the world of cybercrime. The group's strategy includes attacking high-profile targets such as NASA, the Brazilian government, and, most recently, cosmetics manufacturer Clarins.

Everest is known for its double extortion tactic: not only is the victims' data encrypted, but the ransomware also extracts data and the group threatens to publish sensitive information if the ransom demands are not met.

In April 2025, this site concluded that Everest had since transformed itself into an initial access broker (IAB) that provides other groups with access to systems. The site contains a detailed profile of the Everest group and describes its members as having strong ties to "operations based in Russia," but also mentions a connection to the BlackByte ransomware group. However, the exact country of origin is currently still unconfirmed.

The group's victims are currently located in the US, Canada, and Europe. SocRadar also describes a profile of this ransomware group here. In almost five years, the group has targeted around 200 victims.

Regarding the following report, it should be noted that the Everest Group itself was apparently the victim of a hack (by an unknown actor) in April 2025 and subsequently took its Tor site offline. Security Affairs has published some brief notes on the incident. German site Golem has a more comprehensive article on this incident. The latest victim names could be an attempt to get back into the conversation.

BMW suspected Everest victim

A few hours ago, a blog reader sent me a private message on my social media channels pointing out reports that "BMW" had allegedly become an Everest victim. While researching this, I came across the following tweet containing this information.

BMW victim of Everest ransomware?

So there is very little information available. Currently, the only source is the Everest Group's own Onion dark web page, which claims that the BMW Group (bmw.com) is a victim.

Everest victim site

On the group's Onion page (see above), the group's list of alleged victims includes Clarins (mentioned above) and, currently, BMW. The date of access to BMW systems is given as September 14, 2025. No data had been posted as evidence of the ransomware infection at the time my German article went public (September 18, 2025, 5:00 a.m.).

I asked the German BMW press department for a statement about the claim by Everest, but I had received no feedback by the time of writing this English blog post.

Directory listing

On Sept. 19, 2025, I was able to view some samples. So far, little truly explosive information has been leaked by Everest. There are listings from directories such as the document names above – specifically LCX Warehouse Audit (BMW's new logistics center opened in Spartanburg, South Carolina, in 2022) – which point to an incident in the US. And I'm not sure if it hasn't affected a service provider such as change2target.com.

Information about BMW

Bayerische Motoren Werke Aktiengesellschaft (BMW) is a publicly traded automobile and motorcycle manufacturer based in Munich, Germany, which also operates as the BMW Group. With sales of €142 billion and around 159,000 employees in the 2024 financial year, BMW is one of Germany's largest commercial enterprises and, with annual sales of 2.45 million automobiles and 210,385 motorcycles in 2024, is one of the 15 largest motor vehicle manufacturers in the world and one of the top six in terms of sales. The BMW Group includes the Mini and Rolls-Royce car brands as well as the BMW sub-brands BMW M and BMW i.
