The Everest ransomware group has claimed responsibility for an attack against Complete Aircraft Group, a U.S.-based aviation manufacturing firm. The listing, posted to Everest's Tor-based leak site on April 20, 2026, alleges system encryption and threatens the publication of exfiltrated data if ransom demands are not met. The claim remains under review and has not yet been confirmed by the victim organization.

What Happened

On April 20, 2026, Everest added Complete Aircraft Group to its data-leak site hosted on the Tor network. The post asserts that the group successfully compromised internal systems, deployed encryption payloads against corporate assets, and exfiltrated proprietary data prior to encryption. Extortion notes reportedly accompany the intrusion, with a deadline for payment preceding any public data release. The posting was discovered shortly after publication and is consistent with Everest's established double-extortion playbook.

Complete Aircraft Group has not issued a public statement. U.S. authorities and sector-focused ISACs are understood to be reviewing the claim alongside the posted artifacts.

What Was Taken

Everest has not yet published sample files or a file tree on its leak page, which is typical during the initial negotiation window. Based on the group's prior victim disclosures and the target's sector, exposed data likely includes:

Volume and sensitivity will remain speculative until Everest publishes proof-of-compromise samples or the victim confirms the scope.

Why It Matters

Aviation manufacturing sits at the intersection of critical infrastructure, defense supply chains, and International Traffic in Arms Regulations (ITAR) scope. A confirmed compromise at a U.S. aircraft manufacturer carries implications beyond the direct victim: leaked engineering data can expose fleet operators to downstream safety and supply-chain risk, while PII loss triggers state breach notification obligations and potential FAA or DoD contractual reporting requirements.

Everest has steadily shifted from a pure ransomware operator to an initial-access-broker and data-extortion hybrid over the past two years, meaning even partial intrusions at this target may be monetized repeatedly through resale of credentials or network access.

The Attack Technique

Everest's observed tradecraft typically leverages valid account abuse for initial access, often purchased from brokers or harvested via infostealer logs, followed by RDP and SMB lateral movement, Cobalt Strike or Sliver for command-and-control, and rclone or MEGA for bulk exfiltration. Encryption is commonly staged after exfiltration to maximize extortion leverage. The specific intrusion vector used against Complete Aircraft Group has not been disclosed in the leak-site post.

What Organizations Should Do

  1. Audit external-facing assets, VPN concentrators, and RDP exposure; enforce phishing-resistant MFA on all remote access.
  2. Review infostealer log dumps for credentials tied to corporate email and SSO domains, and rotate any exposed secrets.
  3. Hunt for Everest TTPs in endpoint telemetry: rclone execution, unusual MEGA or cloud storage egress, and suspicious scheduled tasks.
  4. Segment engineering, ERP, and OT environments to limit lateral movement between manufacturing systems and corporate IT.
  5. Validate offline, immutable backups and exercise restoration for engineering document repositories and ERP databases.
  6. Aviation and defense suppliers should engage AV-ISAC and, where applicable, DIB-CS program channels for shared indicators.
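Step 3 above, as an added example that is not from the page or from any Everest reporting it cites: a small hunt over constructed process-creation events (Sysmon-like field names, assumed) that flags rclone launched against a cloud remote, a MEGA desktop client, and scheduled tasks whose action lives in a user-writable path.

```python
import re

# Constructed sample telemetry (not from the page): simplified
# process-creation events with Sysmon-like fields, one dict per event.
SAMPLE_EVENTS = [
    {"host": "eng-ws-07", "user": "svc_backup", "image": r"C:\Users\Public\rclone.exe",
     "cmdline": "rclone.exe copy D:\\CAD\\ mega:exfil --transfers 32"},
    {"host": "erp-db-01", "user": "admin", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /create /tn Updater /tr C:\\ProgramData\\m.exe /sc minute /mo 5 /ru SYSTEM"},
    {"host": "hr-ws-02", "user": "jdoe", "image": r"C:\Program Files\MEGAsync\MEGAsync.exe",
     "cmdline": "MEGAsync.exe"},
    {"host": "eng-ws-03", "user": "asmith", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe drawing.txt"},
]

# rclone remote prefixes for common cloud/file-transfer backends; any hit on a
# remote the organization has not sanctioned is the signal worth triaging.
CLOUD_REMOTE = re.compile(r"\b(mega|s3|b2|drive|dropbox|sftp|ftp):", re.I)
# Directories a standard user can write to; a task action there is suspicious.
SUSPICIOUS_TASK_DIRS = ("\\programdata\\", "\\users\\public\\", "\\appdata\\", "\\temp\\")


def classify(event):
    """Return a list of (rule, detail) hits for one process-creation event."""
    hits = []
    image = event["image"].lower()
    cmd = event["cmdline"].lower()
    exe = image.rsplit("\\", 1)[-1]          # basename of the launched image
    if exe == "rclone.exe" or "rclone" in cmd:
        remote = CLOUD_REMOTE.search(event["cmdline"])
        hits.append(("rclone-exec", remote.group(0) if remote else "no remote"))
    if "mega" in exe:                          # MEGAsync / MEGAcmd style clients
        hits.append(("mega-client", exe))
    if exe == "schtasks.exe" and "/create" in cmd and any(d in cmd for d in SUSPICIOUS_TASK_DIRS):
        hits.append(("scheduled-task-user-writable-path", cmd))
    return hits


def hunt(events):
    """Run every rule over a batch; return (host, user, hits) only for events that fired."""
    results = []
    for e in events:
        hits = classify(e)
        if hits:
            results.append((e["host"], e["user"], hits))
    return results


if __name__ == "__main__":
    for host, user, hits in hunt(SAMPLE_EVENTS):
        print(host, user, hits)
```

Real telemetry will need the field names mapped to the EDR or SIEM schema in use, and the remote list and path list tuned to what is sanctioned in the environment.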

Sources: Ransom! Complete Aircraft Group (APR-2026)