Daily Dark Web
  • Home
  • Data Breaches
  • Inside the Adversary
    • Dark Web Informants
  • DDW Top Lists
  • Ransomware News
  • DarkWeb News
    • Vulnerability
    • Cyber Attacks
  • Unauthorized Accesses
  • About Us
No Result
View All Result
  • Home
  • Data Breaches
  • Inside the Adversary
    • Dark Web Informants
  • DDW Top Lists
  • Ransomware News
  • DarkWeb News
    • Vulnerability
    • Cyber Attacks
  • Unauthorized Accesses
  • About Us
No Result
View All Result
Daily Dark Web
No Result
View All Result
Home DarkWeb News & Services

Exclusive: Everest Ransomware Group Interview on Collins Aerospace Breach

November 6, 2025
Reading Time: 8 mins read
Exclusive: Everest Ransomware Group Interview on Collins Aerospace Breach

In late September 2025, a crippling cyber event brought European aviation to a standstill. Major airports, including London Heathrow, Brussels, and Berlin, were plunged into chaos as passenger processing systems were taken offline. The disruption centered on the MUSE (Multi-User System Environment) software, a critical platform from defense and aerospace giant Collins Aerospace (an RTX subsidiary) that manages check-in, boarding, and baggage.  

The official story, confirmed by the European Union Agency for Cybersecurity (ENISA) and an SEC filing from Collins’ parent company, RTX, was that this shutdown, which began on September 19, was caused by a “cybersecurity incident involving ransomware on systems that support its Multi-User System Environment (“MUSE”) passenger processing software.”. Some security researchers subsequently linked the attack to HardBit ransomware.  

However, in the days following the shutdown, the cybercrime organization Everest Ransomware Group claimed responsibility for the initial breach. This group is known for operating as an “encryption-less” ransomware organization, which means they do not encrypt victim data but instead specialize in data exfiltration for the purpose of extortion.

Everest claims they first gained access on September 10. The entry point wasn’t a new, sophisticated exploit. Instead, they allegedly used a set of leaked credentials. This username and password pair was reportedly stolen from an employee’s computer by an infostealer (RedLine) back in 2022 and was never changed. The credentials for the public-facing FTP server were:  

  • Server: ftp.arinc.com:22
  • User: aiscustomer
  • Password: muse-insecure 

From this access, Everest claims to have exfiltrated over 50GB of data, including:  

  • 1,533,900 personal records of passengers, including PNRs, flight details, and frequent flyer numbers.
  • A 17.5GB SQL dump containing details on 3,637 employees from various airlines, including full names, corporate emails, and aliases.
  • Extensive files on network, user, and application topology, including workstation naming conventions, device IDs, and application stack fingerprints (SkySpeed, GoNow, etc.).

They then entered into negotiations with an RTX representative on September 16.  

Here is the central conflict: Everest explicitly denies any involvement with ransomware. Instead, they allege that Collins Aerospace, already aware of Everest’s data theft, intentionally shut down its own servers on September 19 and publicly blamed “unspecified ransomware” in a coordinated effort to commit insurance fraud.  

This complex and contradictory scenario is further complicated by the UK’s National Crime Agency, which arrested a suspect in connection with the attack on September 24, though their affiliation remains unconfirmed. Meanwhile, Everest continued its operations, claiming new breaches on October 25 at Dublin Airport and Air Arabia.  

In light of these reports and the threat actor’s public claims, we initiated contact with the Everest Ransomware Group via an email address listed on their darknet website. We sent a list of 12 questions to get their official statement on the record, seeking to clarify their role, their alleged connection to HardBit, and the basis for their fraud allegations.

The group responded to our questions. We are publishing the interview in full to provide transparency and allow our readers to see the threat actor’s claims in their entirety, which can then be compared against the official statements and public evidence.

 

Q-1: To begin, could you provide an overview of the Everest group? What do you consider to be your group’s core mission?
– Everest: “Everest is a small group of IT specialists who study how large infrastructures manage their digital security. When companies handling critical data are careless, we draw attention to it. We focus on documents: analyzing files,logs, messages, email and other internal information helps show the real picture, not just the company’s words. We search for proof of mismanagement and wrongdoing that companies often try to cover up behind official statements. We do not use ransomware, we do not damage infrastructure, and we do not block systems. Our work involves analyzing, finding valuable documents, and publishing facts that companies usually try to hide”

 

Q-2: Are your operations purely financially driven, or are there geopolitical factors that influence your choice of targets? Can you clarify if Everest operates as a fully independent entity, or if you maintain affiliations with other groups or any state-level actors?
– Everest: “Everest is a commercial organization, and we don’t hide that. We earn money for our work, just like any professional who spends time, resources, and knowledge on their job. The financial part is needed to cover expenses, infrastructure, and risks. But money is not our only motivation. We work independently, without support or influence from governments or other groups. When we see systemic incompetence, carelessness, or outdated decisions that put millions of users at risk, we take action. First comes the business side, but behind it is a principle: we don’t ignore negligence that affects people’s safety. The situation with Collins Aerospace is not unique. Similar incidents happen regularly, and the reason is usually the same: careless management of infrastructure. The problem is not just this specific incident, but the overall approach to security, a culture that focuses on metrics rather than real protection of data.”

 

Q-3: Was Collins Aerospace or its parent, RTX, a specific target for your group, or was this discovery opportunistic?
– Everest: “The access to the FTP server came to us by chance. Seeing a major aerospace company storing operational data with such a weak password, which according to some researchers had already leaked online in 2022, was shocking. After that, our interest shifted from just technical to public. How can a company responsible for the safety of millions of passengers allow this kind of negligence?”

 

Q-4: Since the Collins Aerospace incident, you have also claimed breaches at Air Arabia and Dublin Airport. Is the aerospace and aviation sector a new strategic focus for your group, and if so, why?
– Everest: “No, aviation is not our main focus. The reason we highlight these cases is simple. In aviation, the results of carelessness are obvious right away. Thousands of flights are delayed and millions of passengers are affected. We point out these incidents because a single vulnerable server or a small configuration mistake can paralyze an entire transport system. It is not about choosing a target. It is about showing where the cost of negligence is most visible.”

 

Q-5: Public reports attribute the airport disruptions to HardBit ransomware, yet your group explicitly denies using ransomware. Investigations connect both of your names, Everest and HardBit, to the Collins Aerospace incident. Can you clarify this discrepancy? As a known Initial Access Broker, did you sell network access to a HardBit affiliate after your initial breach, or do you claim these were two entirely separate attacks?
– Everest: “We did not use any ransomware and no encryption took place. The link between Everest and HardBit might be someone’s mistake or a deliberate false report in the media. We did not sell or give anyone access to encrypt the systems. Our correspondence with Collins did not mention encryption at all. It was only about various operational details.”

 

Q-6: A suspect was arrested in the U.K. in connection with the Collins Aerospace attack. Can you confirm if this individual was affiliated with your group or your operational partners?
– Everest: “We have nothing to do with him. People often get arrested just for being loosely connected to leak sites or maybe being part of a chain of compromised proxy servers.”

 

Q-7: What criteria do you use to decide whether to exploit a breach yourselves, as you claim you did with Collins Aerospace, versus selling the access to a third party?
– Everest: “We haven’t practiced that in many years and don’t plan to”

 

Q-8: Your site featured a password-protected “News For CEO” section related to this incident. What specific information did you provide in that section, and what were the full negotiation terms and final requested financial amount?
– Everest: “This section was intended solely for the company’s leadership and will not be disclosed. We will keep the amount private. The main goal of the publication was to get acknowledgment of the incident and responsibility for it, without trying to hide what happened behind the loud label ‘ransomware’.”

 

Q-9: Regarding your public claim that Collins Aerospace was motivated by insurance fraud, what evidence or observations led you to this specific conclusion?
– Everest: “This is based on the timeline of events. They were aware of the issue for eight days before shutting down the servers. We are not stating it as a fact, but their behavior and timing look too coordinated to be a coincidence. The term “ransomware” says it all. It’s the easiest way to blame a virus and do whatever they wanted. Replacing old systems during such a big incident also let them get an insurance payout. They didn’t have to warn millions of people that moving to new systems would be slow, difficult, and expensive. This situation worked in their favor, avoiding millions in losses and lawsuits. Since they didn’t pay us, they now face potential class-action claims from millions of people. Insurance for a ransomware event must pay, while simply shutting down servers without a reason would not have triggered a payout. They set it up to benefit themselves. We don’t use ransomware, and everyone knows it. RTX made a big mistake by not checking this more carefully and probably didn’t expect us to make this public or show the correspondence.”

 

Q-10: We’ve observed several public events related to your infrastructure, including intermittent downtime after both the Collins and Colonial Pipeline claims, as well as a public defacement in April 2025. Could you comment on these operational challenges?
– Everest: “Most of the time these were DDoS attacks. We are prepared for that. The main thing is that the information we publish cannot be destroyed, even if the servers are shut down It stays online. After the April events, we updated the site and infrastructure, and it did not affect us at all”

 

Q-11: Why have you chosen to speak with the media about this attack? What message are you trying to send to the cybersecurity community, the public, and potential victims with the interview?
– Everest: “Staying silent only helps those who are trying to hide their mistakes. We show how systemic negligence affects real people’s lives. The Collins Aerospace case clearly demonstrates how closedness and careless security can lead to complete chaos”

 

Q-12: Finally, your group’s tactics have visibly shifted from deploying ransomware to primarily operating as an Initial Access Broker. What drove this strategic pivot, and what is Everest’s long-term plan?
– Everest: “I won’t repeat myself, the answer has already been given above. Thank you for the interview”

Tags: Air ArabiaAirportaviationCollins AerospacecybercrimeCyberSecuritydata extortiondata-breachDublin AirportENISAEverest Ransomware GroupExclusiveFTPHardBitInsurance FraudinterviewLeaked CredentialsMUSEransomwareRTXthreat actor
ShareTweet

Related Posts

BreachForums Announces VECT Partnership and Security Updates
DarkWeb News & Services

BreachForums Announces VECT Partnership and Security Updates

April 16, 2026
PalachPro Exclusive Interview: Lone Wolf Russian Hacker
Dark Web Informants

PalachPro Exclusive Interview: Lone Wolf Russian Hacker

April 13, 2026
Inside Keymous+: An Exclusive Interview
Inside the Adversary

Inside Keymous+: An Exclusive Interview

April 6, 2026
Exclusive Interview: 313 Team
Inside the Adversary

Exclusive Interview: 313 Team

April 1, 2026
NoName057(16) Exclusive Interview: The Pro-Russian Hacker Group Behind 1,500+ DDoS Attacks Speaks Out
Inside the Adversary

NoName057(16) Exclusive Interview: The Pro-Russian Hacker Group Behind 1,500+ DDoS Attacks Speaks Out

March 24, 2026
ShinyHunters Telegram Update Claims Second Leader Arrested
DarkWeb News & Services

ShinyHunters Telegram Update Claims Second Leader Arrested

February 5, 2026
Next Post
Doctor Alliance Hit by Ransomware Attack and Data Breach

Doctor Alliance Hit by Ransomware Attack and Data Breach

Iranian Payment System Shaparak Suffers Major Data Breach

Iranian Payment System Shaparak Suffers Major Data Breach

Recommended Stories

Spain’s Seguros Bilbao Allegedly Breached – 842,000 Citizens’ Data Leaked

Spain’s Seguros Bilbao Allegedly Breached – 842,000 Citizens’ Data Leaked

August 18, 2025
Major Dutch Flower Exporter D. Visser & Zonen BV Allegedly Breached – 28GB of Data for Sale

Major Dutch Flower Exporter D. Visser & Zonen BV Allegedly Breached – 28GB of Data for Sale

September 2, 2025
Indian Payment Gateway Airpay Allegedly Breached

Indian Payment Gateway Airpay Allegedly Breached

July 28, 2025

Popular Stories

  • SudamericaData Breach Exposes Over 1TB of Argentine Records

    SudamericaData Breach Exposes Over 1TB of Argentine Records

    0 shares
    Share 0 Tweet 0
  • Threat Actor Claims Sale of Dell Database Containing 49 Million Customer Records

    0 shares
    Share 0 Tweet 0
  • SUUMO, CHINTAI, At Home, HOME’S Suffer Data Breach

    0 shares
    Share 0 Tweet 0
  • Financial Tech Giant SilverLake Axis Allegedly Breached – 423GB of Data for Sale

    0 shares
    Share 0 Tweet 0
  • Telekom Serbia Investigates Leak of 160,000 Customer Records

    0 shares
    Share 0 Tweet 0
Daily Dark Web

Disclaimer: Daily Dark Web (DDW) is an independent media platform providing information, analysis, and reporting on cybersecurity, cyber incidents, and related digital developments. All content published on this website is for informational and journalistic purposes only. DDW does not support, endorse, or promote any illegal activities, threat actors, or organizations referenced in its content. Any statements, claims, or opinions expressed by third parties, including interview subjects, are their own and do not reflect the views of DDW. Such content may include unverified information and should be interpreted critically. DDW does not participate in, facilitate, or coordinate any activities discussed or referenced on this platform. Under no circumstances should any content be interpreted as encouragement, instruction, or endorsement of unlawful actions. All interactions and publications are conducted in the public interest to enhance awareness and understanding of the evolving cyber landscape.

No Result
View All Result
  • About Us
  • Home
  • Newsletter
  • Privacy Policy

Disclaimer: Daily Dark Web (DDW) is an independent media platform providing information, analysis, and reporting on cybersecurity, cyber incidents, and related digital developments. All content published on this website is for informational and journalistic purposes only. DDW does not support, endorse, or promote any illegal activities, threat actors, or organizations referenced in its content. Any statements, claims, or opinions expressed by third parties, including interview subjects, are their own and do not reflect the views of DDW. Such content may include unverified information and should be interpreted critically. DDW does not participate in, facilitate, or coordinate any activities discussed or referenced on this platform. Under no circumstances should any content be interpreted as encouragement, instruction, or endorsement of unlawful actions. All interactions and publications are conducted in the public interest to enhance awareness and understanding of the evolving cyber landscape.

Are you sure want to unlock this post?
Unlock left : 0
Are you sure want to cancel subscription?