Everest Ransomware breaches Iron Mountain solely to exfiltrate data

In recent months, cybersecurity experts have observed a notable shift in the tactics used by ransomware and hacking groups. Instead of relying solely on data encryption to extort money from businesses, many cybercriminals are now focusing primarily on data exfiltration—stealing sensitive information and monetizing it through resale or public exposure. This evolving strategy was evident in the recent attack attributed to the Everest ransomware gang, which targeted data management firm Iron Mountain.

According to reports, Iron Mountain fell victim to what initially appeared to be a ransomware-style cyberattack in January 2026. The New Hampshire–based company, which specializes in data storage and records management, serves more than 240,000 customers across 61 countries and has been in operation since 1951. Given the nature and scale of its business, the organization holds vast amounts of sensitive corporate and customer data, making it an attractive target for cybercriminals.

The Everest ransomware group publicly claimed responsibility for the breach in the final week of January. The gang stated that it successfully infiltrated Iron Mountain’s servers and exfiltrated more than 1.4 terabytes of data, consisting largely of internal documents. Interestingly, the attackers admitted that the operation did not result in immediate financial gains. As a result, they announced their intention to sell the stolen information to interested parties and released screenshots as proof of possession.

Iron Mountain’s incident response team later investigated these claims and confirmed to cybersecurity news outlet BleepingComputer that unauthorized access had indeed occurred. The company acknowledged that a limited portion of its data was siphoned, primarily involving records associated with its marketing department.

Further investigation revealed that the breach was initiated through a phishing email attack. An employee's credentials were compromised, allowing the attackers to gain unauthorized access to the internal network. This highlights, once again, the critical role of employee awareness and robust email security in preventing cyber intrusions.

What sets this incident apart is the attackers' decision not to encrypt or lock down Iron Mountain's systems, even though encryption is a hallmark of traditional ransomware attacks. This approach contrasts with tactics used by well-known ransomware groups such as LockBit and Qilin, which typically rely on encryption to disrupt operations and pressure victims into paying ransoms.

Security analysts believe this trend reflects a strategic calculation by modern cybercriminals. Data exfiltration alone can cause long-term damage, including regulatory penalties, reputational harm, and loss of customer trust. While encrypted data can often be restored through backups and disaster recovery plans, stolen data cannot be retrieved or erased once it resides on external servers.

Ultimately, whether through encryption or data exfiltration, the outcome often favors the attacker—underscoring the growing sophistication and adaptability of today’s cybercrime ecosystem.


Naveen Goud
Naveen Goud is a writer at Cybersecurity Insiders covering topics such as Mergers & Acquisitions, Startups, Cyber Attacks, Cloud Security and Mobile Security
