AkzoNobel: Anubis Ransomware Steals 170GB - Passports, Client Agreements, Financial Records Leaked

Mar 1, 2026 · 170GB stolen

HIGH CORROBORATED

By Karim El Labban · ZERO|TOLERANCE


In early March 2026, AkzoNobel N.V. - the Dutch multinational and world's third-largest paint and coatings producer - confirmed that hackers breached the network of one of its United States facilities.

The Anubis ransomware group claimed responsibility on March 1, publishing the listing on its Tor-based leak site with evidence of nearly 170,000 exfiltrated files totaling 170GB. Published samples include passport scans of employees, confidential client agreements with high-profile customers, private email correspondence, employee and financial records, material testing documents, and internal technical specification sheets.

The breach strikes at a critical juncture: AkzoNobel is in the middle of a $25 billion all-stock merger with Axalta Coating Systems, expected to close in late 2026.

01

KEY FACTS

  • What: Anubis ransomware breached an AkzoNobel US facility and exfiltrated 170GB (~170,000 files), publishing samples on its dark web leak site.
  • Who: AkzoNobel N.V. - Dutch multinational, world's third-largest paint and coatings producer; EUR 10.2B revenue; 34,600 employees; 150+ countries; serves aerospace (Boeing, Airbus, BAE Systems, US military), automotive, marine, and industrial sectors.
  • How: Attack vector unconfirmed. Anubis affiliates typically exploit VPN vulnerabilities, spear-phishing, or stolen RDP credentials. In the January 2026 Copec S.A. attack, Anubis exploited a corporate VPN vulnerability for initial access.
  • Data: Passport scans, confidential client agreements, email addresses and phone numbers, private email correspondence, employee and financial records, material testing documents, internal technical specification sheets.
  • Actor: Anubis ransomware (RaaS - three-tier model with 80%/60%/50% affiliate commissions; 65 victims since December 2024).
  • Impact: 170GB exfiltrated from US facility; proprietary formulations and aerospace-sector technical specifications potentially exposed; breach occurs during pending $25B Axalta merger; regulatory notification obligations across multiple jurisdictions.

02

WHAT HAPPENED

On March 1, 2026, threat intelligence platform FalconFeeds.io reported that AkzoNobel had been listed on the Anubis ransomware group's Tor-based leak site, with a claimed exfiltration of 170GB. On March 2, additional threat intelligence platforms - DeXpose, RedPacket Security, and Prism News - confirmed the listing.

Anubis published screenshots of select documents and a file listing as proof of access, but did not immediately publish the full data archive.

On March 3, BleepingComputer reported AkzoNobel's confirmation. A company spokesperson stated: "AkzoNobel has identified a security incident at one of our sites in the United States. The incident was limited to the respective site and was already contained."

The company did not identify which of its 30+ North American manufacturing sites, technology labs, and offices was affected.

By March 9, Check Point Research included the breach in its weekly threat intelligence report, adding that stolen data included "employee and financial records" - a data category not mentioned in earlier reporting.

At the time of initial coverage, the leak was described as partial, with Anubis publishing samples rather than the full 170GB archive.

Anubis typically escalates pressure by progressively releasing data, writing "investigative articles" about victims, and threatening regulatory notifications.

AkzoNobel N.V. is headquartered in Amsterdam and listed on Euronext Amsterdam (AKZA), where it is a constituent of the AEX Index.

The company reported EUR 10.158 billion in revenue and EUR 1.444 billion in adjusted EBITDA for FY 2025. It employs approximately 34,600 people across more than 200 manufacturing facilities in 150+ countries. Key brands include Dulux, International, Sikkens, and Interpon.

AkzoNobel holds aerospace coating OEM approvals from over 60 manufacturers including Boeing, Airbus, BAE Systems, Bombardier, Cessna, and the US military. Its biggest US aerospace coatings production site is in Waukegan, Illinois.

On November 18, 2025, AkzoNobel announced an all-stock merger of equals with Axalta Coating Systems, creating a combined entity with approximately $17 billion in annual revenue and a $25 billion enterprise value.

The transaction is expected to close in late 2026 or early 2027. A cybersecurity breach of this scale during active merger due diligence creates material risk for both shareholder approval and regulatory clearance.

03

THREAT ACTOR

Anubis is a Ransomware-as-a-Service operation that emerged in late 2024, initially developed under the codename Sphinx. Early samples lacked both a Tor site and unique victim identifiers, indicating active development.

By December 2024, the operation launched publicly as Anubis, claiming its first victims: a healthcare provider in Victoria, Australia and a Canadian healthcare organization.

On February 23, 2025, a threat actor using the alias "superSonic" advertised Anubis affiliate programs on the RAMP underground forum. A second persona, "Anubis__media," established a parallel presence on the XSS forum and X/Twitter. Both communicate exclusively in Russian.

KELA assesses the operators "may have been former affiliates of other ransomware groups" based on their sophistication.

In June 2025, Anubis added a data wiper to its arsenal - a tool that permanently destroys file contents by overwriting them to 0 KB while preserving filenames and directory structure, making recovery impossible even with a decryption key.

As of March 27, 2026, Anubis has claimed 65 victims. The top targeted sectors are healthcare (15 victims), manufacturing (13), and business services (6). Thirty of 65 victims are US-based.

Notable attacks include Copec S.A. - the Chilean energy conglomerate from which Anubis exfiltrated 6TB via a corporate VPN vulnerability and demanded $6 million (January 2026) - and Disneyland Paris, where the group claimed 64GB of construction and renovation files (June 2025).

Anubis operates three distinct affiliate programs with escalating operator involvement:

  • Traditional RaaS: affiliates deploy the malware and retain 80% of ransom proceeds.
  • Data Ransom: affiliates provide exclusively stolen data (less than six months old); Anubis handles extortion via "investigative articles" and retains 40%.
  • Access Monetization: affiliates provide corporate credentials; Anubis handles exploitation, extraction, and negotiation - retaining 50%.

The "investigative article" method is Anubis's signature. The group conducts deep analysis of stolen data, writes a detailed exposé, and publishes it to a password-protected Tor page. The victim receives access and a negotiation link.

Failure to pay triggers public release on the "Anubis Blog" leak site, posting of the victim's name on X/Twitter, direct contact with the victim's customers, and - uniquely - threatened regulatory notifications to the UK ICO, US HHS, European Data Protection Board, Canada's Office of the Privacy Commissioner, and Australia's Office of the Australian Information Commissioner.

The malware is written in Go (Golang), producing statically compiled 64-bit Windows executables. Encryption uses ECIES (Elliptic Curve Integrated Encryption Scheme), a hybrid scheme combining elliptic-curve public-key cryptography with symmetric encryption.

The wiper mode (/WIPEMODE parameter) overwrites file contents to 0 KB while preserving filenames.

Pre-encryption, the malware terminates SQL Server, Veeam, BackupExec, Acronis, Symantec, and Windows Defender services; kills Excel and Word to release file locks; and deletes volume shadow copies.
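Detection logic for the pre-encryption behaviour just described, as an added example (not code from this page or from any vendor product): it scans constructed per-host service-stop and process-creation events for a cluster of the listed backup/security services stopping inside a short window, or a shadow-copy deletion following such a stop. The event format, host names and window length are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Services the page lists as Anubis kill targets, as lower-case substrings so
# "MSSQLSERVER", "VeeamBackupSvc", "BackupExecRPCService" etc. all match.
WATCHED_SERVICES = ("mssql", "veeam", "backupexec", "acronis", "symantec", "windefend")
# Command-line markers for volume shadow copy deletion.
SHADOW_DELETE_MARKERS = ("vssadmin delete shadows", "wmic shadowcopy delete")

def parse_event(line):
    """Parse 'ISO_TIMESTAMP|host|kind|detail' (constructed event format)."""
    ts, host, kind, detail = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, "detail": detail}

def detect_pre_encryption(lines, window=timedelta(minutes=5), min_services=3):
    """Return {host: finding} for hosts where, inside one sliding window, at least
    min_services watched services stop, or a shadow-copy deletion follows at
    least one watched-service stop. A lone service restart does not alert."""
    by_host = defaultdict(list)
    for ev in map(parse_event, lines):
        by_host[ev["host"]].append(ev)
    findings = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            stopped, shadow = set(), False
            for ev in events[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                detail = ev["detail"].lower()
                if ev["kind"] == "service_stop":
                    stopped.update(s for s in WATCHED_SERVICES if s in detail)
                elif ev["kind"] == "process_create" and any(m in detail for m in SHADOW_DELETE_MARKERS):
                    shadow = True
            if len(stopped) >= min_services or (shadow and stopped):
                findings[host] = {"services": sorted(stopped), "shadow_delete": shadow}
                break   # one finding per host is enough; stop scanning
    return findings

SAMPLE_EVENTS = [  # constructed, not telemetry from the incident
    "2026-03-01T02:14:03|WKS-042|service_stop|MSSQLSERVER",
    "2026-03-01T02:14:05|WKS-042|service_stop|VeeamBackupSvc",
    "2026-03-01T02:14:06|WKS-042|process_create|taskkill /F /IM excel.exe",
    "2026-03-01T02:14:07|WKS-042|service_stop|WinDefend",
    "2026-03-01T02:14:20|WKS-042|process_create|vssadmin delete shadows /all /quiet",
    "2026-03-01T09:30:00|FS-01|service_stop|VeeamBackupSvc",   # single maintenance restart
    "2026-03-01T17:45:00|FS-01|service_stop|MSSQLSERVER",      # hours later: no alert
]

if __name__ == "__main__":
    print(detect_pre_encryption(SAMPLE_EVENTS))
```

In production the same rule would consume Windows System log event 7036 and Sysmon/EDR process-creation telemetry rather than this constructed format.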

The group explicitly excludes targets in post-Soviet/CIS states, BRICS member nations, educational institutions, government entities, and non-profits.

No law enforcement actions have been taken against Anubis as of March 2026.

04

WHAT WAS EXPOSED

Published samples on the Anubis leak site include:

Passport scans - employee identity documents containing photographs, signatures, nationality, date of birth, and passport numbers. Passport data is biometric-adjacent and cannot be changed. For affected employees, this creates permanent identity fraud risk.

Confidential client agreements - commercial terms, pricing, exclusivity arrangements with high-profile clients. For a company serving Boeing, Airbus, BAE Systems, and military customers, leaked client agreements could expose defense-sector commercial relationships.

Email addresses and phone numbers - enabling targeted spear-phishing and social engineering follow-on attacks against AkzoNobel employees and contacts.

Private email correspondence - internal communications revealing business strategies, decisions, and potentially privileged information relevant to the pending Axalta merger.

Employee and financial records - confirmed by Check Point Research; specifics undisclosed but may include salary data, bank details, tax identifiers, or benefits information.

Material testing documents - proprietary testing methodologies and product performance data. For a coatings manufacturer serving aerospace and defense, these documents may contain formulation data protected under trade secret law.

Internal technical specification sheets - product composition, chemical formulations, and manufacturing parameters. If related to aerospace or military coatings, these may constitute ITAR-controlled technical data.

The combination of passport scans, technical specifications, and client agreements from a company with active Boeing, Airbus, and US military OEM approvals elevates this beyond a standard ransomware data leak.

AkzoNobel's IP - its chemical formulations and testing data - is the core of its competitive advantage in a $175 billion global coatings market.

05

TECHNICAL FAILURE CHAIN

1. Initial Access - Exploitation of a VPN or internet-facing service at the affected US site, or spear-phishing with malicious attachments. Anubis affiliates have documented use of RDP, VPN exploitation, and pre-existing malware loaders for initial access.

In the January 2026 Copec S.A. attack, Anubis confirmed VPN vulnerability exploitation as the initial vector.

2. Insufficient Network Segmentation - The affected US site contained passport scans, global client agreements, financial records, and proprietary technical specifications.

A single site should not store this breadth of sensitive data types without segmentation between corporate, HR, R&D, and client-facing systems.

3. Excessive Data Co-location - 170,000 files spanning passports, client agreements, email archives, financial records, and technical IP were accessible from a single compromise point. This suggests flat network architecture or excessive shared drive permissions.

4. No Data Loss Prevention - 170GB sustained outbound transfer went undetected or was detected too late to prevent. Enterprise-grade DLP should flag sustained outbound transfers of this magnitude.

5. Inadequate Endpoint Detection - Anubis terminates Veeam, BackupExec, Acronis, Symantec, and Windows Defender as part of its kill chain. Robust EDR with tamper protection should detect and block coordinated service termination.

6. Passport Data Mishandling - Employee passport scans were stored at a US manufacturing facility with apparently insufficient access controls. Passport data requires encrypted storage with strict need-to-know access, not general availability on shared network resources.
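Volume-based exfiltration alerting of the kind failure-chain item 4 calls for, as an added example that is not from the page: it aggregates outbound bytes per internal host per clock hour from constructed flow records and flags only sustained multi-hour transfers that exceed both an absolute threshold and a multiple of that host's own median hourly egress, so a single backup burst does not page. The record format, addresses and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

GB = 1024 ** 3

def parse_flow(line):
    """Parse 'ISO_TIMESTAMP|src_host|dst_ip|bytes_out' (constructed flow-export format)."""
    ts, src, dst, nbytes = line.split("|")
    return ts[:13], src, dst, int(nbytes)   # ts[:13] is the 'YYYY-MM-DDTHH' hour bucket

def hourly_egress(lines, internal_prefix="10."):
    """Sum bytes sent by each internal host to non-internal destinations, per hour."""
    buckets = defaultdict(lambda: defaultdict(int))
    for hour, src, dst, nbytes in map(parse_flow, lines):
        if not dst.startswith(internal_prefix):   # count only traffic leaving the network
            buckets[src][hour] += nbytes
    return buckets

def flag_exfiltration(lines, abs_threshold=5 * GB, ratio=10.0, min_hours=2):
    """Alert on hosts whose egress exceeds abs_threshold AND ratio x their own
    median hourly egress for at least min_hours consecutive clock hours.
    Requiring both conditions keeps a single large backup burst from paging."""
    alerts = {}
    for host, hours in hourly_egress(lines).items():
        baseline = median(hours.values())
        run, prev = [], None
        for hour in sorted(hours):
            t = datetime.strptime(hour, "%Y-%m-%dT%H")
            anomalous = hours[hour] >= abs_threshold and hours[hour] >= ratio * baseline
            if anomalous and prev is not None and t - prev == timedelta(hours=1):
                run.append(hour)                   # extends a sustained transfer
            else:
                run = [hour] if anomalous else []  # restart or clear the run
            prev = t
            if len(run) >= min_hours:
                alerts[host] = {"hours": list(run),
                                "total_gb": round(sum(hours[h] for h in run) / GB, 1)}
    return alerts

SAMPLE_FLOWS = (  # constructed; 10.0.0.0/8 is internal, 203.0.113.0/24 is external
    [f"2026-02-28T{h:02d}:10:00|10.20.5.17|203.0.113.9|{250 * 1024**2}" for h in range(8, 18)]
    + [f"2026-02-28T{h:02d}:00:00|10.20.5.17|203.0.113.77|{22 * GB}" for h in (22, 23)]
    + [f"2026-03-01T00:05:00|10.20.5.17|203.0.113.77|{21 * GB}"]
    + [f"2026-02-28T{h:02d}:30:00|10.20.5.40|203.0.113.9|{300 * 1024**2}" for h in range(8, 18)]
    + [f"2026-02-28T20:00:00|10.20.5.40|203.0.113.50|{6 * GB}",   # one-hour backup burst
       f"2026-02-28T21:00:00|10.20.5.40|10.20.7.2|{40 * GB}"]      # internal copy, not egress
)

if __name__ == "__main__":
    print(flag_exfiltration(SAMPLE_FLOWS))
```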

06

REGULATORY EXPOSURE

  • GDPR (Netherlands - Lead Supervisory Authority: Autoriteit Persoonsgegevens) - AkzoNobel is a Dutch company processing EU employee passport data. Passport scans containing photographs trigger Article 9 special category data obligations. Article 5(1)(f) integrity and confidentiality principle violated. Article 32 security of processing obligations unmet (170GB exfiltration). Article 33 requires 72-hour notification to the Dutch DPA. Article 34 requires individual notification to affected data subjects for high-risk breaches. Fine exposure: up to EUR 20 million or 4% of annual global turnover (4% x EUR 10.158B = EUR 406 million theoretical maximum).
  • NIS2 Directive - AkzoNobel likely qualifies as an "important entity" under NIS2 as a large manufacturing enterprise. Requires 24-hour early warning to national CSIRT, 72-hour incident notification, and final report within one month. Non-compliance fines up to EUR 10 million or 2% of global turnover.
  • Euronext Amsterdam Market Abuse Regulation (MAR) - As an AEX Index constituent, AkzoNobel must promptly disclose inside information that could significantly affect share price. A breach during a pending $25B merger is potentially material information.
  • US State Breach Notification Laws - Passport and employee PII data trigger notification obligations in every US state. Most states require notification within 30-60 days.
  • SEC Disclosure (Foreign Private Issuer) - AkzoNobel files annual reports on Form 20-F with the SEC. Material cybersecurity incidents require disclosure within 4 business days of materiality determination. Materiality assessment is complicated by the pending Axalta merger.
  • ITAR / EAR (US Export Controls) - If leaked technical specifications relate to aerospace or military coatings, exposure of controlled technical data to unauthorized parties via a public leak site may constitute a violation of the International Traffic in Arms Regulations or Export Administration Regulations.
  • Anubis Regulatory Threat - Anubis explicitly threatens to report victim breaches to the ICO, HHS, EDPB, OPC, and OAIC. For AkzoNobel, this means potential proactive reporting to the EDPB by the threat actor - an unprecedented compliance pressure tactic.

07

ZERO|TOLERANCE Advisory

1. Network Segmentation - Isolate HR/passport data, client agreements, financial records, and R&D technical specifications on separate network segments with strict inter-segment access controls. A single US site compromise should not expose all data types simultaneously.

2. Deploy Enterprise DLP with Exfiltration Alerting - 170GB sustained outbound transfer is detectable. Implement volume-based anomaly detection and mandatory encryption for outbound file transfers exceeding defined thresholds.

3. Encrypted Passport Storage with Strict Access Controls - Employee identity documents require AES-256 encrypted storage with role-based access limited to HR and legal personnel. Passport scans should never reside on general-purpose file shares.

4. VPN and Perimeter Hardening - Given Anubis's documented exploitation of VPN vulnerabilities (Copec S.A.), deploy MFA on all VPN gateways, maintain emergency patching cadence for internet-facing appliances, and implement zero-trust network access where possible.

5. Tamper-Resistant EDR - Deploy endpoint detection and response with anti-tamper capabilities that detect and block coordinated service termination (Veeam, BackupExec, Symantec) - a known Anubis pre-encryption behavior.

6. Trade Secret and ITAR Classification - For a company with Boeing, Airbus, and US military OEM approvals, implement data classification that identifies ITAR-controlled technical data and trade secret formulations, with DLP rules preventing exfiltration of classified materials.

08

INTELLIGENCE GAPS

The following gaps exist in the public record for this incident:

1. The initial access vector has not been disclosed by AkzoNobel or confirmed by any researcher - the assessment that it involved VPN exploitation, phishing, or stolen RDP credentials is based on Anubis's known TTPs, not incident-specific evidence.

2. Which of AkzoNobel's 30+ North American sites was breached has not been identified. In January 2026 - two months before the breach - AkzoNobel announced a EUR 50M investment to expand its Waukegan, Illinois aerospace coatings facility, its largest globally.

Whether the breached site is aerospace-related remains unknown.

3. Whether leaked technical specification sheets relate to aerospace or military coatings - and therefore constitute ITAR-controlled technical data - has not been confirmed through review of the published samples.

4. AkzoNobel's claim that the incident was "limited to the respective site" and "already contained" has not been independently verified through forensic analysis or third-party assessment.

5. The impact of the breach on the pending $25 billion Axalta merger - specifically whether it has triggered due diligence reassessment, regulatory scrutiny, or material disclosure obligations - has not been publicly addressed by either company.

09

SOURCES

BleepingComputer, TechRadar, Cybernews, Check Point Research, CySecurity News, SC Media, FalconFeeds, DeXpose, Prism News, RedPacket Security, DWM Magazine, USGlass Magazine, ransomware.live, Trend Micro, KELA Cyber, Sophos (Secureworks), Proven Data, Picus Security, AkzoNobel Investor Relations
