
Ransomware attack hits AkzoNobel division in the U.S.

  • Writer: Security Team
  • 19 hours ago

The ICS Labs CTI identified that a U.S. division of AkzoNobel, a Dutch multinational in the paints and coatings sector, was targeted by a ransomware attack that resulted in the theft of approximately 170 GB of corporate data, according to information publicly disclosed by security researchers.

The attack was claimed by the Anubis Ransomware Group, which stated it had obtained around 170,000 files containing sensitive corporate information. The leak was initially disclosed by cybersecurity specialist Erik Westhovens.

The data was published on the group’s leak site, a common practice in extortion operations in which criminals threaten to release information if payment is not made.


Potentially Compromised Data

According to the criminal group, the stolen files include:

  • Copies of employee passports

  • Non‑disclosure agreements with customers and suppliers

  • Corporate legal documents

  • Internal financial reports

  • Summaries and administrative data


Company Statement

A spokesperson for AkzoNobel told BleepingComputer that the incident was identified and contained, emphasizing that the impact was limited to a single site within the organization and that the company is notifying affected parties. The company also highlighted that the appropriate authorities are involved in the investigation. So far, the company has not publicly confirmed the full extent of the leak claimed by the group.


About the Anubis Group

The Anubis ransomware group has been active since December 2024 and operates under a Ransomware‑as‑a‑Service (RaaS) model.

Characteristics of the operation include:

  • Affiliate programs for criminal partners

  • Sale of initial access (Initial Access Brokers)

  • Double‑extortion tactics with publication of stolen data

  • Targeted attacks against large organizations

  • An optional “wipe mode,” allowing malicious actors to erase victims’ files if the ransom is not paid


Recommendations for Security Teams

This incident highlights the need for organizations to strengthen their defenses against ransomware, given the increasing number of attacks conducted by groups like Anubis. Defense teams should perform recurring audits of privileged accounts and remote access. Additionally, companies should adopt network segmentation, multifactor authentication, and continuous monitoring to detect suspicious activity. Maintaining regular, tested offline backups is also increasingly important to ensure data and system recovery without depending on ransom payments. Finally, investing in employee security awareness training reduces the likelihood and impact of incidents similar to the one that affected AkzoNobel.


Latest Updates

  • June 13, 2025: Trend Micro publishes a post about the Anubis ransomware.

  • March 3, 2026: BleepingComputer reports on the AkzoNobel case, confirming the attack.

  • March 7, 2026: CISO Advisor discusses the incident and leaked data on its blog.


 
 
 


ICS Labs

Your best defense strategy

© 2026 ICS - Inorpel CyberSecurity
