The Everest ransomware group has claimed responsibility for a cyberattack on Mediclinic, a global hospital network with operations in South Africa, Switzerland, Namibia, and the UAE. The gang is threatening to leak stolen internal data unless its ransom demands are met.
Founded in 1983, Mediclinic generates $5.4 billion in annual revenue and is one of the largest private hospital groups in the regions where it operates. According to a post made by the threat actors on May 26, the hackers exfiltrated sensitive data involving 1,000 employees and approximately 4GB of confidential internal files.
“You have five days to contact us and make an agreement,” the attackers warned in their dark web note. “Otherwise, the data will be published.”
Alleged Stolen Data Includes Internal Documents and Employee Records
Mediclinic has not yet responded publicly, and the full extent of the breach remains unknown. However, Cybernews analysts noted the risk posed by the exposure of internal documents and employee information, particularly in a sector as sensitive as healthcare.
“This kind of breach, with internal and confidential documents accessed, is especially dangerous for employees,” said Cybernews researchers.
If verified, the breach could facilitate identity theft, phishing schemes, and potentially further attacks on Mediclinic’s systems.
“As there could be documents about the company’s internal workings, this can open doors to further attacks on the infrastructure and possibly legal action against the company,” the researchers added.
Everest Ransomware’s Growing Victim List
The Everest ransomware group has been active since mid-2021 and is believed to be associated with the Russia-linked BlackByte cartel. The gang has previously targeted large enterprises across different sectors using double extortion tactics—stealing data and threatening public leaks to force payment.
Notable claims by Everest include:
- Coca-Cola (May 2025) – Alleged theft of internal documents and data of nearly 1,000 employees
- AT&T (October 2022) – Claimed access to the corporate network
- 248 total victims listed on dark web trackers since 2023
The attack on Mediclinic marks another healthcare sector breach, highlighting the growing trend of ransomware attacks targeting medical and critical infrastructure.
Mediclinic has not released a statement at this time, and no confirmation has been made regarding payment or breach containment.