Severity: Critical | Status: Unverified claim

TSYS Ransomware Attack by Everest (May 2026)

Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.

Leak Site Screenshot

[Screenshot: leak site post claiming a TSYS data breach, captured at time of discovery. Image blurred to protect victim PII.]

Claim Summary

On May 2, 2026, the Everest ransomware group allegedly added TSYS (Total System Services), a US-based payment processing subsidiary of Global Payments, to their leak site. The threat actor claims to have exfiltrated data from the Columbus, Georgia-headquartered financial technology company. As of this report, TSYS has not publicly confirmed or denied the breach. This claim remains unverified, and ransomware groups frequently exaggerate or fabricate victim data to pressure negotiations.

Threat Actor Profile

Everest is a ransomware group first observed in late 2020, known for double extortion tactics - encrypting systems and exfiltrating data to use as leverage. According to the HHS HC3 threat actor profile (August 2024), Everest has claimed 339 victims across multiple sectors, with a notable focus on healthcare and financial services. The group is operationally sophisticated, employing a range of tools including:

  • Reconnaissance/Enumeration: SoftPerfect NetScan, ProcDump
  • Lateral Movement/Persistence: Cobalt Strike, Metasploit, Meterpreter
  • Remote Access: AnyDesk, Atera, Splashtop

Everest’s credibility is moderate - the group has a track record of confirmed attacks but also posts unverified claims. Its leak site is active, and it typically publishes limited data samples to validate claims. The group’s TTPs suggest a structured intrusion lifecycle, often starting with phishing or exploitation of public-facing vulnerabilities.

Alleged Data Exposure

Everest claims to have stolen data from TSYS, though the volume and nature of the data remain undisclosed. TSYS processes credit/debit card transactions, merchant services, and payment management for financial institutions globally. If the claim is valid, potential data types could include:

  • Customer transaction records
  • Merchant account details
  • Internal financial documents
  • Employee PII (names, emails, HR records)

No samples or proof of data have been publicly shared at this time. The group’s typical pattern involves posting a small portion of data to pressure victims into paying a ransom.

Potential Impact

If confirmed, this breach could have severe consequences:

  • Regulatory Risk: TSYS operates under PCI DSS and financial regulations. A data breach could trigger fines, audits, and loss of compliance certifications.
  • Reputational Damage: As a trusted payment processor, any compromise erodes client and consumer confidence.
  • Operational Disruption: Everest’s encryption could disrupt transaction processing, merchant services, and payment settlement systems.
  • Supply Chain Risk: TSYS’s clients include banks, credit unions, and retailers. Stolen data could be used for fraud, identity theft, or targeted attacks against downstream partners.

What to Watch For

  • Official Confirmation: Monitor TSYS and Global Payments for breach notifications or SEC filings.
  • Leak Site Activity: Check if Everest posts data samples to validate their claim.
  • Dark Web Chatter: Look for threat actors selling or sharing any TSYS-related data.
  • YARA Rules: Security teams can leverage existing Everest detection rules from public repositories (e.g., rule-based detection for Cobalt Strike beacons, Meterpreter payloads, or AnyDesk installations). No specific TSYS-related YARA rules are available yet.
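The enumeration and remote-access tooling listed in the threat actor profile above can be turned into a first-pass host triage check on process-creation telemetry. The following is an added example and not code from the Yazoul Security report or a published Everest signature: it scans constructed endpoint events for those tools, flags copies launched from user-writable locations, and raises severity when enumeration and remote-access tooling appear on the same host within a day, mirroring the structured lifecycle the profile describes. Cobalt Strike and Meterpreter are left to dedicated YARA/EDR signatures. The executable names, JSON event format, hostnames and paths are assumptions to be tuned against your own telemetry.

```python
"""
Added example (not code from the Yazoul Security report or a published
Everest signature): first-pass triage of process-creation telemetry for the
dual-use tooling the HHS HC3 profile attributes to Everest. Cobalt Strike and
Meterpreter are left to dedicated YARA/EDR signatures. Executable names, the
JSON event format, hostnames and paths are all assumptions for illustration.
"""
import json
import ntpath
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed executable names for the tool families named in the profile.
# These are legitimate products; a match is a lead, not proof of compromise.
TOOL_FAMILIES = {
    "recon": {"netscan.exe", "procdump.exe", "procdump64.exe"},
    "remote_access": {"anydesk.exe", "ateraagent.exe", "srserver.exe"},
}

# Approved RMM agents normally run from Program Files; a copy launched from a
# user-writable location deserves a closer look (heuristic, assumed paths).
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")

# Enumeration and remote-access tooling on one host inside this window mirrors
# the structured intrusion lifecycle described in the profile.
CORRELATION_WINDOW = timedelta(hours=24)

# Constructed sample events (not real telemetry), one JSON object per line.
SAMPLE_EVENTS = r"""
{"ts": "2026-05-01T02:10:00", "host": "ws-fin-07", "user": "jsmith", "image": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\netscan.exe"}
{"ts": "2026-05-01T02:35:00", "host": "ws-fin-07", "user": "jsmith", "image": "C:\\Users\\jsmith\\Downloads\\AnyDesk.exe"}
{"ts": "2026-05-01T02:40:00", "host": "ws-fin-07", "user": "jsmith", "image": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\procdump64.exe"}
{"ts": "2026-05-01T09:00:00", "host": "srv-it-01", "user": "SYSTEM", "image": "C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe"}
{"ts": "2026-05-02T11:00:00", "host": "ws-hr-03", "user": "akhan", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
""".strip().splitlines()


def classify_image(image_path):
    """Return the tool family for an executable path, or None if it is not tracked."""
    name = ntpath.basename(image_path).lower()
    for family, names in TOOL_FAMILIES.items():
        if name in names:
            return family
    return None


def parse_events(lines):
    """Parse JSON-lines events, convert timestamps, and return them in time order."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect(lines, window=CORRELATION_WINDOW):
    """Map each host with tool activity to a finding: severity, families seen, hit count."""
    hits_by_host = defaultdict(list)
    for ev in parse_events(lines):
        family = classify_image(ev["image"])
        if family is None:
            continue
        lowered = ev["image"].lower()
        hits_by_host[ev["host"]].append({
            "ts": ev["ts"],
            "family": family,
            "image": ev["image"],
            "unusual_path": any(m in lowered for m in USER_WRITABLE_MARKERS),
        })

    findings = {}
    for host, hits in hits_by_host.items():
        severity = "low"          # known tool seen; compare against the approved-software inventory
        if any(h["unusual_path"] for h in hits):
            severity = "medium"   # tool launched from a user-writable location
        recon = [h["ts"] for h in hits if h["family"] == "recon"]
        remote = [h["ts"] for h in hits if h["family"] == "remote_access"]
        if any(abs(r - m) <= window for r in recon for m in remote):
            severity = "high"     # enumeration plus remote access on one host within the window
        findings[host] = {
            "severity": severity,
            "families": sorted({h["family"] for h in hits}),
            "hits": len(hits),
        }
    return findings


if __name__ == "__main__":
    for host, finding in detect(SAMPLE_EVENTS).items():
        print(host, finding)
```

Because AnyDesk, Atera and Splashtop are commercial products that IT teams deploy legitimately, a "low" finding is expected noise wherever the agent is in the approved-software inventory; the value of the check lies in the "medium" and "high" tiers, which a SOC analyst can pivot on to pull the surrounding process tree and network connections from the EDR.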

Disclaimer

This report is based on unverified claims from the Everest ransomware group’s leak site. Yazoul Security has not independently confirmed the breach, data exfiltration, or any system compromise at TSYS. Ransomware groups routinely exaggerate or fabricate victim data to pressure ransom payments. All information should be treated as intelligence leads requiring further verification. No PII, data samples, or access credentials are included in this report. For official updates, refer to TSYS or Global Payments communications.

For further intelligence on Everest TTPs, refer to the HHS HC3 profile at https://www.aha.org/system/files/media/file/2024/08/hc3-tlp-clear-threat-actor-profile-everest-ransomware-group-august-20-2024.pdf. For Yazoul Security advisories, visit /intel/ or /advisory/.
