Executive Summary
In early March 2026, AkzoNobel, a leading multinational paint and coatings company, experienced a cyberattack at one of its U.S. sites. The Anubis ransomware group claimed responsibility, asserting they had exfiltrated 170GB of sensitive data, including confidential client agreements, personal employee information, and internal technical documents. AkzoNobel confirmed the breach, stating it was contained to the specific site and that the impact was limited. The company is collaborating with relevant authorities and has initiated notifications to affected parties.
This incident underscores the evolving tactics of ransomware groups like Anubis, which have expanded their operations to include data exfiltration and destruction, increasing pressure on victims. Organizations must remain vigilant, as such attacks highlight the critical need for robust cybersecurity measures and incident response plans to mitigate potential damages.
Why This Matters Now
The AkzoNobel breach highlights the escalating threat posed by ransomware groups employing data exfiltration and destruction tactics. Organizations must prioritize comprehensive cybersecurity strategies to protect sensitive information and maintain operational integrity.
Attack Path Analysis
The Anubis ransomware group initiated the attack on AkzoNobel's U.S. site through a spear-phishing email, leading to the execution of malicious payloads. Upon gaining access, the attackers escalated privileges to administrative levels, enabling them to disable security mechanisms and access sensitive data. They then moved laterally across the network to identify and compromise additional systems. Establishing command and control channels, the attackers exfiltrated approximately 170GB of confidential data. Finally, they encrypted the data and threatened to leak it, applying pressure on AkzoNobel to meet their ransom demands.
Kill Chain Progression
Initial Compromise
Description
The attackers gained initial access through a spear-phishing email containing malicious attachments or links, leading to the execution of the Anubis ransomware payload.
MITRE ATT&CK® Techniques
Techniques identified for SEO/filtering; may be expanded with full STIX/TAXII enrichment later.
Phishing
Access Token Manipulation: Create Process with Token
Data Encrypted for Impact
Data Destruction
Inhibit System Recovery
Valid Accounts
File and Directory Discovery
Service Stop
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Protect stored cardholder data
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity Management
Control ID: Identity Pillar
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Chemicals
Paint manufacturers face critical ransomware exposure requiring enhanced zero trust segmentation, encrypted traffic protection, and egress security against data exfiltration attacks.
Manufacturing
Industrial operations vulnerable to lateral movement and privilege escalation attacks necessitating multicloud visibility, threat detection capabilities, and secure hybrid connectivity solutions.
Consumer Goods
Brand portfolio companies require comprehensive anomaly detection and kubernetes security to protect confidential client agreements and prevent unauthorized data disclosure incidents.
International Trade/Development
Global operations across 150+ countries demand cloud-native security fabric and inline IPS protection against ransomware-as-a-service attacks targeting multinational infrastructure.
Sources
- Paint maker giant AkzoNobel confirms cyberattack on U.S. sitehttps://www.bleepingcomputer.com/news/security/paint-maker-giant-akzonobel-confirms-cyberattack-on-us-site/Verified
- Anubis Ransomware Encrypts and Wipes Files, Making Recovery Impossible Even After Paymenthttps://thehackernews.com/2025/06/anubis-ransomware-encrypts-and-wipes.htmlVerified
- Anubis Ransomware Packs a Wiper to Permanently Delete Fileshttps://www.securityweek.com/anubis-ransomware-packs-a-wiper-to-permanently-delete-files/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Implementing Aviatrix Zero Trust CNSF could have significantly limited the Anubis ransomware group's ability to escalate privileges, move laterally, and exfiltrate data within AkzoNobel's network.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While initial access via phishing may still occur, subsequent malicious activities would likely be constrained, reducing the attacker's ability to exploit the network.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges would likely be constrained, reducing their capacity to disable security mechanisms and access sensitive data.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement would likely be restricted, reducing their ability to compromise additional systems within the network.
Control: Multicloud Visibility & Control
Mitigation: The establishment of command and control channels would likely be detected and disrupted, reducing the attacker's ability to maintain persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: The exfiltration of large volumes of data would likely be detected and blocked, reducing the risk of data loss.
The attacker's ability to encrypt and threaten to leak data would likely be constrained, reducing the effectiveness of their ransom demands.
Impact at a Glance
Affected Business Functions
- Research and Development
- Supply Chain Management
- Customer Relationship Management
Estimated downtime: N/A
Estimated loss: N/A
Confidential agreements with high-profile clients, email addresses and phone numbers, private email correspondence, passport scans, material testing documents, and internal technical specification sheets.
Recommended Actions
Key Takeaways & Next Steps
- • Implement advanced email filtering and user training to mitigate spear-phishing attacks.
- • Enforce strict privilege management and regular audits to prevent unauthorized privilege escalation.
- • Deploy network segmentation and monitoring to detect and prevent lateral movement.
- • Establish robust command and control detection mechanisms to identify and disrupt unauthorized communications.
- • Implement data loss prevention strategies and regular backups to mitigate the impact of data exfiltration and encryption.
