Anubis lists AkzoNobel on leak site; company has not confirmed intrusion

Security trackers reported Anubis posted AkzoNobel on a ransomware leak site on March 2, 2026; researchers warn listings can be real or fabricated and urge careful investigation.

Lisa Park

Security trackers reported that the Anubis ransomware group publicly listed AkzoNobel on a ransomware leak site on March 2, 2026, raising immediate questions about potential data exposure at the global paints and coatings company headquartered in the Netherlands. AkzoNobel has not publicly confirmed any intrusion, and the initial monitoring report is truncated, ending with the fragment "The listing was discovered and aggregate," complicating independent verification.

Ransomware researchers say leak-site postings can signal genuine breaches or be part of bluff campaigns that inflate victim counts. Paubox examined a recent actor, 0APT, that claimed roughly 200 victims in its first week but published sample artifacts and placeholder file trees that led researchers to question many of its claims. Paubox cautioned that "Being listed on 0APT's data-leak site does not confirm a breach occurred, so organizations should investigate before triggering formal notification procedures." The company also advised that "Organizations should engage their incident response team and legal counsel before taking any action or making contact with the group."

At the same time, other recent cases show how quickly leak-site listings can translate into operational pain. Cisco Talos researchers described the emergence of a group called RA Group, which appeared on April 22 and, within a week, had compromised three U.S. organizations and one in South Korea. RA Group listed victims on April 27 and April 28 and used a double extortion pattern in which data are encrypted and stolen to increase pressure for payment. Talos observed customized ransom notes that threaten "a leak of sample files within three days and a full release of stolen data within a week, if the ransom isn't paid." Talos also described the group's use of Babuk ransomware source code as "highly customized," and security firms including Check Point have flagged Babuk-derived strains as fast and dangerous.

Blockchain and intelligence analysts underscore how interconnected and evolving the criminal ecosystem has become. TRM Labs has documented rebrandings and laundering overlaps among actors such as Frag, Akira, Fog, Sarcoma, and Termite, noting shared wallet clusters and bridge services used between late 2024 and June 2025. TRM singled out Termite as a closed group linked to Babuk variants and cited notable victims including supply chain vendor Blue Yonder and Australian fertility clinic Genea, from which Termite allegedly exfiltrated 940 gigabytes of sensitive patient data. Those incidents illustrate the concrete downstream harms that leak-site postings can presage: disrupted supply chains, service outages, and exposures of highly sensitive personal information with direct consequences for patients and communities.

For health systems, social service providers, and smaller businesses, the stakes extend beyond corporate balance sheets. Disruption to a global supplier of industrial coatings could cascade into delayed facility maintenance, stalled infrastructure projects, and slowed deliveries of coated components used in medical equipment and transportation—effects that disproportionately burden under-resourced hospitals and communities. Security firms therefore urge organizations tied to a listed company to treat a leak-site posting as an urgent lead to investigate, while regulators and policymakers should consider clearer standards for rapid, evidence-based notification and support for affected community services.

As of March 2, 2026, AkzoNobel has not issued a public confirmation or denial of an intrusion. Security researchers and incident responders recommend that any organization seeing its name on a leak site compile forensic artifacts, engage incident response and legal counsel, and coordinate with law enforcement before responding to extortion demands.
