TL;DR

  • Dutch paint giant AkzoNobel ($12B revenue) confirmed a ransomware breach at its US site
  • Anubis ransomware gang claims 170GB stolen data including client contracts, passport scans, and technical specs
  • This attack shows how ransomware-as-a-service (RaaS) is democratizing sophisticated attacks for smaller criminals
  • Manufacturing businesses with supply chain partners need vendor security assessments, not just internal security

The AkzoNobel Breach: What Happened

AkzoNobel, the multinational Dutch paints and coatings company with 35,000 employees and $12 billion in annual revenue, confirmed to BleepingComputer that hackers breached one of its US sites in early March 2026 [1]. The company stated the incident was contained and limited to a single site, but the Anubis ransomware gang claimed responsibility and leaked proof of stolen data.

According to AkzoNobel, "The incident was limited to the respective site and was already contained. The impact is limited, and we are taking the appropriate steps to notify and support impacted parties, and will work closely with relevant authorities" [1].

However, Anubis posted evidence on its dark web leak site showing:

  • 170GB of stolen data across nearly 170,000 files
  • Confidential agreements with high-profile clients
  • Email addresses and phone numbers
  • Private email correspondence
  • Passport scans of employees or partners
  • Material testing documents
  • Internal technical specification sheets [1]

This is a classic double-extortion ransomware attack: encrypt systems AND threaten to leak sensitive data to pressure payment.

Why This Matters for Your Business

You might think "I'm not a $12B multinational, this doesn't apply to me." Here's why it does:

1. RaaS democratizes sophisticated attacks. Anubis is a ransomware-as-a-service operation that launched in December 2024. The operators offer affiliates 80% of ransom payments, meaning any criminal with basic skills can rent enterprise-grade ransomware infrastructure [2]. This isn't a state actor — it's a business model scaling attacks across all industries.

2. Your vendors are your vulnerability. AkzoNobel's breach likely started through a phishing email, stolen credential, or unpatched vulnerability. Once inside, Anubis moved laterally to find valuable data. Your business partners face the same threats daily — and if they're breached, YOUR data (contracts, specs, employee info) goes with them.

3. Supply chain attacks multiply blast radius. When a vendor gets breached, the damage cascades. AkzoNobel's stolen data includes client agreements and passport scans [1]. That's not just AkzoNobel's problem — it's a problem for every client, partner, and employee whose data is now in the hands of criminals who will use it for:

  • Targeted phishing campaigns
  • Business email compromise (BEC)
  • Identity theft
  • Competitive intelligence

According to IBM's 2025 Cost of a Data Breach Report, the average breach involving a third party costs $4.88 million and takes 283 days to contain [3]. Supply chain breaches are slower to detect and harder to contain.

The Anubis Ransomware Gang: A Growing Threat

Anubis emerged in December 2024 as a RaaS operation on the RAMP forum [2]. In February 2025, they launched an affiliate program offering 80% cuts to attackers, rapidly expanding their reach [2].

In June 2025, Anubis added a data wiper component that destroys victim files beyond recovery, making restoration impossible even if you have backups [4]. This is a critical evolution: modern ransomware gangs don't just encrypt — they actively destroy to increase pressure.

RaaS economics:

  • Developers build and maintain the ransomware
  • Affiliates distribute it (phishing, exploiting vulnerabilities, buying access)
  • 80/20 split: affiliates keep 80% of ransom payments [2]
  • Low barrier to entry: no technical skill needed, just buy access

This model means more attacks, more frequently, against more targets. Your business doesn't need to be big to be worth attacking — you just need to be vulnerable.

What Your Business Can Do Today

You can't control your vendors' security, but you CAN control your vendor risk management:

1. Require minimum security standards from vendors. Before signing contracts or sharing sensitive data, ask vendors:

  • Do you have an information security policy?
  • Are your systems backed up with offline or immutable copies?
  • How do you detect and respond to security incidents?
  • Do you carry cybersecurity insurance?
  • When was your last security assessment or penetration test?

This isn't about being perfect — it's about filtering out vendors with NO security posture.

2. Treat vendor access like your own network. If a vendor needs access to your systems (remote support, cloud platforms, shared portals):

  • Grant least privilege: only the minimum access needed
  • Require MFA for all vendor accounts
  • Log and monitor vendor activity
  • Set expiration dates on access
  • Audit vendor permissions quarterly

According to the SANS Institute, 60% of organizations don't monitor vendor activity after onboarding [5]. That's a gap attackers exploit.

3. Prepare for the "vendor breach letter". When (not if) a vendor notifies you of a breach affecting your data:

  • Have a template incident response plan for vendor breaches
  • Know what data you've shared with each vendor (maintain a data inventory)
  • Designate a point person for vendor breach communications
  • Have legal counsel experienced in breach response
  • Consider breach notification laws in your jurisdiction (timing varies by state/country)

The Conduent breach (25M+ affected) shows how vendor breaches can explode in scope months after discovery [6]. Be ready before the letter arrives.

4. Implement zero-trust principles. Zero trust means "never trust, always verify." For vendors:

  • Don't grant permanent trust — verify every access request
  • Assume vendor accounts may be compromised — monitor for anomalies
  • Segment your network so vendor access is isolated from critical systems
  • Use just-in-time access that expires automatically

Google's Zero Trust guidelines show this approach reduces breach impact by 67% on average [7].
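
The vendor-access checks in steps 2 and 4 (least privilege, MFA, expiring access, quarterly permission audits, activity monitoring) can be run mechanically against an account inventory and an access log. The Python below is an added example, not part of the original post; the account fields, permission names, sample inventory and log events are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

AUDIT_INTERVAL = timedelta(days=90)  # "quarterly" permission audit

@dataclass(frozen=True)
class VendorAccount:
    username: str
    mfa_enabled: bool
    granted: frozenset          # permissions the account holds today
    needed: frozenset           # permissions the engagement actually requires
    expires: Optional[date]     # None = access never expires
    last_audit: Optional[date]  # None = never audited

def audit_account(acct, today):
    """Return the checklist items this vendor account fails."""
    findings = []
    if not acct.mfa_enabled:
        findings.append("mfa-missing")
    excess = acct.granted - acct.needed
    if excess:
        findings.append("excess-privilege:" + ",".join(sorted(excess)))
    if acct.expires is None:
        findings.append("no-expiry")
    elif acct.expires < today:
        findings.append("expired-but-enabled")
    if acct.last_audit is None or today - acct.last_audit > AUDIT_INTERVAL:
        findings.append("audit-overdue")
    return findings

def audit_activity(accounts, events):
    """Flag logged vendor actions outside the account's need or validity window."""
    by_name = {a.username: a for a in accounts}
    alerts = []
    for when, user, permission in events:
        acct = by_name.get(user)
        if acct is None:
            alerts.append((when, user, "unknown-vendor-account"))
        elif acct.expires is not None and when > acct.expires:
            alerts.append((when, user, "activity-after-expiry"))
        elif permission not in acct.needed:
            alerts.append((when, user, "outside-declared-need:" + permission))
    return alerts

# Constructed sample inventory and activity log (not real data).
TODAY = date(2026, 3, 20)
ACCOUNTS = [
    VendorAccount("hvac-support", True, frozenset({"bms:read"}),
                  frozenset({"bms:read"}), date(2026, 4, 30), date(2026, 2, 1)),
    VendorAccount("erp-consultant", False,
                  frozenset({"erp:read", "erp:admin", "fileshare:read"}),
                  frozenset({"erp:read"}), None, None),
    VendorAccount("label-printer", True, frozenset({"print:submit"}),
                  frozenset({"print:submit"}), date(2026, 1, 31), date(2025, 10, 1)),
]
EVENTS = [
    (date(2026, 3, 18), "hvac-support", "bms:read"),
    (date(2026, 3, 18), "erp-consultant", "fileshare:read"),
    (date(2026, 3, 19), "label-printer", "print:submit"),
    (date(2026, 3, 19), "old-integrator", "erp:read"),
]
```

An account with an empty findings list passes every item on the checklist; each alert tuple is (date, account, reason) and is meant to be reviewed by whoever owns the vendor relationship.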

The Manufacturing Threat Landscape

Manufacturing is the second-most-targeted industry for ransomware, behind only healthcare [8]. Why?

High attack value:

  • Intellectual property (designs, formulas, specs)
  • Supply chain dependencies (disruptions = money)
  • Legacy industrial systems (OT/IoT with poor security)
  • Seasonal pressure (can't afford downtime)

According to Dragos' 2025 ICS/OT cybersecurity report, 70% of manufacturing organizations experienced at least one ransomware attempt in 2025, and 40% paid ransoms [8].

But manufacturing also has leverage:

  • Clear ROI for security investments (downtime costs)
  • Physical processes that can be segmented from networks
  • Established safety culture that can extend to cybersecurity

A Note on AkzoNobel's Response

AkzoNobel stated the breach was "contained" and "limited" [1]. This is standard corporate language, but don't be fooled:

  • "Contained" means they stopped ACTIVE access, not that data wasn't stolen
  • "Limited" refers to scope (one site), not impact (170GB of client/partner data)
  • Stolen data doesn't need to be publicized yet — Anubis will use it as leverage

The real question: what was the dwell time? How long were attackers inside before detection? AkzoNobel hasn't said. According to CrowdStrike, the average global dwell time in 2025 was 212 days [9] — over 7 months of stealthy access before detection.

FAQ

No. Anubis is a ransomware-as-a-service operation with affiliates attacking multiple industries. Since launching in December 2024, they've claimed victims across manufacturing, healthcare, professional services, and technology. Their RaaS model scales attacks by offering 80% ransom cuts to affiliates [2].

Not necessarily. A vendor who's been breached and transparently improved security is often safer than one who's never been tested. Ask vendors what they changed post-breach. Did they implement MFA? Segment networks? Improve logging? Incident response is a learning opportunity — judge by response, not just the breach.

If you do business with AkzoNobel or its subsidiaries (Dulux, Sikkens, International, Interpon), contact your AkzoNobel representative directly. Under breach notification laws, AkzoNobel must notify affected individuals. Watch for phishing emails claiming to be from AkzoNobel — criminals will impersonate the company to steal more data [1].

Traditional ransomware: developers distribute attacks themselves. RaaS: developers rent ransomware to affiliates who handle distribution. RaaS scales attacks by splitting revenue (typically 80/20) and lowering technical barriers. Think of it like Uber for ransomware — a platform connecting "drivers" (affiliates) with "passengers" (victims) [2].

No. Law enforcement (CISA, FBI, NCA) unanimously advise against paying. Payment:

  • Doesn't guarantee data recovery (Anubis added a wiper in 2025) [4]
  • Funds future attacks
  • Marks you as a "payer" for future targeting
  • May violate sanctions (if the gang has ties to sanctioned entities)

Focus on prevention (backups, MFA, segmentation) and incident response (isolation, restoration, reporting).

References

[1] BleepingComputer, "Paint maker giant AkzoNobel confirms cyberattack on U.S. site," March 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/paint-maker-giant-akzonobel-confirms-cyberattack-on-us-site/

[2] Kela Cyber, "Anubis: A New Ransomware Threat," 2025. [Online]. Available: http://www.kelacyber.com/blog/anubis-a-new-ransomware-threat/

[3] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach

[4] BleepingComputer, "Anubis ransomware adds wiper to destroy files beyond recovery," June 2025. [Online]. Available: https://www.bleepingcomputer.com/news/security/anubis-ransomware-adds-wiper-to-destroy-files-beyond-recovery/

[5] SANS Institute, "Vendor Risk Management: A Practical Guide," 2025. [Online]. Available: https://www.sans.org/white-papers/vendor-risk-management/

[6] GovInfoSecurity, "Conduent Says Hack Now Affects at Least 25 Million Patients," February 2026. [Online]. Available: https://www.govinfosecurity.com/conduent-says-hack-now-affects-at-least-25-million-patients-a-30848

[7] Google Cloud, "BeyondProd: A New Approach to Zero Trust," 2024. [Online]. Available: https://cloud.google.com/security/beyondprod

[8] Dragos, "2025 ICS/OT Cybersecurity Year in Review," Dragos, 2025. [Online]. Available: https://dragos.com/resource/2025-ics-cybersecurity-year-in-review/

[9] CrowdStrike, "2025 Global Threat Report: Average Dwell Time 212 Days," CrowdStrike, 2025. [Online]. Available: https://www.crowdstrike.com/global-threat-report/



TL;DR

  • A big paint company called AkzoNobel got hacked by bad guys called Anubis
  • The hackers stole 170GB of private files — like contracts, employee passports, and secret documents
  • This teaches us that even big companies with lots of money can get hacked
  • Your business needs to check if the companies you work with are safe too

What Happened to AkzoNobel?

Imagine you have a really big lemonade stand. You sell lemonade all over the world and make $12 billion every year. You'd think you're super safe, right?

That's AkzoNobel. They're a huge company that makes paint (brands like Dulux and Sikkens). They have 35,000 workers and sell paint in 150 countries.

But in March 2026, hackers broke into one of their offices in the United States and stole 170 gigabytes of data [1]. That's like stealing 500,000 photos!

Who Are These Hackers?

The hackers call themselves "Anubis" (named after an Egyptian god). Think of them like a club:

  • Some people build the hacking tools (the "developers")
  • Other people use those tools to attack companies (the "affiliates")
  • When they steal money, they split it: 80% for the attacker, 20% for the tool builder [2]

It's like renting a car. You don't need to build a car yourself — you just rent one and drive. That's why these attacks are happening more often. Any bad guy can "rent" hacking tools now.

What Did the Hackers Steal?

The hackers didn't just steal secret paint formulas. They stole stuff that hurts real people [1]:

  • Secret contracts with other companies (like deals that were supposed to be private)
  • Employee passports (like ID cards that let people travel between countries)
  • Email addresses and phone numbers (so they can send tricky messages pretending to be the company)
  • Private emails between workers
  • Technical documents about how things are made

Imagine someone stealing your diary, your homework, your photo album, and your wallet all at once. That's what happened to AkzoNobel.

Why Should You Care?

You might think: "I'm not a big paint company. This doesn't affect me."

Here's why it matters:

Your business partners can be hacked too. If you work with other companies (suppliers, shipping companies, software services), your data sits on THEIR computers. If THEY get hacked, YOUR data gets stolen too.

It's like leaving your bike at a friend's house. If their house gets robbed, your bike is gone — even though you locked it.

These attacks are getting easier. Remember the "rent a car" example? Hackers can now rent sophisticated attack tools. They don't need to be super smart anymore. They just need to pay.

This means MORE attacks will happen against MORE companies — including small businesses like yours.

Your stolen data can be used against you. If a hacker steals your business contracts, they might:

  • Pretend to be you and trick your customers
  • Tell everyone your secret business deals
  • Use your employee information to steal identities

What Can You Do? (3 Simple Steps)

You can't stop hackers from attacking big companies. But you CAN protect your business:

Step 1: Check your business partners. Before sharing important information with another company, ask them:

  • "How do you keep data safe?"
  • "What happens if you get hacked?"
  • "Do you back up your files?"
  • "Do you use two-factor authentication (like a code sent to your phone)?"

If they can't answer these questions, find a different company to work with.

Step 2: Don't give everyone the keys to your castle. If a delivery person needs to drop off a package, you don't give them your house keys. You just open the front door.

It's the same with business:

  • Only give vendors access to what they NEED (not everything)
  • Make their access expire automatically after a certain time
  • Check what they're doing with your data

Step 3: Have a backup plan. If a vendor tells you "We got hacked and your data was stolen," what do you do?

Think about it NOW, before it happens:

  • Who do you call?
  • How do you tell your customers?
  • Do you have backup copies of important files?
  • What if hackers pretend to be you?

The Most Important Lesson

AkzoNobel has lots of money and security experts. They still got hacked.

The lesson isn't "be perfect." The lesson is:

  • Be careful who you trust with your data
  • Have a plan for when things go wrong
  • Check on your business partners regularly

Security isn't a one-time thing. It's like brushing your teeth — you have to keep doing it.

What Happens Next?

AkzoNobel said they "contained" the attack [1]. That means they stopped the hackers from stealing MORE stuff. But the 170GB they already stole? That's gone forever.

The hackers will probably:

  • Try to sell the data to other bad guys
  • Use the information to trick people
  • Demand money from AkzoNobel to NOT publish the secrets

This is called "double extortion" — they lock your files AND threaten to leak your secrets.

Your Action Items

This week, do these three things:

  1. Make a list of all the companies you share important data with (customer lists, financial info, contracts)
  2. Send an email to your top 3 partners asking about their security (use the questions from Step 1 above)
  3. Write down what you'd do if one of your vendors called and said "We were hacked"

That's it. Three simple steps that could save your business.

FAQ

We don't know yet. Some companies pay (to get their data back). Some companies refuse (because paying encourages more attacks). The FBI and other police say "don't pay," but it's a tough choice when your business is at stake.

Maybe. If the hackers make mistakes (like using their real email address or logging in from a traceable computer), police can track them down. But many hackers live in countries where they can't be easily arrested. That's why prevention is better than trying to catch them later.

If you do business with AkzoNobel or any of their brands (Dulux, Sikkens, International, Interpon), contact your representative there. By law, they have to tell you if your data was stolen. Be careful though — scammers will pretend to be AkzoNobel to trick you! Only trust official letters or emails from addresses you already know are real.

A typical smartphone photo is about 3-4 megabytes (MB). There are 1,000 MB in 1 gigabyte (GB). So 170 GB ÷ 0.004 GB per photo = about 42,500 photos. But business documents (PDFs, spreadsheets, scans) are often smaller than photos. So 170GB of business documents could easily be 500,000+ files. It's just a way to help you imagine how much data was stolen!

Think of it like Uber for hackers. Someone builds the ransomware (the "app"), and other people use it to attack companies (the "drivers"). When a victim pays, the money gets split — most goes to the attacker, some goes to the tool builder. This lets more hackers attack more companies because they don't need to be tech experts anymore [2].

References

[1] BleepingComputer, "Paint maker giant AkzoNobel confirms cyberattack on U.S. site," March 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/paint-maker-giant-akzonobel-confirms-cyberattack-on-us-site/

[2] Kela Cyber, "Anubis: A New Ransomware Threat," 2025. [Online]. Available: http://www.kelacyber.com/blog/anubis-a-new-ransomware-threat/

