Anubis Ransomware Lists Disneyland Paris as New Victim

The infamous Anubis ransomware gang has listed Disneyland Paris as its latest victim. Hackread.com can confirm that the group posted details of the alleged breach on its dark web leak site, stating that the stolen data archive totals 64GB.

Anubis is a ransomware-as-a-service (RaaS) operation that surfaced in December 2024, evolving from an earlier test version named “Sphinx.” It has no connection to the Android banking trojan or Python backdoor that share the same name.

The gang offers profit-sharing models for its affiliates: 80% from encrypted ransom payments, 60% from data leaks, and 50% from access resales. Trend Micro recently reported that the group is using a “Built-in Wiper,” a feature that completely erases/wipes off data from compromised systems.

Regarding the Disneyland Paris incident, the group described it as “the largest data leak in the history of Disneyland Park.” They stated that 39,000 files related to construction and renovation activities at the park were obtained. According to them, the data was acquired during a breach involving one of Disneyland’s partner companies.

Screenshot from the Anubis Ransomware gang’s dark web leak blog (Image credit: Hackread.com)

“During the leak of data of the partner company, 39,000 files related to the construction and renovation of the Disneyland Paris location ended up in our hands,” the group wrote.

To support their claim, the operators announced they would release a portion of the data within the next five hours. So far, images and videos have been uploaded to their site, allegedly showing detailed drawings of various park attractions.

The archive, as per Anubis’ claims includes plans for Frozen, Crush’s Coaster, Pirates of the Caribbean, Big Thunder Mountain, Autopia, Buzz Lightyear, Orbitron, Casey Jr., Phantom Manor, Ratatouille, and more.

Additional images show engineering-related work at the site. To stress the significance of the breach, the group noted that Disneyland typically signs NDAs with employees, strictly prohibiting them from sharing internal material publicly.

Screenshot from the Anubis Ransomware gang’s dark web leak blog (Image credit: Hackread.com)

However, the post does not specify whether any customer or visitor information is included in the files. It also does not clarify if a ransom demand has been issued to Disneyland Paris. On its official Twitter (now X) account, the group was seen bragging about the incident on June 12, 2025.

For now, the breach remains unverified. Hackread.com has contacted Disneyland Paris for comment. This article will be updated if a response is received.