Ransomware victim disclosure
← All victimsPaul Mitchell Russia (paulmitchell.ru)
listed as paulmitchell.ru · Claimed by Malas · listed 3 years ago
Status timeline
- ListedApr 9, 2023
- Data leakeddate unknown
At a glance
- Group
- Malas
- Status
- Data leaked
- Country
- Russia
- Sector
- Retail & Consumer
- Listed on leak site
- Apr 9, 2023
About the victim
AI dossier — public-source company profilepaulmitchell.ru is a Russian online retailer selling professional hair care and beauty products, operating under the Paul Mitchell brand alongside other professional lines such as Kemon, Laros Beauty, Cotril, and Actyva. The store is based in Moscow and accepts orders 24/7, with order processing on weekdays from 10:00 to 18:00. It sells shampoos, conditioners, styling products, and hair care accessories to both salon professionals and end consumers.
- Industry
- Professional Hair Care & Beauty Products Retail
- Address
- 125167, Россия, Москва, проезд Аэропорта, дом 8, строение 8, помещение II, комната 2
Attack summary
Severity: medium — Data has been published and a known Zimbra vulnerability was exploited, suggesting email server compromise and likely exfiltration of business communications and possibly customer data; however, no specific regulated data types (e.g., financial, medical) or scale are confirmed, and no ransom amount or detailed data inventory was disclosed.The Malas ransomware group claims to have compromised paulmitchell.ru by exploiting a Zimbra vulnerability, with the disclosure status recorded as data_published, indicating exfiltration or publication of data has occurred. No specific data types or volume were described in the leak post.
Data the group says was taken
AI dossier — extracted from the leak post- Email server data (via Zimbra)
- Business communications
- Customer order records (potential)
- Employee/contact information (potential)
What the group claims
using Zimbra vulnerability
Sources
Source
Indexed 3 years agoThis page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.
Is this your supplier? Your competitor? You?
Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.

