Skip to content
Ransomware group

Everest

Everest is a Russia-linked ransomware operation active since at least 2020 that has operated as a ransomware-as-a-service and double-extortion enterprise.

Profile source: Mallory opens in a new tab

Everest

Family profile

Everest is a Russia-linked ransomware operation active since at least 2020 that has operated as a ransomware-as-a-service and double-extortion enterprise. The group is known for stealing data, encrypting victim systems, and threatening public release of stolen information to coerce payment. Reporting has also associated Everest with initial access brokerage activity, indicating that the operation has at times monetized network footholds in addition to ransomware deployment.

Everest has targeted organizations across North America, Europe, and Asia, with victims spanning government, healthcare, telecommunications, aviation, manufacturing, energy, finance, and other enterprise sectors. Publicly claimed victims and incident reporting indicate broad opportunistic targeting rather than a narrow vertical focus, although healthcare and critical business operations have featured prominently in observed cases.

Initial access has been associated with exploitation of vulnerable public-facing applications, phishing, and the use of stolen credentials. In intrusions attributed to Everest, data theft may occur earlier in the attack chain through tooling separate from the ransomware payload itself. This distinction is important because technical analysis of at least one live Everest encryptor sample found no built-in exfiltration capability despite extortion claims of large-scale data theft.

The Everest encryptor has been observed as a .NET executable protected with ConfuserEx and designed primarily for defense evasion, process disruption, network reachability, and file encryption. Observed behaviors include mutex-based single-instance execution, geofencing to avoid systems configured with Commonwealth of Independent States language or locale settings, termination of security and analysis tools, disabling of Windows Defender Controlled Folder Access, deletion of shadow copies, removal of backup-related data, and removal of the anti-ransomware tool Raccine. The malware has also demonstrated an unusual use of Wake-on-LAN broadcasts to wake sleeping devices so they can be encrypted.

For encryption, Everest has been observed using AES-128 for file data and RSA-1024 to protect encryption keys. It encrypts smaller files fully and larger files partially to accelerate impact across large environments. After encryption it appends a dedicated Everest extension to affected files, drops ransom notes in impacted locations, and can self-delete after execution.

Everest is best understood as an extortion-focused criminal operation whose public claims may at times overstate the capabilities of the ransomware binary itself. Its operational model combines conventional ransomware deployment with data-theft pressure and public leak-site coercion, making it a persistent threat to enterprise environments and third-party supply chains.

Ransomware.live

Operational record

View group record ↗

Credential Theft

  • ProcDump

Discovery Enum

  • SoftPerfect NetScan

Offsec

  • Cobalt Strike
  • Metasploit
  • Meterpreter

RMM Tools

  • AnyDesk
  • Atera
  • Splashtop

Reported operators

Threat actors

2 named in public reporting
EVEREST

"This latest blog documents the TTPs employed by a group who were observed deploying Everest ransomware during a recent incident response engagement."

Black-Byte

"This latest blog documents the TTPs employed by a group who were observed deploying Everest ransomware during a recent incident response engagement."

MITRE ATT&CK

Everest in ATT&CK

32 distinct techniques

Reporting

Research mentioning Everest

Jul 9
Cyber Security News

Everest Ransomware Claims 1 TB Data Theft But Encryptor Shows No Exfiltration Code

A new technical breakdown of the Everest ransomware family reveals a strange contradiction at the heart of one of its recent attack claims.

May 11
Checkpoint Research

The State of Ransomware - Q1 2026 - Check Point Research

Japan (21 victims): The Gentlemen (6 victims) + Everest (4 victims) + Nightspire (3 victims).

Apr 22
Cybernews

Hackers target US banking giants Frost Bank and Citizens Bank​ | Cybernews

The Everest ransomware-as-a-service (RaaS) operation has been active since at least 2020, running a double-extortion model. This means the Russia-linked attackers steal data, encrypt systems, and threaten to publish everything if the victim doesn't pay.

Mar 11
Ahnlab Asec

Ransom & Dark Web Issues Week 2, March 2026 - ASEC

"KillSec and Everest ransomware attacks targeting a South Korean exhibition management platform and an elevator manufacturer"

Mar 5
Osint Team

After LockBit: The Ransomware Market Never Shrinks | by privacyinsightsolutions.com | Mar, 2026 | OSINT Team

"The Everest group stole data on 72.7 million customers..."

Mar 1
Security Affairs

Security Affairs newsletter Round 565 by Pierluigi Paganini - INTERNATIONAL EDITION

Everest ransomware hits Vikor Scientific’s supplier, data of 140,000 patients stolen

Feb 27
Cyfirma News

Weekly Intelligence Report - 13 February 2026 - CYFIRMA

Recently, we observed that Everest Ransomware attacked and published the data of Shinwa Co., Ltd on its dark web website.

Feb 24
Security Affairs

Everest ransomware hits Vikor Scientific 's supplier, data of 140,000 patients stolen

"The Everest ransomware group has claimed responsibility for a cyberattack on Vikor Scientific, now operating as Vanta Diagnostics."

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.