Credential Theft
- ProcDump
Everest is a Russia-linked ransomware operation active since at least 2020 that has operated as a ransomware-as-a-service and double-extortion enterprise.
Profile source: Mallory opens in a new tabEverest
Everest is a Russia-linked ransomware operation active since at least 2020 that has operated as a ransomware-as-a-service and double-extortion enterprise. The group is known for stealing data, encrypting victim systems, and threatening public release of stolen information to coerce payment. Reporting has also associated Everest with initial access brokerage activity, indicating that the operation has at times monetized network footholds in addition to ransomware deployment.
Everest has targeted organizations across North America, Europe, and Asia, with victims spanning government, healthcare, telecommunications, aviation, manufacturing, energy, finance, and other enterprise sectors. Publicly claimed victims and incident reporting indicate broad opportunistic targeting rather than a narrow vertical focus, although healthcare and critical business operations have featured prominently in observed cases.
Initial access has been associated with exploitation of vulnerable public-facing applications, phishing, and the use of stolen credentials. In intrusions attributed to Everest, data theft may occur earlier in the attack chain through tooling separate from the ransomware payload itself. This distinction is important because technical analysis of at least one live Everest encryptor sample found no built-in exfiltration capability despite extortion claims of large-scale data theft.
The Everest encryptor has been observed as a .NET executable protected with ConfuserEx and designed primarily for defense evasion, process disruption, network reachability, and file encryption. Observed behaviors include mutex-based single-instance execution, geofencing to avoid systems configured with Commonwealth of Independent States language or locale settings, termination of security and analysis tools, disabling of Windows Defender Controlled Folder Access, deletion of shadow copies, removal of backup-related data, and removal of the anti-ransomware tool Raccine. The malware has also demonstrated an unusual use of Wake-on-LAN broadcasts to wake sleeping devices so they can be encrypted.
For encryption, Everest has been observed using AES-128 for file data and RSA-1024 to protect encryption keys. It encrypts smaller files fully and larger files partially to accelerate impact across large environments. After encryption it appends a dedicated Everest extension to affected files, drops ransom notes in impacted locations, and can self-delete after execution.
Everest is best understood as an extortion-focused criminal operation whose public claims may at times overstate the capabilities of the ransomware binary itself. Its operational model combines conventional ransomware deployment with data-theft pressure and public leak-site coercion, making it a persistent threat to enterprise environments and third-party supply chains.
Ransomware.live
Reported operators
"This latest blog documents the TTPs employed by a group who were observed deploying Everest ransomware during a recent incident response engagement."
"This latest blog documents the TTPs employed by a group who were observed deploying Everest ransomware during a recent incident response engagement."
MITRE ATT&CK
Reporting
A new technical breakdown of the Everest ransomware family reveals a strange contradiction at the heart of one of its recent attack claims.
Japan (21 victims): The Gentlemen (6 victims) + Everest (4 victims) + Nightspire (3 victims).
The Everest ransomware-as-a-service (RaaS) operation has been active since at least 2020, running a double-extortion model. This means the Russia-linked attackers steal data, encrypt systems, and threaten to publish everything if the victim doesn't pay.
"KillSec and Everest ransomware attacks targeting a South Korean exhibition management platform and an elevator manufacturer"
"The Everest group stole data on 72.7 million customers..."
Everest ransomware hits Vikor Scientific’s supplier, data of 140,000 patients stolen
Recently, we observed that Everest Ransomware attacked and published the data of Shinwa Co., Ltd on its dark web website.
"The Everest ransomware group has claimed responsibility for a cyberattack on Vikor Scientific, now operating as Vanta Diagnostics."
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.