CyberMaterial

The Everest Team (Ransomware) – Threat Actor

February 11, 2025
Reading Time: 3 mins read
in Threat Actors

The Everest Team

Other Names

Everest Ransomware Group

Location

Russia

Date of Initial Activity

2020

Suspected Attribution

Ransomware Group

Targeted Countries

Brazil

United States

Motivation

Financial Gain
Data Theft

Software

Database
Servers

Overview

The Everest ransomware group, active since at least 2020, has emerged as one of the most notorious and evolving cybercriminal organizations in the global threat landscape. Known for its sophisticated tactics, the group initially focused on data exfiltration before transitioning into ransomware operations, targeting high-profile victims across various industries. Everest’s operations are marked by their advanced technical skills and adaptability, which allow them to effectively breach networks, exfiltrate sensitive information, and deploy ransomware. Over time, the group has expanded its reach and refined its methods, increasingly targeting critical sectors such as healthcare, energy, and government entities. One of the most concerning aspects of Everest’s operations is its shift towards Initial Access Broker (IAB) activities. By recruiting corporate insiders and offering cash incentives for access to vulnerable networks, the group has created a multifaceted approach to cyber extortion. This evolution demonstrates a clear departure from traditional ransomware tactics, as Everest not only deploys ransomware but also offers a service to other threat actors by brokering initial access to compromised networks. This expanded role in the cybercriminal ecosystem makes Everest a significant player in the world of ransomware and cyber extortion.

Common targets

  • Public Administration
  • Health Care and Social Assistance
  • Brazil
  • United States

Attack Vectors

Software Vulnerabilities

Phishing

How they operate

In addition to RDP, Everest has demonstrated proficiency in using various remote access tools (RATs), such as Shell, VNC, HVNC, and VPN access via RDP. These tools, which are often acquired from other malicious actors or insiders, give the group a significant advantage by providing multiple entry points into a network. Their continued use of RDP and RATs reflects a growing reliance on remote access rather than traditional phishing attacks, allowing the group to bypass some of the more typical network defenses employed by organizations.

Once Everest gains access to a system, the group employs a variety of tools for reconnaissance and credential harvesting to escalate their privileges within the network. Tools such as ProcDump are used to capture copies of the LSASS process, enabling the attackers to extract valuable credentials. Everest is also known to create copies of the NTDS database, which contains critical Active Directory data, providing further opportunities for lateral movement and privilege escalation. These actions are taken to maximize the group’s ability to access more systems and spread their operations within the network, ensuring they are able to carry out ransomware deployment effectively.

To further enhance their persistence and avoid detection, Everest is highly skilled at covering their tracks. The group routinely removes tools, output files, and data collection archives from compromised hosts, ensuring there is no trace of their activities left behind. This careful attention to detail allows Everest to maintain a foothold in compromised networks, sometimes for months at a time, while they continue to exfiltrate sensitive data and deploy ransomware. The group also uses advanced network discovery tools, such as netscan.exe and SoftPerfect Network Scanner, to map out the network’s topology, identify additional targets, and plan the next stages of their attack.
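As an added, defender-side example that is not part of this profile or its HC3 source, the script below turns the behaviours described above (ProcDump capturing LSASS, copies of the NTDS database, netscan.exe or SoftPerfect discovery, deletion of the resulting artefacts, plus the WinRAR archiving of stolen data the profile describes next) into simple process-creation detection rules and runs them over constructed telemetry. The hostnames, accounts, paths, command lines and regex patterns are all assumptions made for illustration; the correlation step flags a host only when rules from more than one tactic fire on it.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record: host, account, image path, full command line."""
    host: str
    user: str
    image: str
    cmdline: str


# Constructed sample telemetry. Hostnames, accounts and paths are invented for
# this example and are not indicators taken from the profile above.
SAMPLE_EVENTS = [
    ProcEvent("FS01", r"CORP\svc_backup", r"C:\Tools\procdump64.exe",
              r"procdump64.exe -accepteula -ma lsass.exe C:\Windows\Temp\ls.dmp"),
    ProcEvent("DC01", r"CORP\svc_backup", r"C:\Windows\System32\ntdsutil.exe",
              r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Temp\out" q q'),
    ProcEvent("WS17", r"CORP\jdoe", r"C:\Users\Public\netscan.exe",
              r"netscan.exe /range:10.0.0.0/24"),
    ProcEvent("FS01", r"CORP\svc_backup", r"C:\Program Files\WinRAR\rar.exe",
              r"rar.exe a -r -hp C:\Temp\finance.rar \\FS01\Finance"),
    ProcEvent("FS01", r"CORP\svc_backup", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c del /f /q C:\Windows\Temp\ls.dmp C:\Temp\finance.rar"),
    # Benign: a user extracting an archive ("x"), not creating one ("a").
    ProcEvent("WS04", r"CORP\asmith", r"C:\Program Files\WinRAR\WinRAR.exe",
              r"WinRAR.exe x C:\Users\asmith\Downloads\report.rar"),
    ProcEvent("WS04", r"CORP\asmith", r"C:\Windows\System32\notepad.exe",
              r"notepad.exe notes.txt"),
]

# Rule name is "<tactic>.<technique>"; the tactic prefix drives the correlation.
# Patterns are illustrative assumptions, not a vetted detection ruleset.
RULES = [
    ("credential_access.lsass_dump",
     re.compile(r"procdump.*\blsass\b", re.I)),
    ("credential_access.ntds_copy",
     re.compile(r"ntdsutil.*\bifm\b|ntds\.dit|vssadmin\s+create\s+shadow", re.I)),
    ("discovery.network_scanner",
     re.compile(r"netscan\.exe|softperfect", re.I)),
    ("collection.archive_staging",
     re.compile(r"\b(?:win)?rar\.exe\s+a\b", re.I)),
    ("defense_evasion.artifact_cleanup",
     re.compile(r"\bdel\b.*\.(?:dmp|rar|zip|7z)\b", re.I)),
]


def classify(event: ProcEvent) -> list[str]:
    """Return the names of every rule that matches the event's image + command line."""
    haystack = f"{event.image} {event.cmdline}"
    return [name for name, pattern in RULES if pattern.search(haystack)]


def summarize(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Map each host that tripped at least one rule to its sorted, de-duplicated rule names."""
    hits: dict[str, set[str]] = {}
    for ev in events:
        for name in classify(ev):
            hits.setdefault(ev.host, set()).add(name)
    return {host: sorted(names) for host, names in sorted(hits.items())}


def hosts_with_chain(events: list[ProcEvent], min_stages: int = 2) -> list[str]:
    """Hosts on which rules from at least `min_stages` distinct tactics fired.

    A single rule hit is noisy on its own; credential access followed by
    staging and cleanup on the same host is the pattern worth paging on.
    """
    chained = []
    for host, names in summarize(events).items():
        tactics = {name.split(".")[0] for name in names}
        if len(tactics) >= min_stages:
            chained.append(host)
    return chained


if __name__ == "__main__":
    for host, names in summarize(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(names)}")
    print("hosts with multi-stage activity:", hosts_with_chain(SAMPLE_EVENTS))
```

On the constructed input, DC01 and WS17 each trip one rule, WS04 trips none because the archive rule only fires on the `a` (add) command, and FS01 is the only host reported by `hosts_with_chain` since credential dumping, archive staging and artefact deletion all ran there. Real deployments would feed the same logic from Sysmon or EDR process events and tune the patterns per environment.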
When it comes to data exfiltration, Everest has been known to use legitimate software, such as WinRAR, to archive stolen data on file servers. Once the data is archived, it is transferred out of the network to an external location for ransom or sale. The group’s data extortion tactics are part of a broader strategy that involves not only encrypting files but also threatening to release sensitive information unless the victim meets their ransom demands. This combination of ransomware deployment and data theft increases the pressure on organizations to comply, as they risk both operational disruption and reputational damage.

In conclusion, the technical operations of the Everest ransomware group are characterized by a highly coordinated and multi-faceted approach. From exploiting weak credentials to leveraging advanced tools for lateral movement and persistence, the group’s tactics are both versatile and dangerous. By acting as an Initial Access Broker and offering services to other cybercriminals, Everest continues to refine its operations, making it one of the most dangerous and persistent ransomware groups in the cybercriminal ecosystem. Organizations across the globe must stay vigilant and invest in robust security measures to defend against this evolving threat.

References

  • HC3: Threat Actor Profile
Tags: Brazil, Everest Ransomware Group, Health Care, Initial Access Broker, Ransomware, RAT, Russia, The Everest Team, Threat Actors, United States, Vulnerabilities
    © 2025 | CyberMaterial | All rights reserved
