|
| |
| |
| |
| |
| |
| Financial Gain
Data Theft |
| |
Overview
The Everest ransomware group, active since at least 2020, has emerged as one of the most notorious and evolving cybercriminal organizations in the global threat landscape. Known for its sophisticated tactics, the group initially focused on data exfiltration before transitioning into ransomware operations, targeting high-profile victims across various industries. Everest’s operations are marked by their advanced technical skills and adaptability, which allow them to effectively breach networks, exfiltrate sensitive information, and deploy ransomware. Over time, the group has expanded its reach and refined its methods, increasingly targeting critical sectors such as healthcare, energy, and government entities.
One of the most concerning aspects of
Everest’s operations is its shift towards Initial Access Broker (IAB) activities. By recruiting corporate insiders and offering cash incentives for access to vulnerable networks, the group has created a multifaceted approach to cyber extortion. This evolution demonstrates a clear departure from traditional ransomware tactics, as Everest not only deploys ransomware but also offers a service to other threat actors by brokering initial access to compromised networks. This expanded role in the cybercriminal ecosystem makes Everest a significant player in the world of ransomware and cyber extortion.
Common targets
- Public Administration
- Health Care and Social Assistance
- Brazil
- United States
Attack Vectors
Software Vulnerabilities
Phishing
How they operate
In addition to RDP, Everest has demonstrated proficiency in using various remote access tools (RATs), such as Shell, VNC, HVNC, and VPN access via RDP. These tools, which are often acquired from other malicious actors or insiders, give the group a significant advantage by providing multiple entry points into a network. Their continued use of RDP and RATs reflects a growing reliance on remote access rather than traditional phishing attacks, allowing the group to bypass some of the more typical network defenses employed by organizations.
Once Everest gains access to a system, the group employs a variety of tools for reconnaissance and credential harvesting to escalate their privileges within the network. Tools such as ProcDump are used to capture copies of the LSASS process, enabling the attackers to extract valuable credentials. Everest is also known to create copies of the NTDS database, which contains critical Active Directory data, providing further opportunities for lateral movement and privilege escalation. These actions are taken to maximize the group’s ability to access more systems and spread their operations within the network, ensuring they are able to carry out ransomware deployment effectively.
To further enhance their persistence and avoid detection, Everest is highly skilled at covering their tracks. The group routinely removes tools, output files, and data collection archives from compromised hosts, ensuring there is no trace of their activities left behind. This careful attention to detail allows Everest to maintain a foothold in compromised networks, sometimes for months at a time, while they continue to exfiltrate sensitive data and deploy ransomware. The group also uses advanced network discovery tools, such as netscan.exe and SoftPerfect Network Scanner, to map out the network’s topology, identify additional targets, and plan the next stages of their attack.
When it comes to data exfiltration, Everest has been known to use legitimate software, such as WinRAR, to archive stolen data on file servers. Once the data is archived, it is transferred out of the network to an external location for ransom or sale. The group’s data extortion tactics are part of a broader strategy that involves not only encrypting files but also threatening to release sensitive information unless the victim meets their ransom demands. This combination of ransomware deployment and data theft increases the pressure on organizations to comply, as they risk both operational disruption and reputational damage.
In conclusion, the technical operations of the Everest ransomware group are characterized by a highly coordinated and multi-faceted approach. From exploiting weak credentials to leveraging advanced tools for lateral movement and persistence, the group’s tactics are both versatile and dangerous. By acting as an Initial Access Broker and offering services to other cybercriminals, Everest continues to refine its operations, making it one of the most dangerous and persistent ransomware groups in the cybercriminal ecosystem. Organizations across the globe must stay vigilant and invest in robust security measures to defend against this evolving threat.
References:
