| The Everest Team | |
| --- | --- |
| Other Names | Everest Ransomware Group |
| Location | Russia |
| Date of Initial Activity | 2020 |
| Suspected Attribution | Ransomware Group |
| Targeted Countries | Brazil, United States |
| Motivation | Financial Gain |
| Software | Database |
Overview
The Everest ransomware group, active since at least 2020, is one of the more persistent and adaptable criminal extortion operations in the current threat landscape. It began as a data-extortion crew, stealing data and threatening to publish it, and later added ransomware deployment, going after high-profile victims across a range of industries. Its operators have repeatedly shown the ability to breach networks, exfiltrate sensitive information and deploy ransomware, and over time the group has widened its targeting to include healthcare, energy and government organisations.
A further development is Everest's move into Initial Access Broker (IAB) activity. The group has openly solicited corporate insiders, offering cash for access to their employers' networks, and resells footholds to other threat actors. This puts Everest on both sides of the extortion market: it deploys ransomware itself and also supplies initial access to other crews, which makes it a significant node in the ransomware ecosystem rather than a single-purpose operator.
Common targets
- Public Administration
- Health Care and Social Assistance
- Brazil
- United States
Attack Vectors
- Software Vulnerabilities
- Phishing
How they operate
Everest's initial access leans heavily on remote access rather than on malware delivery: RDP, shell access, VNC and hidden VNC (HVNC) sessions, and VPN credentials, frequently bought from other criminals or obtained from insiders. Holding several independent entry points into a victim network gives the group redundancy if one is discovered, and because these are legitimate remote-administration channels the activity blends into normal traffic and sidesteps controls that are built around phishing and malware rather than around credential misuse.
Once inside, Everest moves to credential theft and privilege escalation. ProcDump, a legitimate Sysinternals utility, is used to dump the memory of the LSASS process so that the credentials and hashes it holds can be extracted offline. On domain controllers the group copies the NTDS.dit Active Directory database, which contains the password hashes of every domain account and so opens the way to lateral movement and further escalation. The aim is to reach as many systems as possible before ransomware is deployed, so that encryption can be pushed across the estate in one move.
Everest also practises anti-forensics. The group routinely deletes its tooling, output files and data-collection archives from compromised hosts, leaving responders few artefacts to work with; this discipline has let it retain access for months at a time while it continues to exfiltrate data ahead of deploying ransomware. Deleting files does not remove every trace, however: process-creation and process-access events, prefetch entries, MFT records and volume shadow copies can still show that a dump or archive existed, which is why endpoint telemetry matters more than disk artefacts against this actor. For discovery the group runs netscan.exe (SoftPerfect Network Scanner) to enumerate hosts and shares, identify further targets and plan the next stage of the intrusion.
For exfiltration, Everest uses legitimate software such as WinRAR to archive stolen data, typically staging the archives on file servers before transferring them out of the network for ransom or resale. The stolen data underpins a double-extortion model: files are encrypted and the victim is also threatened with publication of the data unless the ransom is paid. Facing both operational disruption and reputational damage, organisations come under considerably more pressure to comply than they would from encryption alone.
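The credential theft, discovery, staging and cleanup steps described above leave Windows telemetry that a handful of host-based rules can catch. The following Python is an added example written for this page, not Everest tooling or any vendor's detection content. It runs simple rules over a constructed set of Sysmon-style events (process creation, LSASS process access and file deletion; the host names, paths, the Defender allow-list entry and the event shapes are assumptions for illustration) and correlates the later deletion of a dump or archive with the command that created it, which is the anti-forensics behaviour the profile describes.

```python
import re

# Constructed Sysmon-style events for illustration (not real telemetry). They
# follow the chain described above: ProcDump dumping LSASS, an NTDS copy via
# ntdsutil on a domain controller, netscan.exe discovery, a password-protected
# WinRAR archive staged on a file server, then deletion of the dump and archive.
# Host names, paths and the benign Defender event are assumed values.
EVENTS = [
    {"EventID": 1, "Computer": "FS01", "Image": r"C:\Windows\Temp\procdump64.exe",
     "CommandLine": r"procdump64.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass.dmp"},
    {"EventID": 10, "Computer": "FS01", "SourceImage": r"C:\Windows\Temp\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    # Benign: the AV engine reads LSASS too, so it has to be allow-listed.
    {"EventID": 10, "Computer": "FS01",
     "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"EventID": 1, "Computer": "DC01", "Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": r'ntdsutil.exe "ac i ntds" ifm "create full C:\Temp\ifm" q q'},
    {"EventID": 1, "Computer": "FS01", "Image": r"C:\Users\Public\netscan.exe",
     "CommandLine": "netscan.exe"},
    {"EventID": 1, "Computer": "FS01", "Image": r"C:\Program Files\WinRAR\Rar.exe",
     "CommandLine": r"Rar.exe a -hpStr0ngPw -v2g -r E:\staging\fin.rar D:\Finance"},
    {"EventID": 23, "Computer": "FS01", "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Windows\Temp\lsass.dmp"},
    {"EventID": 23, "Computer": "FS01", "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"E:\staging\fin.rar"},
]

PROCESS_VM_READ = 0x0010                  # access right needed to read LSASS memory
LSASS_READERS_ALLOWED = {"msmpeng.exe"}   # assumed allow-list; tune per estate
SCANNERS = {"netscan.exe", "netscan64.exe"}
ARCHIVERS = {"rar.exe", "winrar.exe"}
NTDS_PATTERNS = [
    re.compile(r"ntdsutil.*\bifm\b", re.I),           # ntdsutil "ac i ntds" ifm ...
    re.compile(r"vssadmin\s+create\s+shadow", re.I),  # shadow copy to read the locked ntds.dit
    re.compile(r"ntds\.dit", re.I),
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def rule_procdump_lsass(ev):
    if ev["EventID"] == 1 and basename(ev["Image"]).startswith("procdump") \
            and "lsass" in ev["CommandLine"].lower():
        return "procdump_lsass_dump"
    return None

def rule_lsass_access(ev):
    # Sysmon event 10: any process opening lsass.exe with VM_READ that is not allow-listed.
    if ev["EventID"] != 10 or basename(ev["TargetImage"]) != "lsass.exe":
        return None
    if int(ev["GrantedAccess"], 16) & PROCESS_VM_READ == 0:
        return None
    if basename(ev["SourceImage"]) in LSASS_READERS_ALLOWED:
        return None
    return "lsass_memory_access"

def rule_ntds_copy(ev):
    if ev["EventID"] == 1 and any(p.search(ev["CommandLine"]) for p in NTDS_PATTERNS):
        return "ntds_copy"
    return None

def rule_network_scanner(ev):
    if ev["EventID"] == 1 and basename(ev["Image"]) in SCANNERS:
        return "network_scanner_execution"
    return None

def rule_staging_archive(ev):
    # rar.exe 'a' (add) with a password (-p/-hp) or split volumes (-v) is the
    # usual pre-exfiltration staging pattern; plain extraction is ignored.
    if ev["EventID"] != 1 or basename(ev["Image"]) not in ARCHIVERS:
        return None
    toks = ev["CommandLine"].split()
    if len(toks) < 2 or toks[1].lower() != "a":
        return None
    if any(t.lower().startswith(("-hp", "-p", "-v")) for t in toks[2:]):
        return "staged_archive_created"
    return None

def output_path(ev):
    """Best-effort: the file a flagged ProcDump or RAR command writes."""
    toks = ev.get("CommandLine", "").split()
    name = basename(ev.get("Image", ""))
    if name.startswith("procdump") and toks and toks[-1].lower().endswith(".dmp"):
        return toks[-1]
    if name in ARCHIVERS:
        args = [t for t in toks[2:] if not t.startswith("-")]
        return args[0] if args else None
    return None

RULES = (rule_procdump_lsass, rule_lsass_access, rule_ntds_copy,
         rule_network_scanner, rule_staging_archive)

def detect(events):
    """Return (host, rule) alerts in event order. A FileDelete (event 23) of a
    file that an earlier alert created is itself flagged as cleanup."""
    alerts, staged = [], set()
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append((ev["Computer"], hit))
                out = output_path(ev)
                if out:
                    staged.add(out.lower())
        if ev["EventID"] == 23 and ev["TargetFilename"].lower() in staged:
            alerts.append((ev["Computer"], "cleanup_of_staged_file"))
    return alerts

if __name__ == "__main__":
    for host, name in detect(EVENTS):
        print(f"{host}: {name}")
```

The correlation in `detect` is the part worth keeping even if the individual rules are replaced with a SIEM's own content: a deletion is only interesting in relation to what was deleted, and remembering the output paths of the dump and archive commands is what turns a noisy FileDelete feed into a specific anti-forensics signal. The LSASS rule checks only the VM_READ bit rather than a fixed mask because dumpers request different combinations (0x1010, 0x1410, 0x1FFFFF); the allow-list of legitimate readers is the knob that controls its false-positive rate.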
In summary, Everest's operations are coordinated and multi-stage: purchased or insider-supplied remote access, LSASS and NTDS credential theft, network scanning for lateral movement, staged exfiltration and deliberate cleanup of the evidence. By also acting as an Initial Access Broker for other criminals, the group keeps refining its business model alongside its tradecraft. Defenders should treat remote-access credential hygiene, LSASS access monitoring, domain-controller auditing and archive-staging detection as the controls most directly relevant to this actor.