This Everest Ransomware profile traces the group's evolution from a December 2020 operation to a recent shift toward Initial Access Broker activity and data-leak threats, highlighting high-profile targets such as NASA and the Brazilian government and noting ties to past groups such as BlackByte and Ransomed. The piece also outlines operational TTPs, including Lateral Movement, Credential Access, and C2 via Cobalt Strike, plus mitigation strategies and the SOCRadar platform’s role in threat intelligence. Hashtags: #EverestRansomware #InitialAccessBroker #BlackByte #SKF #NASA #BrazilianGovernment #XSSForum #Breached #Ransomed #AnyDesk #TeamViewer #CobaltStrike
Keypoints
- Everest Ransomware has evolved since its 2020 emergence, transitioning from encryption-focused attacks to initial access brokerage and data-leak threats.
- Notable targets include NASA and the Brazilian government; the group's data-leak sites became inaccessible after the Colonial Pipeline incident, coinciding with a shift toward less risky forms of cybercrime.
- Operational TTPs include lateral movement via compromised credentials and RDP, credential access using LSASS and NTDS copies, defense evasion through artifact removal, network discovery with netscan tools, data collection and archiving, and C2 via Cobalt Strike and remote access tools.
- The group has transitioned to direct access sales as an Initial Access Broker, targeting US, Canada, and Europe and offering profit-sharing with insiders who facilitate intrusions.
- Everest has historical associations with BlackByte and Ransomed, with activity on Breached and XSS Forum, suggesting a broader collaboration ecosystem.
- Mitigation guidance emphasizes backups, security awareness, patching, segmentation, access controls, endpoint protection, IR planning, audits, and backup testing; SOCRadar promotes its threat intelligence platform for proactive monitoring.
MITRE Techniques
- [T1021.001] Remote Services – The group uses legitimate compromised user accounts and Remote Desktop Protocol (RDP) to move laterally across networks. ‘The group uses legitimate compromised user accounts and Remote Desktop Protocol (RDP) to move laterally across networks.’
- [T1059.001] PowerShell – Cobalt Strike beacons are launched on compromised hosts through PowerShell commands. ‘Cobalt Strike beacons on compromised hosts through PowerShell commands.’
- [T1003.001] LSASS Memory – Use of ProcDump to create copies of the LSASS process for credential dumping. ‘ProcDump to create copies of the LSASS process.’
- [T1003.003] NTDS – Creating copies of the NTDS database containing Active Directory data. ‘They also create copies of the NTDS database, containing valuable Active Directory data.’
- [T1070.004] Indicator Removal on Host – Removal of tools, reconnaissance output files, and data collection archives to cover tracks. ‘routinely removes tools, reconnaissance output files, and data collection archives from compromised hosts.’
- [T1046] Network Service Scanning – Network discovery using netscan.exe, netscanpack.exe, and SoftPerfect Network Scanner. ‘network discovery using tools such as netscan.exe, netscanpack.exe, and SoftPerfect Network Scanner.’
- [T1560] Archive Collected Data – Data is archived (WinRAR) on file servers for exfiltration. ‘The group installs WinRAR on file servers to archive data for exfiltration.’
- [T1041] Exfiltration Over C2 Channel – Data exfiltration using file-transfer capabilities of tools like Splashtop. ‘Data exfiltration is conducted using the file transfer capabilities of tools like Splashtop.’
- [T1486] Data Encrypted for Impact – Double extortion involving encryption and exfiltration of data (historically), highlighting pressure to pay. ‘a double extortion technique, where they not only encrypt the victim’s data but also exfiltrate sensitive information.’
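The techniques above map directly onto process-creation telemetry, so a defender can turn them into endpoint detection rules. The following is an added example, not code from the SOCRadar post or from Everest tooling: it parses a handful of constructed process-creation records (the `host=... user=... image=... cmdline="..."` line format is an assumption for this example, not a real log format) and flags ProcDump against LSASS (T1003.001), an `ntdsutil` IFM export of NTDS (T1003.003), the netscan binaries (T1046), hidden-window encoded PowerShell (T1059.001), and WinRAR archiving of a UNC share (T1560). Thresholds and patterns are illustrative assumptions; a real deployment would key them to Sysmon Event ID 1 or EDR process events and tune for the environment.

```python
"""Detection sketch for the Everest TTPs listed above (added example, not SOCRadar code)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

@dataclass
class ProcEvent:
    host: str
    user: str
    image: str      # full path of the created process
    cmdline: str    # full command line as logged

# Constructed sample telemetry (not real data). One record per line in a
# simplified key=value form that stands in for Sysmon/EDR process-creation events.
SAMPLE_LOG = r"""
host=FS01 user=CORP\svc_backup image=C:\Tools\procdump64.exe cmdline="procdump64.exe -accepteula -ma lsass.exe C:\Temp\ls.dmp"
host=DC01 user=CORP\admin image=C:\Windows\System32\ntdsutil.exe cmdline="ntdsutil ac i ntds ifm create full C:\Temp\ifm q q"
host=WS07 user=CORP\jdoe image=C:\Users\jdoe\Downloads\netscan.exe cmdline="netscan.exe /range:10.0.0.0-10.0.255.255"
host=WS07 user=CORP\jdoe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -nop -w hidden -enc SQBFAFgA"
host=FS01 user=CORP\svc_backup image=C:\Program Files\WinRAR\Rar.exe cmdline="Rar.exe a -r -hp D:\staging\finance.rar \\FS01\Finance"
host=WS03 user=CORP\asmith image=C:\Windows\System32\notepad.exe cmdline="notepad.exe notes.txt"
"""

LINE_RE = re.compile(r'^host=(\S+) user=(\S+) image=(.+?) cmdline="(.*)"$')

def parse_log(text: str) -> List[ProcEvent]:
    """Parse the constructed key=value records; lines that do not match are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(ProcEvent(*m.groups()))
    return events

def _exe(e: ProcEvent) -> str:
    """Basename of the image path, lower-cased, for case-insensitive matching."""
    return e.image.rsplit("\\", 1)[-1].lower()

# (technique id, description, predicate). Each predicate encodes one behaviour
# from the MITRE list above; the exact patterns are assumptions for this example.
RULES: List[Tuple[str, str, Callable[[ProcEvent], bool]]] = [
    ("T1003.001", "ProcDump used against LSASS",
     lambda e: _exe(e).startswith("procdump") and "lsass" in e.cmdline.lower()),
    ("T1003.003", "ntdsutil IFM export of the NTDS database",
     lambda e: _exe(e) == "ntdsutil.exe" and bool(re.search(r"\bifm\b", e.cmdline, re.I))),
    ("T1046", "netscan / netscanpack scanner launched",
     lambda e: _exe(e) in {"netscan.exe", "netscanpack.exe"}),
    ("T1059.001", "PowerShell with hidden window and encoded command",
     lambda e: _exe(e) == "powershell.exe"
     and bool(re.search(r"-(enc|encodedcommand)\b", e.cmdline, re.I))
     and bool(re.search(r"-w(indowstyle)?\s+hidden", e.cmdline, re.I))),
    ("T1560", "WinRAR archiving content from a UNC share",
     lambda e: _exe(e) in {"rar.exe", "winrar.exe"}
     and bool(re.search(r"^\S+\s+a\b", e.cmdline))
     and "\\\\" in e.cmdline),
]

def detect(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    """Return (host, technique id, description) for every rule that fires."""
    hits = []
    for e in events:
        for tid, desc, pred in RULES:
            if pred(e):
                hits.append((e.host, tid, desc))
    return hits

def techniques_by_host(hits: List[Tuple[str, str, str]]) -> Dict[str, Set[str]]:
    """Group fired technique ids per host; several on one host suggests an intrusion chain."""
    out: Dict[str, Set[str]] = {}
    for host, tid, _ in hits:
        out.setdefault(host, set()).add(tid)
    return out

if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for host, tid, desc in found:
        print(f"{host}: [{tid}] {desc}")
    for host, tids in techniques_by_host(found).items():
        if len(tids) > 1:
            print(f"{host}: multiple techniques observed {sorted(tids)}")
```

Running the block prints one alert per matched record and a second line for hosts where more than one technique fired (FS01 and WS07 in the sample). The per-host grouping is the useful part for triage: a single ProcDump event may be a sysadmin debugging, but LSASS dumping followed by WinRAR staging on the same file server matches the sequence the profile describes.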
Indicators of Compromise
- [Domain] SKF.com – identified as a victim in victim announcements related to Everest Ransomware data leaks.
Read more: https://socradar.io/dark-web-profile-everest-ransomware/