Everest Ransomware: Data Extortionist Turned Initial Access Broker

Everest ransomware, active since 2020, evolved from data extortion and ransomware to primarily acting as an Initial Access Broker (IAB), targeting healthcare providers.

    Overview:

    The Everest ransomware group, active since at least December 2020, is a sophisticated threat actor that has evolved its tactics over time. Initially focused on data extortion and ransomware operations, Everest has increasingly transitioned into an Initial Access Broker (IAB), selling access to compromised networks to other malicious actors. While previously linked to the Russia-based BlackByte ransomware group and showing collaboration with Ransomed, its current operations primarily involve data leak threats, with less emphasis on ransomware deployment. The group has demonstrated a particular interest in the healthcare sector, targeting medical imaging providers and causing significant disruption and financial losses.

    Known Aliases:

    “Everest” is the group’s primary identifier; no other aliases for this group are listed in the source material.

    Country of Origin:

    The report strongly suggests a link to Russia-based operations, particularly through its connection to the BlackByte ransomware group. However, the precise country of origin remains unconfirmed and requires further investigation. The group’s targets span the US, Canada, and Europe, suggesting a global reach rather than being confined to a single nation.

    Known High-Profile Victims:

    • Colonial Pipeline (May 2021): A high-profile ransomware attack that led to the inaccessibility of Everest’s data leak site (DLS). The specific extent of Everest’s involvement is not fully detailed.
    • NASA and Brazilian Government: The group has targeted these high-profile government entities, demonstrating its capability to compromise organizations of significant size and security posture.
    • US Surgical Facility (July 2024): A recent attack on a New York-based surgical facility with USD 17 million in revenue. Over 450 GB of data, including patient and physician records, were allegedly exfiltrated. This highlights Everest’s continued focus on the healthcare sector.
    • SKF.com (September 4, 2023): A victim shared by both Everest and Ransomed, indicating potential collaboration between the groups.

    MITRE ATT&CK Tactics and Techniques:

    • Initial Access: T1133 (External Remote Services) – Exploiting insecure external services.
    • Execution: T1059.001 (PowerShell) and T1059.003 (Windows Command Shell) – Using legitimate tools for malicious purposes.
    • Lateral Movement: T1021.001 (Remote Services: RDP) – Leveraging RDP for lateral movement within compromised networks.
    • Persistence: T1543.003 (Create or Modify System Process: Windows Service) – Installing remote desktop software as services for persistence.
    • Credential Access: T1003.001 (OS Credential Dumping: LSASS Memory) and T1003.003 (OS Credential Dumping: NTDS) – Dumping credentials from LSASS and the NTDS database.
    • Defense Evasion: T1070.004 (Indicator Removal on Host: File Deletion) – Removing traces of their activity.
    • Discovery: T1046 (Network Service Discovery) – Using network scanning tools.
    • Collection: T1560.001 (Archive Collected Data: Archive via Utility) – Archiving data using WinRAR.
    • Command and Control: T1071.001 (Application Layer Protocol: Web Protocols) and T1219 (Remote Access Software) – Using Cobalt Strike and remote access tools.
    • Exfiltration: T1041 (Exfiltration Over C2 Channel) – Exfiltrating data via Splashtop.
    • Impact: T1486 (Data Encrypted for Impact) – Encrypting data (though this is less prevalent in recent operations).

    Malware Strains Used:

    The primary ransomware strain used by Everest is referred to as “Everest ransomware”. It uses AES and DES encryption algorithms and appends the “.EVEREST” extension to encrypted files. However, the group’s activities have shifted towards IAB operations, reducing its direct use of its own ransomware. The group also leverages various legitimate tools for malicious purposes, including:

    • ProcDump: For credential dumping.
    • netscan.exe, netscanpack.exe, SoftPerfect Network Scanner: For network discovery.
    • WinRAR: For data archiving.
    • Cobalt Strike: For command and control.
    • PowerShell: For executing commands.
    • AnyDesk, Splashtop Remote Desktop, Atera: For secondary C2 and data exfiltration.
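    The ATT&CK mapping and tool list above translate directly into host-based detection logic. The following is an added example (not from the report or any vendor product) that classifies constructed Windows event records against the Everest behaviours named on this page: remote-access software installed as a service (T1543.003 / T1219), ProcDump run against LSASS (T1003.001), WinRAR archiving (T1560.001) and network scanner execution (T1046). The `Event` shape, the `triage` function and the sample records are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Remote-access products the page lists as Everest secondary C2 / exfiltration tooling.
REMOTE_ACCESS = ("anydesk", "splashtop", "atera", "teamviewer")
# Network discovery tools the page lists.
SCANNERS = ("netscan.exe", "netscanpack.exe")


@dataclass
class Event:
    """Minimal constructed event record (assumed shape, not a real log schema)."""
    event_id: int      # 7045 = service installed (System log); 1 = process creation (Sysmon)
    image: str         # service binary or process image path
    cmdline: str = ""  # process command line (empty for service-install events)


def classify(ev: Event) -> list[str]:
    """Return the ATT&CK technique ids from the page's Everest mapping that this event matches."""
    hits: list[str] = []
    img = ev.image.lower()
    cmd = ev.cmdline.lower()
    if ev.event_id == 7045 and any(p in img for p in REMOTE_ACCESS):
        hits += ["T1543.003", "T1219"]  # remote desktop software registered as a service
    if ev.event_id == 1:
        if "procdump" in img and "lsass" in cmd:
            hits.append("T1003.001")    # ProcDump used to dump LSASS memory
        if img.endswith("rar.exe") and re.search(r"(?:^|\s)a(?:\s|$)", cmd):
            hits.append("T1560.001")    # WinRAR 'a' (add to archive) command
        if any(s in img for s in SCANNERS):
            hits.append("T1046")        # SoftPerfect-style network scanning
    return hits


def triage(events: list[Event]) -> list[tuple[int, list[str]]]:
    """Return (index, techniques) for every event that matched at least one technique."""
    return [(i, h) for i, ev in enumerate(events) if (h := classify(ev))]


# Constructed sample events, illustrative only.
SAMPLE = [
    Event(7045, r"C:\Program Files\AnyDesk\AnyDesk.exe"),
    Event(1, r"C:\Temp\procdump64.exe", "procdump64.exe -ma lsass.exe lsass.dmp"),
    Event(1, r"C:\Program Files\WinRAR\WinRAR.exe", r"WinRAR.exe a -r C:\out\pat.rar D:\records"),
    Event(1, r"C:\Users\admin\netscan.exe", "netscan.exe /range:10.0.0.0/24"),
    Event(1, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),  # benign
]

if __name__ == "__main__":
    for idx, techniques in triage(SAMPLE):
        print(idx, SAMPLE[idx].image, techniques)
```

Each rule keys on a tool name or argument the page attributes to Everest, so a match is a lead for analyst review rather than a confirmed intrusion; the same tools appear in legitimate administration.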

    Common Methods of Infiltration:

    Everest employs a multi-faceted approach to infiltration:

    • Exploiting Weak or Stolen Credentials: Gaining initial access through compromised user accounts and weak passwords.
    • Purchasing Initial Access: Acting as an IAB, the group purchases access to corporate networks from other threat actors.
    • Recruiting Insiders: Offering financial incentives to corporate insiders to provide remote access to networks.
    • Remote Desktop Protocol (RDP) Exploitation: Exploiting vulnerabilities in RDP configurations.
    • Leveraging Various Remote Access Tools: Utilizing tools like TeamViewer, AnyDesk, and RDP to gain access.
