February 28, 2025

Everest Ransomware



Everest ransomware has emerged as a significant threat, particularly to the healthcare sector. Operating as a Ransomware-as-a-Service (RaaS) group, Everest distinguishes itself by not always deploying ransomware directly. Instead, they often act as an "initial access broker," gaining unauthorized access to networks and selling this access to other cybercriminals, who then carry out the ransomware deployment. This tactic complicates attribution and defense, making Everest a key player in the broader ransomware ecosystem. The group has been active since 2020, and their increasing focus on healthcare, as highlighted by the U.S. Department of Health and Human Services (HHS), warrants a detailed examination.

Origins & Evolution

Everest ransomware first appeared in December 2020, initially employing a double extortion tactic, encrypting files and threatening to leak stolen data. Over time, their operational strategy has evolved. A key shift occurred when Everest transitioned into an initial access broker (IAB) role, selling access to compromised networks rather than solely relying on deploying their own ransomware. More recently, they've pivoted further, primarily focusing on data exfiltration and sales, abandoning encryption in many cases.

The group is believed to be Russian-speaking, though no state sponsorship has been confirmed. Everest's data leak site went offline in 2021 in the wake of the Colonial Pipeline attack (an incident attributed to the DarkSide group rather than to Everest), most likely as a risk-mitigation response to the law-enforcement pressure that followed. The retreat marked a move towards less conspicuous crime centred on data theft and sale. Their evolution highlights how cybercriminal groups adapt to law-enforcement pressure and to shifts in what is profitable.

There has been speculation regarding potential connections or relationships between Everest and other ransomware groups. They were previously associated with the BlackByte ransomware group and have demonstrated collaboration with the Ransomed group, even sharing victim announcements. Everest maintained an active presence on forums like XSS, and formerly on Breached, suggesting ongoing involvement in the cybercriminal community, and potential for future collaborations or resurgences.

Tactics & Techniques

Everest's operational methodology follows a multi-stage process, often described using the "cyber kill chain" model. Their tactics, techniques, and procedures (TTPs) have evolved, reflecting their shift towards data brokerage and exfiltration.

  • Initial Access: Everest employs several methods to gain initial entry into target networks:

* Compromised User Accounts: They use stolen or compromised credentials, typically obtained through phishing or credential stuffing against exposed login portals.

* Remote Access Tools: They target remote access software such as RDP (Remote Desktop Protocol) and VPNs, exploiting vulnerabilities or weak credentials. The access they look to buy is typically shell, VNC, hVNC, or RDP reachable over a VPN.

* Insider Threats: As an IAB, Everest actively seeks insiders within target organizations, offering profit-sharing for providing network access (primarily in the US, Canada, and Europe). They accept access via TeamViewer, AnyDesk, and RDP.

  • Lateral Movement: Once inside the network, Everest uses compromised accounts and RDP to move laterally, seeking out valuable data and systems.

  • Credential Access: They use ProcDump to dump the memory of the LSASS process, from which cached credentials can be recovered offline, and they go after the Active Directory NTDS database (NTDS.dit) on domain controllers to obtain domain-wide password hashes, escalating from a single compromised account to domain privileges.

  • Defense Evasion: To hinder detection and forensic reconstruction, Everest deletes its tooling and clears logs once an operation is complete, which is why telemetry should be forwarded off-host in real time rather than read from the endpoint after the fact.

  • Discovery: Everest utilizes network scanning tools (e.g., netscan.exe) to discover potential targets and map the network environment.

  • Collection: Before exfiltration, data is often archived using tools like WinRAR.

  • Command and Control (C2): While Everest historically relied heavily on Cobalt Strike (using PowerShell commands and beacons), they also employ secondary C2 methods, including AnyDesk, Splashtop, and Atera. This use of legitimate tools makes detection more challenging, as they blend in with normal network activity.

  • Exfiltration: Data is exfiltrated using the file transfer capabilities of tools like Splashtop, or through cloud services.

  • Impact: While initially using double extortion (encryption and data leak threats), Everest's primary impact now stems from data leaks and sales. They do not consistently encrypt data in their current operational model.
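The TTPs above map naturally onto process-creation telemetry. The following is an added example written for this article (it is not Everest tooling and not a vendor product): it runs a small set of stage-tagged rules over Sysmon Event ID 1-style records and reports which hosts show more than one kill-chain stage, the strongest signal that an intrusion is progressing. The sample events are constructed, the hostnames and paths are invented, and the executable names assumed for Splashtop and Atera should be checked against the binaries actually deployed in your environment.

```python
"""Stage-tagged detection of Everest-style TTPs in process-creation events.

Added example written for this article: it is not Everest tooling and not a
vendor product. Input is Sysmon Event ID 1-style records with Computer, User,
Image and CommandLine fields. The events at the bottom are constructed; the
executable names assumed for Splashtop and Atera should be checked against the
binaries actually deployed in your environment.
"""
import re
from collections import Counter, defaultdict

# Remote-management tools the article lists as secondary C2 channels
# (the Splashtop and Atera binary names are assumptions).
REMOTE_TOOLS = ("anydesk.exe", "teamviewer.exe", "splashtop.exe",
                "srserver.exe", "ateraagent.exe")

def image(rec):
    return (rec.get("Image") or "").lower()

def cmdline(rec):
    return (rec.get("CommandLine") or "").lower()

# (kill-chain stage as used in the article, description, predicate)
RULES = [
    ("Credential Access", "ProcDump dump of LSASS memory",
     lambda r: image(r).endswith(("procdump.exe", "procdump64.exe")) and "lsass" in cmdline(r)),
    ("Credential Access", "NTDS database export or access (ntdsutil IFM / NTDS.dit)",
     lambda r: "ntdsutil" in image(r) or "ntds.dit" in cmdline(r)),
    ("Discovery", "netscan.exe network scan",
     lambda r: image(r).endswith("netscan.exe")),
    ("Collection", "WinRAR archive built ahead of exfiltration ('rar a ...')",
     lambda r: image(r).endswith(("winrar.exe", "rar.exe")) and cmdline(r).split()[1:2] == ["a"]),
    ("Command and Control", "Remote-management tool usable as secondary C2",
     lambda r: image(r).endswith(REMOTE_TOOLS)),
    ("Command and Control", "Encoded PowerShell launch (-e / -enc / -EncodedCommand)",
     lambda r: image(r).endswith("powershell.exe")
               and re.search(r"\s-(e|enc|encodedcommand)\s", cmdline(r) + " ") is not None),
    ("Defense Evasion", "Windows event log cleared with 'wevtutil cl'",
     lambda r: image(r).endswith("wevtutil.exe") and " cl " in f" {cmdline(r)} "),
]

def detect(records):
    """Return one finding per (record, rule) match; a record may hit several rules."""
    findings = []
    for rec in records:
        for stage, desc, pred in RULES:
            if pred(rec):
                findings.append({"stage": stage, "rule": desc, "host": rec.get("Computer"),
                                 "user": rec.get("User"), "image": rec.get("Image")})
    return findings

def summarize(findings):
    """Count findings per kill-chain stage."""
    return dict(Counter(f["stage"] for f in findings))

def hosts_with_multiple_stages(findings):
    """Hosts on which two or more distinct stages fired. One rule hit can be an
    admin running ProcDump; several stages on the same host rarely are."""
    stages = defaultdict(set)
    for f in findings:
        stages[f["host"]].add(f["stage"])
    return sorted(h for h, s in stages.items() if len(s) >= 2)

# Constructed sample telemetry (not real logs; hosts, users and paths are invented).
SAMPLE_EVENTS = [
    {"Computer": "WS-042", "User": "CORP\\jdoe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"Computer": "DC-01", "User": "CORP\\jdoe", "Image": r"C:\Temp\procdump64.exe",
     "CommandLine": r"procdump64.exe -ma lsass.exe C:\Temp\out.dmp"},
    {"Computer": "DC-01", "User": "CORP\\jdoe", "Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": r'ntdsutil.exe "ac i ntds" ifm "create full C:\Temp\ntds" q q'},
    {"Computer": "WS-042", "User": "CORP\\jdoe", "Image": r"C:\Users\jdoe\Downloads\netscan.exe",
     "CommandLine": "netscan.exe"},
    {"Computer": "FS-01", "User": "CORP\\svc_backup", "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "CommandLine": r"WinRAR.exe a -r -hp D:\staging\imaging.rar E:\Imaging"},
    {"Computer": "FS-01", "User": "CORP\\svc_backup", "Image": r"C:\ProgramData\AnyDesk\AnyDesk.exe",
     "CommandLine": "AnyDesk.exe --service"},
    {"Computer": "WS-042", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"Computer": "FS-01", "User": "CORP\\svc_backup", "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security"},
]

if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['host']:<7}{h['stage']:<22}{h['rule']}")
    print("per stage:", summarize(hits), "| multi-stage hosts:", hosts_with_multiple_stages(hits))
```

On the constructed events the rules fire on DC-01 (credential access only), WS-042 (discovery plus an encoded PowerShell launch) and FS-01 (archiving, a remote-management tool and a log clear), so FS-01 and WS-042 are reported as multi-stage hosts. In production the same correlation should be done in the SIEM over forwarded events, because the Defense Evasion step above is precisely the one that erases the local copy.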

Targets or Victimology

Everest has demonstrated a diverse targeting profile, impacting various sectors and regions. However, a noticeable increase in attacks against the healthcare sector has been observed since 2021, with medical imaging providers being a frequent target.

  • Motivations: Primarily financial gain from selling stolen data or network access. There is no definitive proof of state sponsorship; their Russian-speaking origins and some past targets (for example the Brazilian government) have prompted speculation about indirect alignment with broader geopolitical interests, but nothing on the record confirms it.

  • Potential Impact:

* Data Breach: Exposure of sensitive patient data, intellectual property, and confidential business information.

* Operational Disruption: While less reliant on encryption, the theft of critical data can still disrupt operations, particularly in healthcare.

* Reputational Damage: The fallout from a public data leak can have severe, long-lasting effects on reputation and lead to significant financial losses.

  • Targeted Industries:

* Healthcare: A major focus, especially medical imaging providers.

* Technology: Previously targeted, with NASA among the high-profile organizations named in past Everest claims.

* Government: Past targets include government entities.

* Energy and critical infrastructure: The 2021 Colonial Pipeline attack (attributed to DarkSide) matters to Everest's story mainly because the law-enforcement response it triggered drove the group's leak site offline; it illustrates the scrutiny that follows attacks on critical infrastructure rather than a confirmed Everest intrusion.

* Supply Chain: The attack on a New York surgery center shows how a compromise at one provider cascades to the patients, physicians and partner organizations whose data it holds.

  • Targeted Regions:

* United States: A primary focus.

* Europe: Targeted, especially in their IAB activities.

* Canada: Targeted.

* Middle East: Historical targets.

* Brazil: Previous attacks against government targets.

Attack Campaigns

  • Early Campaigns (2020-2021): Initial operations involved double extortion attacks, targeting various sectors, including NASA and the Brazilian government.

  • Colonial Pipeline aftermath (2021): The Colonial Pipeline attack, attributed to the DarkSide group, brought intense law-enforcement pressure on ransomware operators. Everest's data leak site went offline during this period, an early sign of the group's shift towards less conspicuous operations.

  • Shift to IAB (from Nov 2022): Everest increasingly focused on gaining initial access and selling it to other ransomware groups. They actively recruited insiders to facilitate access.

  • Healthcare Targeting (2021-Present): A significant increase in attacks on healthcare organizations, particularly medical imaging providers.

  • New York Surgery Center (Recent): A notable attack on a surgical facility in the U.S., resulting in the alleged exfiltration of 450 GB of data, including sensitive physician and patient information. A 24-hour negotiation deadline was imposed. This attack, and the group's threat to sell the stolen data, demonstrates their current operational focus.

  • Collaboration with Ransomed (Sept 2023): Jointly announced the compromise of SKF.com, indicating collaboration between different cybercriminal groups.

  • HHS Assessment: Everest is potentially linked to at least 20 health sector incidents between April 2021 and July 2024.

Defenses

Combating the threat posed by Everest ransomware, particularly in its current form as a data broker, requires a multi-faceted approach that combines proactive security measures with robust incident response capabilities.

  • Network Monitoring: Implement network and endpoint monitoring tuned for Cobalt Strike tradecraft: periodic outbound connections with little jitter (beaconing), encoded or hidden-window PowerShell launches, and the named-pipe and process-injection patterns associated with Beacon. Alert on these behaviours rather than only on known file hashes, since Beacon payloads are trivially rebuilt, and feed the telemetry into a SIEM so host and network signals can be correlated.

  • Strong Authentication: Implement multi-factor authentication (MFA) for all critical systems and remote access points.

  • Credential Management: Enforce strong password policies and regularly audit user accounts for any signs of compromise.

  • Remote Access Security: Secure remote access tools (RDP, VPNs) with strong authentication, limit access to authorized users, and monitor logs for suspicious activity. Disable unused remote access ports.

  • Vulnerability Management: Regularly scan for and patch vulnerabilities, especially in remote access software and operating systems.

  • Email Security: Implement robust email filtering to stop phishing, including disabling hyperlinks in received emails where practical, and enforce SPF, DKIM and DMARC so that mail from spoofed sender domains is rejected or quarantined.

  • Data Loss Prevention (DLP): Implement DLP solutions to monitor and prevent the unauthorized exfiltration of sensitive data.

  • Security Awareness Training: Train employees to recognize and avoid phishing attempts and social engineering tactics.

  • Incident Response Plan: Develop and regularly test an incident response plan to handle potential ransomware attacks or data breaches effectively.

  • Data Backups: Maintain regular offline backups of critical data, test them for restorability, and follow the 3-2-1 rule (3 copies, on 2 different media, with 1 offsite). Backups do not blunt the extortion threat from stolen data, which is why they must be paired with the DLP and exfiltration monitoring above.

  • Cybersecurity Performance Goals: Implement the voluntary Healthcare and Public Health sector Cybersecurity Performance Goals (CPGs) published by HHS and recommended by the AHA. This includes measures like network segmentation, endpoint detection and response (EDR), and regular security audits.

  • Threat Intelligence: Stay informed about the latest TTPs of Everest and other ransomware groups through threat intelligence feeds and security advisories.

  • Refer to Official Guidance: Healthcare organizations should consult the HHS HC3 threat actor profile on Everest and FBI guidance on ransomware, and keep patch management current.
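The network-monitoring item above asks for alerts on Cobalt Strike beaconing. As an added example (not from this article, not a product feature), the script below scores each (source, destination, port) flow in an outbound connection log by how regular its connection timing is, which is the pattern a Beacon leaves when it checks in on a fixed sleep with a small jitter percentage. The log lines are constructed in a firewall/proxy-like CSV shape, and the minimum-connection and jitter thresholds are assumptions to tune for your estate.

```python
"""Beacon-interval analysis over outbound connection logs.

Added example (not from the article and not a product): scores each
(source, destination, port) flow by how regular its connection timing is,
the pattern a Cobalt Strike Beacon leaves when it checks in on a fixed sleep
with a small jitter percentage. Log lines are constructed here in a
firewall/proxy-like CSV shape: epoch_seconds,src_ip,dst_ip,dst_port,bytes_out.
Thresholds are assumptions to tune for your estate.
"""
import csv
import io
import statistics
from collections import defaultdict

MIN_CONNECTIONS = 8       # below this the timing carries little signal
MAX_JITTER_RATIO = 0.20   # MAD / median interval; 0 for an unjittered Beacon


def parse_connections(text):
    """Group connection timestamps by (src, dst, port)."""
    flows = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["src_ip"], row["dst_ip"], int(row["dst_port"]))
        flows[key].append(float(row["epoch_seconds"]))
    return flows


def interval_stats(timestamps):
    """Median inter-connection interval and the MAD/median jitter ratio.
    MAD (median absolute deviation) is used instead of standard deviation so a
    few missed check-ins do not hide an otherwise regular cadence."""
    ts = sorted(timestamps)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    if not intervals:
        return 0.0, float("inf")
    med = statistics.median(intervals)
    mad = statistics.median([abs(i - med) for i in intervals])
    return med, (mad / med if med > 0 else float("inf"))


def analyze(text, min_connections=MIN_CONNECTIONS, max_jitter=MAX_JITTER_RATIO):
    """One scored entry per flow that has enough connections to judge."""
    results = []
    for (src, dst, port), ts in parse_connections(text).items():
        if len(ts) < min_connections:
            continue
        med, ratio = interval_stats(ts)
        results.append({"src": src, "dst": dst, "port": port, "connections": len(ts),
                        "median_interval_s": round(med, 1), "jitter_ratio": round(ratio, 3),
                        "beaconing": ratio <= max_jitter})
    return results


def suspects(text):
    """Flows whose cadence is regular enough to warrant an analyst's look."""
    return [r for r in analyze(text) if r["beaconing"]]


# Constructed sample log (not real traffic); addresses are documentation ranges.
_BASE = 1_700_000_000
_ROWS = (
    # beacon-like: a check-in roughly every 60 s with a few seconds of jitter
    [(_BASE + off, "10.0.5.23", "203.0.113.10", 443, 1240)
     for off in (0, 61, 118, 180, 239, 302, 359, 421, 480, 541, 598, 660)]
    # interactive browsing: bursts separated by long idle gaps
    + [(_BASE + off, "10.0.5.40", "198.51.100.7", 443, 5000 + off)
       for off in (0, 4, 130, 131, 133, 400, 402, 900, 905, 1500)]
    # too few connections to judge
    + [(_BASE + off, "10.0.5.40", "192.0.2.9", 80, 300) for off in (10, 20, 3000)]
)
SAMPLE_LOG = "epoch_seconds,src_ip,dst_ip,dst_port,bytes_out\n" + "\n".join(
    ",".join(map(str, r)) for r in _ROWS) + "\n"

if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG):
        print(r)
```

On the constructed log only the 10.0.5.23 to 203.0.113.10:443 flow is flagged (median interval 61 s, jitter ratio about 0.03); the browsing flow scores 0.8 and the three-connection flow is skipped. Legitimate software also beacons (NTP, update checks, monitoring agents), so allowlist known destinations before alerting, and if an operator has configured a large Beacon jitter, raise MAX_JITTER_RATIO and weigh the per-connection byte counts, which stay small and uniform for an idle Beacon.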

Conclusion

The Everest ransomware group represents a significant and evolving threat, particularly to the healthcare sector. Their shift from direct ransomware deployment to acting as an initial access broker, and now primarily to data exfiltration and sale, demonstrates the adaptability of cybercriminal operations. The group's use of the commercial Cobalt Strike framework alongside legitimate remote-management tools such as AnyDesk and Splashtop, combined with their focus on credential theft and remote access weaknesses, makes detection and prevention challenging. Organizations, especially those in healthcare, must implement robust, multi-layered security measures, prioritize network and endpoint monitoring, and stay informed about the latest threat intelligence to effectively mitigate the risk posed by Everest and similar threat actors.


Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
