Everest

Threat Actor updated 2 months ago (2024-11-29T14:50:14.858Z)
Everest is a threat actor group known for ransomware attacks and for gaining unauthorized access to organizations' networks. This Russian-speaking group was first observed operating as an initial access broker in November 2021. It has targeted a broad range of sectors, including healthcare, construction and engineering, financial services, legal and professional services, manufacturing, and government.

The group exploits weak or stolen credentials to gain access to multiple systems within a target organization and uses tools such as ProcDump to create copies of the LSASS process, from which it extracts additional credentials. Everest is also known to use legitimate threat-simulation tools such as Cobalt Strike to facilitate its attacks.

In 2021, the French law firm Cabinet Remy Le Bonnois paid the Everest group $30,000 to resolve an attack. In October, Cybernews reported that Everest claimed to have hacked AT&T and was selling access to the company's corporate network in the U.S. The group also reportedly had an insider within the Illinois court system, giving it unrestricted access to confidential documents and sensitive data; this claim was based on a statement Everest made on a dark web forum, accompanied by screenshots allegedly showing its access to the court's systems.

The ransomware strain used by Everest has been linked to the EverBe 2.0 family and, more recently, to the Russia-based ransomware group BlackByte. As an initial access broker, Everest sells unauthorized access to other cybercriminals who then conduct ransomware attacks. This shift into the initial access broker role places the group within the underground Russian ransomware economy, where it enables ransomware attacks by first gaining access to victim organizations through means such as credential theft. The American Hospital Association issued a warning about Everest following an alert from HHS HC3.
Description last updated: 2024-10-17T11:40:39.743Z
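The LSASS credential-dumping technique attributed to Everest above leaves two common traces in endpoint telemetry: a ProcDump process start whose command line names lsass, and a Sysmon Event ID 10 (ProcessAccess) in which LSASS is opened with the PROCESS_VM_READ and PROCESS_QUERY_INFORMATION rights a minidump needs. The following detection logic is an added example, not part of this profile or of any vendor's product; the Sysmon-style key=value log lines are constructed samples, and the field names assume Sysmon's Image, CommandLine, SourceImage, TargetImage and GrantedAccess.

```python
import re

# Constructed, Sysmon-style key=value log lines (not real telemetry): a benign
# process start, a ProcDump launch against LSASS, a ProcessAccess event with the
# access mask a minidump needs, and a low-privilege LSASS access that is benign.
SAMPLE_LOGS = [
    'EventID=1 Image=C:\\Windows\\System32\\notepad.exe CommandLine="notepad.exe"',
    'EventID=1 Image=C:\\Tools\\procdump64.exe CommandLine="procdump64.exe -accepteula -ma lsass.exe out.dmp"',
    'EventID=10 SourceImage=C:\\Tools\\procdump64.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1410',
    'EventID=10 SourceImage=C:\\Windows\\System32\\svchost.exe TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1000',
]

# Reading LSASS memory for a minidump requires both of these process rights.
VM_READ = 0x0010
QUERY_INFORMATION = 0x0400

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split a key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def is_lsass_dump(event):
    """Return a reason string if the event looks like an LSASS memory dump, else None."""
    eid = event.get("EventID")
    if eid == "1":
        image = event.get("Image", "").lower()
        cmd = event.get("CommandLine", "").lower()
        # ProcDump binary (procdump.exe / procdump64.exe) with lsass on its command line
        if image.rsplit("\\", 1)[-1].startswith("procdump") and "lsass" in cmd:
            return "procdump launched against lsass"
    elif eid == "10":
        target = event.get("TargetImage", "").lower()
        if target.endswith("\\lsass.exe"):
            mask = int(event.get("GrantedAccess", "0"), 16)
            if mask & VM_READ and mask & QUERY_INFORMATION:
                return f"lsass opened with VM_READ|QUERY_INFORMATION (0x{mask:x}) by {event.get('SourceImage')}"
    return None

def scan(lines):
    """Return (line index, reason) for every line that matches a dump pattern."""
    hits = []
    for i, line in enumerate(lines):
        reason = is_lsass_dump(parse_line(line))
        if reason:
            hits.append((i, reason))
    return hits

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_LOGS):
        print(f"[{idx}] {why}")
```

Security products and some Windows services legitimately open LSASS with these rights, so in production the Event ID 10 branch is normally paired with an allowlist of known SourceImage paths rather than alerting on every match.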
Aliases: We are not currently tracking any aliases.
Miscellaneous Associations (other elements of context that could aid in the identification of relevance): Ransomware