Everest ransomware is a notorious cybercriminal group that has been active since December 2020. They target organizations across different industries and regions, with high-profile victims including NASA and the Brazilian Government.
The Russian-speaking group claims to have access to sensitive system data and often demands a ransom in exchange for not releasing the stolen information, a tactic known as double extortion. Everest ransomware is known for its data exfiltration capabilities and has been linked to other ransomware families like Everbe 2.0 and BlackByte.
The group does not only leak information, they sell access to the infected network. This means that the compromised organizations have to deal with multiple infections and repeated attacks simultaneously.
SalvageData experts recommend proactive data security measures, such as regular backups, strong cybersecurity practices, and keeping software up to date, to protect against ransomware attacks. And, in case of a ransomware attack, contact our ransomware recovery experts immediately.
The Everest ransomware is a type of malware that specifically targets organizations across various industries and regions. It encrypts the victim’s files, rendering them inaccessible, and demands a ransom payment in exchange for the decryption key.
Experts believe it is part of the Black-Byte family and was previously linked to the Everbe 2.0 family.
The Everest ransomware group has been active since at least December 2020 and has been involved in data breaches, initial access brokering, and ransom demands. The ransomware has been observed using legitimate compromised user accounts and Remote Desktop Protocol (RDP) for lateral movement. They have also targeted several government offices of states, including Argentina, Peru, and Brazil.
Confirmed Name
Threat Type
Encrypted Files Extension
Ransom Demanding Message
The message is usually displayed as a pop-up window or a text file that appears on the desktop or in folders containing encrypted files.
Is There a Free Decryptor Available?
No, there’s no public decryptor for Everest ransomware.
Distribution methods
Consequences
The ransom message displayed by Everest ransomware may vary depending on the variant used. The ransom message displayed by Everest ransomware does not have a specific file name.
The message is displayed as a pop-up window or a text file that appears on the desktop or in folders containing encrypted files.
If you realize you’re a ransomware victim, contacting SalvageData ransomware removal experts provides you with a secure data recovery service and ransomware removal after an attack.
Phishing emails are a common method used by attackers to distribute the Everest ransomware. The attackers send emails that appear to be from a legitimate source, such as a bank or a company, and contain a malicious attachment or a link to a website that hosts the malware. Once the victim clicks on the attachment or the link, the malware is installed on their system.
Exploit kits are automated programs used by cybercriminals to exploit known vulnerabilities in systems or applications. They can be used to secretly launch attacks while victims are browsing the web, with the goal being to download and execute some type of malware.
The Everest ransomware attackers use exploit kits to exploit vulnerabilities in victims’ systems and install the malware. The exploit kits can be delivered through malicious websites or emails.
Remote Desktop Protocol (RDP) is a protocol that allows a person to remotely control a computer that is attached to the internet. The remote person sees whatever is on the screen of the computer they are controlling, and their keyboard and mouse act just like the ones physically attached to the remote computer.
However, RDP has become a favorite target for ransomware attacks, and malicious cyber actors have developed methods of identifying and exploiting vulnerable RDP sessions via the Internet to steal identities and login credentials, then install and launch ransomware attacks. Attackers use brute-force password-guessing attacks to find RDP login credentials.
Malicious downloads are a type of malware distribution method that involves tricking users into downloading and installing malware-infected software or files.
The attackers Everest ransomware actors use fake software updates or downloads to trick victims into downloading and installing the malware. The malicious downloads can be delivered through emails or websites.
Once the malware is installed on victims’ systems, it encrypts their files using AES and DES algorithms and adds the “.EVEREST” extension to the encrypted files. The attackers then display a ransom message that contains instructions on how to contact them and pay the ransom to obtain the decryption key.
Everest ransomware employed a combination of legitimate compromised user accounts and Remote Desktop Protocol (RDP) for lateral movement within the network infrastructure.
To gain access to additional credentials, the threat actor utilized ProcDump, which was used to create a copy of the LSASS process.
This resulted in the creation of a file. Furthermore, a copy of the NTDS database was also generated and stored as a file named ntds.dit.zip.
Throughout the course of the incident, the threat actor consistently removed various tooling, reconnaissance output files, and data collection archives from compromised hosts as a means to evade detection.
Upon compromising a new host, the threat actor engaged in network discovery activities. This was predominantly accomplished through the use of tools such as netscan.exe, netscanpack.exe, and SoftPerfectNetworkScannerPortable.exe.
By conducting network scans, the threat actor aimed to identify potential targets of interest and compile a list for potential ransomware deployment.
One notable action taken by the threat actor was the installation of the WinRAR application on a file server. This application was then utilized to archive data, preparing it for eventual exfiltration.
The primary command and control mechanism employed by the threat actor was Cobalt Strike. Additionally, a Metasploit payload was discovered within the path C:\Users\Public\l.exe.
In addition to these primary methods, the threat actor also deployed several Remote Access Tools as a secondary command and control method. These tools were further utilized for establishing persistence, with the installation of these tools as services.
Remote Access Tools used
To exfiltrate data from the compromised network, the threat actor leveraged the file transfer capabilities of Splashtop.
Do not pay the ransom! Contacting a ransomware removal service can not only restore your files but also remove any potential threat.
The first step to recovering from an Everest attack is to isolate the infected computer by disconnecting it from the internet and removing any connected device. Then, you must contact local authorities. In the case of US residents and businesses, it is the local FBI field office and the Internet Crime Complaint Centre (IC3).
To report a ransomware attack you must gather every information you can about it, including:
However, if you prefer to contact professionals, then do nothing. Leave every infected machine the way it is and ask for an emergency ransomware removal service. Restarting or shutting down the system may compromise the recovery service. Capturing the RAM of a live system may help get the encryption key, and catching a dropper file, i.e. file executing the malicious payload, might be reverse-engineered and lead to decryption of the data or understanding how it operates.
You must not delete the ransomware, and keep every evidence of the attack. That’s important for digital forensics so experts can trace back to the hacker group and identify them. It is by using the data on your infected system that authorities can investigate the attack and find the responsible. A cyber attack investigation is not different from any other criminal investigation: it needs evidence to find the attackers.
A Cyber Incident Response is the process of responding to and managing a cybersecurity incident. An Incident Response Retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with a structured form of expertise and support through a security partner, enabling them to respond quickly and effectively during a cyber incident.
An incident response retainer offers peace of mind to organizations, offering expert support before and in the aftermath of a cybersecurity incident. An incident response retainer’s specific nature and structure will vary according to the provider and the organization’s requirements. A good incident response retainer should be robust but flexible, providing proven services to enhance an organization’s long-term security posture.
If you contact your IR service provider, they can take over immediately and guide you through every step in the ransomware recovery. However, if you decide to remove the ransomware yourself and recover the files with your IT team, then you can follow the next steps.
You can identify which ransomware infected your machine by the file extension (some ransomware uses the file extension as their name), using a ransomware ID tool, or it will be on the ransom note. With this information, you can look for a public decryption key.
You can also check the ransomware type by its IOCs. Indicators of Compromise (IOCs) are digital clues that cybersecurity professionals use to identify system compromises and malicious activities within a network or IT environment. They are essentially digital versions of evidence left at a crime scene, and potential IOCs include unusual network traffic, privileged user logins from foreign countries, strange DNS requests, system file changes, and more. When an IOC is detected, security teams evaluate possible threats or validate its authenticity. IOCs also provide evidence of what an attacker had access to if they did infiltrate the network.
Before recovering your data, you must guarantee that your device is ransomware-free and that the attackers can’t make a new attack through exploit kits or other vulnerabilities. A ransomware removal service can delete the ransomware, create a forensics document for investigation, eliminate vulnerabilities, and recover your data.
Backups are the most efficient way to recover data. Make sure to keep daily or weekly backups, depending on your data usage.
If you don’t have a backup or need help removing the ransomware and eliminating vulnerabilities, contact a data recovery service. Paying the ransom does not guarantee your data will be returned to you. The only guaranteed way you can restore every file is if you have a backup. If you don’t, ransomware data recovery services can help you decrypt and recover the files.
SalvageData experts can safely restore your files and prevent Everest ransomware from attacking your network again. Contact our experts 24/7 for ransomware recovery services.
Preventing ransomware is the best solution for data security. is easier and cheaper than recovering from them. Everest ransomware can cost your business’s future and even close its doors.
These are a few tips to ensure you can avoid ransomware attacks:
In a recent data recovery service case, the SalvageData recovery team achieved a remarkable feat…
A corrupted database on PS4 occurs when the system's organized data collection becomes damaged or…
Encountering a black or blank screen on your Windows computer can be frustrating and alarming.…
LockBit ransomware has emerged as one of the most dangerous and prolific cyber threats in…
Recovery mode is a crucial feature for troubleshooting and restoring an iPad when it encounters…
Whether you’re a professional juggling important work documents or an individual cherishing irreplaceable memories, safeguarding…