everest
Group profile
The Everest ransom group collects and analyzes information about its victims. It specializes in customer privacy data, financial information, databases, credit card information, and more. The group leaks victims' data to the darknet and has announced that any victim that does not contact them will suffer a data leak, and that their files will not be deleted but kept for future use.
MITRE ATT&CK TTPs
Stealth
T1027 Obfuscated Files or Information
Binary protected with ConfuserEx: rename obfuscation, constants encryption, integer confusion, and modified module .cctor.
T1027.007 Obfuscated Files or Information: Dynamic API Resolution
All non-corlib native API calls resolved at runtime via LoadLibrary / GetProcAddress rather than static imports.
T1078.003 Valid Accounts: Local Accounts
Implicit current-user impersonation used for net use \\<unc> connections to discovered network shares without explicit credential passing.
T1112 Modify Registry
Multiple HKCU/HKLM registry writes: LongPathsEnabled, LocalAccountTokenFilterPolicy, EnableLinkedConnections (share access), WallPaper (ransom note), AppName\PublicKey (encryption key storage).
T1140 Deobfuscate/Decode Files or Information
Runtime decryption of UserStrings via <Module>.m using GZip decompression followed by Base64 decoding.
T1480 Execution Guardrails
Global <GUID> mutex enforces single-instance execution; CIS culture/LCID geo-fence prevents execution on CIS-locale systems.
T1564 Hide Artifacts
Process self-DACL set to deny-Everyone via KZsyzkgZlDQw.UB, preventing other processes from inspecting or terminating the ransomware process.
T1622 Debugger Evasion
Memory-pig killer heuristic: processes consuming more than 250 MB are terminated, targeting sandbox environments and active debuggers.
Discovery
T1018 Remote System Discovery
ARP table parsed via arp -a; ARP-driven Wake-On-LAN packets sent to discovered hosts to bring them online before encryption.
T1135 Network Share Discovery
Network shares enumerated via net view, NetDfsEnum, WNetEnumResource*, Win32_Share WMI class, and Win32_NetworkConnection.
T1518.001 Software Discovery: Security Software Discovery
Anti-analysis kill list matched against ProcessName and MainWindowTitle to identify and terminate security/analysis tools.
T1614.001 System Location Discovery: System Language Discovery
CIS culture/LCID check used as exclusion geo-fence; execution aborts if system locale matches CIS-region languages.
Lateral Movement
T1021.002 Remote Services: SMB/Windows Admin Shares
net.exe use \\<unc> executed over discovered SMB shares to access and encrypt remote file systems.
Command and Control
T1071.001 Application Layer Protocol: Web Protocols
WebClient.DownloadData referenced in Helpers.DownloadUrl — present in code but not reachable at runtime (inert code path).
Impact
T1486 Data Encrypted for Impact
AES-128-CBC PKCS#7 / NoPadding (large files) encryption of all eligible files on local drives, mounted unlettered volumes, and LAN shares.
T1489 Service Stop
ServiceController.Stop called against ~100 services (AV, backup, MSSQL, Exchange, MBAM, Veeam, Acronis, etc.) combined with sc config <svc> start=disabled to prevent restart.
T1490 Inhibit System Recovery
VSS deletion via PowerShell or vssadmin, SRRemoveRestorePoint, backup file deletion (del /s /q), Recycle Bin removal (rd /s /q), Restart Manager used to force-shutdown apps locking target files.
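As an added defender-side illustration (not taken from this profile or from any vendor tool), the following Python script scores constructed endpoint telemetry against the command-line and registry indicators named in the TTP list above and flags hosts that exhibit several distinct techniques together. Host names, share names, service names and the event record layout are assumptions.

```python
import re
from collections import defaultdict

# Command-line indicators drawn from the TTP descriptions above, keyed by ATT&CK ID.
COMMAND_RULES = [
    ("T1489", re.compile(r"\bsc(?:\.exe)?\s+config\s+\S+\s+start=\s*disabled", re.I)),
    ("T1490", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("T1490", re.compile(r"\b(?:del|rd)\s+/s\s+/q\b", re.I)),
    ("T1021.002", re.compile(r"\bnet(?:\.exe)?\s+use\s+\\\\", re.I)),
    ("T1018", re.compile(r"\barp(?:\.exe)?\s+-a\b", re.I)),
    ("T1135", re.compile(r"\bnet(?:\.exe)?\s+view\b", re.I)),
]
# Registry value names the profile lists under T1112 (matched on value name only).
REGISTRY_VALUES = {
    "LocalAccountTokenFilterPolicy": "T1112",
    "EnableLinkedConnections": "T1112",
    "LongPathsEnabled": "T1112",
    "WallPaper": "T1112",
}

def classify_event(event):
    """Return the set of ATT&CK IDs a single event matches (empty set if none)."""
    hits = set()
    if event["type"] == "process":
        for technique, pattern in COMMAND_RULES:
            if pattern.search(event["cmdline"]):
                hits.add(technique)
    elif event["type"] == "registry":
        value_name = event["target"].rsplit("\\", 1)[-1]
        if value_name in REGISTRY_VALUES:
            hits.add(REGISTRY_VALUES[value_name])
    return hits

def score_hosts(events, min_techniques=3):
    """Aggregate hits per host; flag hosts showing at least min_techniques distinct techniques."""
    per_host = defaultdict(set)
    for event in events:
        per_host[event["host"]] |= classify_event(event)
    return {h: sorted(t) for h, t in per_host.items() if len(t) >= min_techniques}

# Constructed sample telemetry (assumed host, share and service names; not real data).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "cmdline": "arp -a"},
    {"host": "ws01", "type": "process", "cmdline": "net.exe use \\\\fs01\\backup"},
    {"host": "ws01", "type": "registry", "target": "HKLM\\...\\System\\LocalAccountTokenFilterPolicy"},
    {"host": "ws01", "type": "process", "cmdline": "sc config VeeamBackupSvc start=disabled"},
    {"host": "ws01", "type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws02", "type": "process", "cmdline": "net view"},  # lone share listing: not flagged
]

if __name__ == "__main__":
    print(score_hosts(SAMPLE_EVENTS))
```

A single matching command is common administrative noise; the per-host threshold is what turns these weak indicators into a usable alert.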
Recent victims
showing 50 of 365
| Date | Victim | Website | Sector | Country |
|---|---|---|---|---|
| 2026-05-29 | Asopagos S.A. | asopagos.com | Not Found | CO |
| 2026-05-29 | ЕРМ | | Business Services | |
| 2026-05-28 | Spedition Kern | spedition-kern.com | Transportation/Logistics | DE |
| 2026-05-28 | Advanced Psychiatry Associates | advancedpsychiatryassociates.com | Healthcare | US |
| 2026-05-28 | Sidra Kuwait Hospital | sidrakwhospital.com | Healthcare | KW |
| 2026-05-28 | VVO Finance | vvo.de | Financial Services | DE |
| 2026-05-28 | AKM | | Not Found | JP |
| 2026-05-28 | TransferZ | transferz.com | Transportation/Logistics | US |
| 2026-05-28 | L&P Aesthetics | fortheface.com | Healthcare | US |
| 2026-05-07 | Rehab Clinics Group Ltd | | Healthcare | GB |
| 2026-05-05 | Studio Marchi - Studio Professionale Associato | | Business Services | IT |
| 2026-05-03 | Fiserv | fiserv.com | Financial Services | US |
| 2026-05-02 | Symcor | symcor.ca | Business Services | CA |
| 2026-05-02 | TSYS | tsys.com | Financial Services | US |
| 2026-05-02 | Epiq Global | epiqglobal.com | Business Services | US |
| 2026-04-30 | Liberty Mutual Insurance | | Financial Services | US |
| 2026-04-30 | Morae | morae.com | Technology | US |
| 2026-04-28 | Indonesia's Customs Analytics Platform | | Public Sector | ID |
| 2026-04-28 | Super AI | super.ai | Technology | DE |
| 2026-04-20 | Nutrabio | nutrabio.com | Agriculture and Food Production | US |
| 2026-04-20 | Umiles Group | umilesgroup.com | Business Services | ES |
| 2026-04-20 | Complete Aircraft Group | complete-aircraft.com | Manufacturing | US |
| 2026-04-20 | Tokoparts | tokoparts.com | Consumer Services | ID |
| 2026-04-20 | Citizens Bank | citizensbank.com | Financial Services | US |
| 2026-04-20 | Frost Bank | frostbank.com | Financial Services | US |
| 2026-04-13 | K Subsea Group | ksubsea-group.com | Energy | SG |
| 2026-04-01 | Nissan | | Manufacturing | JP |
| 2026-03-31 | Parque Eólico Toabré | petoabre.com | Energy | PA |
| 2026-03-31 | PT Brantas Abipraya | brantas-abipraya.co.id | Construction | ID |
| 2026-03-30 | Straight Line Logistics | straight-line-transport.com | Transportation/Logistics | AE |
| 2026-03-15 | Evaluate a Norstella company | norstella.com | Not Found | NO |
| 2026-03-10 | First Priority Group | 1fpg.com | Manufacturing | US |
| 2026-03-06 | Hyundai Elevator | hyundaielevator.co.kr | Manufacturing | KR |
| 2026-02-28 | UD Trucks | udtrucks.co.jp | Manufacturing | JP |
| 2026-02-25 | 111 | | Not Found | |
| 2026-02-24 | Boltech | boltech.pl | Manufacturing | PL |
| 2026-02-17 | Atlas Air: MUSE INSECURE | | Transportation/Logistics | US |
| 2026-02-11 | Tsunami Tsolutions | tsunamitsolutions.com | Technology | US |
| 2026-02-06 | Atlas Air | atlasair.com | Transportation/Logistics | US |
| 2026-02-02 | Polycom | polycom.com | Technology | US |
| 2026-02-02 | Iron Mountain | ironmountain.com | Business Services | US |
| 2026-02-01 | Shinwa Co Ltd | shinwa.co.jp | Construction | JP |
| 2026-02-01 | Hosowaka Micron Group | hosokawamicron.co.jp | Manufacturing | JP |
| 2026-02-01 | Stellium | stellium.com | Business Services | GB |
| 2026-02-01 | Acu Trans Solutions LLC | acutranssolutions.com | Transportation/Logistics | US |
| 2026-02-01 | SIGMA Processing Group | sigma-pa.de | Not Found | DE |
| 2026-01-21 | Bolttech | bolttech.com | Technology | SG |
| 2026-01-20 | Ciena | | Telecommunication | US |
| 2026-01-20 | Virginia Records - Database leaked | | Not Found | BG |
| 2026-01-20 | McDonalds India | mcdindia.com | Hospitality and Tourism | IN |

