LIVE
LATEST THREAT: Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus THREAT ALERT ACTIVE
Intelligence DB / Group Profile Everest

Everest Ransomware Group Profile: Data Extortion, Access Sales, and Government Targeting

Everest (EverestTeam) began as a data extortion operation in 2020, added encryption in later campaigns, and has persistently targeted government, healthcare, and energy sectors. This profile covers their TTPs, affiliate structure, victim patterns, and current operational status.

By Ransomware Tracker ·
EverestEverestTeamransomwaredata extortionaccess brokergovernmenthealthcareenergyRaaSdark web
Threat Level
8/10
Sectors Targeted
government
healthcare
energy
manufacturing
finance
Ransomware Family
Everest

Everest (also known as EverestTeam) operates in an interesting position in the ransomware ecosystem: part data extortion group, part access broker. They claim victims, negotiate ransoms, and leak data when negotiations fail — but they also sell network access to other threat actors, generating revenue from compromises that never result in a ransomware deployment. This dual model makes them harder to track than pure-play ransomware groups and gives them resilience that single-revenue operations lack.

Active since at least October 2020, Everest has maintained consistent operations through periods when larger groups faced law enforcement disruption, positioning themselves in the mid-tier of the ecosystem below LockBit and Cl0p but above newer entrants.

Operational History

Everest emerged initially as a data extortion group — stealing data and threatening publication without deploying encryption. This approach reduces operational complexity (no decryptor infrastructure required) and avoids some of the law enforcement attention that encryption-based ransomware attracts. A victim whose data is stolen can still restore operations; they’re then pressured purely on the reputational and regulatory cost of data publication.

The group later incorporated encryption into some campaigns, shifting between pure extortion and ransomware-plus-extortion depending on the target and their negotiation leverage. Their leak site on .onion publishes victim data in stages — initial sample, then escalating volume — to increase pressure during negotiations.

A distinctive element of Everest’s model: they explicitly sell access to compromised networks rather than always deploying their own tools. This positions them in the initial access broker (IAB) market as well as the extortion market, and means that some Everest-attributed initial access leads to other groups’ ransomware deployments rather than Everest’s own operations.

Target Sectors and Geography

Everest has shown persistent interest in government entities at the national and state/regional level, healthcare organisations, and energy sector targets. Their victim list has included US government contractors, South American government agencies, healthcare systems, and critical infrastructure operators.

Notable claimed victims have included entities connected to NASA, US federal contractors, Brazilian government agencies, and healthcare systems in North America. The group doesn’t appear to operate under geopolitical constraints that restrict specific nation targeting — they’ve claimed victims across the Americas, Europe, and Asia-Pacific.

High-value targets with large data assets and reputational sensitivity to data exposure are the consistent thread, rather than any particular technical characteristic of the victim environment.

TTPs

Initial access: Everest primarily uses purchased or independently obtained initial access rather than novel exploitation. Common entry points include:

  • Exploited VPN and remote access vulnerabilities (including unpatched Fortinet, Pulse/Ivanti, and Citrix flaws)
  • Phishing and social engineering leading to credential theft
  • Purchased access from IABs
  • Remote Desktop Protocol (RDP) exposed to the internet with weak or reused credentials

Post-exploitation: Once inside, Everest actors conduct standard privilege escalation and lateral movement — credential harvesting, Active Directory enumeration, and domain controller compromise before staging exfiltration. They prioritise reaching the point where they can threaten the entire environment, not just individual systems.

Exfiltration: Data is staged and transferred to external infrastructure before any encryption or overt extortion demand. Exfiltration via cloud storage services (Mega, cloud drives) and FTP has been observed. The data exfiltration step is non-negotiable for Everest — it’s the primary leverage mechanism.

Negotiation: Everest uses a standard negotiation platform accessed via their dark web portal. Negotiation sessions have been documented running for weeks. They frequently set short initial deadlines and then extend them contingent on communication progress. As with most groups, the actual final settlement amount frequently falls below the initial demand.

Affiliate and Access Broker Operations

Everest’s dual model complicates attribution and impact assessment. When Everest sells access they’ve obtained to another group, the eventual ransomware deployment may be attributed to the buyer’s RaaS family rather than to Everest — meaning Everest’s reach and impact is likely undercounted by victim counts on their own leak site.

The group appears to operate with a small core team and a limited affiliate network rather than the open affiliate recruitment model used by RaaS operations like RansomHub. This limits scale but also reduces the operational security risk of having large numbers of affiliates who might get arrested and cooperate with law enforcement.

Current Status and Threat Level

Everest maintained operations through the significant law enforcement actions against LockBit, ALPHV/BlackCat, and other groups in 2024 and early 2025. As affiliates from disrupted operations sought new platforms, mid-tier groups including Everest experienced increased activity.

Their leak site continues to list new victims. No decryptor is publicly available for Everest ransomware. Law enforcement has not publicly announced action against the group.

Threat level for target sectors: Medium-High. Organisations in government contracting, healthcare, and energy should treat Everest as an active threat actor rather than a theoretical one. Their access broker operations mean that an Everest initial access event may precede a different group’s ransomware deployment.

Detection and Response Considerations

Given Everest’s reliance on purchased and opportunistically obtained access, standard perimeter hardening is the highest-leverage defensive measure: patching internet-facing systems — particularly VPN gateways and remote access platforms — on an accelerated timeline, MFA on all remote access, and RDP hardening (VPN-only access, account lockout policies).

If Everest is identified in an environment, assume data exfiltration has already occurred or is in progress regardless of whether encryption has been deployed. Incident response scope should include identifying what data was accessible from compromised accounts rather than focusing solely on restoring systems.

// Related Intelligence
Group Profile

Space Bears: The Data Extortion Group With a Corporate Aesthetic and MSSQL Focus

Group Profile

Underground Ransomware: Group Profile

Group Profile

Termite Ransomware: Group Profile, Babuk Origins, and High-Impact Supply Chain Targeting