Everest Ransomware Group: Evolution, Modus Operandi, and Major Operations
November 17, 2025
Since emerging in late 2020, the Everest ransomware group has evolved into a multifaceted and persistent cyber-extortion threat. Initially centered on data theft, the group gradually shifted toward full ransomware operations and later expanded into the role of an Initial Access Broker, selling footholds into corporate networks to other cybercriminals. Everest’s activities span several high-value sectors—including industrial gas, aerospace, and global consumer brands—demonstrating the group’s persistent targeting of organizations whose operational, economic, or reputational stakes are high. This report outlines Everest’s evolution, technical behaviors, and several of its most consequential attacks, offering a consolidated view of a threat actor whose influence has grown steadily across the global ransomware ecosystem.
Evolution of the Everest Ransomware Group
The Everest ransomware group emerged in December 2020 and has since developed into a hybrid threat actor combining data extortion, ransomware deployment, and the monetization of network access. Initially dedicated to data exfiltration alone, Everest later embraced full ransomware operations, employing a strain linked first to the Everbe 2.0 family and later associated with Russia-based BlackByte operators. Everest maintained a visible extortion infrastructure through its data leak site (DLS), which briefly went offline after the disruption surrounding the Colonial Pipeline incident in 2021, before reappearing as the group restructured. By 2023, Everest increasingly operated as an Initial Access Broker as well, openly advertising to buy corporate network access across North America and Europe. Their requests covered shell, VNC, HVNC, RDP with VPN, and various remote-access software footholds, which indicates reliance on purchased or stolen credentials rather than bespoke intrusion exploits. Reports also tied them to attempts to recruit insiders, though more commonly they acquire access from other malicious operators.
Technical Tradecraft and Operational Behavior
Everest operates with a pragmatic toolset centered on credential abuse and remote-access tooling rather than custom exploits. For lateral movement, the group relies on compromised legitimate accounts and Remote Desktop Protocol (RDP). Credential harvesting is systematic: ProcDump is used to dump the memory of LSASS, which holds cached logon credentials, and the Active Directory database (NTDS.dit) is copied from domain controllers, giving the operators password hashes for every domain account together with a full picture of the directory's structure.
Reconnaissance reflects a preference for simplicity, using netscan.exe, netscanpack.exe, and SoftPerfect Network Scanner to map internal networks. WinRAR is used to compress large datasets prior to exfiltration, while commercial remote-management tools (AnyDesk, Splashtop, and Atera) provide persistence and a secondary command channel that blends in with legitimate IT activity. Cobalt Strike remains the primary command-and-control framework, with beacons launched through PowerShell.
Data exfiltration is conducted before encryption, so the leak threat survives even when the victim can restore from backups. Files are encrypted with AES and DES and given the ".EVEREST" extension. The group consistently removes its tools, logs, and temporary files to limit forensic visibility, which means endpoint telemetry forwarded off-host at the time of execution is often the only surviving record of the intrusion. No public decryptor exists.
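Because almost every tool in this chain is a legitimate or commodity utility, the practical detection opportunity is the command line, not the binary. The script below is an added example, not code from the original report and not Everest tooling: it runs a handful of heuristic rules over constructed Sysmon-style process-creation events (host, user, image, command line) and then flags hosts where several distinct techniques fired, since a single ntdsutil run may be an administrator while LSASS dumping followed by RAR staging and an AnyDesk install is not. Process names, paths, usernames and the `-enc` blob in the sample events are all made up for the example; the ATT&CK technique IDs are the standard ones for each behaviour.

```python
"""Heuristic detections for the Everest tradecraft described above, run over
constructed Sysmon-style process-creation events. Added example: not code from
the original article and not Everest's own tooling; all events are made up."""
import re
from collections import defaultdict

# Constructed sample telemetry. One benign event, then one event per technique
# discussed in the text. The PowerShell -enc blob is a placeholder, not a payload.
SAMPLE_EVENTS = [
    {"host": "WS-014", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\jdoe\\notes.txt"},
    {"host": "WS-014", "user": "CORP\\jdoe",
     "image": "C:\\Temp\\procdump64.exe",
     "cmdline": "procdump64.exe -accepteula -ma lsass.exe C:\\Temp\\l.dmp"},
    {"host": "DC-01", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\ntdsutil.exe",
     "cmdline": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Temp\\ifm" q q'},
    {"host": "FS-02", "user": "CORP\\jdoe",
     "image": "C:\\Temp\\netscan.exe",
     "cmdline": "netscan.exe"},
    {"host": "FS-02", "user": "CORP\\jdoe",
     "image": "C:\\Program Files\\WinRAR\\Rar.exe",
     "cmdline": "Rar.exe a -r -hpS3cret -m5 -v4g C:\\Temp\\out.rar \\\\FS-02\\Finance"},
    {"host": "WS-014", "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe",
     "cmdline": "AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent"},
    {"host": "WS-014", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA="},
    {"host": "FS-02", "user": "CORP\\admin",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c wevtutil cl Security"},
]


def _basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# (rule name, ATT&CK technique, predicate over one event). Predicates are plain
# string/regex heuristics so they can be read and audited; tune them to your fleet.
RULES = [
    ("lsass_dump_procdump", "T1003.001",
     lambda e: re.search(r"procdump.*\blsass\b", e["cmdline"], re.I) is not None),
    ("ntds_collection", "T1003.003",
     lambda e: re.search(r"ntdsutil|ntds\.dit", e["cmdline"], re.I) is not None),
    ("network_scanner", "T1046",
     lambda e: _basename(e["image"]) in {"netscan.exe", "netscanpack.exe"}),
    ("archive_staging_rar", "T1560.001",
     lambda e: re.search(r"rar\.exe\s+a\b", e["cmdline"], re.I) is not None),
    ("remote_access_tool", "T1219",
     lambda e: any(t in (e["image"] + " " + e["cmdline"]).lower()
                   for t in ("anydesk", "splashtop", "atera"))),
    ("encoded_powershell", "T1059.001",
     lambda e: _basename(e["image"]) == "powershell.exe"
     and re.search(r"\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}",
                   e["cmdline"], re.I) is not None),
    ("event_log_clearing", "T1070.001",
     lambda e: re.search(r"wevtutil\s+cl\b|clear-eventlog", e["cmdline"], re.I) is not None),
]


def detect(events):
    """Return one finding per (event, matched rule) pair."""
    findings = []
    for e in events:
        for name, technique, pred in RULES:
            if pred(e):
                findings.append({"host": e["host"], "user": e["user"], "rule": name,
                                 "technique": technique, "cmdline": e["cmdline"]})
    return findings


def suspicious_hosts(findings, min_rules=2):
    """Hosts on which at least `min_rules` distinct rules fired. One hit is noise
    (an admin running ntdsutil); a chain of different techniques is hands-on-keyboard."""
    per_host = defaultdict(set)
    for f in findings:
        per_host[f["host"]].add(f["rule"])
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(f'{h["host"]:<7}{h["technique"]:<11}{h["rule"]:<22}{h["cmdline"][:60]}')
    print("hosts with chained activity:", suspicious_hosts(hits))
```

The per-host aggregation is the part worth keeping when porting this to a real SIEM: every rule above will fire on some legitimate admin activity in isolation, but the combination of credential dumping, archiving and a fresh remote-access install on one workstation within a short window is the signature of the tradecraft the report describes, and it is visible before any file gains the ".EVEREST" extension.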
Targeting Strategy and Sectoral Impact
Everest’s victimology illustrates a consistent interest in high-visibility or strategically significant organizations. Their operations span critical infrastructure, industrial manufacturing, aerospace and defense, and high-volume consumer brands whose exposure of user data could trigger major regulatory and reputational fallout.
Everest is not the most technically sophisticated ransomware crew, but it has carved out a durable niche by blending consistent intrusion techniques with aggressive extortion and an expanding access-broker marketplace. The group’s resilience comes from its ability to adapt, outsource access operations, and target sectors where the pressure to resolve an intrusion is uniquely acute.
Case Study: SIAD Group – Industrial Gas Sector Breach
In Italy, Everest claimed a major compromise of SIAD Group, an industrial gas company deeply integrated into national infrastructure. The group announced possession of 159GB of sensitive operational data and threatened to leak the material unless demands were met.
For a sector where service continuity and operational safety are paramount, the breach highlighted vulnerabilities that extend across Europe’s industrial and energy-related ecosystems.
This incident underscored how ransomware activity increasingly intersects with critical infrastructure, creating risks that far exceed financial damages and raising concerns about systemic exposure within industrial control environments.
Case Study: Collins Aerospace – A Strategic Aerospace Intrusion
Everest also targeted Collins Aerospace, a major U.S. aviation and defense contractor. The attackers exfiltrated sensitive technical and operational information and publicly leaked portions to maximize pressure.
Given Collins Aerospace’s role in the defense supply chain, the breach raised concerns about national-security exposure, particularly regarding proprietary defense-related technologies.
Analysis suggests a combination of phishing for initial access and subsequent lateral movement into high-value systems, exploiting weaknesses in cloud posture and internal segmentation. The incident illustrates Everest’s ability to compromise deeply embedded contractors within national defense ecosystems.
Case Study: Under Armour – Large-Scale Consumer Data Exposure
In the commercial sector, Everest claimed responsibility for a large-scale breach at Under Armour, asserting the theft of 343GB of internal company data. Though the full content remains unverified, the volume suggests potential exposure of millions of customer records, raising concerns about identity theft and regulatory repercussions.
Under Armour mobilized internal and external cybersecurity teams to assess the damage, reflecting a familiar pattern across Everest intrusions: prolonged uncertainty for victims as they determine what was taken and how deeply networks were penetrated.
Conclusion
Everest’s operational trajectory reflects the professionalization of mid-tier ransomware groups. While not the most technically advanced, Everest has built a resilient model centered on credential theft, modular tools, outsourced access, and high-impact victim selection. Their operations against SIAD Group, Collins Aerospace, and Under Armour demonstrate their capacity to affect critical infrastructure, defense supply chains, and global consumer markets alike. As the broader ransomware ecosystem evolves, Everest remains a persistent and adaptive threat actor whose activity exemplifies the ongoing risks posed by organized cyber-extortion groups.