Searchlight Cyber publishes report on Everest ransomware group

On June 29, England-based Searchlight Cyber, a dark web intelligence company, announced that it has published new research on the Everest Ransomware group.

The Everest ransomware group has been around since at least December 2020, targeting organizations across a number of industries and regions but with a particular concentration in the Americas and capital goods, health, and the public sector. It has listed 92 organizations on its dark web leak site and is perhaps most infamous for targeting AT&T and several South American governments.

Searchlight Cyber’s Ransomware Spotlight report focuses on the Everest group’s increasing output as an “Initial Access Broker” – a cybersecurity term for criminals who sell backdoors into organizations to other criminals but don’t carry out the attack themselves. This behavior is extremely rare among ransomware groups, as a ransomware attack would typically make more money than selling initial access.

The Everest ransomware group often deletes its advertisements from its leak site, which means that other security professionals might not be aware of how frequently the group is acting as an Initial Access Broker.

The report explores several reasons why the Everest group may have moved towards being an Initial Access Broker, including trying to keep a low profile from law enforcement, a loss of personnel, or a different monetization tactic. It also gives an overview of the Everest group’s dark web presence – including its use of dark web hacking forums such as XSS to promote its attacks, the group’s victimology based on the companies it posts on its dark web blog, and known TTPs for the group.

Source: Searchlight Cyber