I think there's an issue with my storage device, but I'm not sure Start a free evaluation →
I need help getting my data back right now Call now (800) 972-3282
Everest ransomware is a notorious cybercriminal group that has been active since December 2020. They target organizations across different industries and regions, with high-profile victims including NASA and the Brazilian Government.
The Russian-speaking group claims to have access to sensitive system data and often demands a ransom in exchange for not releasing the stolen information, a tactic known as double extortion. Everest ransomware is known for its data exfiltration capabilities and has been linked to other ransomware families like Everbe 2.0 and BlackByte.
The group does not only leak information, they sell access to the infected network. This means that the compromised organizations have to deal with multiple infections and repeated attacks simultaneously.
SalvageData experts recommend proactive data security measures, such as regular backups, strong cybersecurity practices, and keeping software up to date, to protect against ransomware attacks. And, in case of a ransomware attack, contact our ransomware recovery experts immediately.
What kind of malware is Everest?
The Everest ransomware is a type of malware that specifically targets organizations across various industries and regions. It encrypts the victim’s files, rendering them inaccessible, and demands a ransom payment in exchange for the decryption key.
Experts believe it is part of the Black-Byte family and was previously linked to the Everbe 2.0 family.
The Everest ransomware group has been active since at least December 2020 and has been involved in data breaches, initial access brokering, and ransom demands. The ransomware has been observed using legitimate compromised user accounts and Remote Desktop Protocol (RDP) for lateral movement. They have also targeted several government offices of states, including Argentina, Peru, and Brazil.
Everything we know about Everest Ransomware
- Everest virus
- Crypto Virus
- Files locker
- Double extortion
Encrypted Files Extension
Ransom Demanding Message
The message is usually displayed as a pop-up window or a text file that appears on the desktop or in folders containing encrypted files.
Is There a Free Decryptor Available?
No, there’s no public decryptor for Everest ransomware.
- Phishing emails
- Exploit kits
- Remote Desktop Protocol (RDP) compromised
- Malicious downloads
- Files are encrypted and locked until the ransom payment
- Data leak
- Leaves the network open for new simultaneous attacks
- Double extortion
What is in the Everest ransom note
The ransom message displayed by Everest ransomware may vary depending on the variant used. The ransom message displayed by Everest ransomware does not have a specific file name.
The message is displayed as a pop-up window or a text file that appears on the desktop or in folders containing encrypted files.
If you realize you’re a ransomware victim, contacting SalvageData ransomware removal experts provides you with a secure data recovery service and ransomware removal after an attack.
How does Everest ransomware infect a machine or network?
Phishing emails are a common method used by attackers to distribute the Everest ransomware. The attackers send emails that appear to be from a legitimate source, such as a bank or a company, and contain a malicious attachment or a link to a website that hosts the malware. Once the victim clicks on the attachment or the link, the malware is installed on their system.
Exploit kits are automated programs used by cybercriminals to exploit known vulnerabilities in systems or applications. They can be used to secretly launch attacks while victims are browsing the web, with the goal being to download and execute some type of malware.
The Everest ransomware attackers use exploit kits to exploit vulnerabilities in victims’ systems and install the malware. The exploit kits can be delivered through malicious websites or emails.
Remote Desktop Protocol (RDP) compromised
Remote Desktop Protocol (RDP) is a protocol that allows a person to remotely control a computer that is attached to the internet. The remote person sees whatever is on the screen of the computer they are controlling, and their keyboard and mouse act just like the ones physically attached to the remote computer.
However, RDP has become a favorite target for ransomware attacks, and malicious cyber actors have developed methods of identifying and exploiting vulnerable RDP sessions via the Internet to steal identities and login credentials, then install and launch ransomware attacks. Attackers use brute-force password-guessing attacks to find RDP login credentials.
Malicious downloads are a type of malware distribution method that involves tricking users into downloading and installing malware-infected software or files.
The attackers Everest ransomware actors use fake software updates or downloads to trick victims into downloading and installing the malware. The malicious downloads can be delivered through emails or websites.
How does Everest ransomware work
Once the malware is installed on victims’ systems, it encrypts their files using AES and DES algorithms and adds the “.EVEREST” extension to the encrypted files. The attackers then display a ransom message that contains instructions on how to contact them and pay the ransom to obtain the decryption key.
Everest ransomware employed a combination of legitimate compromised user accounts and Remote Desktop Protocol (RDP) for lateral movement within the network infrastructure.
To gain access to additional credentials, the threat actor utilized ProcDump, which was used to create a copy of the LSASS process.
This resulted in the creation of a file. Furthermore, a copy of the NTDS database was also generated and stored as a file named ntds.dit.zip.
Throughout the course of the incident, the threat actor consistently removed various tooling, reconnaissance output files, and data collection archives from compromised hosts as a means to evade detection.
Upon compromising a new host, the threat actor engaged in network discovery activities. This was predominantly accomplished through the use of tools such as netscan.exe, netscanpack.exe, and SoftPerfectNetworkScannerPortable.exe.
By conducting network scans, the threat actor aimed to identify potential targets of interest and compile a list for potential ransomware deployment.
One notable action taken by the threat actor was the installation of the WinRAR application on a file server. This application was then utilized to archive data, preparing it for eventual exfiltration.
Command and Control
The primary command and control mechanism employed by the threat actor was Cobalt Strike. Additionally, a Metasploit payload was discovered within the path C:\Users\Public\l.exe.
In addition to these primary methods, the threat actor also deployed several Remote Access Tools as a secondary command and control method. These tools were further utilized for establishing persistence, with the installation of these tools as services.
Remote Access Tools used
- Splashtop Remote Desktop
To exfiltrate data from the compromised network, the threat actor leveraged the file transfer capabilities of Splashtop.
Do not pay the ransom! Contacting a ransomware removal service can not only restore your files but also remove any potential threat.
How to handle an Everest ransomware attack
The first step to recovering from an Everest attack is to isolate the infected computer by disconnecting it from the internet and removing any connected device. Then, you must contact local authorities. In the case of US residents and businesses, it is the local FBI field office and the Internet Crime Complaint Centre (IC3).
To report a ransomware attack you must gather every information you can about it, including:
- Screenshots of the ransom note
- Communications with threat actors (if you have them)
- A sample of an encrypted file
However, if you prefer to contact professionals, then do nothing. Leave every infected machine the way it is and ask for an emergency ransomware removal service. Restarting or shutting down the system may compromise the recovery service. Capturing the RAM of a live system may help get the encryption key, and catching a dropper file, i.e. file executing the malicious payload, might be reverse-engineered and lead to decryption of the data or understanding how it operates.
You must not delete the ransomware, and keep every evidence of the attack. That’s important for digital forensics so experts can trace back to the hacker group and identify them. It is by using the data on your infected system that authorities can investigate the attack and find the responsible. A cyber attack investigation is not different from any other criminal investigation: it needs evidence to find the attackers.
1. Contact your Incident Response provider
A Cyber Incident Response is the process of responding to and managing a cybersecurity incident. An Incident Response Retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with a structured form of expertise and support through a security partner, enabling them to respond quickly and effectively during a cyber incident.
An incident response retainer offers peace of mind to organizations, offering expert support before and in the aftermath of a cybersecurity incident. An incident response retainer’s specific nature and structure will vary according to the provider and the organization’s requirements. A good incident response retainer should be robust but flexible, providing proven services to enhance an organization’s long-term security posture.
If you contact your IR service provider, they can take over immediately and guide you through every step in the ransomware recovery. However, if you decide to remove the ransomware yourself and recover the files with your IT team, then you can follow the next steps.
2. Identify the ransomware infection
You can identify which ransomware infected your machine by the file extension (some ransomware uses the file extension as their name), using a ransomware ID tool, or it will be on the ransom note. With this information, you can look for a public decryption key.
You can also check the ransomware type by its IOCs. Indicators of Compromise (IOCs) are digital clues that cybersecurity professionals use to identify system compromises and malicious activities within a network or IT environment. They are essentially digital versions of evidence left at a crime scene, and potential IOCs include unusual network traffic, privileged user logins from foreign countries, strange DNS requests, system file changes, and more. When an IOC is detected, security teams evaluate possible threats or validate its authenticity. IOCs also provide evidence of what an attacker had access to if they did infiltrate the network.
3. Remove the ransomware and eliminate exploit kits
Before recovering your data, you must guarantee that your device is ransomware-free and that the attackers can’t make a new attack through exploit kits or other vulnerabilities. A ransomware removal service can delete the ransomware, create a forensics document for investigation, eliminate vulnerabilities, and recover your data.
4. Use a backup to restore the data
Backups are the most efficient way to recover data. Make sure to keep daily or weekly backups, depending on your data usage.
5. Contact a ransomware recovery service
If you don’t have a backup or need help removing the ransomware and eliminating vulnerabilities, contact a data recovery service. Paying the ransom does not guarantee your data will be returned to you. The only guaranteed way you can restore every file is if you have a backup. If you don’t, ransomware data recovery services can help you decrypt and recover the files.
SalvageData experts can safely restore your files and prevent Everest ransomware from attacking your network again. Contact our experts 24/7 for ransomware recovery services.
Prevent the Everest ransomware attack
Preventing ransomware is the best solution for data security. is easier and cheaper than recovering from them. Everest ransomware can cost your business’s future and even close its doors.
These are a few tips to ensure you can avoid ransomware attacks:
- Keep your operating system and software up-to-date with the latest security patches and updates. This can help prevent vulnerabilities that can be exploited by attackers.
- Use strong and unique passwords for all accounts and enable two-factor authentication whenever possible. This can help prevent attackers from gaining access to your accounts.
- Be cautious of suspicious emails, links, and attachments. Do not open emails or click on links or attachments from unknown or suspicious sources.
- Use reputable antivirus and anti-malware software and keep it up-to-date. This can help detect and remove malware before it can cause damage.
- Use a firewall to block unauthorized access to your network and systems.
- Limit user privileges to prevent attackers from gaining access to sensitive data and systems.
- Educate employees and staff on how to recognize and avoid phishing emails and other social engineering attacks.