✅ Report Title: Threat Group Profiling: Everest
✅ Executive Summary:
- Everest is a threat group active since late 2020 that combines data extortion with the sale of compromised corporate access, initially targeting the legal sector before expanding across multiple countries and industries.
📌 Who Is the Everest Group?
- Everest is a threat group that began operations between November and December 2020.
- In December 2020, a leak site under the name “Everest ransom team” was made publicly available.
- Following the Colonial Pipeline attack, ransomware activity was banned on major hacking forums, leading to the suspension of Everest’s leak site operations in May 2021.
- Colonial Pipeline Attack: In May 2021, Colonial Pipeline, a major U.S. fuel pipeline operator, suspended operations after a ransomware attack. The FBI announced that the attack was attributed to DarkSide, a ransomware group believed to be based in Russia.
- In addition to leaking stolen data from victim organizations, Everest has also been observed operating as an Access Broker by selling compromised corporate access.
- In April 2025, the group’s leak site became inaccessible after being attacked, and its homepage was defaced by unknown actors with a satirical warning message.
📌 Major Targeted Countries
- Everest primarily targeted the United States and European countries.
- Attack activity has also been observed in Asian countries, including Japan, China, Taiwan, Thailand, Vietnam, and South Korea.
📌 Major Targeted Industries
- From 2020 to 2022, Everest mainly targeted the legal services sector.
- During this period, more than 35% of identified victims were associated with the legal industry.
- The group later expanded its targeting scope, and in October 2025, an airport in Ireland and a major U.S. telecommunications company were listed on the group’s leak site.
- In December 2025, indications of infection were identified at a computer manufacturing company in Taiwan.
- On January 10, 2026, a Japanese automotive company (Company N) was identified as a potential victim of an attack attributed to the Everest group. The group claimed to have obtained 900 GB of data, uploaded six sample images, and announced that the full dataset would be released eight days later.
[Image: Everest group leak site]
📌 Exploited Vulnerabilities and Attack Patterns
- The Everest ransomware is known to be a variant of the Everbe ransomware that was active between 2018 and 2020.
- The ransomware encrypts files using AES (Advanced Encryption Standard), one of the most widely adopted encryption standards, and then encrypts the AES decryption key using RSA, so the file key can only be recovered with the attacker-held RSA private key.
- Encrypted files are known to have the EVEREST extension appended.
- Everest abuses ProcDump, a diagnostic tool provided by Microsoft, to extract memory contents from the LSASS (Local Security Authority Subsystem Service) process in order to steal system login credentials.
- The group also creates a copy of the database containing Active Directory information stored in NTDS (New Technology Directory Services).
- Active Directory: A Windows-based directory service used to centrally manage user accounts and access permissions within an organization.
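As an added illustration of how a defender can look for the two credential-theft behaviours described above (ProcDump run against LSASS, and a copy of the NTDS database), the following detection logic is written for this page and is not S2W code. It assumes process-creation records with Sysmon-style field names (Image, OriginalFileName, CommandLine); the events and rule names are constructed for the example.

```python
"""Detect ProcDump-against-LSASS and ntdsutil NTDS-copy patterns in process-creation events.
Field names follow Sysmon Event ID 1; the events below are constructed samples, not real telemetry."""
import re

SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    # ProcDump renamed on disk: the PE version info (OriginalFileName) still says procdump.
    {"Image": r"C:\Users\Public\pd.exe", "OriginalFileName": "procdump",
     "CommandLine": r"pd.exe -accepteula -ma lsass.exe C:\Users\Public\l.dmp"},
    # ProcDump given a PID instead of a name: lsass is not in the command line, so flag for PID correlation.
    {"Image": r"C:\Tools\procdump64.exe", "OriginalFileName": "procdump",
     "CommandLine": r"procdump64.exe -ma 712 C:\Tools\out.dmp"},
    # ntdsutil "ifm" creates an installation-media copy of the Active Directory database.
    {"Image": r"C:\Windows\System32\ntdsutil.exe", "OriginalFileName": "ntdsutil.exe",
     "CommandLine": 'ntdsutil "ac i ntds" "ifm" "create full C:\\x" q q'},
    # Benign: the word lsass in a document name, not a ProcDump binary.
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe lsass_notes.txt"},
]

LSASS_RE = re.compile(r"\blsass(\.exe)?\b", re.IGNORECASE)   # process named explicitly
PID_TARGET_RE = re.compile(r"-m\w*\s+(\d+)\b", re.IGNORECASE)  # dump switch followed by a PID


def _basename(event):
    return event.get("Image", "").lower().rsplit("\\", 1)[-1]


def is_procdump(event):
    """Match on the embedded original file name so a renamed binary is still caught."""
    original = (event.get("OriginalFileName") or "").lower()
    return original.startswith("procdump") or _basename(event).startswith("procdump")


def detect(event):
    """Return (rule_name, severity) for a suspicious event, or None."""
    cmd = event.get("CommandLine", "")
    if is_procdump(event):
        if LSASS_RE.search(cmd):
            return ("procdump_lsass_dump", "high")
        if PID_TARGET_RE.search(cmd):
            return ("procdump_pid_target_check_lsass", "medium")
    if _basename(event) == "ntdsutil.exe" and re.search(r"\bifm\b", cmd, re.IGNORECASE):
        return ("ntdsutil_ifm_ntds_copy", "high")
    return None


def scan(events):
    """Run detect() over a batch and return (image, rule, severity) for every hit."""
    return [(e["Image"], *hit) for e in events if (hit := detect(e))]
```

The medium-severity PID case is deliberate: a dump switch aimed at a bare PID needs correlation with process telemetry to confirm the target was LSASS, so it is surfaced for triage rather than dropped.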
🧑💻 Author: S2W TALON
👉 Contact us: https://s2w.inc/en/contact
*The full report is available upon request or with a subscription to the S2W platform.