When is a ransomware group not a ransomware group?
This “Ransomware Spotlight” report from the Searchlight Cyber threat intelligence team looks at the Everest ransomware group, which has been observed taking the unusual step of acting as an Initial Access Broker.
The Everest ransomware group has been active since at least December 2020, targeting organizations across a number of industries and regions, with a particular concentration in the Americas and in the capital goods, health, and public sectors.
Searchlight Cyber researchers have observed that the Everest group has increased its output as an Initial Access Broker (IAB). This IAB activity, first observed by researchers in November 2021, is extremely rare among ransomware groups.
Everest frequently deletes its access advertisements from its leak site, which could misrepresent how frequently it is acting as an IAB. By capturing deleted posts in our dark web investigation platform, Cerberus, our analysts have observed a marked increase in IAB activity.
Download the report to find out:
- About the Everest ransomware group – including its victimology, its dark web presence, and its known tactics.
- MITRE ATT&CK Tactics, Techniques and Procedures (TTPs) – observed for the Everest group.
- Analysis of the group’s IAB activity – including a timeline of Initial Access Broker posts made by the group on dark web forums.
- Examples of the ransomware group’s Initial Access Broker posts – including those it has since deleted from the dark web.
- Hypotheses as to why the ransomware group is acting as an Initial Access Broker – including to avoid law enforcement action or to generate extra revenue.