Dark Web Intelligence Shows Everest Ransomware Group Increasing Initial Access Broker Activity

Searchlight Cyber publishes report on the dark web activity of the Everest ransomware group

Washington DC, US & Portsmouth, UK – June 29, 2023:

Searchlight Cyber, the dark web intelligence company, has published new research on the Everest ransomware group. The findings were shared in a written report, available to Ransomware Spotlight subscribers, and in a webinar hosted by the Searchlight Cyber threat intelligence team.

The Everest ransomware group has been around since at least December 2020, targeting organizations across a number of industries and regions, with a particular concentration in the Americas and in the capital goods, health, and public sectors. It has listed 92 organizations on its dark web leak site and is perhaps most infamous for targeting AT&T and several South American governments.

Searchlight Cyber’s Ransomware Spotlight report focuses on the Everest group’s increasing output as an “Initial Access Broker” – a cybersecurity term for criminals who sell backdoors into organizations on to other criminals but don’t carry out the attack themselves. This behavior is extremely rare among ransomware groups, as a ransomware attack would typically make more money than selling initial access.

The Everest ransomware group frequently deletes its advertisements from its leak site, which means that other security professionals might not be aware of how often the group is acting as an Initial Access Broker.

The report explores several reasons why the Everest group may have moved towards being an Initial Access Broker, including trying to keep a low profile from law enforcement, a loss of personnel, or a different monetization tactic. It also gives an overview of the Everest group’s dark web presence – including its use of dark web hacking forums such as XSS to promote its attacks, the group’s victimology based on the companies it posts on its dark web blog, and known TTPs for the group.

Click here to subscribe to Ransomware Spotlight and receive a copy of the Everest ransomware group report.

Click here to watch the on demand webinar “Ransomware spotlight on Everest group: Unveiling the latest dark web ransomware trends”.


About Searchlight Cyber

Searchlight Cyber provides organizations with relevant and actionable dark web intelligence, to help them identify and prevent criminal activity. Founded in 2017 with a mission to stop criminals acting with impunity on the dark web, we have been involved in some of the world’s largest dark web investigations and have the most comprehensive dataset based on proprietary techniques and ground-breaking academic research. Today we help government and law enforcement, enterprises, and managed security services providers around the world to illuminate deep and dark web threats and prevent attacks. To find out more visit slcyber.io or follow Searchlight Cyber on LinkedIn and Twitter.