Everest
Everest is a Russia-linked ransomware-as-a-service (RaaS) operation active since at least 2020. It is consistently described as a double-extortion group: operators exfiltrate data, encrypt systems, and threaten to leak or sell stolen information if victims do not pay. The reporting also states that Everest has expanded into initial access brokerage, including selling network footholds to other threat actors.
The group has been publicly associated with numerous victim claims across sectors and geographies, including finance, healthcare, aviation, energy, manufacturing, retail, and technology. Reported or claimed victims in the available reporting include Frost Bank, Citizens Financial Group, Under Armour, Petrobras, Dublin Airport, Iberia, Vikor Scientific/Vanta Diagnostics (via third-party provider Catalyst RCM), Polycom/HP Poly-linked systems, Hosokawa Micron Corporation, and others. In healthcare-related reporting, Everest claimed theft of internal documents, EMRs, patient information, billing data, and PDF databases from Vikor Scientific and affiliated labs; the related incident was reported as affecting 139,964 individuals. In financial-sector reporting, Everest claimed large datasets from Frost Bank and Citizens, though both organizations stated the exposure originated from a third-party vendor and said they had no evidence of unauthorized access to their own internal networks. That pattern, a victim listed on the leak site while the actual compromise sits at a vendor, recurs in the reporting and is worth keeping in mind when triaging a claim.
Everest operates a Tor-based leak site and uses timed publication deadlines as part of extortion. Examples in the content include six-day, seven-day, eight-day, and nine-day countdowns before alleged public release. The group has claimed theft volumes such as 343 GB in the Under Armour case, approximately 90 GB in the Polycom-linked case, and 159 GB in the SIAD Group claim. In some cases, screenshots or sample data were posted to support claims, although multiple reports note that some allegations were unverified or lacked independent confirmation.
Behavior and tradecraft directly mentioned in the content include data theft prior to encryption, public leak-site shaming, and in at least one victim report, advice to monitor for lateral movement and Cobalt Strike-related activity following an Everest compromise. The content also notes that the same defacement message later seen in the May 2025 LockBit panel compromise had previously been used in a compromise of Everest’s dark web leak site, indicating Everest itself was at one point targeted by an unknown actor.
Targeting reflected in the provided material spans the United States, Europe, Japan, South Korea, and Brazil, with impacts or claims involving banks, airlines and airports, diagnostic and laboratory services, industrial firms, and major consumer brands. Taken together, the high-confidence details in the supplied content characterize Everest as an active, high-volume double-extortion ransomware operation with broad sector targeting, leak-site-based coercion, and recurring overlap with third-party/supply-chain compromise scenarios.
Groups observed using it
2 distinct threat actors attributed by public researchers.
"This latest blog documents the TTPs employed by a group who were observed deploying Everest ransomware during a recent incident response engagement."
Techniques & procedures
9 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
1 technique
Collection
1 technique
"access a server on November 8–9, 2025, and copy data without permission."
Exfiltration
5 techniques
"The group alleges it obtained approximately 90GB of internal data... the data is described as a database and internal company documentation."
"Everest Ransomware Says It Breached Brazilian Energy Giant Petrobras" / "demanding contact through qTox"
"The images appear to show internal file directories, engineering build environments, source code trees, software logs, and technical documentation linked to Polycom’s conferencing platforms..."
The Everest ransomware gang listed Frost Bank and Citizens Financial Group on its dark web leak site on April 20th, setting a six-day deadline before publicly releasing stolen data.
"publicly disclosed the victims on their Dedicated Leak Sites (DLS)"
Impact
2 techniques
The Everest ransomware-as-a-service (RaaS) operation has been active since at least 2020, running a double-extortion model. This means the Russia-linked attackers steal data, encrypt systems, and threaten to publish everything if the victim doesn't pay.
The attackers released samples of sensitive financial data, setting a six-day ultimatum before public release... This is a very common extortion tactic used by ransomware gangs to pressure victims into negotiating and eventually paying the ransom.
IOCs tracked for this family
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
46 sources tracked across advisories, community write-ups, and news.
A ransomware operation mentioned as one of the actors contributing to Japan’s victim count in Q1 2026.
Everest is a ransomware-as-a-service operation using double extortion: stealing data, encrypting systems, and threatening public release if victims do not pay. The content also states it has expanded into initial access brokerage by selling network footholds to other threat actors.
Ransomware used in attacks against organizations in South Korea (exhibition management platform and an elevator manufacturer).
Extortion group described as Russian-speaking and active since 2020; cited for large-scale customer data theft and publication when demands are not met.