
Healthcare Sector Warned About Everest Ransomware Group

The Health Sector Cybersecurity Coordination Center has issued a threat profile of the Everest Ransomware group, which was behind the recent ransomware attack on Gramercy Surgery Center in New York. The group has also claimed responsibility for attacks on Horizon View Medical Center in Las Vegas, 2K Dental in Ohio, Prime Imaging in Tennessee, and Stages Pediatric Care in Florida, and has increasingly been targeting the healthcare and public health (HPH) sector since 2021. The group has added more than 120 victims to its data leak site, around 34% of which are located in the United States, and around 27% of U.S. victims are in the healthcare industry. Between April 2021 and July 2024, the group conducted at least 20 attacks on healthcare organizations, disproportionately targeting medical imaging providers.

The Everest ransomware group was first identified in December 2020 and rapidly became well-known within the cybercrime community after conducting attacks on high-profile targets including the Brazilian government and NASA. The group uses double extortion tactics: sensitive data is exfiltrated first, ransomware is then used to encrypt files, and a ransom payment is demanded both to decrypt the files and to prevent the stolen data from being uploaded to its dark web data leak site. Researchers who analyzed the encryptor used by Everest found similarities to the BlackByte ransomware. Everest is also known to collaborate with other ransomware groups, such as Ransomed.

The group initially focused on data exfiltration, with ransomware only used in more recent attacks. Since late 2022, Everest has increasingly specialized as an initial access broker (IAB). An IAB is a threat group primarily concerned with breaching company networks, installing malware that provides remote access to those systems, and selling that access to other threat actors. This tactic is relatively rare among threat groups: if a group can breach company networks and has an encryptor, it can usually make more money by conducting the ransomware attack itself rather than selling access to another threat group. One reason for choosing the IAB model could be to keep a low profile and avoid law enforcement scrutiny.

The group has been observed advertising for corporate insiders, offering them cash payments to provide remote access to their employers' networks, including via shell, VNC, HVNC, RDP with VPN, and various remote access software tools. Access is also known to be purchased from other cybercriminals. Once access to a corporate network is gained, Everest uses compromised user accounts and RDP for lateral movement, and also exploits weak credentials. The group has been observed removing tools, reconnaissance output files, and data collection archives from compromised hosts to hide its tracks and maintain persistence.


Everest actors primarily use Cobalt Strike for command and control communications, tools such as netscan.exe, netscanpack.exe, and SoftPerfect Network Scanner for network discovery, and WinRAR, which is installed on file servers to archive files for exfiltration. Data is exfiltrated using tools such as Splashtop and is either ransomed or sold. The Everest Ransomware group threat profile includes Indicators of Compromise (IoCs) and recommended mitigations and can be accessed here (PDF).
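The tooling sequence described in the two paragraphs above (scanner for discovery, WinRAR archiving on a file server, a remote access tool for exfiltration) is something a SOC can look for in process-creation telemetry. The following is an added example written for this article; it is not code from the HIPAA Journal, HC3, or the threat profile. It runs a small set of detection rules over constructed events in the shape of Sysmon Event ID 1 (process creation) and raises a correlated alert when a host shows discovery followed by archiving within a short window. The event field names, hostnames, user names, timestamps, and the Splashtop install path are all constructed; the tool names netscan.exe, netscanpack.exe, and WinRAR come from the article, and rar.exe (WinRAR's command-line binary) is added as an assumption.

```python
"""Detection pass over constructed process-creation events (added example, not from the article)."""
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Tool names named in the article, plus rar.exe (WinRAR command-line binary; assumption).
DISCOVERY_TOOLS = {"netscan.exe", "netscanpack.exe"}
ARCHIVERS = {"winrar.exe", "rar.exe"}
# Matched as a substring of the image path; the install path itself is constructed.
REMOTE_ACCESS_MARKERS = ("splashtop",)
# Discovery followed by archiving on the same host within this window is escalated.
CORRELATION_WINDOW = timedelta(hours=2)

# Constructed sample events (Sysmon Event ID 1 style); every value here is made up.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2024-07-10T01:02:00", "host": "FS01", "role": "fileserver", "user": "corp\\svc_backup",
     "image": r"C:\Users\Public\netscan.exe", "cmdline": "netscan.exe /range:10.0.0.0/24"},
    {"ts": "2024-07-10T01:20:00", "host": "FS01", "role": "fileserver", "user": "corp\\svc_backup",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "cmdline": r"WinRAR.exe a -r D:\stage\finance.rar D:\shares\finance"},
    {"ts": "2024-07-10T01:45:00", "host": "FS01", "role": "fileserver", "user": "corp\\svc_backup",
     "image": r"C:\Program Files\Splashtop\streamer.exe", "cmdline": "streamer.exe"},
    # Benign: a user extracting an archive on a workstation should not alert.
    {"ts": "2024-07-10T09:00:00", "host": "WS07", "role": "workstation", "user": "corp\\jdoe",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe", "cmdline": r"WinRAR.exe x C:\Users\jdoe\report.rar"},
    {"ts": "2024-07-10T09:05:00", "host": "WS07", "role": "workstation", "user": "corp\\jdoe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]


def _image_name(image: str) -> str:
    """Lower-cased file name from a Windows or POSIX style path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return the attack stage a single event suggests, or None if it looks benign."""
    name = _image_name(event["image"])
    if name in DISCOVERY_TOOLS:
        return "discovery"
    if name in ARCHIVERS:
        tokens = event["cmdline"].split()
        # WinRAR/rar "a" adds files to an archive (staging for exfiltration);
        # "x" (extract) is ordinary user activity and is ignored.
        if len(tokens) > 1 and tokens[1].lower() == "a":
            return "staging"
        return None
    if any(marker in event["image"].lower() for marker in REMOTE_ACCESS_MARKERS):
        return "remote_access_tool"
    return None


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Emit per-event alerts and a correlated alert when discovery precedes staging on one host."""
    alerts: List[Dict[str, str]] = []
    last_discovery: Dict[str, datetime] = {}  # host -> time of most recent discovery event
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage is None:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        severity = "medium"
        if stage == "staging" and ev.get("role") == "fileserver":
            severity = "high"  # archiving shares on a file server matches the exfiltration prep described
        alerts.append({"host": ev["host"], "stage": stage, "severity": severity,
                       "ts": ev["ts"], "user": ev["user"]})
        if stage == "discovery":
            last_discovery[ev["host"]] = ts
        elif (stage == "staging" and ev["host"] in last_discovery
              and ts - last_discovery[ev["host"]] <= CORRELATION_WINDOW):
            alerts.append({"host": ev["host"], "stage": "discovery_then_staging", "severity": "critical",
                           "ts": ev["ts"], "user": ev["user"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f'{alert["ts"]} {alert["host"]:5} {alert["severity"]:8} {alert["stage"]} ({alert["user"]})')
```

On the constructed sample the benign workstation activity produces nothing, while FS01 yields a discovery alert, a high-severity staging alert, the correlated critical alert, and a remote-access-tool alert. In production the same logic would sit on top of real process-creation telemetry, and the article's note that Everest deletes tools and archives afterwards is a reason to alert on the process events as they happen rather than relying on artifacts surviving on disk.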

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve's editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
