Everest Ransomware Combines Encryption, Access, and Insider Threats
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Everest is a Windows-based ransomware operation active since December 2020 that follows a multi-revenue model built on encryption, initial access brokering, and insider recruitment. The group uses AES-128-CBC for encryption and applies a double-extortion strategy by threatening to publish stolen data on a Tor-based leak site. It also shows technical overlap with BlackByte ransomware, particularly through its local key generation behavior.
Investigation
The report describes the Everest execution chain from initial access through RDP or VPN to defense evasion and final encryption. It analyzes the malware’s use of .NET obfuscation with ConfuserEx and its methods for disabling recovery options such as Shadow Copies and System Restore points. The technical review also examines its network discovery activity, including use of SoftPerfect Network Scanner.
Mitigation
Organizations should enforce multi-factor authentication on all RDP and VPN entry points to reduce the risk of initial compromise. Security teams should monitor for unauthorized changes to Windows Defender Controlled Folder Access and attempts to disable Shadow Copies. Limiting administrative privileges and detecting execution of network scanning tools such as netscan.exe can also help reduce exposure.
Response
If Everest activity is detected, affected systems should be isolated immediately to stop lateral movement and further encryption. Responders should identify and terminate processes attempting to alter security descriptors or delete backup data at scale. Incident response teams should also determine whether data exfiltration occurred through Tor-based channels before containment and recovery proceed.
Attack Flow
Detections
Possible Network Shares Discovery (via cmdline)
View
Suspicious VSSADMIN Activity (via cmdline)
View
Possible Shadow Copies Deletion via WMI (via powershell)
View
Windows Defender Preferences Suspicious Changes (via powershell)
View
Detection of Everest Ransomware Pre-Encryption Defense Evasion Techniques [Windows Powershell]
View
Everest Ransomware Network Discovery and Defense Evasion [Windows Process Creation]
View
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
-
Attack Narrative & Commands: An adversary has gained initial access to a Windows workstation. To prepare for the ransomware deployment phase, they need to map the local network to identify high-value targets and ensure no anti-ransomware tools are active. The adversary attempts to run
netscan.exe(SoftPerfect Network Scanner) to discover live hosts and usesmountvol.exeto list all available volumes, including those not currently assigned a drive letter, to identify potential backup or shadow copies. -
Regression Test Script:
# Simulation script to trigger the Everest Ransomware detection rule logic. # Note: These commands assume the files exist in the current directory or system path. # For simulation purposes, we will use 'echo' to simulate the execution if files aren't present, # but to trigger the ACTUAL rule, the files must be present. Write-Host "[+] Starting Everest Ransomware TTP Simulation..." -ForegroundColor Cyan # 1. Simulate mountvol.exe usage (Standard Windows Tool) Write-Host "[*] Executing mountvol.exe..." -ForegroundColor Yellow mountvol.exe # 2. Simulate NetScan (Requires netscan.exe to be in path/dir) # For the purpose of this validation, we create a dummy file to mimic the name # if the real tool isn't available, though the rule looks for the process execution. Write-Host "[*] Simulating netscan.exe execution..." -ForegroundColor Yellow if (Test-Path ".netscan.exe") { Start-Process ".netscan.exe" } else { Write-Host "[!] netscan.exe not found. Please place a dummy netscan.exe in this folder to trigger detection." -ForegroundColor Red } # 3. Simulate Raccine removal Write-Host "[*] Simulating Raccine.exe execution..." -ForegroundColor Yellow if (Test-Path ".Raccine.exe") { Start-Process ".Raccine.exe" } else { Write-Host "[!] Raccine.exe not found. Please place a dummy Raccine.exe in this folder to trigger detection." -ForegroundColor Red } Write-Host "[+] Simulation complete." -ForegroundColor Cyan -
Cleanup Commands:
# Remove any dummy files created during simulation. Remove-Item ".netscan.exe" -ErrorAction SilentlyContinue Remove-Item ".netscanpack.exe" -ErrorAction SilentlyContinue Remove-Item ".Raccine.exe" -ErrorAction SilentlyContinue Write-Host "[+] Cleanup complete." -ForegroundColor Green