Everest Ransomware Claims 1 TB Data Theft But Encryptor Shows No Exfiltration Code

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

A new technical breakdown of the Everest ransomware family reveals a strange contradiction at the heart of one of its recent attack claims.

Despite boasting about stealing a full terabyte of data from a victim organization, the actual malware sample used in the intrusion contains no code capable of exfiltrating anything at all.

Everest has been active since at least December 2020 as a double extortion operation, combining file encryption with theft of sensitive data before deployment.

The group is known for hitting a wide range of sectors including government agencies, healthcare providers, and telecom operators across North America, Europe, and Asia.

Its usual playbook involves exploiting vulnerable public facing applications, phishing campaigns, and abusing stolen credentials to gain remote access.

AttackIQ said in a report shared with Cyber Security News (CSN) that they examined a live sample of the Everest encryptor and found that its behavior does not match the group’s own claims about the incident.

The analyzed binary suggests the alleged data theft, if it happened at all, took place during an earlier stage of the intrusion using separate tools rather than through the ransomware payload itself.

ConfuserEx-protected Everest binary (Source – AttackIQ)

This detail matters because it shows how ransomware groups often exaggerate or misrepresent their own operations for extortion leverage.

The encryptor itself is a .NET executable protected with ConfuserEx, a tool that strips identifying watermarks and adds anti tampering layers before analysis begins.

Once launched, it runs three continuous background threads that terminate reverse engineering tools, disable security products, and kill memory heavy processes, all while quietly preparing the system for encryption.

One of the more unusual traits AttackIQ flagged is the ransomware’s use of Wake on LAN broadcasts, sent to force sleeping machines on the network to power up so they too can be encrypted.

This is not something typically seen in most ransomware families and points to an operator focused on maximizing the number of reachable devices in a target environment.

Everest Ransomware Claims 1 TB Data Theft

The sample poses as a .NET Framework application under the filename hlntqyun.exe, compiled just before the tracked incident occurred on Everest’s leak site.

Its cryptographic setup is intentionally misleading, declaring a stronger key size than what actually gets used at runtime, ultimately relying on AES 128 for file data and RSA 1024 to protect the encryption keys, both weaker than what the code initially suggests.

Execution follows a clear pattern starting with a mutex check and a geo fencing routine that avoids systems configured with Commonwealth of Independent States language or locale settings.

Everest binary after ConfuserEx deobfuscation (Source – AttackIQ)

From there, the malware disables Windows Defender’s Controlled Folder Access, deletes shadow copies, wipes backup related files, and even strips Raccine, an open source anti ransomware tool, out of the registry entirely.

Files smaller than 2 MB are fully encrypted and renamed with a .everest extension, while larger files receive partial encryption to speed up the process across large volumes.

The ransomware wraps up by dropping a note called EVERESTRANSOMWARE.txt into every affected folder and on the desktop, before triggering a delayed self deletion routine to erase its own tracks.

Recommendations From the Research

Security teams should expand emulation coverage to include Wake on LAN broadcasts, mapped drive enumeration, and active network connection discovery, since these behaviors reflect genuine attacker movement rather than isolated test conditions.

The report also recommends validating detection and prevention capabilities specifically against the Raccine removal routine and the DACL based self protection mechanism the ransomware uses to resist termination attempts.

Everest Ransomware – 2022-07 – Payload Execution Chain (Source – AttackIQ)

Continuous validation against a realistic attack chain, rather than isolated indicators, gives defenders a clearer picture of where existing controls fall short.

Given Everest’s history of targeting critical sectors and its evolving toolset, organizations are encouraged to treat this encryptor’s behaviors as a benchmark for testing their own resilience against similar double extortion threats.

Indicators of compromise (IoCs):-

Type Indicator Description
SHA-256 Hash 1df92bf4c967297d8a39fc3f619a56702ee96d5cf9196b8e1d5b3654746c6514 Analyzed Everest ransomware encryptor sample
File Name hlntqyun.exe Original filename of the analyzed .NET encryptor binary
File Name EVERESTRANSOMWARE.txt Ransom note dropped on desktop and encrypted directories
File Extension .everest Extension appended to fully or partially encrypted files
Mutex Global7efc73f7-fda1-42d1-a4c5-8f1670bd08a5 Single-instance mutex used to prevent duplicate execution

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.