Everest is an active ransomware and data extortion group that has been operating since 2020. The group initially focused on data theft, later shifted to ransomware, and has recently begun acting as an initial access broker. It has been linked to 156 incidents to date, with the latest recorded on June 12, 2025.
In May 2025, there was a noticeable increase in Everest-linked activity in the Middle East, likely tied to the compromise of an SAP integrator. VenariX has identified possible indications of access to several SAP SuccessFactors’ client environments.
Overview — Who Is Everest Group?
Everest is a financially motivated ransomware group first observed in December 2020. It started as a data exfiltration operation, but later expanded to include ransomware encryption and leak site operations. By late 2021, the group was also functioning as an initial access broker (IAB). IABs gain unauthorized access to victim environments and sell that access to other threat actors, often for use in ransomware operations. Everest’s leak site disappeared from the dark web after the Colonial Pipeline attack in 2021, but later reappeared, with increased IAB activity throughout 2023.
According to the U.S. Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3), the group is linked to the EverBe 2.0 ransomware family and, more recently, to the Russia-based BlackByte group, based on technical overlap and campaign similarities. These links have been reported by multiple security researchers and are tracked by VenariX.
Targeting Trends & Sector Impact
Our data indicates that Everest may be linked to at least 156 incidents to date. It has targeted a range of sectors, with healthcare being the most affected. Between December 2020 and June 2025, 42 healthcare-related incidents were recorded in our platform, the majority involving U.S.-based organizations, such as AdventHealth and MCNA Dental.


We have observed that Everest experiences an average of three incidents per month. The group primarily uses the dark web for communication and data exposure. Among the 156 incidents tracked, the types of data leaks that have been confirmed or observed included the following:
First and last names
Dates of birth
Confidential business information
Identification numbers (i.e., driver’s license numbers, U.S. Social Security numbers)
Protected health information
Email addresses
The majority of victims are in the private sector, with the United States being the most affected country, accounting for 57.4% of cases.
See the image below for the profile of the threat actor Everest on the VenariX platform:

Attacks on Government Institutions
In May 2025, we analyzed Everest’s leak site and identified eight impacted entities in the Middle East. Each leak contained structured Human Resources (HR) data from SAP SuccessFactors.
Upon closer analysis, we observed a common denominator: five of the eight organizations appear to be clients of the same SAP integrator, INK IT Solutions. Based on the available evidence, initial access may have occurred through the integrator, enabling lateral movement into client environments. For the remaining three victims, we did not identify a clear connection to the SAP partner.
Data exposed across the incidents included:
Employee directories
Payroll and compensation records
Passport and ID scans
Internal HR and onboarding documentation
Identified victims include:
Department of Culture and Tourism — Abu Dhabi
Jordan Kuwait Bank
Mediclinic Group
Coca-Cola Al Ahlia Beverages
Jamjoom Pharma
Kaefer
Khidmah, LLC
PDI Health

Downstream Effects
One of the victims, the Department of Culture and Tourism — Abu Dhabi, may have exposed data belonging to other entities during the breach.
Downstream victims may include:
Abu Dhabi Arabic Language Centre
Al Ain Book Festival
Department of Municipalities and Transport
Al Qattara Arts Centre
Culture Summit Abu Dhabi
Louvre Abu Dhabi
Manarat Al Saadiyat
See the screenshot below for details:

Inside the Everest Playbook: MITRE ATT&CK Tactics and Techniques
Everest uses a combination of commodity tools and stealthy procedures throughout all phases of an attack. Below is a mapped breakdown based on the MITRE ATT&CK.
Initial Access: T1133 (External Remote Services) — Exploiting insecure external services
Execution: T1059.001 (PowerShell) and T1059.003 (Windows Command Shell) — Using legitimate tools for malicious purposes
Lateral Movement: T1021.001 (Remote Services: RDP) — Using RDP to move across the network
Persistence: T1543.003 (Windows Service) — Installing remote desktop tools as services
Credential Access: T1003.001 (LSASS Memory) and T1003.003 (NTDS) — Dumping credentials from memory and databases
Defense Evasion: T1070.004 (File Deletion) — Removing activity traces
Discovery: T1046 (Network Service Discovery) — Scanning the network
Collection: T1560.001 (Archive via Utility) — Archiving data with WinRAR
Command and Control: T1071.001 (Web Protocols) and T1219 (Remote Access Software) — Using Cobalt Strike and similar tools
Exfiltration: T1041 (Over C2 Channel) — Exfiltrating data via Splashtop
Impact: T1486 (Data Encrypted for Impact) — Encrypting data
Tools Frequently Leveraged
According to the Everest threat profile, the group repurposes legitimate software in its campaigns. Key tools include:
ProcDump — Dumps credentials from LSASS
SoftPerfect Network Scanner — Discovery and lateral movement
WinRAR — Archives files pre-exfiltration
Cobalt Strike — C2 communications via HTTPS
AnyDesk, Splashtop, Atera — Used to maintain access
Everest actors typically remove logs and tools after use, which limits post-incident forensic visibility.
Typical preventions against Everest include:
Everest relies on initial access brokers and stealthy post-exploitation. Mitigation requires a combination of access restrictions, activity monitoring, and response preparedness.
Key recommendations include:
Disable unused RDP ports and audit remote access logs
Use multi-factor authentication for admin access
Monitor scheduled tasks and PowerShell activity
Regularly patch endpoints, update antivirus/EDR, and back up systems offline
Segment networks and apply least privilege principles
Apply IOC detection rules for Splashtop, Cobalt Strike, and WinRAR behaviors
Monitor unusual file collection and archiving activity
Use the VenariX platform to understand how these groups operate, their reach, and recurring patterns across campaigns.
Conclusion
As observed on the VenariX platform, recent Everest activity shows a shift toward supply chain compromise and third-party SaaS targeting, particularly through platforms such as SAP SuccessFactors. The group relies on remote access tools and credential-based lateral movement to limit detection.
Organizations with exposed remote services, HR SaaS integrations, or third-party-managed infrastructure (e.g., IT Managed Service Providers) should consider Everest a current and relevant threat. VenariX users can monitor Everest-related activity through:
Filtering incidents by threat actor using the Everest tag
Real-time visibility into new Everest claims via platform integrations and API access.
Correlation of CVEs with incidents linked to Everest activity.