Everest ransomware operation transitioning into an IAB

The Register reports that increased efforts by the Russian-speaking Everest ransomware gang to secure corporate network access, particularly from entities across the U.S., Canada, and Europe, suggest that the operation is moving toward becoming an initial access broker (IAB). On its dark web site, Everest advertised to corporate insiders a significant portion of the profits from attacks facilitated by network access, which could be given through RDP, AnyDesk, and TeamViewer, and it was also noted to have pledged complete transparency on operations and confidentiality. While Everest's shift to an IAB setup may be driven by increasingly prevalent international law enforcement operations dismantling ransomware groups, such a change in business may also be fueled by personnel changes, according to Searchlight Cyber. "For example, infighting within cybercriminal groups is common, and it is within the realms of possibility that the person involved in the encryption part of the ransomware attack has left, leaving less technical ability and skills to carry out full-blown ransomware attacks. If the group members involved in initial access remain, that would explain why the group has mostly been undertaking IAB over the past few months," said Searchlight Cyber.
