logo

Everest Ransomware

ID: 6ab0e31f-d45d-5f1f-99f5-929785404100

STIX ID: report--6ab0e31f-d45d-5f1f-99f5-929785404100

Feed Name: Security Boulevard

Threat Score
85/100

Date Published: 2026-07-02

Date Updated: 2026-07-03

Author: Ayelen Torello

...
...

This report analyzes the Everest ransomware encryptor, a ConfuserEx-protected .NET binary used in a double-extortion campaign since at least December 2020. It documents the sample’s runtime downgrade to AES-128 and RSA-1024, geo-fencing, noisy pre-encryption actions (recovery sabotage, disabling defenses, SMB1 re-enablement, granting broad ACLs), Wake-on-LAN-based wake-up behavior, DACL self-protection, anti-Raccine removal, continuous monitoring threads that kill security/backups/analysis tools, and the encryption workflow (full encryption for small files, partial for large files). The analysis includes indicators, command tables, targeted processes/services, and an AttackIQ emulation to validate detection and prevention controls.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.