Everest Ransomware
ID: 6ab0e31f-d45d-5f1f-99f5-929785404100
STIX ID: report--6ab0e31f-d45d-5f1f-99f5-929785404100
Feed Name: Security Boulevard
This report analyzes the Everest ransomware encryptor, a ConfuserEx-protected .NET binary used in a double-extortion campaign since at least December 2020. It documents the sample’s runtime downgrade to AES-128 and RSA-1024, geo-fencing, noisy pre-encryption actions (recovery sabotage, disabling defenses, SMB1 re-enablement, granting broad ACLs), Wake-on-LAN-based wake-up behavior, DACL self-protection, anti-Raccine removal, continuous monitoring threads that kill security/backups/analysis tools, and the encryption workflow (full encryption for small files, partial for large files). The analysis includes indicators, command tables, targeted processes/services, and an AttackIQ emulation to validate detection and prevention controls.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
