Everest cybercriminals offer corporate insiders cold, hard cash for remote access

October 12, 2023 at 09:57AM

The Everest ransomware group is seeking to recruit corporate insiders to gain access to corporate networks directly. The group is offering a percentage of the profits from successful attacks to those who assist in the initial intrusion, promising transparency and confidentiality. Everest is specifically targeting organizations in the US, Canada, and Europe. Researchers speculate that the group’s shift to becoming an initial access broker (IAB) may be an effort to evade law enforcement and compensate for the closure of BreachForums. However, Everest has a history of fluctuating between IAB and ransomware activity.

Key Points from Meeting Notes:

1. The Everest ransomware group is changing its tactics and looking to purchase access to corporate networks directly from employees.

2. Everest is offering a “good percentage” of the profits from successful attacks to those who assist in the initial intrusion.

3. The group promises partners “full transparency” and confidentiality about their role in the attack.

4. Everest is specifically targeting organizations in the US, Canada, and Europe and is accepting remote access through various means like TeamViewer, AnyDesk, and RDP.

5. The group has been observed using both Russian and English.

6. Everest appears to be transitioning to becoming an initial access broker (IAB), where they transfer network access to other ransomware groups for a fee.

7. The move to becoming an IAB may be a strategic decision to evade law enforcement and mitigate the risk of losing team members.

8. Recent international busts of ransomware gangs may have prompted Everest to change its tactics.

9. The closure of the BreachForums platform earlier this year could be another reason for Everest’s change in strategy.

10. It is possible that internal changes within the group have forced them to shift from pure ransomware attacks to the IAB model.

11. Despite the increased IAB activity, Everest may still engage in ransomware attacks in the future.

12. Everest’s latest attempt to recruit insiders may be an effort to cut out IABs and increase profits from direct ransomware attacks.

13. However, attracting insider help may be challenging as the pool of willing targets in organizations is limited.

14. Other cybercriminal groups have used similar tactics to recruit insiders in the past, with promises of large payouts.

15. Companies should be vigilant and aware of the potential risks of insider threats and take necessary measures to protect their networks.

16. The success of attracting insiders for attacks is uncertain, but the probability is not zero.

17. Disgruntled employees seeking revenge or wanting to damage their organizations may be willing to sell access to threat actors.

18. A survey found that 65% of corporate executives had been contacted directly by ransomware criminals to facilitate network access.

19. Promises of large payouts have been offered to professionals in exchange for assistance in deploying ransomware.

20. Organizations should implement robust security measures and training to prevent and detect insider threats.
