Everest Ransomware Data Theft Claims Contradicted by Analysis

Everest ransomware analysis highlights Wake-on-LAN use and separate exfiltration phase

Everest ransomware has claimed it stole 1 TB of data in a recent attack, but technical analysis shows no exfiltration code in the actual encryptor. This discovery puts a spotlight on how ransomware groups use exaggerated claims to increase pressure on victims, while their malware may not even have the capabilities they boast about.

Everest Ransomware: Data Theft Claims vs. Technical Reality

AttackIQ conducted a deep dive into a recent Everest ransomware sample after the group posted about a massive 1 terabyte data breach on their leak site. The Everest operation has been active since December 2020, targeting organisations across government, healthcare and telecom sectors in North America, Europe and Asia. The group’s modus operandi typically involves exploiting vulnerable public-facing applications, running phishing campaigns and abusing stolen credentials to gain a foothold in target environments.

The Everest group’s double extortion technique—encrypting files and threatening to leak stolen data—relies on a perception of credibility. In this incident, however, AttackIQ’s analysis of the actual malware used in the attack revealed a major contradiction: the encryptor binary contained no data exfiltration code at all.

This means that the claimed theft of 1 TB of sensitive material could not have happened via the ransomware payload. If exfiltration occurred, it must have been carried out in an earlier stage of the intrusion, using different tooling altogether. This is a significant finding for defenders, as it demonstrates how threat actors’ statements often do not align with the technical reality of their operations.

Technical Breakdown: How Everest Ransomware Works

The Everest encryptor sample examined by AttackIQ was a .NET executable, specifically protected with ConfuserEx. This obfuscation tool is widely used to hinder reverse engineering by stripping watermarks and adding anti-tampering layers. The file, named hlntqyun.exe, was compiled just before the Everest group’s public leak announcement, suggesting a direct link to the incident in question.

  • File Type: .NET Framework application
  • Protection: ConfuserEx obfuscation
  • Cryptography: AES 128 for file encryption, RSA 1024 for key protection
  • Filename: hlntqyun.exe
  • Compilation Timeline: Just prior to leak site posting

Interestingly, the ransomware’s cryptographic setup was deliberately misleading. The code claimed to use stronger encryption keys, but in reality, it defaulted to AES 128 and RSA 1024, both considered weaker than what was implied. This is a common tactic to create confusion during analysis and inflate the perceived difficulty of decryption.

Upon execution, the encryptor performs several checks and actions:

  • Runs a mutex check to avoid multiple instances
  • Performs geo-fencing to skip systems using Commonwealth of Independent States locales
  • Spawns three persistent background threads
  • Terminates any running reverse engineering tools
  • Disables security products and kills memory-intensive processes

Wake-on-LAN: Maximising Impact

One unique behaviour flagged in AttackIQ’s analysis was Everest’s use of Wake-on-LAN broadcasts. This feature forces sleeping machines on the same network to power up, making them available for encryption. This tactic is rarely seen in ransomware and indicates a focus on maximising the number of affected devices within a target environment.

Anti-Analysis and Security Evasion

The encryptor’s background threads are designed to thwart defenders and analysts. By terminating reverse engineering tools, disabling endpoint security products and killing processes that might hinder encryption, Everest increases its chances of success. These features make the ransomware harder to detect and stop during an active attack.

Timeline and Status of Exploitation

The Everest ransomware family first emerged in December 2020 and has since been linked to numerous high-profile attacks. The sample analysed by AttackIQ was compiled and deployed just before the group claimed a 1 TB data theft from their latest victim. However, the absence of data exfiltration code in the sample suggests that if data was stolen, it happened in a prior phase of the attack, potentially using commonly available tools for staging and exfiltration before deploying the ransomware.

Currently, there is no evidence that this specific Everest encryptor variant is capable of exfiltrating files. This means that defenders should focus on earlier stages of the attack lifecycle—compromise, lateral movement and staging—when investigating claims of large-scale data breaches. The use of ConfuserEx and anti-analysis tactics remains a consistent feature of the group’s arsenal, but the claims of integrated data theft in the ransomware itself are unsubstantiated based on available samples.

Why This Matters for Organisations

This Everest ransomware incident highlights the importance of validating threat actor claims with technical evidence. Many ransomware groups exaggerate their capabilities to extract larger ransoms or damage reputations, but their actual tools may not align with their statements.

  • Organisations should not take extortion claims at face value
  • Investigations must focus on all stages of the attack, not just the ransomware payload
  • Monitoring for suspicious lateral movement and evidence of exfiltration outside the encryptor is essential

Immediate Recommendations Based on the Everest Incident

Given the tactics observed, organisations should:

  • Review logs for signs of earlier-stage exfiltration tools and lateral movement
  • Harden network security to prevent unauthorised Wake-on-LAN broadcasts
  • Enhance detection for anti-analysis and security-killing behaviour on endpoints

By focusing on the full attack lifecycle and not just the final ransomware payload, defenders can more effectively respond to and recover from incidents involving the Everest group and similar threat actors.

Originally reported by cybersecuritynews.com.

Share this bulletin

About the Author

Rob McBride Headshot - CyPro Partner and leading cyber security expert

Rob McBride

Partner

  • CISSP
  • ACA Chartered Accountant
  • MPhil
  • BSc
  • SOC 2
  • ISO 27001

Rob McBride

Rob is a Founding Partner at CyPro and a highly experienced CISO. Beginning his career with a successful tenure at Deloitte, Rob has since amassed a wealth of experience, notably serving as a cyber security advisor to the UK government and spearheading cloud security transformations for several global banks.

At CyPro, Rob leads the managed service business line, working extensively across multiple sectors including telecommunications, technology, higher education, travel, and retail. He is passionate about equipping small and medium-sized businesses (SMBs) with robust cyber security strategies to fuel their growth.

View Profile
Back to Bulletins
CyPro Cookie Consent

Hmmm cookies...

Our delicious cookies make your experience smooth and secure.

Privacy PolicyOkay, got it!

We use cookies to enhance your experience, analyse site traffic, and for marketing purposes. For more information on how we handle your personal data, please see our Privacy Policy.

Schedule a Call