Everest ransomware has claimed it stole 1 TB of data in a recent attack, but technical analysis shows no exfiltration code in the actual encryptor. This discovery puts a spotlight on how ransomware groups use exaggerated claims to increase pressure on victims, while their malware may not even have the capabilities they boast about.
Everest Ransomware: Data Theft Claims vs. Technical Reality
AttackIQ conducted a deep dive into a recent Everest ransomware sample after the group posted about a massive 1 terabyte data breach on their leak site. The Everest operation has been active since December 2020, targeting organisations across government, healthcare and telecom sectors in North America, Europe and Asia. The group’s modus operandi typically involves exploiting vulnerable public-facing applications, running phishing campaigns and abusing stolen credentials to gain a foothold in target environments.
The Everest group’s double extortion technique—encrypting files and threatening to leak stolen data—relies on a perception of credibility. In this incident, however, AttackIQ’s analysis of the actual malware used in the attack revealed a major contradiction: the encryptor binary contained no data exfiltration code at all.
This means that the claimed theft of 1 TB of sensitive material could not have happened via the ransomware payload. If exfiltration occurred, it must have been carried out in an earlier stage of the intrusion, using different tooling altogether. This is a significant finding for defenders, as it demonstrates how threat actors’ statements often do not align with the technical reality of their operations.
Technical Breakdown: How Everest Ransomware Works
The Everest encryptor sample examined by AttackIQ was a .NET executable, specifically protected with ConfuserEx. This obfuscation tool is widely used to hinder reverse engineering by stripping watermarks and adding anti-tampering layers. The file, named hlntqyun.exe, was compiled just before the Everest group’s public leak announcement, suggesting a direct link to the incident in question.
- File Type: .NET Framework application
- Protection: ConfuserEx obfuscation
- Cryptography: AES 128 for file encryption, RSA 1024 for key protection
- Filename: hlntqyun.exe
- Compilation Timeline: Just prior to leak site posting
Interestingly, the ransomware’s cryptographic setup was deliberately misleading. The code claimed to use stronger encryption keys, but in reality, it defaulted to AES 128 and RSA 1024, both considered weaker than what was implied. This is a common tactic to create confusion during analysis and inflate the perceived difficulty of decryption.
Upon execution, the encryptor performs several checks and actions:
- Runs a mutex check to avoid multiple instances
- Performs geo-fencing to skip systems using Commonwealth of Independent States locales
- Spawns three persistent background threads
- Terminates any running reverse engineering tools
- Disables security products and kills memory-intensive processes
Wake-on-LAN: Maximising Impact
One unique behaviour flagged in AttackIQ’s analysis was Everest’s use of Wake-on-LAN broadcasts. This feature forces sleeping machines on the same network to power up, making them available for encryption. This tactic is rarely seen in ransomware and indicates a focus on maximising the number of affected devices within a target environment.
Anti-Analysis and Security Evasion
The encryptor’s background threads are designed to thwart defenders and analysts. By terminating reverse engineering tools, disabling endpoint security products and killing processes that might hinder encryption, Everest increases its chances of success. These features make the ransomware harder to detect and stop during an active attack.
Timeline and Status of Exploitation
The Everest ransomware family first emerged in December 2020 and has since been linked to numerous high-profile attacks. The sample analysed by AttackIQ was compiled and deployed just before the group claimed a 1 TB data theft from their latest victim. However, the absence of data exfiltration code in the sample suggests that if data was stolen, it happened in a prior phase of the attack, potentially using commonly available tools for staging and exfiltration before deploying the ransomware.
Currently, there is no evidence that this specific Everest encryptor variant is capable of exfiltrating files. This means that defenders should focus on earlier stages of the attack lifecycle—compromise, lateral movement and staging—when investigating claims of large-scale data breaches. The use of ConfuserEx and anti-analysis tactics remains a consistent feature of the group’s arsenal, but the claims of integrated data theft in the ransomware itself are unsubstantiated based on available samples.
Why This Matters for Organisations
This Everest ransomware incident highlights the importance of validating threat actor claims with technical evidence. Many ransomware groups exaggerate their capabilities to extract larger ransoms or damage reputations, but their actual tools may not align with their statements.
- Organisations should not take extortion claims at face value
- Investigations must focus on all stages of the attack, not just the ransomware payload
- Monitoring for suspicious lateral movement and evidence of exfiltration outside the encryptor is essential
Immediate Recommendations Based on the Everest Incident
Given the tactics observed, organisations should:
- Review logs for signs of earlier-stage exfiltration tools and lateral movement
- Harden network security to prevent unauthorised Wake-on-LAN broadcasts
- Enhance detection for anti-analysis and security-killing behaviour on endpoints
By focusing on the full attack lifecycle and not just the final ransomware payload, defenders can more effectively respond to and recover from incidents involving the Everest group and similar threat actors.
Originally reported by cybersecuritynews.com.





