Skip to main content

Operator dossier

Everest is a ransomware operator currently active on public leak sites. Darkfield has indexed 369 public victims claimed by this operator between September 9, 2021 and May 29, 2026. Everest is a financially-motivated ransomware group that emerged in September 2021, operating with a focus on profit-driven extortion campaigns against organizations primarily in the United States and Europe. The group's country of origin and specific affiliations remain undocumented in public threat intelligence reporting, though their operational patterns suggest they likely operate as an independent entity rather than a formal ransomware-as-a-service model. Limited public documentation exists regarding Everest's specific attack methodologies, initial access vectors, or technical capabilities, though their victim profile indicates they employ standard ransomware tactics targeting a diverse range of sectors including healthcare, technology, business services, and manufacturing organizations. Since their emergence, Everest has claimed responsibility for attacks against 339 victims across multiple countries, with the United States, United Kingdom, Italy, Germany, and Spain representing their primary geographic targets, though no specific high-profile incidents or major ransoms have been publicly documented by law enforcement or major security firms. As of current reporting, Everest appears to remain an active threat actor, though the limited public intelligence available suggests they operate as a lower-tier ransomware group compared to more prominent and well-documented criminal organizations.

Most-targeted sectors

Most-affected countries

Recent disclosures by Everest

Most recent 150 of 369 indexed disclosures. Click any row for the full per-victim dossier.

See every disclosure indexed for Everest

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

All groups

Everest

369 victims indexed · first seen 5 years ago · last activity 2 months ago

369
Victims indexed
#24 of 364 tracked operators
4y 8m
Active period
Sep 2021 → May 2026
30
Countries hit
top United States · 115

At a glance

Status
active
First seen
5 years ago
Last activity
2 months ago
Onion sites
4 known endpoints
Primary sector
Not Found · 51 hits

About

Everest is a financially-motivated ransomware group that emerged in September 2021, operating with a focus on profit-driven extortion campaigns against organizations primarily in the United States and Europe. The group's country of origin and specific affiliations remain undocumented in public threat intelligence reporting, though their operational patterns suggest they likely operate as an independent entity rather than a formal ransomware-as-a-service model. Limited public documentation exists regarding Everest's specific attack methodologies, initial access vectors, or technical capabilities, though their victim profile indicates they employ standard ransomware tactics targeting a diverse range of sectors including healthcare, technology, business services, and manufacturing organizations. Since their emergence, Everest has claimed responsibility for attacks against 339 victims across multiple countries, with the United States, United Kingdom, Italy, Germany, and Spain representing their primary geographic targets, though no specific high-profile incidents or major ransoms have been publicly documented by law enforcement or major security firms. As of current reporting, Everest appears to remain an active threat actor, though the limited public intelligence available suggests they operate as a lower-tier ransomware group compared to more prominent and well-documented criminal organizations.

References

5 links

External sources curated by the MISP threat-intel community.

Timeline

24 months
2024-04-01T00:00:00+00:00 · 32024-05-01T00:00:00+00:00 · 62024-06-01T00:00:00+00:00 · 52024-07-01T00:00:00+00:00 · 52024-08-01T00:00:00+00:00 · 32024-09-01T00:00:00+00:00 · 22024-10-01T00:00:00+00:00 · 62024-11-01T00:00:00+00:00 · 132024-12-01T00:00:00+00:00 · 82025-01-01T00:00:00+00:00 · 82025-02-01T00:00:00+00:00 · 22025-05-01T00:00:00+00:00 · 92025-06-01T00:00:00+00:00 · 82025-07-01T00:00:00+00:00 · 192025-08-01T00:00:00+00:00 · 132025-09-01T00:00:00+00:00 · 112025-10-01T00:00:00+00:00 · 142025-11-01T00:00:00+00:00 · 162025-12-01T00:00:00+00:00 · 102026-01-01T00:00:00+00:00 · 212026-02-01T00:00:00+00:00 · 132026-03-01T00:00:00+00:00 · 62026-04-01T00:00:00+00:00 · 122026-05-01T00:00:00+00:00 · 15
2024-04-01T00:00:00+00:002026-05-01T00:00:00+00:00

Top countries

🇺🇸 United States
115
🇬🇧 United Kingdom
16
🇮🇹 Italy
14
🇺🇸 United States
12
🇪🇸 Spain
9
🇩🇪 Germany
8
🇦🇪 UAE
8
🇯🇵 Japan
6

Top sectors

Healthcare
45
Technology
42
Financial Services
26
Business Services
26
Manufacturing
20
Transportation/Logistics
12
Energy
10
Consumer Services
8

MITRE ATT&CK

9 techniques · 7 tactics

Tactics

Initial AccessExecutionDefense EvasionLateral MovementCollectionExfiltrationImpact

Techniques

  • T1566Phishing
  • T1190Exploit Public-Facing Application
  • T1059Command and Scripting Interpreter
  • T1055Process Injection
  • T1021Remote Services
  • T1005Data from Local System
  • T1039Data from Network Shared Drive
  • T1041Exfiltration Over C2 Channel
  • T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

4 known
  • http://everestndkvzcibcje2cqxhre2hmmybl3rn2gwzwsblz7gx6uryn5rad.onion
  • http://ransomocmou6mnbquqz44ewosbkjk3o5qjsl3orawojexfook2j7esad.onion
  • http://ransomocmou6mnbquqz44ewosbkjk3o5qjsl3orawojexfook2j7esad.onion/
  • http://ransomoefralti2zh5nrv7iqybp3d5b4a2eeecz5yjosp7ggbepj7iyd.onion

Source

Updated 2 months ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.

Get alerted the next time Everest posts a victim.

Add Everest to your watchlist — Pro pings you within 5 minutes of any new Everest leak-site post, Telegram callout, or affiliate-rebrand inference.