Operator dossier

Everest is a ransomware operator currently active on public leak sites. Darkfield has indexed 360 public victims claimed by this operator between September 9, 2021 and May 7, 2026. Everest is a financially-motivated ransomware group that emerged in September 2021, operating with a focus on profit-driven extortion campaigns against organizations primarily in the United States and Europe. The group's country of origin and specific affiliations remain undocumented in public threat intelligence reporting, though their operational patterns suggest they likely operate as an independent entity rather than a formal ransomware-as-a-service model. Limited public documentation exists regarding Everest's specific attack methodologies, initial access vectors, or technical capabilities, though their victim profile indicates they employ standard ransomware tactics targeting a diverse range of sectors including healthcare, technology, business services, and manufacturing organizations. Since their emergence, Everest has claimed responsibility for attacks against 339 victims across multiple countries, with the United States, United Kingdom, Italy, Germany, and Spain representing their primary geographic targets, though no specific high-profile incidents or major ransoms have been publicly documented by law enforcement or major security firms. As of current reporting, Everest appears to remain an active threat actor, though the limited public intelligence available suggests they operate as a lower-tier ransomware group compared to more prominent and well-documented criminal organizations.

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Active ransomware operator

← All groups

Everest

360 victims indexed · first seen 5 years ago · last activity 13 days ago

360

Victims indexed

#25 of 348 tracked operators

4y 8m

Active period

Sep 2021 → May 2026

Countries hit

top United States · 94

At a glance

Status: active
First seen: 5 years ago
Last activity: 13 days ago
Onion sites: 3 known endpoints
Primary sector: Not Found · 49 hits

About

Everest is a financially-motivated ransomware group that emerged in September 2021, operating with a focus on profit-driven extortion campaigns against organizations primarily in the United States and Europe. The group's country of origin and specific affiliations remain undocumented in public threat intelligence reporting, though their operational patterns suggest they likely operate as an independent entity rather than a formal ransomware-as-a-service model. Limited public documentation exists regarding Everest's specific attack methodologies, initial access vectors, or technical capabilities, though their victim profile indicates they employ standard ransomware tactics targeting a diverse range of sectors including healthcare, technology, business services, and manufacturing organizations. Since their emergence, Everest has claimed responsibility for attacks against 339 victims across multiple countries, with the United States, United Kingdom, Italy, Germany, and Spain representing their primary geographic targets, though no specific high-profile incidents or major ransoms have been publicly documented by law enforcement or major security firms. As of current reporting, Everest appears to remain an active threat actor, though the limited public intelligence available suggests they operate as a lower-tier ransomware group compared to more prominent and well-documented criminal organizations.

References

5 links

External sources curated by the MISP threat-intel community.

Timeline

24 months

2024-02-01T00:00:00+00:002026-03-01T00:00:00+00:00

Top countries

🇺🇸 United States

🇬🇧 United Kingdom

🇮🇹 Italy

🇩🇪 Germany

🇪🇸 Spain

🇦🇪 UAE

🇯🇵 Japan

🇨🇭 Switzerland

United States dossier →United Kingdom dossier →Italy dossier →Germany dossier →

Top sectors

Not Found

Healthcare

Technology

Business Services

Manufacturing

Financial Services

Transportation/Logistics

Energy

Not Found dossier →Healthcare dossier →Technology dossier →Business Services dossier →

MITRE ATT&CK

9 techniques · 7 tactics

Tactics

Initial AccessExecutionDefense EvasionLateral MovementCollectionExfiltrationImpact

Techniques

T1566Phishing
T1190Exploit Public-Facing Application
T1059Command and Scripting Interpreter
T1055Process Injection
T1021Remote Services
T1005Data from Local System
T1039Data from Network Shared Drive
T1041Exfiltration Over C2 Channel
T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

3 known

http://ransomocmou6mnbquqz44ewosbkjk3o5qjsl3orawojexfook2j7esad.onion
http://ransomocmou6mnbquqz44ewosbkjk3o5qjsl3orawojexfook2j7esad.onion/
http://ransomoefralti2zh5nrv7iqybp3d5b4a2eeecz5yjosp7ggbepj7iyd.onion

Source

Updated 13 days ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.