Menu
Browse

Cyber Threat Actor: Everest

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Crime Syndicate
Brazil
15 incidents
Profile

Everest, also known as Everest Group or Everest gang, is a ransomware threat actor that has been observed operating from Brazil. The group first appeared in public reporting around 2018 and has since been linked to a series of ransomware incidents involving data theft and extortion. Their activity is characterized by the use of a ransomware variant that bears the same name and by the publication of stolen data on leak sites to pressure victims into payment.

The actor has targeted a wide range of sectors including financial institutions, healthcare providers, technology companies, government agencies, telecommunications, energy utilities and retail organizations. Geographically, victims have been located in the United States, Brazil, Italy, South Africa and other regions, indicating a transnational scope of operations. Public statements and ransom notes consistently show that the group’s primary objective is financial gain, achieved through ransom demands, the sale of stolen data and the offering of network access for cryptocurrency payments.

Everest’s tactics include the deployment of its own ransomware for encryption and data exfiltration, a practice described as double extortion. Initial access has been obtained via phishing emails that deliver remote access tools, through compromised credentials of third‑party vendors and by exploiting shared service providers. Once inside a network, the group has been observed using compromised user accounts and remote desktop protocol for lateral movement. They frequently leak samples of stolen data on dark web forums and sell access to breached environments, sometimes advertising the availability of administrator or root credentials for Linux and Windows systems.

The group has been publicly associated with Black‑Byte ransomware operations, suggesting a loose affiliation or shared tactics with that criminal syndicate. Representative operations include the 2026 ransomware attacks on Citizens Bank and Frost Bank that exposed millions of financial records, the 2026 compromise of Adobe via a compromised contractor that leaked support tickets and employee data, the 2025 breach of healthcare diagnostic firm Viktor Scientific through a revenue‑cycle‑management provider, the 2022 claim of exfiltrating three terabytes of data from the Brazilian government and the 2022 extortion attempt against South Africa’s ESKOM electricity utility where the group demanded $200,000 for alleged administrator access. These examples illustrate the actor’s reliance on third‑party supply chains, credential theft and ransomware deployment to achieve monetary objectives.

Incidents
Attributed incidents available to members
15 incidents
Sources
Sources available to members
6 sources