Everest cybercriminals offer corporate insiders cold, hard cash for remote access
The ransomware gang changes identities more than Jason Bourne
The Everest ransomware group is stepping up its efforts to purchase access to corporate networks directly from employees amid what researchers believe to be a major transition for the cybercriminals.
In a post at the top of its dark web victim blog, Everest said it will offer a "good percentage" of the profits generated from successful attacks to those who assist in its initial intrusion.
The group also promised to offer partners "full transparency" regarding the nature of each operation, as well as confidentiality about their role in the attack.
Everest is specifically looking for access to organizations based in the US, Canada, and Europe, and would accept remote access by a variety of means including TeamViewer, AnyDesk, and RDP.
The language used on cybercrime forums suggests the group is Russian-speaking, but has also been observed using English on a less frequent basis.
Everest ransomware group's message on its deep web blog advertising its intent to recruit corporate insiders
The message is the same as the one it first posted in July, around the same time researchers suggested it could be dropping the ransomware game entirely.
Over the past few months, the ransomware group is showing greater evidence of an "extremely rare" move to becoming an initial access broker (IAB), according to Searchlight Cyber.
It first started acting as an IAB in 2021 but has shown greater levels of IAB activity since November 2022.
An IAB is a type of group often paid by ransomware criminals to transfer access to an organization's network, sometimes to more than one group at a time, making the deployment of ransomware simpler.
Possible reasons for the rare move from ransomware group to IAB, which would typically lead to a less lucrative business, aren't fully understood but have been speculated to include evading law enforcement and loss of team members.
Internationally coordinated busts of ransomware gangs are becoming more commonplace and Everest could be trying to avoid becoming the next Hive or REvil. With the closure of BreachForums earlier this year, researchers said it could also be trying to use its notoriety as an established ransomware force as a way to sell its access as part of a new business model.
"It is also a possibility that a change of personnel within the group has forced it to change its tactics from ransomware," Searchlight Cyber said.
"For example, infighting within cybercriminal groups is common, and it is within the realms of possibility that the person involved in the encryption part of the ransomware attack has left, leaving less technical ability and skills to carry out full-blown ransomware attacks.
"If the group members involved in initial access remain, that would explain why the group has mostly been undertaking IAB over the past few months."
Sticking to what it knows
Despite evidence showing greater IAB activity at Everest, that's not to say it won't ever go back to being a ransomware-focused group again, or isn't trying to stick with ransomware now.
Over the course of its three-year history, Everest has fluctuated between IAB and ransomware activity regularly. November 2021 was the first time IAB access was sold, but for the majority of 2022 it was predominantly pursuing ransomware.
- US construction giant unearths concrete evidence of cyberattack
- US Navy sailor admits selling secret military blueprints to China for $15K
- From chaos to cadence: Celebrating two decades of Microsoft's Patch Tuesday
- curl vulnerabilities ironed out with patches after week-long tease
It's possible that the latest advert for insider access is Everest attempting to cut out insider access for its own attacks, a move that could lead to greater profits generated by ransomware attacks.
"Organizations of all kinds are optimizing their business models, and where they see unnecessary costs, cutting it," said Harry McLaren, head of security engineering at SenseOn.
"Threat actors are no different, and in an increasingly competitive space, cutting out the IABs could improve their financial returns. Direct attacks from threat actor to victim was the historic method used by all threats and are still used by many APTs to minimize awareness or discoverability."
As regards the potential success of attracting insiders for attacks, Everest will likely have to spend time vetting any respondents to its advert.
Attempts to leverage insiders don't always work, as was the case when the FBI stymied what could have been a highly lucrative attack on a major US target in 2021.
If this is a bid to forgo IABs and pursue a more direct route, experts think cybercriminals won't have the easiest time as the pool of potential willing targets, in most organizations, would be fairly small.
"While it is hard to predict how many insiders inside organizations will be willing to sell access to them, the probability is definitely not zero," Alexey Kleymenov, threat intelligence manager at Nozomi Networks Labs, told The Register.
"For example, we all heard stories where disgruntled employees were attempting to cause damage to their organizations as a form of revenge."
The tactic of getting disgruntled or otherwise rebellious employees isn't new and was adopted by various cybercriminal groups over the years, such as LockBit.
According to a 2022 survey by Pulse and Bravura Security, 65 percent of corporate executives had been contacted directly by ransomware criminals to help facilitate access into their employers' networks.
Promises of large payouts are made to professionals in exchange for facilitating access for the thieves or deploying the ransomware themselves.
An investigation by Abnormal Security in 2021 revealed that someone alleging to be part of the Demonware gang offered 40 percent of the total proceeds of a successful attack in exchange for deploying the ransomware.
In an initial exchange, Demonware offered a fake persona adopted by the researchers a sum of $1 million in Bitcoin after assuming they would be able to successfully ransom an organization for $2.5 million.
Further conversations revealed that when initial phishing attacks targeting executives fail, criminals then turn to insiders for access. ®