Everest cybercriminals offer corporate insiders cold, hard cash for remote access

The ransomware gang changes identities more than Jason Bourne


The Everest ransomware group is stepping up its efforts to purchase access to corporate networks directly from employees amid what researchers believe to be a major transition for the cybercriminals.

In a post at the top of its dark web victim blog, Everest said it will offer a "good percentage" of the profits generated from successful attacks to those who assist in its initial intrusion.

The group also promised to offer partners "full transparency" regarding the nature of each operation, as well as confidentiality about their role in the attack.

Everest is specifically looking for access to organizations based in the US, Canada, and Europe, and would accept remote access by a variety of means including TeamViewer, AnyDesk, and RDP.
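The access routes named in the advert are also the ones a defender can watch for. As an added example (not from the article, and not code from Everest, Searchlight Cyber or any other party it mentions), the Python below scans constructed Windows-style log records for two of those routes: a TeamViewer or AnyDesk process starting on a host where the tool is not sanctioned, and an interactive RDP logon (Security event 4624, logon type 10) from an address outside RFC 1918 space. The record format, host names, the approved-host list and the sample lines are all assumptions made for illustration; map the regexes to your own Sysmon or Security-log telemetry.

```python
"""Flag the remote-access paths an insider could hand to an intruder.

Added example only: field layout, host names and sample records below are
constructed for illustration and are not taken from the article or from any
real telemetry.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Remote-access tools named in the advert, matched on the image file name.
REMOTE_ACCESS_TOOLS = {
    "teamviewer": "TeamViewer",
    "anydesk": "AnyDesk",
}

# Hypothetical allow-list: hosts where IT has sanctioned a given tool.
APPROVED_HOSTS = {"AnyDesk": {"HELPDESK-01"}}

# Constructed records in a simplified key=value layout (EventID=1 stands in for
# Sysmon process creation, EventID=4624 for a Windows Security logon event).
SAMPLE_LOGS = [
    "EventID=1 Host=FIN-PC-07 User=CORP\\jdoe Image=C:\\Users\\jdoe\\Downloads\\AnyDesk.exe",
    "EventID=1 Host=HELPDESK-01 User=CORP\\svc_help Image=C:\\Program Files\\AnyDesk\\AnyDesk.exe",
    "EventID=1 Host=FIN-PC-07 User=CORP\\jdoe Image=C:\\Windows\\System32\\notepad.exe",
    "EventID=4624 Host=FIN-PC-07 User=CORP\\jdoe LogonType=10 Src=203.0.113.45",
    "EventID=4624 Host=FIN-PC-07 User=CORP\\jdoe LogonType=10 Src=10.20.30.40",
    "EventID=4624 Host=FIN-PC-07 User=CORP\\jdoe LogonType=3 Src=203.0.113.45",
]

PROCESS_RE = re.compile(
    r"^EventID=1 Host=(?P<host>\S+) User=(?P<user>\S+) Image=(?P<image>.+)$"
)
LOGON_RE = re.compile(
    r"^EventID=4624 Host=(?P<host>\S+) User=(?P<user>\S+) "
    r"LogonType=(?P<type>\d+) Src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    kind: str    # "tool" for an unsanctioned remote-access binary, "rdp" for an external RDP logon
    detail: str


def classify_tool(image: str) -> Optional[str]:
    """Return the tool label if the image name matches a known remote-access tool."""
    name = image.rsplit("\\", 1)[-1].lower()
    for needle, label in REMOTE_ACCESS_TOOLS.items():
        if needle in name:
            return label
    return None


def is_internal(ip: str) -> bool:
    """True for RFC 1918 addresses; anything else is treated as internet-facing."""
    if ip.startswith(("10.", "192.168.")):
        return True
    return re.match(r"^172\.(1[6-9]|2\d|3[01])\.", ip) is not None


def scan(records) -> List[Finding]:
    """Walk the records and return one Finding per suspicious event."""
    findings: List[Finding] = []
    for line in records:
        m = PROCESS_RE.match(line)
        if m:
            label = classify_tool(m["image"])
            if label and m["host"] not in APPROVED_HOSTS.get(label, set()):
                findings.append(Finding(m["host"], m["user"], "tool",
                                        f"{label} started from {m['image']}"))
            continue
        m = LOGON_RE.match(line)
        # Logon type 10 is RemoteInteractive, i.e. an RDP session.
        if m and m["type"] == "10" and not is_internal(m["src"]):
            findings.append(Finding(m["host"], m["user"], "rdp",
                                    f"interactive RDP logon from external {m['src']}"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"[{f.kind}] {f.host} {f.user}: {f.detail}")
```

On the constructed sample the scan raises two findings: the AnyDesk binary run from a user's Downloads folder on a finance workstation, and the RDP logon from the non-private address. The AnyDesk start on the approved helpdesk host, the notepad process, the RDP logon from an internal address and the network (type 3) logon are all ignored. Whether an RDP session from a private address is benign still depends on your VPN design, so treat the allow-list and the internal/external split as policy inputs rather than fixed rules.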

The language used on cybercrime forums suggests the group is Russian-speaking, although it has also, less frequently, been observed posting in English.

Everest ransomware group's message on its deep web blog advertising its intent to recruit corporate insiders

The message is the same as the one it first posted in July, around the same time researchers suggested it could be dropping the ransomware game entirely.

Over the past few months, the ransomware group has shown growing evidence of an "extremely rare" move towards becoming an initial access broker (IAB), according to Searchlight Cyber.

It first started acting as an IAB in 2021 but has shown greater levels of IAB activity since November 2022.

An IAB is a criminal outfit that breaks into an organization's network and then sells that access, often to ransomware crews and sometimes to more than one buyer at a time, so that the buyer can skip the intrusion work and go straight to deploying ransomware.

Possible reasons for the rare move from ransomware group to IAB, which would typically lead to a less lucrative business, aren't fully understood but have been speculated to include evading law enforcement and loss of team members.

Internationally coordinated busts of ransomware gangs are becoming more commonplace and Everest could be trying to avoid becoming the next Hive or REvil. With the closure of BreachForums earlier this year, researchers said it could also be trying to use its notoriety as an established ransomware force as a way to sell its access as part of a new business model.

"It is also a possibility that a change of personnel within the group has forced it to change its tactics from ransomware," Searchlight Cyber said.

"For example, infighting within cybercriminal groups is common, and it is within the realms of possibility that the person involved in the encryption part of the ransomware attack has left, leaving less technical ability and skills to carry out full-blown ransomware attacks.

"If the group members involved in initial access remain, that would explain why the group has mostly been undertaking IAB over the past few months."

Sticking to what it knows

Despite the evidence of greater IAB activity at Everest, that does not mean it will never return to being a ransomware-focused group, or that it has given up on ransomware now.

Over the course of its three-year history, Everest has fluctuated between IAB and ransomware activity regularly. November 2021 was the first time IAB access was sold, but for the majority of 2022 it was predominantly pursuing ransomware.

It's possible that the latest advert for insider access is Everest attempting to cut out IABs by sourcing insider access directly for its own attacks, a move that could leave it a larger share of the profits from each ransomware attack.

"Organizations of all kinds are optimizing their business models, and where they see unnecessary costs, cutting it," said Harry McLaren, head of security engineering at SenseOn.

"Threat actors are no different, and in an increasingly competitive space, cutting out the IABs could improve their financial returns. Direct attacks from threat actor to victim were the historic method used by all threats and are still used by many APTs to minimize awareness or discoverability."

As regards the potential success of attracting insiders for attacks, Everest will likely have to spend time vetting any respondents to its advert.

Attempts to leverage insiders don't always work, as was the case when the FBI stymied what could have been a highly lucrative attack on a major US target in 2021.

If this is a bid to forgo IABs and pursue a more direct route, experts think cybercriminals won't have the easiest time as the pool of potential willing targets, in most organizations, would be fairly small.

"While it is hard to predict how many insiders inside organizations will be willing to sell access to them, the probability is definitely not zero," Alexey Kleymenov, threat intelligence manager at Nozomi Networks Labs, told The Register.

"For example, we all heard stories where disgruntled employees were attempting to cause damage to their organizations as a form of revenge."

Attracting insiders

The tactic of recruiting disgruntled or otherwise rebellious employees isn't new and has been adopted by various cybercriminal groups over the years, LockBit among them.

According to a 2022 survey by Pulse and Bravura Security, 65 percent of corporate executives had been contacted directly by ransomware criminals to help facilitate access into their employers' networks.

Promises of large payouts are made to professionals in exchange for facilitating access for the thieves or deploying the ransomware themselves.

An investigation by Abnormal Security in 2021 revealed that someone alleging to be part of the Demonware gang offered 40 percent of the total proceeds of a successful attack in exchange for deploying the ransomware.

In an initial exchange, Demonware offered a fake persona adopted by the researchers a sum of $1 million in Bitcoin after assuming they would be able to successfully ransom an organization for $2.5 million.

Further conversations revealed that when initial phishing attacks targeting executives fail, criminals then turn to insiders for access. ®
