Everest Ransomware's Exfiltration Claims Questioned Amidst Technical Analysis
Analysis of the Everest ransomware reveals a discrepancy between its claims of 1 TB data theft and the actual malware capabilities, suggesting separate tools were used for exfiltration.

A recent technical examination of the Everest ransomware family has uncovered a significant contradiction between the group's public claims and the capabilities of the malware itself. While Everest has boasted about stealing a massive 1 terabyte of data from a victim organization, the analyzed ransomware encryptor sample lacks any code designed for data exfiltration. This suggests that if data theft occurred, it was likely accomplished using separate tools earlier in the intrusion lifecycle, rather than being part of the ransomware payload.
Everest ransomware has been active since at least December 2020, operating as a double extortion threat that combines file encryption with the theft of sensitive data. The group is known for targeting a wide array of sectors, including government agencies, healthcare providers, and telecommunications companies across North America, Europe, and Asia. Their typical modus operandi involves exploiting vulnerable public-facing applications, conducting phishing campaigns, and leveraging stolen credentials to gain remote access to victim networks.
AttackIQ researchers, who shared their findings with Cyber Security News, examined a live sample of the Everest encryptor. Their analysis indicated that the malware's behavior did not align with the group's own assertions about the incident. The examined binary points to the possibility that the alleged data theft, if it indeed happened, was carried out using distinct tools, separate from the ransomware deployment itself. This discrepancy highlights how ransomware groups may exaggerate or misrepresent their operations to increase extortion leverage.
The analyzed encryptor is a .NET executable that has been protected using ConfuserEx, a tool commonly used to obfuscate code, remove identifying watermarks, and add anti-tampering measures. Once executed, the ransomware initiates three background threads designed to terminate reverse engineering tools, disable security products, and shut down memory-intensive processes, all while preparing the system for encryption.
One particularly unusual characteristic noted by AttackIQ is Everest ransomware's use of Wake on LAN (WoL) broadcasts. These broadcasts are sent to wake up sleeping machines on the network, ensuring that more devices can be targeted for encryption. This technique is not commonly observed in most ransomware families and indicates a focus by the operators on maximizing the number of reachable devices within a compromised environment.
The ransomware sample, masquerading as a .NET Framework application with the filename hlntqyun.exe, was compiled shortly before the incident was posted on Everest's leak site. Its cryptographic setup is intentionally misleading; it declares a stronger key size than what is actually used at runtime. Ultimately, the encryption relies on AES 128 for file data and RSA 1024 for protecting the encryption keys, both weaker than initially suggested by the code.
Upon execution, the malware first checks for a mutex to ensure single instance operation and then performs a geo-fencing routine to avoid systems configured with Commonwealth of Independent States language or locale settings. Subsequently, it disables Windows Defender's Controlled Folder Access, deletes shadow copies, wipes backup-related files, and even removes the open-source anti-ransomware tool Raccine from the registry. Files smaller than 2 MB are fully encrypted and renamed with the .everest extension, while larger files undergo partial encryption to expedite the process across extensive data volumes.
The ransomware concludes its operation by dropping a ransom note named EVERESTRANSOMWARE.txt into every affected folder and on the desktop. It then initiates a delayed self-deletion routine to erase its tracks. Security teams are advised to expand their emulation coverage to include behaviors like Wake on LAN broadcasts, mapped drive enumeration, and active network connection discovery, as these reflect genuine attacker movements. Continuous validation against realistic attack chains is crucial for defenders to identify weaknesses in their existing controls.