Everest
Everest is a ransomware-as-a-service (RaaS) operation active since at least 2020 and described in the reporting as Russia-linked. It is referred to as Everest, Everest Group, Everest gang, and Everest ransomware group/team. The reporting states that Everest uses a double-extortion model, stealing data, encrypting systems, and threatening publication if victims do not pay, and that it has also expanded into initial access brokerage by selling network footholds to other threat actors.

The reporting ties Everest to repeated dark web leak-site extortion activity and victim claims across multiple sectors, including finance, insurance, automotive, aerospace, retail, healthcare, aviation, and manufacturing. Victims or claimed victims mentioned in the reporting include Frost Bank, Citizens Financial Group, Liberty Mutual, Under Armour, Iberia and Air Miles España, a file-transfer service provider supporting Nissan and Infiniti dealerships in North America, Collins Aerospace, Allegis Group, BMW, and incidents affecting Vikor Scientific/Vanta Diagnostics and affiliated labs via Catalyst RCM. The reporting also notes an Everest attack targeting a South Korean elevator manufacturer.

Specific activity described includes Everest listing Frost Bank and Citizens Financial Group on its leak site on April 20 and giving a six-day deadline before release; claiming approximately 250,000 Frost Bank records and approximately 3.4 million Citizens records; claiming to have exfiltrated 250,000 Social Security numbers from Frost Bank; beginning to leak more than 108 GB of allegedly stolen Liberty Mutual data on May 4, 2026 after claiming the data was taken on April 30; claiming a 343 GB Under Armour breach in November 2025; claiming a 596 GB Iberia breach plus 430 GB of booking-related mail files; and claiming a 910 GB breach of a vendor file-transfer system used by Nissan and Infiniti dealerships.

The reporting explicitly characterizes Everest as known for double-extortion tactics and states that Everest has amassed well over 100 victims across multiple sectors over the course of a year. In addition to its victim operations, Everest itself was reportedly exposed by 0APT, which leaked hashed and encoded publication and user information; the same defacement message later seen in the LockBit panel compromise had previously been used in a compromise of Everest's dark web leak site. The reporting notes that Everest had not launched a counterattack against 0APT at the time of reporting.
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Tradecraft
17 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Observables
3 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Named threat actor handle extracted from dark web leak-site related content; no further activity details provided.
Claimed to have exfiltrated Frost Bank data, including 250,000 Social Security numbers, and used leak-site extortion tactics.
Ransomware actor contributing to elevated finance victim counts in April, with relatively high finance-sector share.
Ransomware actor noted as contributing to victimization in Japan during Q1 2026.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.