Healthcare Sector Warned Over Everest Ransomware Group

The Health Sector Cybersecurity Coordination Center has published a threat profile of the Everest Ransomware group, which was behind the recent ransomware attack on Gramercy Surgery Center in New York. The group has also claimed responsibility for attacks on Horizon View Medical Center in Las Vegas, 2K Dental in Ohio, Prime Imaging in Tennessee, and Stages Pediatric Care in Florida, and has increasingly targeted the healthcare and public health (HPH) sector since 2021. The group has added more than 120 victims to its breach site, with approximately 34% of victims located in the United States, and approximately 27% of U.S. victims in the healthcare sector. Between April 2021 and July 2024, the group carried out at least 20 attacks on healthcare institutions, disproportionately targeting medical imaging providers.

The Everest ransomware group was first identified in December 2020 and quickly rose to prominence within the cybercriminal community after attacks on high-profile targets including the Brazilian government and NASA. The group employs double extortion tactics: sensitive data is exfiltrated first, then ransomware is used to encrypt files, and a ransom is demanded both for the decryption key and to prevent the stolen data from being published on its dark web data leak site. Researchers who analyzed the encryptor used by Everest found similarities to the BlackByte ransomware, and Everest is known to collaborate with other ransomware groups, such as Ransomed.

The group initially focused on data exfiltration, with ransomware only being used in more recent attacks. Since late 2022, Everest has increasingly specialized as an initial access broker (IAB). An IAB is a threat group primarily focused on penetrating corporate networks, installing malware that provides remote access to their systems, and selling that access to other threat actors. This tactic is relatively rare among threat groups, because if a group can penetrate corporate networks and has an encryptor, it is able to make more money by carrying out the ransomware attack itself rather than selling access to another threat group. One reason for this could be to keep a low profile and avoid law enforcement scrutiny.

The group has been observed advertising to corporate insiders, offering cash payments for remote access to their employers' networks, including via shell, VNC, HVNC, RDP over VPN, and various remote access software tools. It has also been known to purchase access from other cybercriminals. Once inside a corporate network, Everest uses compromised user accounts and RDP for lateral movement and exploits weak credentials. The group has been observed deleting its tools, reconnaissance outputs, and data collection archives from compromised hosts to cover its tracks while maintaining persistence.

Everest actors primarily use Cobalt Strike for command and control communications, and tools such as netscan.exe, netscanpack.exe, and SoftPerfect Network Scanner for network discovery. WinRAR is installed on file servers to archive files for exfiltration, and the data is then exfiltrated using tools such as Splashtop and held hostage or sold. The Everest Ransomware group Threat Profile includes Indicators of Compromise (IoCs) and recommended mitigations and can be viewed here (PDF).
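The tooling listed above lends itself to a simple host-level correlation rule for process-creation telemetry: a network scanner, an archiver running on a file server, and a remote access tool appearing on the same host together are worth escalating. The following is an added example, not from the HC3 profile or The HIPAA Journal; the pipe-delimited log lines are constructed, the weights are arbitrary, and matching SoftPerfect and Splashtop by product name in the image path is an assumption.

```python
import posixpath
from collections import defaultdict

# Tool names from the profile summary above. SoftPerfect and Splashtop ship several binaries,
# so those match on the product name in the image path (an assumption); the rest by file name.
DISCOVERY_IMAGES = {"netscan.exe", "netscanpack.exe"}
ARCHIVER_IMAGES = {"winrar.exe", "rar.exe"}
PATH_SUBSTRINGS = {"softperfect": "discovery", "splashtop": "remote_access"}

# Constructed sample telemetry (not real logs): timestamp|host|role|user|image|command line
SAMPLE_LOG = """\
2024-07-02T01:12:03Z|FS01|fileserver|corp\\svc_backup|C:\\Windows\\Temp\\netscan.exe|netscan.exe
2024-07-02T01:20:41Z|FS01|fileserver|corp\\svc_backup|C:\\Program Files\\WinRAR\\WinRAR.exe|WinRAR.exe a -r D:\\out.rar \\\\FS01\\Imaging
2024-07-02T01:33:10Z|FS01|fileserver|corp\\svc_backup|C:\\Program Files (x86)\\Splashtop\\SRServer.exe|SRServer.exe
2024-07-02T08:05:00Z|WS17|workstation|corp\\jdoe|C:\\Program Files\\WinRAR\\WinRAR.exe|WinRAR.exe x report.rar
2024-07-02T08:06:00Z|WS17|workstation|corp\\jdoe|C:\\Windows\\System32\\notepad.exe|notepad.exe
"""

def classify(image):
    """Map a process image path to a tool category named in the profile, or None."""
    path = image.lower().replace("\\", "/")
    name = posixpath.basename(path)
    if name in DISCOVERY_IMAGES:
        return "discovery"
    if name in ARCHIVER_IMAGES:
        return "archiver"
    for needle, category in PATH_SUBSTRINGS.items():
        if needle in path:
            return category
    return None

def triage(log_text):
    """Correlate signals per host; each category counts once. Weights favour network
    discovery and archiving on file servers, the behaviours the profile calls out."""
    hosts = defaultdict(lambda: {"signals": set(), "score": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, host, role, _user, image, _cmd = line.split("|", 5)
        category = classify(image)
        if category is None or category in hosts[host]["signals"]:
            continue
        weight = {"discovery": 3, "remote_access": 2, "archiver": 3 if role == "fileserver" else 1}[category]
        hosts[host]["signals"].add(category)
        hosts[host]["score"] += weight
    return dict(hosts)

def hosts_to_escalate(log_text, threshold=5):
    """Hosts whose combined score reaches the threshold (only FS01 in the sample)."""
    return sorted(h for h, r in triage(log_text).items() if r["score"] >= threshold)
```

A lone WinRAR run on a workstation scores too low to alert, which keeps the rule from firing on ordinary archive use while still surfacing the scan-archive-exfiltrate chain on a file server.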

The post Healthcare Industry Warned About Everest Ransomware Group appeared first on The HIPAA Journal.