The Everest Ransomware Gang's Attack on Agrijola

The Everest ransomware gang has attacked Agrijola. Agrijola is a garden and outdoor equipment retailer headquartered in Peniche, Portugal. It was founded in 1996. Everest posted Agrijola to its data leak site on August 14th but provided no further details.

Everest's Notoriety and Tactics

The Everest ransomware group has garnered attention by claiming possession of sensitive data from aeronautics firms, including NASA. While they haven't yet demanded ransom payments from victims, they've established a $30,000 price for the sale of leaked data. The group asserts access to corporate emails as an "intelligence opportunity." Targeting government offices across various states, including Argentina, Peru, and Brazil, the Russian-speaking Everest employs double extortion tactics, seeking payment for decryption keys and to prevent data leaks.

Background and Methodology

Initially detected in 2018, the Everest ransomware is part of the Everbe 2.0 ransomware family, employing tools like Embrace, Hyena Locker, PainLocker, and EvilLocker. Employing tactics like lateral movement through compromised accounts and exploiting the Remote Desktop Protocol, the group targets multiple industries, especially in the Americas, capital goods, health, and public sectors.

A Unique Position in Cybercrime

The Everest group, distinctively rare, acts as an "Initial Access Broker," selling backdoors to other criminals. This shift in approach could be to evade law enforcement or explore new monetization avenues.