Everest ransomware group targets healthcare sector
Ransomware is one of the most costly and disruptive events to befall a healthcare organization. Over 460 known attacks occurred in US-based health systems in 2023, according to HHS, resulting in hundreds of millions of dollars in damages, critical disruptions in patient care, and reputational body blows that can take years to overcome.
Unfortunately for CISOs, ransomware threats are continually evolving to outsmart even the most seemingly foolproof cybersecurity fortress – and if we’re being honest, the majority of healthcare organizations can’t exactly claim to be as protected from attack vectors as they ought to be.
That’s why cybercriminals are constantly turning their eyes to healthcare, looking for easy targets to exploit for sensitive data, cryptocurrency, and other rewards.
The latest is the Everest ring, a Russian-speaking ransomware-as-a-service group that infiltrates targets and sells access to the victim to other actors, who then conduct the actual attack, according to a recent industry bulletin by the Health Sector Cybersecurity Coordination Center at HHS.
The office noted a rise in Everest’s healthcare targets starting in 2021, after several successful attacks on high-profile entities, including NASA, the Brazilian government, and Colonial Pipeline, an oil company.
HHS states that Everest may be behind at least 20 health sector incidents from April 2021 to July 2024, with medical imaging providers being some of their favorite prey.
“Most recently, the group claimed the compromise of a New York-based surgery center with a revenue of USD $17 million, in which the attackers claimed to possess more than 450 GB of data allegedly exfiltrated from the victim, including comprehensive details about the center’s physicians and patients, encompassing personal and medical records,” the report states.
“The attackers gave the victim 24 hours to initiate negotiations, threatening to disclose the data publicly if their demands are not met. While relatively low compared to other ransomware operations, the number of Everest ransomware incidents in the [health] sector has steadily trended upward since 2021, increasing by around one incident per year.”
In advertisements on Everest’s known data leak site, the group has stated that it is looking for multiple avenues into organizational infrastructure, including shell, VNC, HVNC, RDP with VPN, or access via various remote access software tools, HHS says.
According to John Riggi, the American Hospital Association’s national advisor for cybersecurity and risk, Everest is also using legitimate cybersecurity threat simulation tools, such as Cobalt Strike, to facilitate their activities.
“It is recommended that health care organizations set network monitoring tools to alert for Cobalt Strike activations, implement the recommended mitigations included in the alert, and implement the voluntary health care cybersecurity performance goals,” he said in an AHA article.
To counteract ransomware threats such as those posed by Everest and other groups, the FBI specifically recommends healthcare organizations thoroughly review their cybersecurity infrastructure, employee training procedures, and incident response plans.
Organizations should pay particular attention to maintaining appropriate credentials and passwords on authorized accounts, including using two-factor authentication whenever possible. Enterprises should also stay up to date on data backups, install anti-virus software, disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs, and even disable hyperlinks in emails to avoid phishing attempts.
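As an added illustration of the “monitor remote access/RDP logs” recommendation above (example code written for this page, not from HHS, the FBI, or the AHA): a small triage pass over constructed Windows Security logon records that flags an RDP logon succeeding after a burst of failures, and any RDP logon arriving from outside an assumed set of trusted internal networks. The event IDs, the trusted ranges, and the failure threshold are assumptions for the example.

```python
# Added example: triage of RDP logon events, not code from the article or the HHS bulletin.
import ipaddress
from collections import defaultdict

# Constructed sample events: (event_id, logon_type, account, source_ip).
# 4624 = successful logon, 4625 = failed logon, logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    (4625, 10, "svc_backup", "203.0.113.45"),
    (4625, 10, "svc_backup", "203.0.113.45"),
    (4625, 10, "svc_backup", "203.0.113.45"),
    (4625, 10, "svc_backup", "203.0.113.45"),
    (4625, 10, "svc_backup", "203.0.113.45"),
    (4624, 10, "svc_backup", "203.0.113.45"),
    (4624, 10, "radiology01", "10.20.5.17"),
    (4624, 10, "jsmith", "198.51.100.9"),
]

# Assumed internal ranges from which interactive RDP sessions are expected.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
FAIL_THRESHOLD = 5  # assumed: failures before a following success is suspicious

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def triage_rdp_events(events, fail_threshold=FAIL_THRESHOLD):
    """Return a list of (reason, account, source_ip) alerts, in event order."""
    failures = defaultdict(int)  # (account, ip) -> failures since last success
    alerts = []
    for event_id, logon_type, account, src in events:
        if logon_type != 10:
            continue  # only RemoteInteractive (RDP) logons are of interest here
        key = (account, src)
        if event_id == 4625:
            failures[key] += 1
        elif event_id == 4624:
            if failures[key] >= fail_threshold:
                alerts.append(("rdp_success_after_bruteforce", account, src))
            if not is_trusted(src):
                alerts.append(("rdp_logon_from_untrusted_network", account, src))
            failures[key] = 0  # reset the counter once a session is established
    return alerts

if __name__ == "__main__":
    for alert in triage_rdp_events(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the same two rules would run over events exported from the Windows Security log or a SIEM, with the trusted ranges taken from the organization’s VPN and workstation subnets.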
More technical details about the Everest group’s attack vectors and recommended safeguards are available in the Health Sector Cybersecurity Coordination Center’s threat actor profile, available here.
Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry. Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system. She can be reached at jennifer@inklesscreative.com.