Under the Ransom Countdown: Everest Group Threatens to Leak Sensitive Data of Major U.S. Banks
Cyber adversaries have issued a menacing ultimatum to disclose sensitive data belonging to two prominent American financial institutions. Having already unveiled a fraction of the stolen data, the marauders have granted a mere six-day window for deliberation.
The leak repository of the Everest collective now features entries for the Texas-based Frost Bank and Citizens Financial Group, both of which were inaugurated into the roster of victims on April 20. The assailants have alluded to the possession of expansive data volumes, explicitly threatening comprehensive disclosure should negotiations fail to materialize. This stratagem has become a hallmark of modern extortion: initially, the hackers exfiltrate data, subsequently publish a discernible fragment to the public domain, and finally initiate a relentless countdown. As the psychological pressure intensifies daily, the institutions find themselves ensnared in a choice between reputational ruin and the payment of a ransom.
According to the syndicate’s proclamations, the breach of Frost Bank encompasses approximately 250,000 clients. While an independent audit of this figure remains elusive, the provided samples are disconcerting, containing Social Security numbers, tax identifiers, full names, domiciles, and meticulous details regarding income, mortgage rates, and investment dividends. Given that portions of the samples are redacted, the authentic magnitude of the exfiltration may be far more pervasive.
The situation surrounding Citizens Bank presents a different profile. The hackers allege the theft of 3.4 million records; however, the disseminated samples appear less critical, consisting of database exports containing names, addresses, account numbers, and internal annotations. The absence of Social Security numbers and tax identifiers in the exhibited tables suggests that the primary risks pertain to fraudulent profiling and social engineering rather than direct identity theft.
Operating as a Ransomware-as-a-Service (RaaS) entity since 2020, the Everest group employs a dual-pressure doctrine: first incapacitating systems through encryption while exfiltrating data, and subsequently leveraging the threat of disclosure. Should a victim refuse to acquiesce, the group often auctions network access to peripheral threat actors. Over the preceding year, the collective has been implicated in over a hundred incursions across diverse industrial sectors.
The syndicate’s list of casualties includes illustrious names such as Coca-Cola, BMW, Under Armour, Nissan, and Iberia Airlines. In several instances, the group followed through on its threats by publishing exfiltrated data, thereby cementing its credibility as an extortion threat. Now, banks with assets totaling hundreds of billions of dollars are within its sights. If confirmed, the repercussions of these leaks will resonate across hundreds of thousands of clients, serving as a stark reminder that even the most formidable financial bastions remain susceptible to digital subversion.