
The Three Doors Ransomware Crews Walk Through

By Asaf Levy · 10 min read
Key Numbers
  • 2 US banks - Frost Bank and Citizens Bank, both disclosed Everest intrusions inside a single week in April 2026.
  • 380 GB - combined data exfiltrated across the peer breaches.
  • 3.4 million banking records reportedly in the Citizens Bank leak set.
  • $0 - zero-day exploits used. Everest has not needed one in these campaigns.
  • ~62 minutes - average attacker breakout time from initial access to lateral movement (CrowdStrike 2024 Global Threat Report).

Frost Bank and Citizens Bank both disclosed Everest ransomware intrusions inside a single week in April. Same actor, same playbook, 380 GB out the door. If you run security in financial services, this was supposed to be a quiet Tuesday.

The reflex after a peer-industry breach is usually to wait for the incident writeup and then run the regulatory-response script. That is the wrong job this week. The doors Everest walked through at Frost and Citizens are almost certainly open in your environment too, and the IAB market is already indexing whoever has not closed them yet.

None of this is new. Everest has not needed a zero-day in these campaigns, and looking back across their last three years of activity - the 2022 Collins Aerospace intrusion, the steady uptick in financial-services targeting through 2025 and 2026 - three access paths do almost all the work. If you close them, Everest has to earn the next breach. If you leave them open, you are one infostealer-log purchase away from being the next disclosure.

What Everest Actually Does

Everest is not a technically exotic group. It is a disciplined, financially motivated crew that has industrialized the boring parts of intrusion. Their operational pattern, reconstructed from public incident reports and threat-intel writeups, looks like this:

Buy access on dark-web markets when it is cheap, harvest it yourself from infostealer logs when it is cheaper, or scan for unpatched public-facing appliances when access is sitting in plain sight. Log in through the same VPN, SSO, or RDP service a real administrator would use. Spend a few days to a few weeks mapping the environment with native tools. Stage data into cloud storage the company already trusts. Exfiltrate. Negotiate. If negotiation fails, publish.

There is no novel malware strain to catch and no zero-day signature to patch. The ingredients are commodity, the tempo is patient, and the defensive lesson is uncomfortable: the work in front of a CISO this month is not building a taller wall, it is auditing which doors are still unlocked.

Door 1. Infostealer Logs

An infostealer is a piece of malware whose entire job is to sit on an infected device, quietly harvest saved credentials, session cookies, and MFA seeds, and ship that bundle back to the operator. RedLine, Raccoon, Lumma, StealC - there are dozens of variants, and the output is standardized enough that underground markets sell it in tidy, indexed packages, priced per record.

The Collins Aerospace intrusion that Everest claimed in 2022 started with RedLine credentials harvested from an employee device. Those credentials did not expire on their own, and in most environments the password reset after the breach did not reach every system the credential had been reused on. Credentials stolen four years ago are still being used today because almost nobody rotates wide enough after an incident.

For most mid-market financial-services organizations, the ugly truth is that fresh infostealer logs containing their corporate domains are available on underground markets right now, for a price that rounds to pocket change. If your security program is not actively querying those feeds, the adversary has visibility into your identity surface that you do not.

This Week
  • Query every infostealer log feed and dark-web monitoring service you subscribe to. If you do not have one, subscribe today.
  • Cross-reference every hit against corporate identities. Force-reset the matches before end of day, and invalidate active session cookies, not just passwords.
  • For every match, check SSO, VPN, and critical SaaS for that identity in the last 90 days. Credential theft often precedes use by weeks or months.
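The three steps above are mechanical enough to script. The block below is an added example, not code from the article or its author: it filters a constructed infostealer-feed export down to corporate identities, queues the reset and session-invalidation actions, and attaches any sign-ins that happened after the harvest date inside the 90-day window. The JSON-lines feed shape, the `example-bank.test` domain, the directory and the sign-in log are all constructed assumptions, not any vendor's real format.

```python
# Added example (not from the article or its author): triage infostealer-feed hits
# against corporate identities, then queue the response the "This Week" list calls for.
# Every record below is constructed; the feed's JSON-lines shape is an assumption and
# does not correspond to any particular vendor's export format.
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

CORPORATE_DOMAINS = {"example-bank.test"}   # constructed corporate domain
LOOKBACK_DAYS = 90                           # sign-in review window from the article

# Constructed feed export, one JSON object per line (assumed format).
FEED_LINES = [
    '{"url": "https://vpn.example-bank.test/login", "username": "J.Doe@example-bank.test",'
    ' "cookies": ["SSOSESSION=redacted"], "harvested_at": "2026-03-30T08:12:00Z"}',
    '{"url": "https://sso.example-bank.test/", "username": "m.ali@example-bank.test",'
    ' "cookies": [], "harvested_at": "2025-11-02T19:40:00Z"}',
    '{"url": "https://shop.other.test/", "username": "j.doe@mail.test",'
    ' "cookies": ["cart=1"], "harvested_at": "2026-04-01T00:00:00Z"}',
]

# Constructed identity directory: identity -> account still enabled?
DIRECTORY = {
    "j.doe@example-bank.test": True,
    "m.ali@example-bank.test": False,   # contractor account disabled last quarter
}

# Constructed SSO/VPN sign-in log: (identity, timestamp, service)
SIGNIN_LOG = [
    ("j.doe@example-bank.test", "2026-04-03T02:15:00Z", "vpn"),
    ("j.doe@example-bank.test", "2026-01-10T09:00:00Z", "sso"),
    ("m.ali@example-bank.test", "2025-09-14T11:00:00Z", "sso"),
]


@dataclass
class Hit:
    identity: str
    harvested_at: datetime
    cookies_present: bool
    actions: list[str] = field(default_factory=list)
    signins_after_harvest: list[tuple[str, str]] = field(default_factory=list)
    priority: str = "normal"


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def corporate_hits(lines: list[str]) -> list[Hit]:
    """Keep only feed records whose username belongs to a corporate domain."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        user = rec["username"].strip().lower()
        if "@" not in user or user.rsplit("@", 1)[1] not in CORPORATE_DOMAINS:
            continue
        hits.append(Hit(user, parse_ts(rec["harvested_at"]), bool(rec.get("cookies"))))
    return hits


def triage(hits: list[Hit], directory: dict, signins: list, now: datetime) -> list[Hit]:
    """Attach the response queue and any post-harvest sign-ins inside the lookback window."""
    cutoff = now - timedelta(days=LOOKBACK_DAYS)
    for h in hits:
        if directory.get(h.identity, False):
            # Reset the password AND invalidate sessions: a stolen cookie survives a reset.
            h.actions += ["force-reset", "revoke-sessions"]
        else:
            # Disabled accounts still get checked: confirm nothing re-enabled them.
            h.actions.append("confirm-disabled")
        for ident, ts, svc in signins:
            t = parse_ts(ts)
            if ident == h.identity and t >= h.harvested_at and t >= cutoff:
                h.signins_after_harvest.append((svc, ts))
        if h.signins_after_harvest:
            h.actions.append("investigate-signins")
        if h.cookies_present or h.signins_after_harvest:
            h.priority = "high"
    return hits


def run_triage(now: datetime | None = None) -> dict[str, Hit]:
    """Run the whole sweep over the constructed data; keyed by identity for easy lookup."""
    now = now or datetime(2026, 4, 10, tzinfo=timezone.utc)   # constructed "today"
    hits = triage(corporate_hits(FEED_LINES), DIRECTORY, SIGNIN_LOG, now)
    return {h.identity: h for h in hits}


if __name__ == "__main__":
    for ident, h in run_triage().items():
        print(f"{h.priority:6} {ident}: {', '.join(h.actions)} {h.signins_after_harvest}")
```

Two design points carry over to a real feed: match on the normalized identity, not the raw username string, and review sign-ins after the harvest timestamp rather than after the day the feed surfaced the record, since the log may have been sold weeks before you saw it.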

Door 2. Unpatched Public-Facing Appliances

The second door is the one every incident writeup underplays. VPN gateways, file-transfer appliances, mail gateways, edge routers, identity proxies, remote-desktop gateways - the infrastructure that, by design, has to be reachable from the internet. Everest and its peers do not need a zero-day here. They need a missed patch cycle.

The industry has been learning this lesson the expensive way for five years running. MOVEit. Ivanti Connect Secure. Fortinet FortiOS. Citrix NetScaler. Progress WS_FTP. Each of those names represents thousands of breached organizations - mostly not because the vulnerability was obscure, but because the patch window closed days before the exploit window opened. IABs run the same scans defenders do, and they run them continuously.

A 90-day patch cadence for internet-facing appliances is not a security program. It is a 90-day exposure window with a calendar entry. The working standard for appliances reachable from the internet is 14 days, with an accelerated path - measured in hours - for anything with an active exploitation advisory.

This Week
  • Inventory every internet-facing appliance, including shadow deployments no one remembers. Use external attack-surface scanning to confirm, not internal asset lists.
  • For any appliance past its patch SLA, patch it this week - not in the next sprint, not in the next change window.
  • For appliances that cannot be patched in time, take them offline or front them with a compensating control. Leaving them exposed with a known CVE is the decision the intruder is hoping you make.
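The patch-SLA rule is simple enough to encode as a check that runs against the appliance inventory every day. The block below is an added example, not the article's or the author's tooling. The 14-day window is the article's figure; the 48-hour window for anything under an active exploitation advisory is an assumed value, since the article only says "measured in hours". The inventory rows and hostnames are constructed.

```python
# Added example (not from the article or its author): check an internet-facing appliance
# inventory against the patch windows the article describes. The 14-day SLA is the
# article's figure; the 48-hour window for actively exploited CVEs is an assumed value.
# All inventory rows are constructed.
from __future__ import annotations

from datetime import datetime, timedelta, timezone

STANDARD_SLA = timedelta(days=14)
EXPLOITED_SLA = timedelta(hours=48)   # assumption; set your own accelerated window

# Constructed inventory. `fix_released` is when the vendor fix became available;
# `active_exploitation` means an exploitation advisory (e.g. a KEV listing) exists;
# `patchable` is False when there is no supported fix path for the deployed version.
INVENTORY = [
    {"host": "vpn1.example-bank.test", "product": "VPN gateway",
     "fix_released": "2026-03-20T00:00:00Z", "patched": False, "active_exploitation": False},
    {"host": "mft.example-bank.test", "product": "file-transfer appliance",
     "fix_released": "2026-04-09T06:00:00Z", "patched": False, "active_exploitation": True},
    {"host": "mail.example-bank.test", "product": "mail gateway",
     "fix_released": "2026-04-01T00:00:00Z", "patched": True, "active_exploitation": False},
    {"host": "rdgw-legacy.example-bank.test", "product": "remote-desktop gateway",
     "fix_released": "2026-01-05T00:00:00Z", "patched": False, "active_exploitation": False,
     "patchable": False},
]

# Most urgent first, for the report ordering.
URGENCY = {"offline-or-compensating-control": 0, "emergency-change": 1, "within-sla": 2, "compliant": 3}


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def evaluate(row: dict, now: datetime) -> tuple[str, int | None]:
    """Return (status, hours_remaining); negative hours mean the window already closed."""
    if row["patched"]:
        return "compliant", None
    window = EXPLOITED_SLA if row["active_exploitation"] else STANDARD_SLA
    deadline = parse_ts(row["fix_released"]) + window
    remaining_h = round((deadline - now).total_seconds() / 3600)
    if remaining_h >= 0:
        return "within-sla", remaining_h
    if not row.get("patchable", True):
        # The article's kill-switch: no fix path, so it comes offline or gets fronted.
        return "offline-or-compensating-control", remaining_h
    return "emergency-change", remaining_h


def report(inventory: list[dict], now: datetime | None = None) -> dict[str, tuple[str, int | None]]:
    """Evaluate every row; keyed by host so callers can look up a single appliance."""
    now = now or datetime(2026, 4, 10, 12, tzinfo=timezone.utc)   # constructed "now"
    return {row["host"]: evaluate(row, now) for row in inventory}


if __name__ == "__main__":
    rows = sorted(report(INVENTORY).items(), key=lambda kv: (URGENCY[kv[1][0]], kv[1][1] or 0))
    for host, (status, hours) in rows:
        print(f"{status:32} {host:32} {'' if hours is None else f'{hours:+d}h'}")
```

The point of returning hours rather than a boolean is the dashboard the article asks for: a window that closes in 18 hours on an actively exploited appliance needs a different escalation than one that closed a week ago on a quiet CVE, and the named owner should see both numbers.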

Door 3. Initial Access Brokers

The third door is the quietest, because it does not leave a trace on your network until it is already being used. Initial access brokers do the intrusion work - credential theft, appliance exploitation, RDP brute-force - and sell the result as a clean, authenticated foothold. Ransomware crews like Everest have publicly shifted toward buying that access, because it collapses weeks of pre-intrusion effort into a single dark-web transaction.

Typical IAB inventory on the markets a financial-services CISO should worry about: valid corporate VPN credentials with 2FA bypass, active RDP sessions into domain-joined servers, domain-admin footholds already tested and documented, and SaaS admin accounts for the big targets - Microsoft 365, Salesforce, Snowflake, GitHub. Prices scale with victim revenue. A mid-market bank can be listed for four figures. A domain-admin foothold at a large enterprise reaches five.

Internet-exposed RDP is the single most reliable source of IAB inventory. Most security teams report that their environment no longer has RDP exposed to the internet. In practice, external scans frequently find at least one forgotten host answering on port 3389 within the first hour. Vendors, contractors, and acquisitions are the usual culprits.

This Week
  • Scan your own external perimeter the way an IAB would. Shodan, Censys, and a competent external attack-surface platform find what internal asset inventories miss.
  • Kill interactive RDP and SSH exposed to the internet. All of it. If a vendor needs remote access, route them through a jump host with MFA and session recording.
  • Subscribe to IAB-listing monitoring. If a broker is advertising your domain, you have hours to respond, not days.

The 72-Hour CISO Response

Peer-industry breaches are the one moment when every budget owner in the organization is briefly willing to fund cyber work that should have been funded last quarter. Use the window. The response below is what I would run this week if I were sitting in the CISO chair at any financial-services organization of meaningful size.

Hour 0-24

Infostealer-log sweep for corporate domains. Force-reset every match and invalidate active sessions. Brief the executive team that this is a peer-industry-response action, not a breach disclosure.

Hour 24-48

External attack-surface scan. Inventory every internet-facing appliance and its patch state. Kill any exposed RDP or SSH. Escalate any appliance past its patch SLA to emergency change.

Hour 48-72

Dark-web listing check for the corporate domain. Tabletop the Everest playbook end-to-end with the incident response team. Deliver a one-page exposure report to the executive team with a named owner for each of the three doors.

What to Stand Up Before the Next One

Three doors close in 72 hours. Keeping them closed is a different problem, and it is the one that tends to lose budget fights when no peer is in the headlines. Three standing capabilities do most of the work.

1. Continuous infostealer and dark-web monitoring for corporate identities and domains. Not an annual pentest line item. A standing capability, wired into identity and access management, with automated response for matched identities - session invalidation, credential rotation, and conditional access downgrades.

2. A 14-day patch SLA for internet-facing systems. Named executive owner, published dashboard, and a documented kill-switch when the SLA is missed: the appliance comes offline or gets fronted by a compensating control while the patch is applied. Miss the SLA twice in a quarter and the owner is in the room with the audit committee.

3. Continuous external attack-surface management. Know what the IABs know. What is listening, on what port, with what software version, advertising what banner. The delta between what your internal asset inventory says and what an external scan finds is where the next breach starts.
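The external-scan delta described in capability 3, and the perimeter check in Door 3's "This Week" list, come down to the same comparison: what an outside scanner sees minus what the internal inventory claims, with interactive remote access called out separately. The block below is an added example, not the article's or the author's tooling. The addresses come from the 203.0.113.0/24 documentation range, and the scan records use a simplified, Shodan-like shape that is an assumption here, not a real export format.

```python
# Added example (not from the article or its author): diff an external scan export against
# the internal asset inventory and flag interactive remote access reachable from the
# internet. Addresses are from the 203.0.113.0/24 documentation range; the scan records
# are constructed in a simplified, Shodan-like shape that is an assumption.
from __future__ import annotations

from collections import defaultdict

# Constructed internal inventory: public IP -> asset name.
INTERNAL_INVENTORY = {
    "203.0.113.10": "vpn1",
    "203.0.113.11": "mail",
    "203.0.113.12": "mft",
}

# Constructed external scan results (assumed simplified shape).
EXTERNAL_SCAN = [
    {"ip": "203.0.113.10", "port": 443, "product": "VPN gateway", "version": "9.1.2"},
    {"ip": "203.0.113.11", "port": 25, "product": "mail gateway", "version": "7.4"},
    {"ip": "203.0.113.12", "port": 22, "product": "OpenSSH", "version": "8.9"},
    {"ip": "203.0.113.40", "port": 3389, "product": "ms-wbt-server", "version": ""},
    {"ip": "203.0.113.41", "port": 8443, "product": "file-transfer web UI", "version": "2.1"},
]

# Interactive remote-access services the article says should not face the internet.
INTERACTIVE_REMOTE = {3389: "rdp", 22: "ssh"}

SEVERITY_ORDER = {"critical": 0, "high": 1}


def compare(scan: list[dict], inventory: dict[str, str]) -> dict:
    """Return the inventory delta, exposed remote access, and a severity-sorted finding list."""
    unknown = sorted({r["ip"] for r in scan if r["ip"] not in inventory})
    exposed = [(r["ip"], INTERACTIVE_REMOTE[r["port"]])
               for r in scan if r["port"] in INTERACTIVE_REMOTE]

    # What the IABs know: port, product and version per host, straight from the banner data.
    services: dict[str, list[str]] = defaultdict(list)
    for r in scan:
        services[r["ip"]].append(f'{r["port"]}/{r["product"]} {r["version"]}'.strip())

    findings = []
    for ip, proto in exposed:
        # Remote access on a host nobody owns is the worst case: no one will patch or watch it.
        sev = "critical" if ip not in inventory else "high"
        findings.append({"ip": ip, "issue": f"{proto} reachable from the internet", "severity": sev})
    for ip in unknown:
        findings.append({"ip": ip, "issue": "not in internal inventory", "severity": "high"})
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["ip"], f["issue"]))

    return {
        "unknown_hosts": unknown,
        "exposed_remote_access": exposed,
        "services": dict(services),
        "findings": findings,
    }


if __name__ == "__main__":
    result = compare(EXTERNAL_SCAN, INTERNAL_INVENTORY)
    for f in result["findings"]:
        owner = INTERNAL_INVENTORY.get(f["ip"], "<no owner>")
        print(f'{f["severity"]:8} {f["ip"]:14} {owner:12} {f["issue"]}')
    for ip, svc in result["services"].items():
        print(f"{ip}: {', '.join(svc)}")
```

Run this against a real scan export and the `unknown_hosts` list is the inventory gap the article describes; the `services` map is the version and banner detail a broker is already indexing, which is the input the patch-SLA check needs.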

Why "Sophisticated Attack" Is the Wrong Story

The public writeup of these banking breaches will almost certainly include the phrase "sophisticated attack." It always does. The word is doing a lot of work there - most of it reassurance for boards and customers that the organization could not reasonably have been expected to prevent what happened.

For a handful of state-sponsored campaigns each year, that framing is accurate. For the Everest playbook it is not. Credentials harvested years ago, appliances past their patch SLA, an RDP port nobody remembers opening - calling those "sophisticated" is mostly a way to keep the conversation away from accountability. The organizations that actually close them this week are the ones where someone in the room is willing to push back on that framing before the board meeting, not after.

The attacker working on your peer this week is not ten moves ahead of your team. They are reading the same advisories, scanning the same appliances, and buying the same credentials - just with a tighter deadline.

Frequently Asked Questions

How did Everest ransomware breach Frost Bank and Citizens Bank?

Everest has not exploited zero-days in these campaigns. Public reporting and prior Everest intrusions point to three access paths: infostealer-harvested credentials from employee or contractor devices, vulnerable public-facing appliances such as VPN gateways and file-transfer systems, and network access purchased from initial access brokers. The exfiltration happened through legitimate-looking sessions once inside.

What is an initial access broker (IAB)?

An IAB is a criminal specialist who breaks into corporate networks and sells that access to ransomware crews and other threat actors. Inventory includes valid VPN credentials, active RDP sessions, domain-admin footholds, and cloud-console access. Everest has publicly shifted toward buying rather than stealing that access, because it is faster and cheaper.

What is an infostealer log?

The harvested output of malware like RedLine, Raccoon, Lumma, or StealC running on an infected device. Each log contains saved passwords, session cookies, and MFA material, and is sold on underground markets for a few dollars per record. Credentials harvested in 2022 are still used in 2026 breaches.

What should a CISO do in the first 72 hours after a peer breach?

Infostealer-log sweep and forced credential reset in the first 24 hours. External attack-surface scan and emergency patching of internet-facing appliances in 24-48. Dark-web listing check and an executive-team exposure report in 48-72. Each of the three doors needs a named owner before the week ends.

How do you stop the next ransomware breach, not just respond to this one?

Three standing capabilities: continuous infostealer and dark-web monitoring wired into IAM, a 14-day patch SLA for internet-facing systems with a named owner and a kill-switch when missed, and continuous external attack-surface management that knows what the IABs know about your network.

Closing

Frost, Citizens, and whichever bank gets named next: none of these are coming from a zero-day. They are coming from credentials stolen years ago, an appliance someone meant to patch, and an RDP port that was never supposed to be reachable in the first place.

Closing those exposures this week is the difference between the organization that reads the next disclosure and the organization that issues it. Everything in the standing program - the patch SLA, the dark-web monitoring, the ASM coverage - is built to make sure they stay closed after the news cycle moves on.

Written by

Asaf Levy

Cybersecurity expert with 30+ years of experience across enterprise CISO, CTO, and co-founder roles. Advises boards and executive teams on ransomware readiness, attack-surface management, and incident response.