[{"data":1,"prerenderedAt":134},["ShallowReactive",2],{"article-slug-everest-ransomware-gang-targets-two-major-us-banks":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":29,"sources":30,"events":42,"mitre_techniques":46,"mitre_mitigations":63,"d3fend_countermeasures":91,"iocs":103,"cyber_observables":104,"tags":120,"extract_datetime":124,"article_type":125,"impact_scope":126,"pub_date":34,"reading_time_minutes":133,"createdAt":124,"updatedAt":124},"d6b832a4-a33e-439d-a618-a37a2ed66cbf","everest-ransomware-gang-targets-two-major-us-banks","Everest Ransomware Claims Attacks on Citizens and Frost Banks","Everest Ransomware Gang Targets Two Major US Banks, Threatens Data Leak","The Everest ransomware gang has listed two major U.S. financial institutions, Citizens Financial Group and Frost Bank, on its dark web leak site. The group claims to have stolen sensitive customer data, including Social Security numbers and financial details, and has threatened to release it. Citizens Bank confirmed a breach involving a third-party vendor, stating that while some customer information was involved, most of the data was masked. The full impact on Frost Bank remains unconfirmed.","## Executive Summary\n\nThe **Everest** ransomware gang has claimed responsibility for cyberattacks against two prominent U.S. banks: **[Citizens Financial Group](https://www.citizensbank.com/)** and **Frost Bank**. On April 20, 2026, both financial institutions were listed on the gang's dark web extortion site, with the threat actors setting a six-day deadline for the public release of allegedly stolen data. **Citizens Bank** has acknowledged a data security incident originating from a third-party vendor, but downplayed the severity, stating most data was for testing purposes. 
The claims regarding **Frost Bank**, which involve records for 250,000 clients, have not been officially confirmed but represent a significant threat to the financial sector.\n\n## Threat Overview\n\nThis incident highlights the persistent threat of ransomware gangs to the financial services industry and their increasing reliance on supply chain attacks. **Everest** is using a double-extortion tactic, not only encrypting data but also stealing it and threatening public release to pressure victims into paying. \n\nFor **Citizens Bank**, the attack vector was a third-party vendor, demonstrating how vulnerabilities in the supply chain can impact even well-defended organizations. The bank stated that only a \"very limited set of customer information was involved.\" \n\nFor **Frost Bank**, the unverified claim is much larger, with **Everest** alleging possession of PII and financial data for 250,000 clients, including Social Security numbers (SSNs), income, and investment details. This type of data is highly valuable on the dark web and poses a severe risk of fraud and identity theft to customers.\n\n## Technical Analysis\n\nWhile the specific TTPs for this attack are not detailed, the pattern is consistent with modern ransomware operations:\n\n1.  **Initial Access**: For **Citizens Bank**, the vector was a compromised third-party vendor, a classic supply chain attack ([`T1199 - Trusted Relationship`](https://attack.mitre.org/techniques/T1199/)). For **Frost Bank**, the vector is unknown but could range from phishing to exploiting an unpatched vulnerability.\n2.  **Data Exfiltration**: Before deploying the ransomware, groups like **Everest** move laterally through the network to identify and exfiltrate valuable data. This involves techniques like [`T1048 - Exfiltration Over Alternative Protocol`](https://attack.mitre.org/techniques/T1048/) and [`T1567 - Exfiltration Over Web Service`](https://attack.mitre.org/techniques/T1567/).\n3.  
**Impact**: The final stage is data encryption ([`T1486 - Data Encrypted for Impact`](https://attack.mitre.org/techniques/T1486/)) and posting the victim's name on their leak site to apply public pressure.\n\n> The attack on Citizens Bank via a third-party vendor is a critical reminder that an organization's security is only as strong as its weakest partner. Robust vendor risk management is non-negotiable.\n\n## Impact Assessment\n\n*   **For Customers**: A breach of this nature could lead to widespread financial fraud, identity theft, and targeted phishing attacks. The exposure of SSNs, TINs, and detailed financial records is particularly damaging.\n*   **For the Banks**: The incidents result in significant reputational damage, regulatory fines, and costs associated with incident response, customer notifications, and credit monitoring. An attack on a third party does not absolve the primary organization of responsibility for protecting its customer data.\n*   **For the Financial Sector**: Successful attacks on major banks can erode public trust in the stability and security of the financial system.\n\n## IOCs — Directly from Articles\n\nNo specific Indicators of Compromise (IOCs) were provided in the source articles.\n\n## Cyber Observables — Hunting Hints\n\nTo detect ransomware precursor activity, security teams should hunt for:\n\n| Type | Value | Description |\n| :--- | :--- | :--- |\n| Network Traffic Pattern | Large, anomalous outbound data flows to unknown destinations. | This is a strong indicator of data exfiltration before ransomware deployment. |\n| Process Activity | Execution of `vssadmin.exe delete shadows` or `wbadmin delete catalog`. | Attackers disable volume shadow copies to prevent easy recovery. |\n| Command-Line Pattern | `net stop \u003Cservice_name>` for security tools (AV, EDR). | Attackers attempt to disable endpoint security before running the encryptor. 
|\n| Log Source | Third-party connection logs | Monitor and baseline traffic from third-party vendors, alerting on unusual access patterns or data transfers. |\n\n## Detection & Response\n\n*   **Detection**: Deploy EDR solutions with anti-ransomware behavioral modules that can detect and terminate processes attempting to rapidly encrypt files or delete backups. Monitor for the execution of common reconnaissance commands (`whoami`, `net group`, etc.) and lateral movement tools. Use canaries or honeyfiles—bait files that trigger an alert if modified or encrypted.\n*   **Response**: Isolate affected systems immediately. Disconnect network access for compromised third-party vendors. Activate the incident response plan, which should include engaging legal counsel and forensic investigators. Do not reboot or delete anything until a forensic image can be taken. Refer to CISA's guidance on ransomware and avoid paying the ransom, as it does not guarantee data recovery and fuels the criminal ecosystem.\n\n## Mitigation\n\n1.  **Vendor Risk Management**: Implement a stringent third-party risk management program. This includes security questionnaires, audits, and contractual requirements for vendors who handle sensitive data. This is a key part of [`M1016 - Vulnerability Scanning`](https://attack.mitre.org/mitigations/M1016/) applied to the supply chain.\n2.  **Offline Backups**: Maintain immutable, offline backups of all critical data. This is the most effective defense against data encryption attacks and is a core component of [`M1053 - Data Backup and Recovery`](https://attack.mitre.org/mitigations/M1053/).\n3.  **Network Segmentation**: Segment networks to prevent ransomware from spreading from one part of the organization to another. A flat network is a ransomware operator's playground. See [`M1030 - Network Segmentation`](https://attack.mitre.org/mitigations/M1030/).\n4.  **Endpoint Security**: Deploy and properly configure advanced EDR and anti-malware solutions. 
Ensure they are set to block, not just alert, on suspicious behaviors.","Everest ransomware gang targets two major US banks, Citizens Bank and Frost Bank, threatening to leak sensitive customer financial data. Citizens confirms breach via a 3rd party. 🏦 #Ransomware #Everest #Cyberattack #Finance","The Everest ransomware gang has claimed attacks on Citizens Bank and Frost Bank, threatening to leak sensitive customer financial data including SSNs and income details.",[13,14,15],"Ransomware","Data Breach","Threat Actor","high",[18,21,24,26],{"name":19,"type":20},"Everest","threat_actor",{"name":22,"type":23},"Citizens Financial Group","company",{"name":25,"type":23},"Frost Bank",{"name":27,"type":28},"United States","other",[],[31,37],{"url":32,"title":33,"date":34,"friendly_name":35,"website":36},"https://cybernews.com/news/two-major-us-banks-targeted-citizens-bank-confirms-breach-frost-bank-allegedly-hit/","Two major US banks targeted — Citizens Bank confirms breach, Frost Bank allegedly hit","2026-04-22","Cybernews","cybernews.com",{"url":38,"title":39,"date":34,"friendly_name":40,"website":41},"https://www.securityweek.com/citizens-bank-frost-bank-targeted-by-everest-ransomware-gang/","Citizens Bank, Frost Bank Targeted by Everest Ransomware Gang","SecurityWeek","securityweek.com",[43],{"datetime":44,"summary":45},"2026-04-20T00:00:00Z","Citizens Bank and Frost Bank appeared on the Everest ransomware gang's dark web extortion site.",[47,51,55,59],{"id":48,"name":49,"tactic":50},"T1486","Data Encrypted for Impact","Impact",{"id":52,"name":53,"tactic":54},"T1199","Trusted Relationship","Initial Access",{"id":56,"name":57,"tactic":58},"T1048","Exfiltration Over Alternative Protocol","Exfiltration",{"id":60,"name":61,"tactic":62},"T1562.001","Disable or Modify Tools","Defense Evasion",[64,69,78,82],{"id":65,"name":66,"description":67,"domain":68},"M1053","Data Backup and Recovery","Maintain regular, tested, and offline backups to ensure recovery from a destructive 
ransomware attack without paying the ransom.","enterprise",{"id":70,"name":71,"d3fend_techniques":72,"description":77,"domain":68},"M1030","Network Segmentation",[73],{"id":74,"name":75,"url":76},"D3-NI","Network Isolation","https://d3fend.mitre.org/technique/d3f:NetworkIsolation","Segment the network to limit the blast radius of a ransomware infection, preventing it from spreading from workstations to critical servers.",{"id":79,"name":80,"description":81,"domain":68},"M1016","Vulnerability Scanning","Extend vulnerability management programs to include third-party vendors, ensuring supply chain partners meet security standards.",{"id":83,"name":84,"d3fend_techniques":85,"description":90,"domain":68},"M1040","Behavior Prevention on Endpoint",[86],{"id":87,"name":88,"url":89},"D3-PA","Process Analysis","https://d3fend.mitre.org/technique/d3f:ProcessAnalysis","Use EDR tools to detect and block common ransomware behaviors like shadow copy deletion and mass file encryption.",[92,97],{"technique_id":93,"technique_name":94,"url":95,"recommendation":96,"mitre_mitigation_id":65},"D3-FR","File Restoration","https://d3fend.mitre.org/technique/d3f:FileRestoration","The core defense against the 'Impact' phase of a ransomware attack by groups like Everest is a robust and tested restoration capability. Financial institutions like Citizens Bank and Frost Bank must maintain immutable backups, completely isolated from the production network (air-gapped or on write-once media). This ensures that even if the live network is fully encrypted, a known-good copy of data and system configurations exists. The restoration plan must be regularly tested to validate its integrity and to ensure that Recovery Time Objectives (RTOs) can be met. 
This removes the primary leverage of the attackers—data unavailability—and allows the organization to recover without considering a ransom payment.",{"technique_id":98,"technique_name":99,"url":100,"recommendation":101,"mitre_mitigation_id":102},"D3-OTF","Outbound Traffic Filtering","https://d3fend.mitre.org/technique/d3f:OutboundTrafficFiltering","To combat the 'double extortion' tactic used by Everest, where data is stolen before encryption, strict outbound traffic filtering is essential. Banks should configure their firewalls and proxies to deny all outbound traffic by default, only allowing connections to known, legitimate destinations on approved ports. For the Citizens Bank scenario involving a third-party vendor, this means restricting the vendor's network access to only the specific systems and ports required for their function. Furthermore, deploying a Data Loss Prevention (DLP) solution to inspect outbound traffic for sensitive data patterns (like SSNs, account numbers) can detect and block exfiltration attempts in real time. 
This can prevent the data breach component of the attack, significantly reducing the attacker's leverage and the overall impact of the incident.","M1037",[],[105,110,115],{"type":106,"value":107,"description":108,"context":109,"confidence":16},"command_line_pattern","vssadmin.exe delete shadows /all /quiet","Command used by ransomware to delete volume shadow copies, preventing easy system restoration.","EDR, Sysmon Event ID 1, Windows Security Event ID 4688",{"type":111,"value":112,"description":113,"context":114,"confidence":16},"network_traffic_pattern","Large SMB/FTP/RDP egress to non-standard IPs","Data exfiltration prior to encryption often involves staging large amounts of data and transferring it out over common file sharing protocols to attacker-controlled infrastructure.","Firewall logs, NetFlow data, DLP systems",{"type":116,"value":117,"description":118,"context":119,"confidence":16},"file_name","RANSOM_NOTE.txt","Creation of files with common ransom note names on multiple systems or network shares.","File Integrity Monitoring (FIM), EDR",[13,19,121,122,14,123],"Banking","Finance","Third Party Risk","2026-04-22T15:00:00.000Z","NewsArticle",{"geographic_scope":127,"companies_affected":128,"countries_affected":129,"industries_affected":130,"people_affected_estimate":132},"national",[22,25],[27],[122,131],"Technology","250,000 clients (unverified claim for Frost Bank)",5,1776923388443]