The Everest ransomware group, a double-extortion operation active since late 2020, has integrated a clever and concerning new tactic into its attacks. According to threat emulation research by AttackIQ, the group's malware now uses Wake-on-LAN (WoL) functionality to power on dormant and sleeping endpoints across a compromised network. This allows the ransomware to encrypt a much larger number of devices than would otherwise be possible, significantly increasing the disruptive impact of an attack. This technique, while not new in concept, is rarely seen in major ransomware campaigns and demonstrates a focus on maximizing damage and pressure on the victim.
The Everest group's updated malware employs a multi-stage process to ensure a comprehensive network compromise. The most notable stage is its use of Wake-on-LAN. The process is as follows:
T1018 - Remote System Discovery.This novel approach turns a common power-saving feature into a security liability.
Before initiating the WoL sequence, the Everest malware performs several actions to prepare the environment and weaken defenses, showcasing a well-thought-out attack chain:
T1562.001 - Impair Defenses: Disable or Modify Tools).T1021.002 - Remote Services: SMB/Windows Admin Shares).T1486 - Data Encrypted for Impact).T1070.004 - Indicator Removal: File Deletion).The use of Wake-on-LAN significantly increases the potential impact of an Everest ransomware attack. In many organizations, a substantial portion of workstations are powered down or in a sleep state outside of business hours. These machines would normally be safe from a ransomware attack that spreads across the network at night or on a weekend. By waking these machines up, Everest ensures they are also encrypted, leading to a much larger-scale business disruption. This can turn a partial outage into a complete shutdown, putting more pressure on the victim to pay the ransom. It forces organizations to reconsider the security implications of network features like WoL.
No specific file hashes or C2 domains were provided in the source articles.
Security teams can hunt for this specific activity by monitoring network traffic:
arp -aD3-NTA: Network Traffic Analysis.D3-BDI: Broadcast Domain Isolation.Segmenting networks into smaller broadcast domains (VLANs) will prevent WoL packets from reaching devices outside of the compromised segment.
Mapped D3FEND Techniques:
Disable Wake-on-LAN in the BIOS/UEFI and OS of endpoints if it is not a business requirement.
Mapped D3FEND Techniques:
Filter broadcast traffic at network boundaries to prevent techniques like this from propagating across the enterprise.
Mapped D3FEND Techniques:
The most effective technical countermeasure to Everest's Wake-on-LAN tactic is Broadcast Domain Isolation, commonly implemented via VLANs. WoL magic packets are broadcast traffic, meaning they are sent to all devices within the same Layer 2 network segment but are stopped by routers at the boundary of the segment. By segmenting the network into smaller VLANs (e.g., one for each department, or even more granularly), you can contain the WoL broadcast. If a machine in the marketing VLAN is compromised, the WoL packets sent by the Everest malware will only wake up other machines within that same marketing VLAN. It will not be able to wake up machines in the finance, engineering, or executive VLANs. This dramatically limits the blast radius of the attack, preventing it from becoming a full-blown enterprise-wide disaster and turning it into a more manageable, contained incident.
A direct and simple mitigation is to harden endpoints by disabling the Wake-on-LAN feature if it is not explicitly required for business operations. This can typically be done in two places: in the system's BIOS/UEFI firmware, and within the network adapter's properties in the Windows Device Manager. By disabling this feature, the endpoint's network card will no longer listen for magic packets when the machine is in a low-power state. This completely neutralizes the novel aspect of Everest's attack. While this may not be feasible for organizations that rely on WoL for remote administration or patch management, it should be the default configuration for all other systems. A GPO or endpoint management tool can be used to enforce this configuration across the fleet, ensuring that this attack vector is closed at scale.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.