Exclusive Everest Ransomware Group Interview on Collins Aerospace Breach Daily Dark Web
pIn late September 2025 a crippling cyber event brought European aviation to a standstill Major airports including London Heathrow Brussels and Berlin were plunged into chaos as passenger processing systems were taken offline The disruption centered on the MUSE MultiUser System Environment software a critical platform from defense and aerospace giant Collins Aerospace an RTX subsidiary that manages checkin boarding and baggage ppThe official story confirmed by the European Union Agency for Cybersecurity ENISA and an SEC filing from Collins parent company RTX was that this shutdown which began on September 19 was caused by a cybersecurity incident involving ransomware on systems that support its MultiUser System Environment MUSE passenger processing software Some security researchers subsequently linked the attack to HardBit ransomware ppHowever in the days following the shutdown the cybercrime organization Everest Ransomware Group claimed responsibility for the initial breach This group is known for operating as an encryptionless ransomware organization which means they do not encrypt victim data but instead specialize in data exfiltration for the purpose of extortionppEverest claims they first gained access on September 10 The entry point wasnt a new sophisticated exploit Instead they allegedly used a set of leaked credentials This username and password pair was reportedly stolen from an employees computer by an infostealer RedLine back in 2022 and was never changed The credentials for the publicfacing FTP server were ppppFrom this access Everest claims to have exfiltrated over 50GB of data including ppppThey then entered into negotiations with an RTX representative on September 16 ppHere is the central conflict Everest explicitly denies any involvement with ransomware Instead they allege that Collins Aerospace already aware of Everests data theft intentionally shut down its own servers on September 19 and publicly blamed unspecified ransomware in a coordinated effort to commit insurance fraud ppThis complex and contradictory scenario is further complicated by the UKs National Crime Agency which arrested a suspect in connection with the attack on September 24 though their affiliation remains unconfirmed Meanwhile Everest continued its operations claiming new breaches on October 25 at Dublin Airport and Air Arabia ppIn light of these reports and the threat actors public claims we initiated contact with the Everest Ransomware Group via an email address listed on their darknet website We sent a list of 12 questions to get their official statement on the record seeking to clarify their role their alleged connection to HardBit and the basis for their fraud allegationsppThe group responded to our questions We are publishing the interview in full to provide transparency and allow our readers to see the threat actors claims in their entirety which can then be compared against the official statements and public evidencepp ppQ1 To begin could you provide an overview of the Everest group What do you consider to be your groups core mission
Everest Everest is a small group of IT specialists who study how large infrastructures manage their digital security When companies handling critical data are careless we draw attention to it We focus on documents analyzing fileslogs messages email and other internal information helps show the real picture not just the companys words We search for proof of mismanagement and wrongdoing that companies often try to cover up behind official statements We do not use ransomware we do not damage infrastructure and we do not block systems Our work involves analyzing finding valuable documents and publishing facts that companies usually try to hidepp ppQ2 Are your operations purely financially driven or are there geopolitical factors that influence your choice of targets Can you clarify if Everest operates as a fully independent entity or if you maintain affiliations with other groups or any statelevel actors
Everest Everest is a commercial organization and we dont hide that We earn money for our work just like any professional who spends time resources and knowledge on their job The financial part is needed to cover expenses infrastructure and risks But money is not our only motivation We work independently without support or influence from governments or other groups When we see systemic incompetence carelessness or outdated decisions that put millions of users at risk we take action First comes the business side but behind it is a principle we dont ignore negligence that affects peoples safety The situation with Collins Aerospace is not unique Similar incidents happen regularly and the reason is usually the same careless management of infrastructure The problem is not just this specific incident but the overall approach to security a culture that focuses on metrics rather than real protection of datapp ppQ3 Was Collins Aerospace or its parent RTX a specific target for your group or was this discovery opportunistic
Everest The access to the FTP server came to us by chance Seeing a major aerospace company storing operational data with such a weak password which according to some researchers had already leaked online in 2022 was shocking After that our interest shifted from just technical to public How can a company responsible for the safety of millions of passengers allow this kind of negligencepp ppQ4 Since the Collins Aerospace incident you have also claimed breaches at Air Arabia and Dublin Airport Is the aerospace and aviation sector a new strategic focus for your group and if so why
Everest No aviation is not our main focus The reason we highlight these cases is simple In aviation the results of carelessness are obvious right away Thousands of flights are delayed and millions of passengers are affected We point out these incidents because a single vulnerable server or a small configuration mistake can paralyze an entire transport system It is not about choosing a target It is about showing where the cost of negligence is most visiblepp ppQ5 Public reports attribute the airport disruptions to HardBit ransomware yet your group explicitly denies using ransomware Investigations connect both of your names Everest and HardBit to the Collins Aerospace incident Can you clarify this discrepancy As a known Initial Access Broker did you sell network access to a HardBit affiliate after your initial breach or do you claim these were two entirely separate attacks
Everest We did not use any ransomware and no encryption took place The link between Everest and HardBit might be someones mistake or a deliberate false report in the media We did not sell or give anyone access to encrypt the systems Our correspondence with Collins did not mention encryption at all It was only about various operational detailspp ppQ6 A suspect was arrested in the UK in connection with the Collins Aerospace attack Can you confirm if this individual was affiliated with your group or your operational partners
Everest We have nothing to do with him People often get arrested just for being loosely connected to leak sites or maybe being part of a chain of compromised proxy serverspp ppQ7 What criteria do you use to decide whether to exploit a breach yourselves as you claim you did with Collins Aerospace versus selling the access to a third party
Everest We havent practiced that in many years and dont plan topp ppQ8 Your site featured a passwordprotected News For CEO section related to this incident What specific information did you provide in that section and what were the full negotiation terms and final requested financial amount
Everest This section was intended solely for the companys leadership and will not be disclosed We will keep the amount private The main goal of the publication was to get acknowledgment of the incident and responsibility for it without trying to hide what happened behind the loud label ransomwarepp ppQ9 Regarding your public claim that Collins Aerospace was motivated by insurance fraud what evidence or observations led you to this specific conclusion
Everest This is based on the timeline of events They were aware of the issue for eight days before shutting down the servers We are not stating it as a fact but their behavior and timing look too coordinated to be a coincidence The term ransomware says it all Its the easiest way to blame a virus and do whatever they wanted Replacing old systems during such a big incident also let them get an insurance payout They didnt have to warn millions of people that moving to new systems would be slow difficult and expensive This situation worked in their favor avoiding millions in losses and lawsuits Since they didnt pay us they now face potential classaction claims from millions of people Insurance for a ransomware event must pay while simply shutting down servers without a reason would not have triggered a payout They set it up to benefit themselves We dont use ransomware and everyone knows it RTX made a big mistake by not checking this more carefully and probably didnt expect us to make this public or show the correspondencepp ppQ10 Weve observed several public events related to your infrastructure including intermittent downtime after both the Collins and Colonial Pipeline claims as well as a public defacement in April 2025 Could you comment on these operational challenges
Everest Most of the time these were DDoS attacks We are prepared for that The main thing is that the information we publish cannot be destroyed even if the servers are shut down It stays online After the April events we updated the site and infrastructure and it did not affect us at allpp ppQ11 Why have you chosen to speak with the media about this attack What message are you trying to send to the cybersecurity community the public and potential victims with the interview
Everest Staying silent only helps those who are trying to hide their mistakes We show how systemic negligence affects real peoples lives The Collins Aerospace case clearly demonstrates how closedness and careless security can lead to complete chaospp ppQ12 Finally your groups tactics have visibly shifted from deploying ransomware to primarily operating as an Initial Access Broker What drove this strategic pivot and what is Everests longterm plan
Everest I wont repeat myself the answer has already been given above Thank you for the interviewpppp Daily Dark Web 2024 ppDaily Dark Web 2024 p
Everest Everest is a small group of IT specialists who study how large infrastructures manage their digital security When companies handling critical data are careless we draw attention to it We focus on documents analyzing fileslogs messages email and other internal information helps show the real picture not just the companys words We search for proof of mismanagement and wrongdoing that companies often try to cover up behind official statements We do not use ransomware we do not damage infrastructure and we do not block systems Our work involves analyzing finding valuable documents and publishing facts that companies usually try to hidepp ppQ2 Are your operations purely financially driven or are there geopolitical factors that influence your choice of targets Can you clarify if Everest operates as a fully independent entity or if you maintain affiliations with other groups or any statelevel actors
Everest Everest is a commercial organization and we dont hide that We earn money for our work just like any professional who spends time resources and knowledge on their job The financial part is needed to cover expenses infrastructure and risks But money is not our only motivation We work independently without support or influence from governments or other groups When we see systemic incompetence carelessness or outdated decisions that put millions of users at risk we take action First comes the business side but behind it is a principle we dont ignore negligence that affects peoples safety The situation with Collins Aerospace is not unique Similar incidents happen regularly and the reason is usually the same careless management of infrastructure The problem is not just this specific incident but the overall approach to security a culture that focuses on metrics rather than real protection of datapp ppQ3 Was Collins Aerospace or its parent RTX a specific target for your group or was this discovery opportunistic
Everest The access to the FTP server came to us by chance Seeing a major aerospace company storing operational data with such a weak password which according to some researchers had already leaked online in 2022 was shocking After that our interest shifted from just technical to public How can a company responsible for the safety of millions of passengers allow this kind of negligencepp ppQ4 Since the Collins Aerospace incident you have also claimed breaches at Air Arabia and Dublin Airport Is the aerospace and aviation sector a new strategic focus for your group and if so why
Everest No aviation is not our main focus The reason we highlight these cases is simple In aviation the results of carelessness are obvious right away Thousands of flights are delayed and millions of passengers are affected We point out these incidents because a single vulnerable server or a small configuration mistake can paralyze an entire transport system It is not about choosing a target It is about showing where the cost of negligence is most visiblepp ppQ5 Public reports attribute the airport disruptions to HardBit ransomware yet your group explicitly denies using ransomware Investigations connect both of your names Everest and HardBit to the Collins Aerospace incident Can you clarify this discrepancy As a known Initial Access Broker did you sell network access to a HardBit affiliate after your initial breach or do you claim these were two entirely separate attacks
Everest We did not use any ransomware and no encryption took place The link between Everest and HardBit might be someones mistake or a deliberate false report in the media We did not sell or give anyone access to encrypt the systems Our correspondence with Collins did not mention encryption at all It was only about various operational detailspp ppQ6 A suspect was arrested in the UK in connection with the Collins Aerospace attack Can you confirm if this individual was affiliated with your group or your operational partners
Everest We have nothing to do with him People often get arrested just for being loosely connected to leak sites or maybe being part of a chain of compromised proxy serverspp ppQ7 What criteria do you use to decide whether to exploit a breach yourselves as you claim you did with Collins Aerospace versus selling the access to a third party
Everest We havent practiced that in many years and dont plan topp ppQ8 Your site featured a passwordprotected News For CEO section related to this incident What specific information did you provide in that section and what were the full negotiation terms and final requested financial amount
Everest This section was intended solely for the companys leadership and will not be disclosed We will keep the amount private The main goal of the publication was to get acknowledgment of the incident and responsibility for it without trying to hide what happened behind the loud label ransomwarepp ppQ9 Regarding your public claim that Collins Aerospace was motivated by insurance fraud what evidence or observations led you to this specific conclusion
Everest This is based on the timeline of events They were aware of the issue for eight days before shutting down the servers We are not stating it as a fact but their behavior and timing look too coordinated to be a coincidence The term ransomware says it all Its the easiest way to blame a virus and do whatever they wanted Replacing old systems during such a big incident also let them get an insurance payout They didnt have to warn millions of people that moving to new systems would be slow difficult and expensive This situation worked in their favor avoiding millions in losses and lawsuits Since they didnt pay us they now face potential classaction claims from millions of people Insurance for a ransomware event must pay while simply shutting down servers without a reason would not have triggered a payout They set it up to benefit themselves We dont use ransomware and everyone knows it RTX made a big mistake by not checking this more carefully and probably didnt expect us to make this public or show the correspondencepp ppQ10 Weve observed several public events related to your infrastructure including intermittent downtime after both the Collins and Colonial Pipeline claims as well as a public defacement in April 2025 Could you comment on these operational challenges
Everest Most of the time these were DDoS attacks We are prepared for that The main thing is that the information we publish cannot be destroyed even if the servers are shut down It stays online After the April events we updated the site and infrastructure and it did not affect us at allpp ppQ11 Why have you chosen to speak with the media about this attack What message are you trying to send to the cybersecurity community the public and potential victims with the interview
Everest Staying silent only helps those who are trying to hide their mistakes We show how systemic negligence affects real peoples lives The Collins Aerospace case clearly demonstrates how closedness and careless security can lead to complete chaospp ppQ12 Finally your groups tactics have visibly shifted from deploying ransomware to primarily operating as an Initial Access Broker What drove this strategic pivot and what is Everests longterm plan
Everest I wont repeat myself the answer has already been given above Thank you for the interviewpppp Daily Dark Web 2024 ppDaily Dark Web 2024 p
