Cannabis industry is apparent target of Everest Ransomware, security experts warn

Help shape our annual “Diversity in Cannabis” special report by filling out our business survey here!


Image of multiple skull and crossbones with blue tinting hovering above red circuitry

(Image by Skórzewiak/stock.adobe.com)

Image of Ben Taylor
Ben Taylor (Courtesy photo)

(This is a contributed guest column. To be considered as an MJBizDaily guest columnist, please submit your request here.)

The Everest Ransomware group appears to have set its sights on the marijuana industry, according to the Cannabis Information Sharing & Analysis Organization (Cannabis ISAO).

On Monday, a second cannabis operator within one week appeared as a ransomware victim on Everest’s dark-web blog.

The second claimed victim is listed as a client of the first victim, a software-as-a-service vendor.

This potential connection highlights third-party vendor risk and the potential for Everest to continue branching out and targeting the industry.

Cyber threat background

Ransomware groups utilize data-leak sites, also known as “name and shame” blogs on the dark web, in an effort to pressure victims into paying ransoms.

It is important to remember that just because an organization appears on one of these sites does not mean their networks were breached.

But multiple organizations within the same industry being referenced in a short period of time suggests there might be a legitimate threat. (MJBizDaily has agreed not to identify the alleged victims.)

The U.S. Department of Health and Human Services (HHS) recently published a Threat Actor Profile about Everest after its increased targeting of health care organizations.

“Everest appears to have morphed into what is known as an ‘initial access broker,’ meaning their role in the underground Russian ransomware economy is to facilitate ransomware attacks by initially gaining unauthorized access to a victim organization,” John Riggi, national adviser for cybersecurity and risk at the American Hospital Association, said in August.

“They then sell the unauthorized access to other gangs, who conduct the ransomware attack.”

Understanding cybersecurity threats

The Cannabis ISAO recommends that organizations maintain situational awareness of ongoing cybersecurity threats to better understand where they might be most at risk.

Doing so can help network defenders better prioritize their information-security activities, particularly for implementing software patches.

“We always encourage organizations to understand the threat environment,” said Jennifer Lyn Walker, director of cyber defense at Gate 15, a threat-management company in Virginia.

“As the cyberthreat landscape changes faster than most individual organizations can keep up, collective defense – organizations working together, sharing information within and across industries – is key to defending against today’s cyberthreats.”

Third-party risk management and ransomware defense

Third-party risk is any risk brought on to an organization by external parties in its ecosystem or supply chain.

The marijuana industry experienced this firsthand in 2022, when a cyberattack on Ontario Cannabis Store’s logistics partner impacted product delivery to retailers.

“As a nascent and growing industry, our vendors may be at a different stage in their cybersecurity journey,” advised Chris Clai, director of information security for Chicago-based marijuana multistate operator Green Thumb Industries.

“It’s important that any third-party risk program not only assesses and monitors our vendors for potential risks but also establishes a healthy partnership wherein our IT resources may have to offer expertise to ensure continued iterations and improvements on the overall security resilience of both vendor and customer.”

The Cybersecurity & Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security maintains the Stop Ransomware site, which features best practices for both mitigation and response, including its #StopRansomware Guide.

In the wake of ransomware attacks in 2023 against Caesars Entertainment and MGM Resorts, Lisa Plaggemier, executive director of the Washington, D.C.-based National Cyber Security Alliance told Casino.org that “the best way to deal with a ransomware attack is to practice having one, to do tabletop exercises.”

“You bring in outside consultants, a third party that runs you through an exercise where you practice having an incident and everybody knows what their role is and how they would respond,” Plaggemier continued.

“That can help you find weaknesses, maybe in the way your backup processes are built or in your response plan.”

Additional ransomware best practices that organizations should be considering include:

2024 MJBiz Factbook – now available!  

Exclusive industry data and analysis to help you make informed business decisions and avoid costly missteps. All the facts, none of the hype. 

Featured inside: 

  • Financial forecasts + capital investment trends 
  • 200+ pages and 49 charts highlighting key data figures and sales trends 
  • State-by-state guide to regulations, taxes & market opportunities
  • Monthly and quarterly updates, with new data & insights
  • And more!

Defending against Everest

While the CISA’s site provides a good one-stop shop for general ransomware defense, the previously mentioned Threat Actor Profile from the HHS offers some specific Indicators of Compromise (IOCs) related to Everest.

Cannabis organizations are encouraged to work with internal information security teams or managed security service providers (MSSPs) to scan for the below IOCs featured in the HHS’ profile:

Indicator Type Description
netscan.exe File Name SoftPerfect Network Scanner
netscanpack.exe File Name This was unable to be analyzed during the investigation.
svcdsl.exe File Name SoftPerfect Network Scanner Portable
Winrar.exe File Name Popular archiving tool, which supports encryption.
subnets.txt File Name Network Discovery output file
trustdumps.txt File Name Network Discovery output file
I.exe File Name Metasploit payload
hXXp://3.22.79[.]23:8080/ URL Site hosting Cobalt Strike beacon
hXXp://3.22.79[.]23:8080/a URL Site hosting Cobalt Strike beacon
hXXp://3.22.79[.]23:10443/ga.js URL Cobalt Strike C2
hXXp://18.193.71[.]144:10443/match URL Cobalt Strike C2
hXXp://45.84.0[.]164:10443/o6mj URL Meterpreter C2

Ben Taylor is the executive director of the Virginia-based Cannabis Information Sharing & Analysis Organization, where he focuses on identifying and disseminating critical physical security and cybersecurity threat intelligence to the marijuana industry. He can be reached at ben@cannabisisao.org.