High Unverified

Epiq Global Ransomware Attack by Everest (May 2026)

Unverified dark web claim. This report is based on a post observed on a dark web forum. Yazoul Security has not independently verified the authenticity of this claim.

Leak Site Screenshot

Leak site post claiming Epiq Global data breach

Screenshot captured at time of discovery. Image blurred to protect victim PII.


Claim Summary

On May 2, 2026, the Everest ransomware group allegedly added Epiq Global to their dark web leak site. The US-based legal services company, operating under domain epiqglobal.com, is purportedly a victim of a ransomware attack. According to the threat actor’s post, they claim to have exfiltrated data from Epiq Global’s systems, though the volume and specific nature of the stolen information remain undisclosed. This claim has not been independently verified by Yazoul Security.

Epiq Global provides technology-driven legal services including class action administration, bankruptcy case management, eDiscovery, document review, and legal notification. The company serves law firms, corporations, and government entities across multiple countries.

Threat Actor Profile

Everest is a ransomware group first observed in 2020, with 339 known victims according to tracked data. The group operates a double extortion model - encrypting systems while exfiltrating data to use as leverage for payment demands.

Based on publicly available threat intelligence (including HC3 analysis from August 2024), Everest’s known toolset includes:

  • Reconnaissance: SoftPerfect NetScan
  • Credential Access: ProcDump
  • C2 Frameworks: Cobalt Strike, Metasploit, Meterpreter
  • Remote Access: AnyDesk, Atera, Splashtop

Everest typically gains initial access through phishing campaigns, RDP brute-forcing, or exploiting unpatched vulnerabilities. They have historically targeted legal, healthcare, and government sectors. The group’s credibility is moderate - they have successfully completed attacks against multiple victims but have also been known to exaggerate claims or repost old data to pressure victims.

Alleged Data Exposure

The Everest group claims to have stolen data from Epiq Global, but has not provided:

  • Specific data categories (client files, financial records, PII)
  • File count or total data volume
  • Sample files or proof of exfiltration
  • Timeline of when the breach allegedly occurred

Given Epiq Global’s role as a legal services provider handling sensitive litigation data, class action participant information, and corporate legal documents, any confirmed breach would potentially involve highly confidential materials protected by attorney-client privilege.

Potential Impact

If the Everest claim is verified, the impact could include:

  • Legal Exposure: Compromise of privileged attorney-client communications and case strategy documents
  • Regulatory Risk: Potential GDPR, HIPAA, or state breach notification obligations depending on data types
  • Operational Disruption: Interruption of class action administration, bankruptcy filings, and eDiscovery services
  • Reputational Harm: Loss of client trust among law firms and corporate legal departments
  • Financial Costs: Incident response, forensic investigation, legal fees, and potential ransom payment

What to Watch For

Security teams should monitor for:

  • Everest-related IOCs including Cobalt Strike beacon configurations and AnyDesk/Splashtop remote access artifacts
  • YARA rules targeting Everest’s custom tools (available through threat intelligence platforms)
  • Phishing emails impersonating Epiq Global or Everest group communications
  • Unusual network connections to known Everest C2 infrastructure
  • Any public statements from Epiq Global regarding security incidents

For detection guidance, organizations can reference HC3’s August 2024 threat actor profile on Everest (available at aha.org), which includes behavioral indicators and network signatures.
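As an added defensive example (not part of this report or of HC3's material), the rule below triages constructed process-creation records for the Everest-associated tools named above: ProcDump aimed at lsass, SoftPerfect NetScan, and the AnyDesk/Atera/Splashtop remote access agents. The record format, the `sanctioned_rat` parameter and every sample record are assumptions made for illustration.

```python
"""Triage process-creation records for the Everest toolset listed in the report.

Input records are constructed, pipe-delimited lines (assumed format):
    timestamp|host|user|image_path|command_line
Matching is by lower-cased substrings of the image path, so a renamed binary
will not match; treat hits as leads for investigation, not as confirmation.
"""
from typing import List, Tuple

# Substrings of the tools named in the report's Everest profile.
REMOTE_ACCESS = ("anydesk", "atera", "splashtop")
RECON = ("netscan",)
DUMP_TOOLS = ("procdump",)

Alert = Tuple[str, str, str]  # (severity, rule, original record)


def triage(records: List[str], sanctioned_rat: str = "") -> List[Alert]:
    """Return one alert per record that matches Everest-associated tooling.

    sanctioned_rat (hypothetical parameter): substring of a remote access tool
    the organisation legitimately deploys; hits on it are downgraded to "low"
    rather than dropped, because attackers reuse sanctioned tools too.
    """
    alerts: List[Alert] = []
    for rec in records:
        _ts, _host, _user, image, cmdline = rec.split("|", 4)
        image, cmdline = image.lower(), cmdline.lower()
        # Credential access: ProcDump pointed at lsass is the highest-priority hit.
        if any(t in image for t in DUMP_TOOLS) and "lsass" in cmdline:
            alerts.append(("high", "procdump-lsass", rec))
        elif any(t in image for t in RECON):
            alerts.append(("medium", "netscan-recon", rec))
        elif any(t in image for t in REMOTE_ACCESS):
            sev = "low" if sanctioned_rat and sanctioned_rat in image else "medium"
            alerts.append((sev, "remote-access-tool", rec))
    return alerts


# Constructed sample records (not real telemetry from any victim).
SAMPLE = [
    "2026-05-02T01:12:03Z|ws-12|jdoe|C:\\Users\\jdoe\\Downloads\\AnyDesk.exe|AnyDesk.exe --silent",
    "2026-05-02T01:15:40Z|ws-12|jdoe|C:\\Temp\\procdump64.exe|procdump64.exe -ma lsass.exe out.dmp",
    "2026-05-02T01:20:11Z|srv-01|svc_it|C:\\Program Files\\Splashtop\\SRServer.exe|SRServer.exe",
    "2026-05-02T01:22:59Z|ws-12|jdoe|C:\\Temp\\netscan.exe|netscan.exe",
    "2026-05-02T02:00:00Z|ws-03|asmith|C:\\Windows\\System32\\notepad.exe|notepad.exe",
]

if __name__ == "__main__":
    for sev, rule, rec in triage(SAMPLE, sanctioned_rat="splashtop"):
        print(sev, rule, rec.split("|")[1], rec.split("|")[3])
```

The user-profile AnyDesk launch and the ProcDump record on the same host within minutes are the pattern worth pivoting on; correlate by host and time rather than reviewing each hit in isolation.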

Disclaimer

This report is based solely on an unverified claim posted by the Everest ransomware group on their dark web leak site. Yazoul Security has not independently confirmed the breach, data exfiltration, or any specific details of the alleged attack. Ransomware groups routinely exaggerate or fabricate claims to pressure victims into payment. Organizations should treat this information as intelligence requiring verification and not as confirmed fact. No PII, credentials, download links, or access methods are provided in this report. For official updates, refer to Epiq Global’s communications channels.
