
Exegy Inc potentially a victim of a ransomware group called Everest


So I came across the most interesting thing this morning while sitting back and enjoying my cup of coffee.

It looks like Exegy Inc has potentially been the victim of a ransomware group called Everest, and from sources online it looks like they penetrated a flaw in CrushFTP on a public-facing server.

Looking up the DNS record for download.exegy.com, you can see the A records point to the following IPs (199.191.53.236 & 216.99.213.236), which are in their own ARIN block.

Looking over Shodan to see what exists for Exegy (because I don't want my fingerprints on this at all), I stumbled across the CrushFTP HTTP servers that were the target, according to what was stated on a previous page.

You can see Exegy Inc information on Shodan at the following URL:

https://www.shodan.io/search?query=org%3A%22Exegy+Incorporated%22

It does make me wonder how long it took Exegy to become aware of the breach, and whether these outputs are from the same flawed version or an updated version of CrushFTP, since this is from after the event.

You can look up the potential flaw if interested; it might be one of these, if it is known.

I am unsure how far this group Everest made it through their internal network, but it looks like they potentially took over 3 TB of data, according to the following source:

I really hope they didn't penetrate the internal network fully, but hopefully this is a wake-up call to Exegy Inc about how important security really is. I would suggest they move all public-facing services to an outside source and not host them internally.

On DeXpose, the following is stated: “The full leak will be published soon, unless a company representative contacts us via the channels provided.”

This makes me wonder if Exegy has tried contacting them, or has even reported any of the matter to the FBI so they could fully investigate it.

Even though I wasn't aware of this flaw regarding them, because I have never tried scanning any of their public-facing services for flaws or vulnerabilities, it does make me wonder if the FBI or someone will be reaching out to me regarding this, due to the ongoing situation between Exegy and me.

Due to their history of lying, it does make me think they might notify the authorities, stating I might be behind this event.

I will state the following:

  • I had nothing to do with this and don't even know anyone in any of these ransomware groups.

  • I have never exposed any of the known flaws that I am aware of to anyone besides Exegy and attorneys.

  • Everyone I am aware of is a white hat, and some of them have security clearances.

Stay safe, kids; security is an evolving world, and it should really be a top priority, especially when you are part of critical infrastructure.

After doing some research, I found the Everest onion webpage and noticed Exegy Inc was no longer listed on it.

So I decided to reach out to Everest over Tox to see whether they paid or not and, if so, how much...

This was obtained from the following URL:

https://www.ransomlook.io/group/everest

The image above is a screenshot from Tor (http://ransomocmou6mnbquqz44ewosbkjk3o5qjsl3orawojexfook2j7esad.onion/).

It looks like the Exegy Inc breach made it onto the FS-ISAC (https://www.fsisac.com/) risk summary report; this was located in a document shared by ICBA (Independent Community Bankers of America).

If you have time, check out this: Exclusive: Everest Ransomware Group Interview on Collins Aerospace Breach.

Some other articles online related to the matter:

Updated on 12/08/2025 @ 4:16pm CST

● Added onion information and my attempt to reach out to Everest.

● Added Exegy CrushFTP HTTP output.

● Added Shodan URL.

● Added Exclusive: Everest Ransomware Group Interview on Collins Aerospace Breach.

● Added FS-ISAC risk summary report found on ICBA.