
Everest Ransomware Hits Frost and Citizens: SAMA CSCC Lessons

Everest's April 2026 attacks on Frost Bank and Citizens Financial expose data-first extortion tactics SAMA-regulated banks must defend against now.

FyntraLink Team

Everest, an extortion crew that started 2024 as a footnote, walked onto the dark web on April 20, 2026 carrying records it claims to have stolen from Frost Bank and Citizens Financial Group — two of the largest U.S. banks by assets. The pattern is unmistakable: identity-led intrusion, quiet exfiltration, then a public auction designed to force payment without ever firing an encryptor. For SAMA-regulated banks in the Kingdom, the message is equally clear — the perimeter is no longer where the fight is decided.

What Everest Hit and How

Everest's leak site posted samples claiming to contain data on roughly 250,000 Frost Bank customers and an unspecified slice of Citizens Financial Group, which carries $227.9 billion in assets as of March 2026. Both banks publicly disputed the scope, but the dump included internal documents, customer PII, and what researchers at multiple threat-intel firms describe as artifacts consistent with stolen Active Directory tokens. Everest did not encrypt — it exfiltrated and extorted, the hallmark of the data-first ransomware playbook that the Sophos State of Ransomware 2026 report flagged as the dominant attack pattern in financial services.

Why Data-First Ransomware Changes the Threat Model

Traditional ransomware playbooks were noisy. Encryption tripped EDR, halted production lines, and forced an incident declaration within hours. Data-first extortion is the opposite: dwell time stretches into weeks, the only externally visible event is a leak-site post, and recovery from backup offers no protection because the data is already gone. Sophos found that 59% of breached financial firms in 2026 had data successfully encrypted, up from 49% a year earlier — but a separate cohort of exfiltration-only victims never appears in the encryption statistic at all. Median ransom demand for the sector now sits at $3 million, the highest of any vertical.

Impact on Saudi Financial Institutions

SAMA CSCC sub-controls 3.3.5 (Cyber Security Event Management) and 3.3.14 (Threat Management) explicitly require continuous monitoring for lateral movement and exfiltration patterns — the exact telemetry Everest evades by living off the land inside compromised identities. NCA ECC controls 2-12 (Web Application Security) and 2-13 (Vulnerability Management) close adjacent gaps, but neither framework alone mandates a specific data loss prevention posture for stealth exfiltration. PDPL Article 20 then sets a 72-hour breach notification window to SDAIA — meaning an Everest-style intrusion discovered weeks after the fact triggers regulatory exposure on top of customer harm. Saudi banks that still treat ransomware as an encryption event will under-invest in the controls that actually matter for this generation of attacker.

The Identity-First Defensive Posture

Every public Everest write-up so far points to the same initial vector category: stolen or phished identity, often a privileged service account or a third-party administrator with standing access. Hardening here is unglamorous but decisive. Phishing-resistant MFA based on FIDO2 or WebAuthn on every privileged path closes the credential-replay vector outright. Tiered admin models, aligned with CIS Controls 6.7 and SAMA CSCC 3.3.7, prevent a help-desk compromise from cascading into a domain administrator takeover. Identity Threat Detection and Response (ITDR) tooling — separate from traditional EDR — surfaces the Kerberoasting attempts, golden-ticket forgeries, and OAuth consent grants that conventional SIEM use cases routinely miss.
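As an added illustration of the ITDR-style use case described above (example code written for this page, not FyntraLink tooling or any vendor product), the following Python flags the Kerberoasting pattern in constructed Windows event 4769 records: one account requesting RC4-HMAC (0x17) service tickets for many distinct service principal names in a short window. The record field names, the SPNs and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security event 4769 (Kerberos service ticket requested)
# records, normalised the way a SIEM might store them. Not real telemetry.
SAMPLE_EVENTS = [
    # an application server requesting its own SQL ticket with AES (0x12): benign
    {"time": "2026-04-20T09:00:01", "account": "app01$",
     "service": "MSSQLSvc/db01.corp.example", "enc_type": "0x12"},
    # a legacy client that still negotiates RC4 for one service: noisy, not an attack
    {"time": "2026-04-20T09:05:30", "account": "legacy-app",
     "service": "HTTP/intranet.corp.example", "enc_type": "0x17"},
]
# one user account asking for RC4 tickets to six different SPNs within 45 seconds
SPNS = ["MSSQLSvc/db01.corp.example", "HTTP/intranet.corp.example",
        "MSSQLSvc/db02.corp.example", "CIFS/fs01.corp.example",
        "HTTP/hr-portal.corp.example", "MSSQLSvc/report01.corp.example"]
SAMPLE_EVENTS += [
    {"time": f"2026-04-20T09:10:{i * 9:02d}", "account": "jdoe",
     "service": spn, "enc_type": "0x17"}
    for i, spn in enumerate(SPNS)
]

RC4_HMAC = "0x17"  # the weak encryption type that makes a stolen ticket crackable offline


def detect_kerberoasting(events, window_seconds=300, min_distinct_spns=5):
    """Return [(account, distinct_spn_count)] for every account that requested
    RC4 service tickets for at least `min_distinct_spns` different SPNs inside
    any span of `window_seconds`. Computer accounts (ending in '$') and krbtgt
    requests are ignored to cut noise from machine-to-machine traffic."""
    window = timedelta(seconds=window_seconds)
    by_account = defaultdict(list)
    for e in events:
        if (e["enc_type"] != RC4_HMAC or e["account"].endswith("$")
                or e["service"].lower().startswith("krbtgt")):
            continue
        by_account[e["account"]].append(
            (datetime.fromisoformat(e["time"]), e["service"]))
    alerts = []
    for account, requests in by_account.items():
        requests.sort()
        for i, (start, _) in enumerate(requests):
            spns = {svc for t, svc in requests[i:] if t - start <= window}
            if len(spns) >= min_distinct_spns:
                alerts.append((account, len(spns)))
                break  # one alert per account is enough for the analyst
    return alerts
```

In a real deployment the same logic runs as a scheduled SIEM query over 4769 events, with the SPN threshold tuned against the environment's baseline of legitimate RC4 requesters.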

Recommendations and Practical Steps

  1. Map every privileged identity, both human and service, against SAMA CSCC 3.3.7 within 30 days; retire any account with standing access that cannot justify it on a business basis.
  2. Enforce phishing-resistant MFA on RDP, VPN, Microsoft 365 admin, AWS and Azure root, and any vendor portal that touches production data.
  3. Deploy egress DLP with content-aware policies for PII, MADA card data, IBAN clusters, and SWIFT message templates; alert on volumetric anomalies, not just exact-match patterns.
  4. Run a tabletop exercise specifically for an exfiltration-only scenario: when does the SDAIA notification clock start, who briefs SAMA, and how is the dark web monitored for first signs of disclosure?
  5. Audit third-party administrators under TPRM for MFA enforcement, session recording, and least privilege, mapping each to SAMA CSCC 3.3.15 supplier security controls.
  6. Expand threat intelligence ingestion to cover dark web monitoring for Saudi bank brand mentions, IBAN ranges, executive names, and corporate domains across the major Russian and English-speaking leak forums.
  7. Review backup architecture for immutability, air-gapping, and recovery testing — but recognize that backups are no longer the primary recovery lever in a data-first attack.
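To illustrate the volumetric part of recommendation 3, here is an added example (written for this page, not a FyntraLink or vendor product) that baselines per-user daily egress from constructed proxy log lines and flags a day that is both large in absolute terms and far above that user's own median, the signal that exact-match DLP patterns miss. The log format, usernames, addresses and thresholds are assumptions.

```python
import re
import statistics
from collections import defaultdict


# Constructed egress proxy log lines (one per outbound connection). Not real traffic.
# Four quiet days for two users; on 2026-04-17 user jdoe pushes ~3.3 GB to an
# unfamiliar host in three overnight connections, while ci-runner is large but steady.
def constructed_log_lines():
    lines = []
    for day in range(13, 18):  # 2026-04-13 .. 2026-04-17
        lines.append(f"2026-04-{day}T09:00:00 user=jdoe dst=198.51.100.20:443 bytes_out=2000000")
        lines.append(f"2026-04-{day}T10:00:00 user=ci-runner dst=198.51.100.9:443 bytes_out=1200000000")
    for hour in ("01", "02", "03"):
        lines.append(f"2026-04-17T{hour}:14:05 user=jdoe dst=203.0.113.7:443 bytes_out=1100000000")
    return lines


LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$")


def daily_egress(lines):
    """Aggregate bytes_out per user per calendar day. Unparseable lines are skipped
    here; a production pipeline should count them, since a parsing gap is a blind spot."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            totals[m["user"]][m["day"]] += int(m["bytes"])
    return totals


def find_volumetric_anomalies(lines, ratio=5.0, min_bytes=500_000_000):
    """Return (user, day, bytes, baseline) for each day on which a user's egress is
    at least `min_bytes` AND more than `ratio` times the median of that user's
    earlier days. The per-user baseline keeps steady bulk movers (build servers,
    backup jobs) from paging the SOC every night."""
    alerts = []
    for user, per_day in daily_egress(lines).items():
        days = sorted(per_day)
        for i in range(1, len(days)):
            baseline = statistics.median(per_day[d] for d in days[:i])
            today = per_day[days[i]]
            if today >= min_bytes and today > ratio * baseline:
                alerts.append((user, days[i], today, baseline))
    return alerts
```

Pairing the alert with the destination (here an address the user never contacted on earlier days) is the natural next enrichment step before it reaches an analyst.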

Conclusion

The Everest campaign against Frost Bank and Citizens Financial is not an outlier — it is the template. Saudi banks operating under SAMA CSCC, NCA ECC, and PDPL must shift the boardroom conversation from "how fast can we restore?" to "how would we ever know that data left the building?" That is an identity, monitoring, and DLP program — not a backup project.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment.