Pierluigi Paganini
April 08, 2025
The Everest ransomware gang’s darknet site went offline after being hacked and defaced, with victim listings replaced by the following message.
“Don’t do crime CRIME IS BAD xoxo from Prague” read the message published on the site’s homepage after the defacement. Later, the site went down and currently it is still offline.
No threat actor has yet claimed responsibility for the defacement. We cannot exclude the fact that the incident is an exit scam of the group.
The group has been active since 2020, the operation has evolved from data theft extortion to using ransomware and initial access broker activity. In 5 years, Everest listed more than 200 victims on its dark web leak site, including the US marijuana dispensary STIIIZY.
In August 2024, the U.S. HHS warned that the Everest ransomware gang was increasingly targeting healthcare organizations across the U.S.
“The Everest ransomware group has been active since 2020, and has engaged in data extortion and ransomware operations, along with initial access broker (IAB) activity. The group has increasingly targeted the healthcare industry since 2021, and claimed responsibility for a recent incident impacting a surgical facility in the United States.” reads the threat actor profile issued by the U.S. Department of Health and Human Services. “The group leverages a variety of common publicly available tools in its attacks, and is known to obtain initial access via various remote access tools and methods. The ransomware strain was previously linked to a Russia-based ransomware operation.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, newsletter)
