The Everest ransomware dark web leak site ceases to operate

May 20, 2025

The Everest ransomware gang’s dark web leak site may have been compromised after it recently became unavailable. An unknown threat actor allegedly carried out an attack that forced the group’s site offline.

The unnamed attacker also altered the website’s content. Most notably, the defaced site displayed the message: “Don’t do crime. CRIME IS BAD xoxo from Prague.”

The ransomware gang has since taken the leak site down. It no longer loads and instead returns an “Onion site not found” message.

It is currently unclear how the attacker gained access to the gang’s website, or whether it was in fact hacked. Some security experts suspect that a WordPress vulnerability could have been the vector used to deface the ransomware operation’s leak site.

This suspicion is backed by evidence that Everest used a WordPress template for their blog.


The Everest ransomware organisation has been a headache for various companies for years.


Since its establishment in 2020, the Everest ransomware operation has shifted its strategy from pure data-theft extortion of corporations to also deploying malware that encrypts victims’ infected systems.

Everest operators are also notorious for acting as initial access brokers for other cybercriminal gangs and threat actors, selling access to compromised corporate networks.

Over the past five years, this ransomware organisation has added over 230 victims to its dark web leak site, which it uses in double-extortion operations: victims are threatened with the publication of files containing sensitive information if they do not pay the ransom.

One of its most recent victims is STIIIZY, a popular California-based cannabis business that Everest compromised in November last year. In January, STIIIZY revealed that unknown attackers had hacked its point-of-sale (POS) vendor and stolen customer information such as purchase history and government IDs.

In August 2024, the United States Department of Health and Human Services warned the public that the ransomware group was increasingly targeting healthcare organisations in the country.

Despite the recent defacement of its extortion site, organisations compromised by Everest should not take this lightly. Companies, especially those listed on the dark web leak site, should remain cautious and improve their cybersecurity posture to avoid further incidents.
