Everest ransomware group’s Tor website down after defacement

  • by Yadullah Abidi
  • 2 min read

Illustration: JMiks | Shutterstock

The Everest ransomware gang’s Tor website has gone offline after an unknown hacker gained access to the home page, removed victim listings, and added a message saying, “Don’t do crime CRIME IS BAD xoxo from Prague.”

No other threat actor has claimed responsibility for the attack so far. Prague is not particularly known for cybercrime groups that target their rivals either, so this could be anything from a revenge attack to a competing group taking Everest down. It is also possible that the defacement and subsequent takedown were carried out by law enforcement; however, agencies usually replace a seized site's home page with a banner naming the organisations involved in the takedown and stating the reason for it.

The single-line, cryptic message could also simply be an exit scam by the group itself. Ransomware groups are known to disappear for a while and resurface a couple of years later with a new encryptor or modus operandi to keep law enforcement off their tails.

The cybercrime group has been active since at least 2020. In the five years since its inception, it has listed over 200 victims on its dark web leak site. The group initially operated without any specific target profile, but the US Department of Health and Human Services (HHS) warned in August 2024 that attacks on US healthcare organisations had been increasing since 2021.

No links to any government have been discovered for Everest, although it does use a ransomware strain previously linked to a Russian ransomware operation. The group also relies on several popular, publicly available tools and often gains initial access through remote access tools.

Yadullah Abidi

Yadullah is a Computer Science graduate who writes, edits, shoots and codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He has been writing and reporting on tech and cybersecurity for websites such as Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.