In a surprising turn of events, the Everest ransomware gang’s dark web leak site was infiltrated and defaced over the weekend. The site, typically used by the group to publish stolen data as leverage to extort victims into paying ransoms, was replaced with a message stating: “Don’t do crime CRIME IS BAD xoxo from Prague.” As of now, the defacement remains, and it is unclear whether the hackers behind this act accessed or exfiltrated any data from Everest’s servers.
Everest, a Russia-linked ransomware group active since 2020, has been responsible for numerous high-profile cyberattacks. Its targets have spanned various sectors; notable incidents include the theft of over 420,000 customer records from the cannabis retail chain Stiizy. Additionally, the U.S. government has attributed several breaches to Everest, notably incidents involving NASA and the Brazilian government.
The group’s modus operandi involves encrypting victims’ data and demanding ransom payments for decryption keys. They also threaten to release sensitive information publicly if their demands are not met. This dual-threat approach has placed immense pressure on organizations to comply, often leading to significant financial and reputational damage.
Interestingly, Everest has also been observed acting as an Initial Access Broker, a role where they sell unauthorized access to compromised networks to other cybercriminals. This behavior is relatively uncommon among ransomware groups, as direct attacks typically yield higher financial returns. The shift towards brokering access may indicate strategic changes within the group, possibly to evade law enforcement scrutiny or adapt to personnel changes.
The recent defacement of Everest’s leak site highlights the vulnerabilities that even sophisticated cybercriminal organizations face. Security researchers have previously identified flaws in ransomware gangs’ infrastructure, leading to successful interventions that prevented victims from paying ransoms. For instance, in August 2024, security flaws in ransomware leak sites helped save six companies from paying hefty ransoms. These incidents underscore the importance of robust cybersecurity measures and the potential for counter-offensives against cybercriminals.
While the identity and motives of the individuals behind the defacement remain unknown, this event serves as a reminder of the ever-evolving landscape of cybersecurity threats and the continuous cat-and-mouse game between cybercriminals and those who oppose them.