Everest Ransomware Group’s Tor Leak Site Offline Following Defacement Attack

Explore the recent defacement attack on the Everest ransomware group's Tor leak site, leading to its current offline status. Discover the implications and potential reasons behind this cyber incident.

TL;DR

The Everest ransomware group’s darknet site went offline after being hacked and defaced, with a message discouraging cybercrime left on the homepage. The incident raises questions about the group’s future activities and potential exit scam.

Over the weekend, the Everest ransomware group’s darknet site experienced a significant disruption after being hacked and defaced. The site, which has been a hub for the group’s malicious activities since 2020, is currently offline. The defacement left a clear message on the homepage: “Don’t do crime CRIME IS BAD xoxo from Prague.” This act of cyber vandalism has sparked speculation about the group’s future and the motives behind the attack.

Key Details of the Incident

Defacement Message

The hackers replaced the victim listings on the Everest group’s site with a straightforward message condemning criminal activities. Following the defacement, the site went down and remains offline. No threat actor has claimed responsibility for the defacement, leaving room for various theories, including the possibility of an exit scam by the Everest group.

Group’s History and Activities

The Everest ransomware group has been active since 2020, initially focusing on data theft extortion before evolving into ransomware operations and initial access broker activities. Over the past five years, the group has listed more than 200 victims on its dark web leak site, including high-profile targets like the US marijuana dispensary STIIIZY [1].

Targeting Healthcare Organizations

In August 2024, the U.S. Department of Health and Human Services (HHS) issued a warning about the Everest ransomware gang increasingly targeting healthcare organizations across the U.S. The group’s operations have become more sophisticated, leveraging common publicly available tools and various remote access methods to gain initial entry into systems. The ransomware strain has previously been linked to a Russia-based operation [2].

“The Everest ransomware group has been active since 2020, engaging in data extortion and ransomware operations, along with initial access broker (IAB) activity. The group has increasingly targeted the healthcare industry since 2021 and claimed responsibility for a recent incident impacting a surgical facility in the United States.” - U.S. Department of Health and Human Services [3].

Implications and Future Outlook

The defacement of the Everest ransomware group’s site raises several questions about the group’s future operations. The incident could be an exit scam, a retaliatory attack by a rival group, or an act by ethical hackers aiming to disrupt criminal activities. The current offline status of the site suggests a significant disruption in the group’s operations, but it remains to be seen whether this is a temporary setback or a permanent shutdown.

References

  1. Security Affairs (2025). “Marijuana Dispensary STIIIZY Data Breach”. Retrieved 2025-04-08.

  2. Security Affairs (2024). “South Africa Eskom Everest Ransomware”. Retrieved 2025-04-08.

  3. U.S. Department of Health and Human Services (2024). “Everest Ransomware Threat Actor Profile Alert”. Retrieved 2025-04-08.

This post is licensed under CC BY 4.0 by the author.