Website of Everest ransomware group hacked and defaced

📟 News

Date: 08/04/2025

Last weekend, the darknet website of the Everest ransomware group was hacked and went offline. The attackers replaced its content with a sarcastic message: “Don’t do crime CRIME IS BAD xoxo from Prague.”

Apparently, Everest operators took down their website after the attack: the resource cannot be loaded and displays an “Onion site not found” error message.

It’s not yet known how the attackers gained access to the Everest website and whether it was actually hacked. Tammy Harper, Senior Threat Intelligence Researcher at Flare, and other experts believe that a potential WordPress vulnerability could be exploited in this attack.

According to Harper, Everest used a WordPress template in their blog, and this could be the case.

The Everest ransomware group has been active since 2020. Over the past years, it completely changed its tactics: from ‘standard’ data thefts for subsequent extortion to the use of ransomware that encrypts compromised systems.

In addition, Everest resells gained accesses to organizations’ networks to other hacker groups and cybercriminals.

Over the five years of activity, Everest published information about 230 victims on its darknet website. The resource was used to implement a classic double extortion scheme: hackers forced victims to pay a ransom under the threat of disclosing stolen sensitive data.

In August 2024, the United States Department of Health and Human Services warned that Everest is increasingly frequently targeting healthcare organizations in the US.

US authorities implicate Everest in several attacks, including data leaks from NASA and the Brazilian government.

Related posts:
2025.03.18 — Black Basta ransomware group developed its own automated brute-forcing framework

According to EclecticIQ, Black Basta Ransomware-as-a-Service (RaaS) group has developed its own automated brute-forcing framework dubbed BRUTED. It's used to hack edge network devices…

Full article →
2025.02.05 — Google patches Android zero-day vulnerability exploited by hackers

Google released the February set of patches for Android. In total, they fix 48 bugs, including a kernel zero-day vulnerability actively exploited by hackers. The zero-day's…

Full article →
2025.04.15 — Hackers exploit authentication bypass bug in OttoKit WordPress plugin

Hackers exploit an authentication bypass vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin used by more than 100,000 websites. First attacks were recorded just…

Full article →
2025.01.23 — Fake Telegram CAPTCHA forces users to run malicious PowerShell scripts

Hackers used the news of Ross Ulbricht pardoning to lure users to a rogue Telegram channel where they are tricked into running malicious PowerShell code. This…

Full article →
2025.02.17 — Dutch police seize 127 servers belonging to Zservers hosting provider

Following the introduction of international sanctions against Zservers, Russian 'bulletproof' hosting services provider, the Dutch National Police (Politie) shut down and seized 127 servers belonging to Zservers/XHost.…

Full article →
2025.02.10 — Failed attempt to block phishing link results in massive Cloudflare outage

According to the incident report released by Cloudflare, an attempt to block a phishing URL on the R2 platform accidentally caused a massive outage; as a result, many Cloudflare…

Full article →
2025.04.22 — Scammers pose as FBI IC3 specialists, offer 'assistance' to fraud victims

According to the FBI, scammers impersonating employees of the FBI Internet Fraud Complaint Center (IC3) contact fraud victims offering them 'assistance' in getting their money…

Full article →
2025.03.16 — Researchers force DeepSeek to write malware

According to Tenable, the AI chatbot DeepSeek R1 from China can be used to write malware (e.g. keyloggers and ransomware). DeepSeek was released in January 2025 and caused a stir…

Full article →
2025.02.14 — 12,000 Kerio Control firewalls remain vulnerable to RCE

Security experts report that more than 12,000 GFI Kerio Control firewall instances remain vulnerable to the critical RCE vulnerability CVE-2024-52875, which was fixed…

Full article →
2025.02.23 — New JavaScript obfuscation technique uses invisible Unicode characters

According to Juniper Threat Labs , a new JavaScript obfuscation technique that uses invisible Unicode characters was used in a phishing attack targeting Political Action…

Full article →