Website of Everest ransomware group hacked and defaced

📟 News

Date: 08/04/2025

Last weekend, the darknet website of the Everest ransomware group was hacked and went offline. The attackers replaced its content with a sarcastic message: “Don’t do crime CRIME IS BAD xoxo from Prague.”

Apparently, Everest operators took down their website after the attack: the resource cannot be loaded and displays an “Onion site not found” error message.

It’s not yet known how the attackers gained access to the Everest website and whether it was actually hacked. Tammy Harper, Senior Threat Intelligence Researcher at Flare, and other experts believe that a potential WordPress vulnerability could be exploited in this attack.

According to Harper, Everest used a WordPress template in their blog, and this could be the case.

The Everest ransomware group has been active since 2020. Over the past years, it completely changed its tactics: from ‘standard’ data thefts for subsequent extortion to the use of ransomware that encrypts compromised systems.

In addition, Everest resells gained accesses to organizations’ networks to other hacker groups and cybercriminals.

Over the five years of activity, Everest published information about 230 victims on its darknet website. The resource was used to implement a classic double extortion scheme: hackers forced victims to pay a ransom under the threat of disclosing stolen sensitive data.

In August 2024, the United States Department of Health and Human Services warned that Everest is increasingly frequently targeting healthcare organizations in the US.

US authorities implicate Everest in several attacks, including data leaks from NASA and the Brazilian government.

Related posts:
2025.04.04 — Privilege escalation vulnerability in Google Cloud resulting in sensitive data leaks finally patched

Tenable Research revealed details of a recently patched privilege escalation vulnerability in Google Cloud Platform (GCP) Cloud Run enabling an attacker to gain access to container images…

Full article →
2025.01.28 — J-magic backdoor attacked Juniper Networks devices using 'magic packets'

A massive backdoor attack targeting Juniper routers often used as VPN gateways has been uncovered. The devices were attacked by the J-magic malware that…

Full article →
2025.02.14 — 12,000 Kerio Control firewalls remain vulnerable to RCE

Security experts report that more than 12,000 GFI Kerio Control firewall instances remain vulnerable to the critical RCE vulnerability CVE-2024-52875, which was fixed…

Full article →
2025.01.24 — Hundreds of websites impersonating Reddit and WeTransfer spread Lumma Stealer

Sekoia researcher crep1x discovered that hackers are currently using some 1,000 pages impersonating Reddit and WeTransfer. Victims visiting these sites are tricked into…

Full article →
2025.04.15 — Hackers exploit authentication bypass bug in OttoKit WordPress plugin

Hackers exploit an authentication bypass vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin used by more than 100,000 websites. First attacks were recorded just…

Full article →
2025.02.25 — More than 100,000 users downloaded SpyLend malware from Google Play Store

According to Cyfirma, a malicious Android app called SpyLend was available on the official Google Play Store for some time and has been downloaded from there…

Full article →
2025.03.10 — Nearly a million Windows computers impacted by a malvertising campaign

According to Microsoft, nearly 1 million Windows devices fell victim to a sophisticated malvertising campaign in recent months. Cybercriminals were able to steal credentials, cryptocurrency, and sensitive…

Full article →
2025.04.10 — April updates released by Microsoft cause issues with Windows Hello

Microsoft warns that some Windows users who have installed the April updates might be unable to login to their Windows services using Windows Hello facial recognition…

Full article →
2025.02.17 — Dutch police seize 127 servers belonging to Zservers hosting provider

Following the introduction of international sanctions against Zservers, Russian 'bulletproof' hosting services provider, the Dutch National Police (Politie) shut down and seized 127 servers belonging to Zservers/XHost.…

Full article →
2025.02.07 — 768 vulnerabilities were exploited by hackers in 2024

According to VulnCheck, 768 CVEs were registered as exploited in real-life attacks in 2024. This is 20% greater compared to 2023 when hackers exploited 639 vulnerabilities. Interestingly,…

Full article →