The dark web leak site of the notorious Everest ransomware gang was mysteriously taken offline over the weekend after apparently being hacked by an unknown attacker. The site, which once hosted data stolen from over 230 victims, now displays a cryptic and sarcastic message mocking the criminal gang.
The message reads: "Don't do crime CRIME IS BAD xoxo from Prague," and replaces the usual contents of the site, which previously hosted stolen corporate data as part of the gang's double-extortion scheme. The site now leads to a page that shows an "Onion site not found" error, indicating that the operation has been disrupted.
While details surrounding the attack remain scarce, experts speculate that the Everest gang’s use of a WordPress template for their leak site might have played a key role in the breach.
"It is worth mentioning that Everest was using a WordPress template for their blog. I would not be surprised if that was how this happened," said Tammy Harper, senior threat intelligence researcher at Flare.
The Everest ransomware group, which first emerged in 2020, has evolved over time, shifting from a simple data-theft operation into a multi-faceted attack strategy. Initially, the gang focused on stealing sensitive corporate data to extort victims, but it later adopted ransomware techniques to also encrypt systems and demand larger ransoms. The gang is also known to act as an initial access broker, selling access to compromised networks to other cybercriminals.
Everest’s leak site had become notorious for publicly shaming its victims, while threatening the release of sensitive files unless the ransom was paid.
In August 2024, the US Department of Health and Human Services issued a warning about the Everest gang’s increasing focus on healthcare organizations, a sector that has become a frequent target for ransomware attacks.