Everest ransomware group’s darknet site offline following defacement


The darknet leak site used by the ransomware gang Everest went offline Monday after being apparently hacked and defaced over the weekend.

Victim listings on the site, which belongs to a Russian-speaking group linked to an attack on cannabis dispensary STIIIZY earlier this year, were replaced over the weekend by a simple message.

“Don’t do crime CRIME IS BAD xoxo from Prague” read the defacement. The site itself went offline on Monday.

It is not clear whether the incident is legitimate or who may be behind it.

Law enforcement disruption operations, which have expanded in recent years, usually replace the sites they target with a splash page announcing the operation and identifying the agencies involved.

Criminal groups sometimes perform “exit scams”: AlphV/BlackCat, for example, forged a law enforcement seizure notice last year in order to steal funds from an affiliate in the wake of a devastating attack on Change Healthcare.

The Everest defacement does not purport to come from a law enforcement agency, and to date no affiliates have been identified complaining on cybercrime forums about being scammed.

It comes as Western authorities scramble to deal with the threat posed by financially motivated ransomware criminals, including through disruption operations that have sown disarray in the ransomware ecosystem, particularly the operation targeting LockBit.

The British government is currently considering banning public sector bodies from making extortion payments, and requiring all victims to report incidents to the government, in a bid to starve the ransomware ecosystem of its revenues.

Following the LockBit disruption and the AlphV/BlackCat exit scam, ransomware extortion payments fell in 2024 for the first time in years, according to a report by Chainalysis.


Alexander Martin

is the UK Editor for Recorded Future News. He was previously a technology reporter for Sky News and is also a fellow at the European Cyber Conflict Research Initiative.

 
