Everest ransomware group’s darknet site offline following defacement

The darknet leak site used by the ransomware gang Everest went offline Monday after being apparently hacked and defaced over the weekend.

Victim listings on the site for the Russian-speaking group, linked to an attack on cannabis dispensary STIIIZY earlier this year, were replaced by a simple message over the weekend.

“Don’t do crime CRIME IS BAD xoxo from Prague” stated the defacement, which took place over the weekend. The site itself went offline on Monday.

It is not clear whether the incident is legitimate or who may be behind it.

Law enforcement disruption operations, which have expanded in recent years, usually replace the sites they target with a splash page announcing the operation and identifying the agencies involved.

Criminal groups sometimes perform “exit scams” such as AlphV/BlackCat which forged a law enforcement notice last year in order to steal funds from an affiliate in the wake of a devastating attack on Change Healthcare.

The Everest defacement does not purport to come from a law enforcement agency, and to-date no affiliates have been identified complaining about being scammed on cybercrime forums.

It comes as Western authorities scramble to deal with the threat posed by the financially-motivated criminals, including disruption operations which have sowed disarray in the ransomware ecosystem, particularly the operation targeting LockBit.

The British government is currently considering banning public sector bodies from making extortion payments, and requiring all victims to report incidents to the government, in a bid to starve the ransomware ecosystem of its revenues.

Alongside the LockBit disruption and the AlphV/BlackCat exit scam, extortion payments dropped for the first time in years in 2024 according to a report by Chainalysis.