The Federal Bureau of Investigation (FBI) and its European partner law enforcement agencies have dismantled the online cybercrime infrastructure of an emerging ransomware group called Radar/Dispossessor.
The U.K.’s National Crime Agency, the Bamberg Public Prosecutor’s Office, and the Bavarian State Criminal Police Office (BLKA) participated in the joint multinational crackdown on Radar/Dispossessor.
They dismantled the LockBit copycat’s servers in Germany (8), the United States (3), and Britain (3); and seized nine domains in the US (8) and Germany (1).
Investigators also identified twelve suspects in Germany, Russia, Ukraine, Kenya, Serbia, Lithuania, and the United Arab Emirates. They also forewarned four German companies that the emergent cybergang was about to victimize.
In addition, federal prosecutors have indicted Brian, the ransomware gang’s elusive kingpin, who remains at large in an undisclosed European country.
Radar/Dispossessor is an opportunistic and emerging ransomware group
The Radar/Dispossessor ransomware group targets healthcare, financial services, education, and transportation sector organizations, usually small and mid-sized businesses. Cybersecurity experts believe that Radar and Dispossessor are two distinct cybercrime groups that share internal tools and divide profits.
Since its launch in August 2023, it has victimized 43 organizations in the United States, the United Kingdom, Germany, Belgium, Australia, Canada, Poland, Argentina, Brazil, Honduras, India, Croatia, Peru, Poland, and the United Arab Emirates.
Although the “extent of the reach and damage inflicted is yet to be determined,” the Radar/Dispossessor ransomware group is responsible for “millions of dollars” in losses.
According to the FBI, the Radar/Dispossessor cybergang targets vulnerable systems, those with weak passwords, and those without two-factor authentication.
“Once the criminals gained access to the systems, they obtained administrator rights and easily gained access to the files. The actual ransomware was then used for encryption. As a result, the companies could no longer access their own data,” the FBI said.
The minor league, emergent ransomware group employs double extortion by threatening to publish the stolen data online if victims refuse to pay the ransom. It also proactively contacts victimized organizations’ employees via email and phone to exert more pressure. The emails usually contain “links to video platforms on which the previously stolen files had been presented.”
The ransomware group, which includes former LockBit affiliates, also reposts data from previously compromised Lockbit, Clop, Hunters International, Cactus, 8Base, and Snatch victims to re-extort them. In February, Radar/Dispossessor reposted 330 LockBit victims.
“Dispossessor was modeling its RaaS after the infamous Lockbit group, with the twist of brokering data it had harvested off the dark web of other companies that were hacked by other RaaS companies,” noted Tyler Reese, director of product management at Netwrix.
To reach more potential buyers, it usually advertises “the availability of previously leaked data for download and potential sale” on Telegram and dark web hacking forums, such as the English-speaking BreachForums and Russian-language XSS.
While Radar/Dispossessor relies on re-extorting previous victims, the group is also determined to establish its own ransomware-as-a-service operation. In June 2024, the ransomware group adopted the leaked LockBit 3.0 encryptor and started recruiting “pentesters/redteamers” to work with various technologies such as AD, VPN, Citrix, RDP, and VNC.
Meanwhile, the FBI requests past victims to contact the agency’s Internet Crime Complaint Center (IC3) and share more information about the group. The agency also persuades former Radar/Dispossessor site administrators to reach out.
Law enforcement continues to disrupt ransomware gangs
Although the FBI’s Radar/Dispossessor crackdown operation affected only a minor player, it represents significant progress in the fight against cybercrime.
“This is great news – yet another disruption by law enforcement using global cooperation,” said Roger Grimes, a data-driven defense evangelist at KnowBe4. “But I didn’t see the now usual notices of the real identities of the gang leaders, arrests, or warrants for their arrests, this time. Hopefully, it happens next time. Still, great news to be celebrated.”
In February 2024, the FBI, NCA, and Europol seized the infrastructure of Radar/Dispossessor’s role model LockBit ransomware in Operation Cronos, in which they “gained unprecedented and comprehensive access” to the cyber gang’s systems.