FBI Shuts Down Servers of Group That Dispatched Ransomware from Expropriation Programs in US, UK, Germany

The US Federal Bureau of Investigation (FBI) announced on Monday that online infrastructure has been disrupted by an emerging ransomware group called Radar/Dispossessor.

The effort saw the takedown of three US servers, three UK servers, 18 German servers, eight US criminal domains, and one German criminal domain. Dispossessor is said to be run by individual(s) known online as “Brain.”

“Since its inception in August 2023, Radar/Dispossessor has quickly evolved into a globally impactful ransomware group that targets and attacks small to medium-sized businesses and organizations in the manufacturing, development, education, healthcare, financial services, and transportation sectors,” the FBI said in a statement.

As many as 43 companies have been identified as victims of Dispossessor attacks, including companies in Argentina, Australia, Belgium, Brazil, Canada, Croatia, Germany, Honduras, India, Peru, Poland, the UAE, the UK and the US.

Notable for its similarities to LockBit, Dispossessor emerged as a ransomware-as-a-service (RaaS) group that followed the same dual-extortion model pioneered by other e-crime gangs. Such attacks work by exfiltrating victim data to demand ransom payments, in addition to encrypting their systems. Users who refuse to comply are threatened with data exposure.

It has been observed that the attack chains set up by the cyber criminals use systems with security holes or weak passwords as an entry point to compromise targets and gain elevated access rights to lock their data behind encryption barriers.

“Once the business was compromised, if they did not contact the criminal actor, they proactively contacted others at the victim business, either via email or telephone,” the FBI said.

“The emails also contained links to video platforms on which the previously stolen files had been presented. This was always with the aim of increasing the blackmail pressure and increasing the willingness to pay.”

According to DataBreaches.Net, Radar and Dispossessor are two groups that share the same private tools, methods, and accesses and split the profits. Members of the Dispossessor group are also said to be former LockBit affiliates who split to start their own operations.

Earlier reporting from cybersecurity firm SentinelOne revealed that the Dispossessor group had already advertised leaked data for download and sale. The firm added that it “appears to be reposting data previously associated with other activities, with examples including Cl0p, Hunters International and 8Base.”

The frequency of such takedowns is yet another indication that law enforcement agencies around the world are ramping up their efforts to combat the ongoing ransomware threat. At the same time, threat actors are looking for ways to innovate and thrive in the ever-changing landscape.

This includes an increase in attacks executed through contractors and service providers, highlighting how threat actors are weaponizing trusted relationships to their advantage, as “this approach enables large-scale attacks with less effort, often going undetected until data breaches or encrypted data are discovered.”

Palo Alto Networks Unit 42 data from breach sites shows that the industries most affected by ransomware in the first half of 2024 were manufacturing (16.4%), healthcare (9.6%), and construction (9.4%).

The most targeted countries during this period included the US, Canada, the UK, Germany, Italy, France, Spain, Brazil, Australia and Belgium.

“Newly disclosed vulnerabilities primarily drove ransomware activity as attackers sought to exploit these opportunities quickly,” the company said. “Threat actors frequently target vulnerabilities to gain access to victim networks, escalate privileges, and move laterally within breached environments.”

One notable trend is the emergence of new (or revamped) ransomware groups, which accounted for 21 of the 68 unique groups posting extortion attempts, and the increasing focus on smaller organizations, Rapid7 said.

“This could be for a number of reasons, the main one being that these smaller organizations hold much of the same data that threat actors are after, but often have less sophisticated security measures in place,” the report said.

Another important aspect is the professionalization of RaaS business models. Ransomware groups are not only more sophisticated, they are also increasingly scaling up their activities to look like legitimate business enterprises.

“They have their own marketplaces, they sell their own products, and in some cases they have 24/7 support,” Rapid7 pointed out. “They also seem to be creating an ecosystem of collaboration and consolidation in the types of ransomware they deploy.”

(The story was updated after publication to clarify that Radar and Dispossessor are two related ransomware groups.)