Security news that informs and inspires

FBI Disrupts Radar/Dispossessor Ransomware Group


The FBI has disrupted a ransomware operation called Radar/Dispossessor, which has hit at least 43 companies by exploiting weak passwords on accounts that lacked two-factor authentication.

The FBI has disrupted a ransomware group called Radar/Dispossessor, announcing on Monday that it had dismantled several domains and servers worldwide belonging to the operation.

Radar/Dispossessor, which has been active since August 2023 and is led by someone using the online moniker “Brain,” has targeted small and mid-sized businesses across a range of sectors globally, including development, education, healthcare, financial services and transportation. The FBI’s Cleveland office said on Monday that it had dismantled three U.S. servers, three UK servers and 18 German servers belonging to the group, as well as eight U.S.-based criminal domains and one German-based criminal domain.

“Originally focused on entities in the United States, the investigation discovered 43 companies as victims of the attacks, from countries including Argentina, Australia, Belgium, Brazil, Honduras, India, Canada, Croatia, Peru, Poland, the United Kingdom, the United Arab Emirates, and Germany,” according to the FBI’s Monday release. “During its investigation, the FBI identified a multitude of websites associated with Brain and his team.”

The group gained initial access to victim organizations by exploiting weak passwords on accounts that had no two-factor authentication. Once inside, it escalated to administrator rights and file access before deploying ransomware. The group also used dual extortion tactics, both holding victim data hostage and threatening to contact third parties if a ransom was not paid.
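The initial-access path described above (password guessing against accounts with no second factor) leaves a recognizable trace in authentication logs. The following is an added example, not code from the article, the FBI release or SentinelOne: a small detector run over constructed, hypothetical auth-log lines that flags a burst of failed logins from one source followed by a success, and any successful login that completed without MFA. The log format, field names and thresholds are assumptions chosen for illustration.

```python
"""Flag credential-guessing followed by a non-MFA login in auth logs.

Added example, not from the article or the FBI release. The log format
is a constructed, hypothetical syslog-style line:
  <ISO timestamp> auth user=<name> src=<ip> result=<success|failure> mfa=<yes|no>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>success|failure) mfa=(?P<mfa>yes|no)$"
)

# Constructed sample: one IP guesses passwords for several accounts, then
# succeeds against 'admin' with no MFA; a normal user logs in with MFA.
SAMPLE_LOG = """\
2024-08-10T02:00:01Z auth user=admin src=203.0.113.7 result=failure mfa=no
2024-08-10T02:00:03Z auth user=admin src=203.0.113.7 result=failure mfa=no
2024-08-10T02:00:05Z auth user=backup src=203.0.113.7 result=failure mfa=no
2024-08-10T02:00:08Z auth user=svc_sql src=203.0.113.7 result=failure mfa=no
2024-08-10T02:00:10Z auth user=admin src=203.0.113.7 result=failure mfa=no
2024-08-10T02:00:12Z auth user=admin src=203.0.113.7 result=success mfa=no
2024-08-10T08:15:00Z auth user=alice src=198.51.100.20 result=success mfa=yes
2024-08-10T08:16:00Z auth user=alice src=198.51.100.20 result=failure mfa=no
2024-08-10T08:16:30Z auth user=alice src=198.51.100.20 result=success mfa=yes
"""


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(log_text, window=timedelta(minutes=10), max_failures=4):
    """Return a list of alert dicts, in log order.

    Rules (thresholds are illustrative assumptions, not from the article):
      guess_then_success: at least `max_failures` failures from one source IP
        inside `window`, followed by a success from that IP.
      success_without_mfa: any successful login with mfa=no.
    """
    recent_failures = defaultdict(deque)  # src ip -> deque of (ts, user)
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue  # skip lines that are not auth events
        q = recent_failures[ev["src"]]
        # Expire failures older than the sliding window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if ev["result"] == "failure":
            q.append((ev["ts"], ev["user"]))
            continue
        # Successful login: check what preceded it from this source.
        if len(q) >= max_failures:
            alerts.append({
                "rule": "guess_then_success",
                "src": ev["src"],
                "user": ev["user"],
                "failures": len(q),
                "targets": len({u for _, u in q}),  # distinct accounts tried
                "ts": ev["ts"].isoformat(),
            })
        if ev["mfa"] == "no":
            alerts.append({
                "rule": "success_without_mfa",
                "src": ev["src"],
                "user": ev["user"],
                "ts": ev["ts"].isoformat(),
            })
        q.clear()  # a success ends the guessing episode for this source
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The `targets` count distinguishes a spray across several accounts from repeated attempts at one, and the second rule fires regardless of history, which is the point: a login that succeeds with only a password is the gap this group relied on, whether or not the guessing was noisy enough to trip the first rule.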

According to an analysis by SentinelOne researchers, Dispossessor has also advertised previously leaked data for sale on BreachForums and XSS, and has listed at least a dozen victims that had already been listed by other groups.

“Dispossessor initially announced the renewed availability of the data from some 330 LockBit victims,” said Jim Walter with SentinelOne in an April analysis that looked at how ransomware affiliates are re-monetizing stolen data outside of their RaaS agreements. “This was claimed to be reposted data from previously available LockBit victims, now hosted on Dispossessor's network and thus not subject to LockBit's availability restrictions. Dispossessor appears to be reposting data previously associated with other operations with examples ranging from Cl0p, Hunters International, and 8base.”

The FBI urged other victims, and people with further information about the group, to contact its Internet Crime Complaint Center.

“As ransomware can have many variants, such as this case, the total number of businesses and organizations affected is yet to be determined,” said the FBI.

The investigation and takedown were the result of a collaboration between the U.K.'s National Crime Agency, the Bamberg Public Prosecutor’s Office, the Bavarian State Criminal Police Office and the U.S. Attorney’s Office for the Northern District of Ohio. This kind of international collaboration has been critical to crackdowns on cybercriminals: over the past year, law enforcement agencies worldwide have worked together to disrupt the BlackCat ransomware group, the Qakbot malware and the Ragnar Locker ransomware gang, and to dismantle a global network of computers infected by the Snake malware.