Feds bust minor league Radar/Dispossessor ransomware gang

The takedown may be small but any ransomware gang sent to the shops is good news in our book


The Dispossessor ransomware group is the latest to enter the cybercrime graveyard with the Feds proudly laying claim to the takedown.

Ransomware groups typically have leak blogs where their victims' data is posted and this case is no different. The leak blog existed until this week, but it was simply called "Leaked Data" instead of being branded in line with the group's name.

The FBI said it took down the "Radar/Dispossessor" group. For the uninitiated, the slash there could raise questions. It is not one group that goes by two names; it is two groups that operate as distinct units but share project work.

The coalition is made up of two separate self-described red-teaming operations, Radar and Dispossessor. Different individuals make up the two groups, but they work on the same attacks, as the ringleader said in a recent interview.

The Feds say the Radar/Dispossessor coalition spun up in August 2023, but the operation's spokesperson said it actually began around three years ago.

However, the two groups do have an element of separation. According to the coalition's GitHub page, the Dispossessor team is a former LockBit affiliate that spun up its own ransomware operation almost immediately after LockBit was disrupted in February.

For that reason, many cybersecurity researchers track the group only as Dispossessor, although the FBI used the coalition name.

It is a relatively minor league ransomware operation. It registered only 43 victims in total, a figure some groups exceed in a single month, and they were mostly small and medium-sized organizations, mainly from countries across Europe and South America, although India, the UAE, and Canada also featured.

German police in Bavaria (BLKA) added that the group recently declared its intention to branch out and start targeting the US – hospitals and healthcare organizations specifically.

"Radar/Dispossessor identified vulnerable computer systems, weak passwords, and a lack of two-factor authentication to isolate and attack victim companies," said the FBI. "Once the criminals gained access to the systems, they obtained administrator rights and easily gained access to the files. The actual ransomware was then used for encryption. As a result, the companies could no longer access their own data. 

"Once the company was attacked, if they did not contact the criminal actor, the group would then proactively contact others in the victim company, either through email or phone call. The emails also included links to video platforms on which the previously stolen files had been presented. This was always with the aim of increasing the blackmail pressure and increasing the willingness to pay."

The BLKA said that during the course of the takedown, police were able to alert four companies in Germany that they were about to be hit with ransomware. The announcement didn't explicitly say these attacks were stopped, but given the restrained tone of the statement we'd expect they were.

Officials said numerous servers were "dismantled": three in the US, three in the UK, and 18 in Germany, along with eight US-based domains and one in Germany.

"By seizing the IT infrastructure, the ZCB, the BLKA, and its international partners have managed to strike a major blow against cybercriminals," said Guido Limmer, VP at the BLKA. 

"This clearly shows that the perpetrators must expect to be caught and held accountable at any time, even in virtual space. The shutdown of the servers will save numerous other companies around the world from financial consequences that could be existential."

The question everyone wants answers to when a cybercrime takedown is announced is whether any arrests were made. Without arrests, takedowns are rarely permanent.

Crucially, the FBI didn't mention any arrests, either already made or planned for the near future. The announcement also didn't reveal anything about the ringleader's identity or location, although investigators know the individual goes by the alias "Brain."

The BLKA, however, said there was an arrest warrant out for one of the suspected individuals involved in the operation, who is believed to be residing in Germany. The other 11 members were spread out across the globe, hailing from the likes of Kenya, Lithuania, Russia, Ukraine, and the UAE.

El Reg checked in with the FBI about the arrests aspect but has yet to receive a response.

"The law enforcement takedown of Dispossessor is interesting, as they do not appear to be a particularly impactful or active ransomware group, so why go after them," said Stephen Robinson, senior threat intelligence analyst at WithSecure. "When they launched, they were described as simply reposting LockBit victims, and according to the FBI's own statements they are only known to have performed around 40 attacks since they launched in 2023.

"Recently there have been a number of law enforcement disruption operations against cybercriminals in a short space of time. It may well be that the goal of this takedown is to maintain that operational tempo and keep the ransomware industry disrupted and off balance.

"Instead of targeting Dispossessor for a takedown in order to combat their operations specifically, they may have simply discovered an opsec error by the criminals and decided to make use of it in an opportunistic operation.

"If Dispossessor's operations are disrupted and they stop posting victims, it won't drastically reduce the total number of ransomware victims. However, yet another takedown in a short space of time could make cybercriminals more cautious and risk-aware, and may even help push some to exit the industry."

Given the smaller scale of the Radar/Dispossessor operation, the authorities didn't waste their time with the newer style of ransomware takedowns which seek to embarrass and entirely discredit the group's reputation, a la LockBit.

[Image: The splash page displayed on the leak blog of Radar/Dispossessor]

Instead, we only got the older style of takedown: the usual FBI-branded splash page shown when visiting the group's leak blog, which also encouraged site admins to rat on the others via Signal or a Tox chat.

"Don't be the last to reach out," the splash page reads ominously. ®
