The United States Federal Bureau of Investigation (FBI) announced on Monday that it has disrupted the online infrastructure of an emerging ransomware group known as Dispossessor (also known as Radar).
The coordinated operation took down three servers in the U.S., three in the United Kingdom, and 18 in Germany, along with eight criminal domains in the U.S. and one in Germany. Dispossessor is reportedly led by an individual or group operating under the alias "Brain."
“Since its inception in August 2023, Radar/Dispossessor has rapidly evolved into a ransomware group with a significant international footprint, targeting small-to-mid-sized enterprises and institutions spanning the manufacturing, development, education, healthcare, financial services, and transportation sectors,” the FBI stated in an official communiqué.
The FBI has identified as many as 43 organizations as victims of Dispossessor's attacks, located in countries including Argentina, Australia, Belgium, Brazil, Canada, Croatia, Germany, Honduras, India, Peru, Poland, the UAE, the U.K., and the U.S.
Dispossessor, which bears striking similarities to LockBit, emerged as a ransomware-as-a-service (RaaS) group and uses the double-extortion model pioneered by other cybercriminal crews: sensitive data is exfiltrated and held for ransom alongside the encryption of the victim's systems, and victims who refuse to pay are threatened with public release of their data.
The group's initial access relies on systems with known security weaknesses or weak passwords; once inside, the operators escalate privileges so they can reach and encrypt critical data.
“Once a company fell prey to an attack, and failed to initiate contact with the criminal operatives, the group would then actively reach out to other members within the victim organization, either via email or telephonic communication,” the FBI disclosed.
“These emails frequently contained links to video platforms where previously pilfered files were showcased, with the express purpose of intensifying extortion pressure and bolstering the likelihood of payment.”
Prior intelligence from cybersecurity firm SentinelOne revealed that the Dispossessor group was advertising already compromised data for both download and sale, adding that it “appears to be repurposing data previously linked to other operations, with instances ranging from Cl0p, Hunters International, and 8Base.”
The steady cadence of such law enforcement operations reflects a global intensification of efforts against ransomware, even as the operators continue to adapt and thrive.
That adaptation is visible in a surge of attacks staged through contractors and service providers, in which criminals abuse trusted third-party relationships to reach their targets. "This approach facilitates large-scale intrusions with minimal exertion, often remaining undetected until either data leaks or encrypted data surfaces."
Data compiled by Palo Alto Networks' Unit 42 from data leak sites indicates that the industries most affected by ransomware during the first half of 2024 were manufacturing (16.4%), healthcare (9.6%), and construction (9.4%).
The U.S., Canada, the U.K., Germany, Italy, France, Spain, Brazil, Australia, and Belgium were among the countries most frequently targeted during the period.
“Recently disclosed vulnerabilities were the primary catalyst driving ransomware activity as perpetrators swiftly moved to exploit these opportunities,” the company remarked. “Threat actors routinely exploit vulnerabilities to infiltrate victim networks, escalate privileges, and maneuver laterally within compromised environments.”
Another notable trend, observed by Rapid7, is the rise of new (or revived) ransomware groups, which account for 21 of the 68 distinct groups seen attempting extortion, together with an increased focus on smaller organizations.
“This could be attributed to various factors, not the least of which is that these smaller entities possess much of the coveted data sought by threat actors, yet often lack robust security measures,” the report stated.
A further factor is the growing professionalization of the RaaS business model: ransomware groups are not only becoming more sophisticated but are also scaling their operations to resemble legitimate businesses.
“They have their own marketplaces, sell their own products, and in some cases, offer round-the-clock support,” Rapid7 noted. “Moreover, they seem to be cultivating an ecosystem of collaboration and consolidation in the variety of ransomware they deploy.”