The FBI recently announced a significant operation that successfully dismantled the web infrastructure of a new ransomware group known as Radar/Dispossessor.

Operation Details

This operation led to the takedown of several key elements of the group’s infrastructure. The FBI disabled three servers in the United States, three in the United Kingdom, 18 in Germany, eight criminal domains in the United States, and one in Germany. Radar/Dispossessor is reportedly led by someone using the online alias “Brain.”

Rise of a New Threat

Radar/Dispossessor, a ransomware group that surfaced in August 2023, has quickly made a name for itself on the global stage. The group targets small-to-mid-sized businesses and organizations across various sectors, including manufacturing, education, healthcare, financial services, and transportation.

You might be interested in: Phishing Attack Uses Google & WhatsApp Links

So far, the group has attacked 43 companies across different countries, including Argentina, Australia, Belgium, Brazil, Canada, Croatia, Germany, Honduras, India, Peru, Poland, the UAE, the UK, and the US.

Ransomware as a Service

Much like other notorious groups, Radar/Dispossessor operates as a ransomware-as-a-service (RaaS) organization, using a dual-extortion tactic. This method involves stealing data from victims and then encrypting their systems to demand a ransom. If the ransom isn’t paid, the attackers threaten to leak the stolen data.

The group often gains access to its targets by exploiting security flaws or weak passwords. Once inside, they encrypt the victim’s data, making it inaccessible.

Communication Tactics and Blackmail

If a company does not reach out to the attackers after an initial breach, Radar/Dispossessor takes the initiative. They contact other individuals within the victim company through emails or phone calls. These communications often include links to videos showcasing the stolen data to increase pressure on the victims to pay the ransom.

Collaboration Among Cybercriminals

Reports from DataBreaches.Net indicate that Radar and Dispossessor share confidential tools, techniques, and access credentials while splitting the profits. It’s believed that the Dispossessor group includes former members of LockBit who broke away to form their own operation.

Selling Stolen Data

A recent study by SentinelOne revealed that the Dispossessor group has been selling or offering stolen data for download. This includes data linked to other ransomware operations, such as Cl0p, Hunters International, and 8Base.

Law Enforcement’s Increased Efforts

The FBI’s successful takedown of Radar/Dispossessor’s infrastructure is part of a broader effort by global law enforcement agencies to combat the rising threat of ransomware. Despite these efforts, cybercriminals continue to find new ways to innovate and adapt.

Exploiting Trusted Relationships

A concerning trend in recent ransomware attacks is the use of contractors and service providers to gain access to victims. This method allows attackers to carry out large-scale attacks with minimal effort and often goes unnoticed until data is leaked or encrypted.

Industries and Countries Most Affected

According to data from Palo Alto Networks Unit 42, the industries most affected by ransomware in the first half of 2024 were manufacturing (16.4%), healthcare (9.6%), and construction (9.4%). The countries most targeted were the United States, Canada, the UK, Germany, Italy, France, Spain, Brazil, Australia, and Belgium.

Exploiting New Vulnerabilities

Ransomware activity has been largely driven by newly discovered vulnerabilities, which attackers are quick to exploit. These vulnerabilities allow malicious actors to gain unauthorized access, elevate their privileges, and move laterally within compromised networks.

Emerging Ransomware Groups

According to a report by Rapid7, there has been a rise in new or restructured ransomware groups, with 21 out of 68 groups identified as being involved in extortion. Smaller businesses are increasingly becoming targets due to their valuable data and typically weaker security measures.

The professionalization of RaaS models is also a growing concern. Ransomware groups are not only becoming more sophisticated but are also starting to operate like legitimate businesses, complete with their own marketplaces, products, and even 24/7 customer support.

Rapid7 also pointed out that these groups are forming networks to collaborate and share different types of ransomware, making them even more formidable.