Feds seize Radar/Dispossessor ransomware gang servers in US and Europe

The FBI announced the takedown of the Radar/Dispossessor ransomware operation on Monday, confirming that dozens of servers across the U.S. and Europe were “dismantled.” 

The group — which some researchers believe was started by former affiliates of the LockBit ransomware enterprise — has listed dozens of victims since emerging last year.

Last month, members of the group told DataBreaches.net about a purported attack on Richard Parish Hospital in Louisiana that was never confirmed by the hospital. 

On Monday, the FBI’s Cleveland office said the group is led by a hacker going by the moniker “Brain” and that law enforcement officials took down three servers in the U.S., three in the U.K., and 18 in Germany. Eight domains registered in the U.S. and one in Germany were also taken down by the FBI.

The FBI declined to respond to a question about whether any arrests have been made. In a statement, the FBI said Radar/Dispossessor has existed since August 2023 and focused on targeting small to mid-sized businesses and organizations. 

FBI officials said their investigation discovered that 43 companies were attacked by the group from across the U.S., South America, India, Europe, the United Arab Emirates, and elsewhere. The group primarily went after companies and organizations in the education, healthcare, financial services, and transportation sectors.

The ransomware gang operated like most others, according to the FBI, breaching networks and stealing data before encrypting systems.

The FBI warned the total number of businesses and organizations affected is yet to be determined because many ransomware operations have variants used by affiliates. 

“The FBI encourages those with information about Brain or Radar Ransomware, or if their business or organization has been a target or victim of ransomware or currently paying a criminal actor, to contact its Internet Crime Complaint Center,” they said.

The operation was conducted alongside the U.S. Justice Department, the U.K.’s National Crime Agency and law enforcement in Germany. 

Several cybersecurity experts have said the group’s leak site looks identical to LockBit, which was taken down by law enforcement agencies earlier this year. 

“Dispossessor’s website bears a striking resemblance to the original LockBit site. The layout, color scheme, and typefaces are nearly identical, suggesting either a rebranding effort by the same operators or a new group leveraging LockBit’s infrastructure,” SOCRadar said in May. 

“Content analysis reveals that many posts from the original LockBit site have been mirrored on Dispossessor’s platform on their first days, maintaining the exact publication dates and details.”

SOCRadar said it did not appear at first that Dispossessor had ransomware capabilities and that it was simply operating as a data broker. But there have been multiple posts on darkweb forums from an account going by the name Dispossessor seeking hackers who could launch attacks.

A SentinelOne report said someone going by the name Dispossessor claimed to be selling the information of more than 300 LockBit victims shortly after the law enforcement operation that shuttered LockBit. Experts noted that several of Radar/Dispossessor’s victims previously appeared on the leak sites of other ransomware gangs or had been attacked by other groups.  

In a recent interview which cannot be verified, alleged members of the group claimed it is made up of former LockBit affiliates who drew inspiration from the now-defunct criminal operation. The interview includes several other claims about the group declining to attack victims in China and using artificial intelligence to quickly analyze batches of stolen files. 

At the DefCon cybersecurity conference in Las Vegas last week, several U.S. leaders lauded the recent string of ransomware takedown operations by law enforcement but noted the seeming futility of the disruptions. 

Anne Neuberger, deputy national security adviser for cyber at the White House, listed dozens of ransomware-focused initiatives they are working on but said the lack of law enforcement cooperation between certain countries allows the gangs behind the attacks to continue flourishing.  

“From an infrastructure perspective, we’ve done takedowns of infrastructure, often with partners around the world. They’re temporary. There’s so much vulnerable infrastructure that attackers can use in the second round,” she said. 

“So the question is, as governments, what should we do about that?”

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
