In a significant blow to cybercriminal activity, the FBI announced the successful takedown of the Radar/Dispossessor ransomware operation, following an extensive international investigation. This operation was conducted in partnership with the U.K.'s National Crime Agency, the Bamberg Public Prosecutor's Office, and the Bavarian State Criminal Police Office (BLKA).
As part of this coordinated effort, law enforcement agencies seized the group's infrastructure, including three servers located in the U.S., three in the U.K., and 18 in Germany. Additionally, eight domains hosted in the U.S. and one in Germany were taken down, including radar[.]tld, dispossessor[.]com, and several fake news and video sites.
Dispossessor, a ransomware operation spearheaded by a threat actor known as "Brain," has been active since August 2023. The group primarily targeted small to mid-sized businesses across various industries worldwide, with the FBI identifying 43 confirmed victims spanning the U.S., Argentina, Australia, Belgium, Brazil, Honduras, India, Canada, Croatia, Peru, Poland, the United Kingdom, the United Arab Emirates, and Germany.
The ransomware gang gained initial access through weaknesses such as weak passwords and the absence of multi-factor authentication (MFA). Once inside, they stole sensitive data and then deployed ransomware to encrypt company systems, locking victims out of their own data. According to the FBI, the attackers escalated to administrator rights after compromising the network, which made it straightforward to reach and encrypt critical files.
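The weak-password initial access described above leaves a recognisable trace in ordinary authentication logs. The following Python script is an added example, not code from the FBI report or from any Dispossessor tooling: it runs a simple password-guessing detector over a few constructed sshd-style log lines, flagging a source address that accumulates many failed password logins within a short window and, more importantly, a successful password login that follows such a burst, which is what a guessed weak password on an account without MFA looks like. The log lines, the failure threshold and the time window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional

# Constructed sample log lines (sshd-style syslog) for illustration only;
# they are not taken from any real incident.
SAMPLE_LOG = """\
Aug 12 03:14:01 host1 sshd[2211]: Failed password for admin from 198.51.100.7 port 50212 ssh2
Aug 12 03:14:03 host1 sshd[2211]: Failed password for admin from 198.51.100.7 port 50213 ssh2
Aug 12 03:14:05 host1 sshd[2211]: Failed password for admin from 198.51.100.7 port 50214 ssh2
Aug 12 03:14:07 host1 sshd[2211]: Failed password for admin from 198.51.100.7 port 50215 ssh2
Aug 12 03:14:09 host1 sshd[2211]: Failed password for admin from 198.51.100.7 port 50216 ssh2
Aug 12 03:14:12 host1 sshd[2211]: Accepted password for admin from 198.51.100.7 port 50217 ssh2
Aug 12 03:20:44 host1 sshd[2290]: Accepted publickey for deploy from 203.0.113.5 port 41000 ssh2
Aug 12 04:01:10 host1 sshd[2301]: Failed password for invalid user test from 192.0.2.9 port 33001 ssh2
Aug 12 04:01:11 host1 sshd[2301]: Failed password for invalid user oracle from 192.0.2.9 port 33002 ssh2
Aug 12 09:30:00 host1 sshd[2400]: Failed password for alice from 203.0.113.5 port 41100 ssh2
Aug 12 09:30:20 host1 sshd[2401]: Accepted password for alice from 203.0.113.5 port 41101 ssh2
"""

# Matches "Failed/Accepted password|publickey for [invalid user] <user> from <src> port ..."
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) (password|publickey) "
    r"for (?:invalid user )?(\S+) from (\S+) port"
)


class AuthEvent(NamedTuple):
    ts: datetime
    result: str   # "Failed" or "Accepted"
    method: str   # "password" or "publickey"
    user: str
    src: str


def parse_line(line: str) -> Optional[AuthEvent]:
    """Parse one sshd log line; returns None for lines that are not auth results."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; relative ordering is all the detector needs.
    ts = datetime.strptime(" ".join(m.group(1).split()), "%b %d %H:%M:%S")
    return AuthEvent(ts, m.group(2), m.group(3), m.group(4), m.group(5))


def detect_password_guessing(log_text: str, threshold: int = 5,
                             window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Two rules over password-based logins, keyed by source address:
    - 'burst': at least `threshold` failed password logins from one source within `window`
    - 'success_after_burst': an accepted password login from a source that failed at
      least `threshold` times in the preceding `window` (a likely guessed password)
    Key-based logins are ignored; they cannot be brute-forced this way.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e.ts)
    failures = defaultdict(list)   # src -> timestamps of recent failed password attempts
    burst_flagged = set()
    findings = []
    for e in events:
        if e.method != "password":
            continue
        # Keep only failures that are still inside the sliding window.
        recent = [t for t in failures[e.src] if e.ts - t <= window]
        failures[e.src] = recent
        if e.result == "Failed":
            recent.append(e.ts)
            if len(recent) >= threshold and e.src not in burst_flagged:
                burst_flagged.add(e.src)
                findings.append({"rule": "burst", "src": e.src,
                                 "failures": len(recent), "at": e.ts})
        elif len(recent) >= threshold:
            findings.append({"rule": "success_after_burst", "src": e.src, "user": e.user,
                             "failures": len(recent), "at": e.ts})
    return findings


if __name__ == "__main__":
    for f in detect_password_guessing(SAMPLE_LOG):
        print(f)
```

On the constructed sample, 198.51.100.7 trips both rules (five failures in eight seconds, then a successful password login as admin), while the two failures from 192.0.2.9 and the single failure from 203.0.113.5 stay below the threshold. A successful login after a burst is the alert worth paging on: it means a password was guessed, and if the account had MFA enforced the login would have stalled at the second factor.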
In cases where victims did not respond to the attackers' demands, the group would initiate contact through emails or phone calls, often sharing links to platforms where the stolen data was publicly displayed as a means of exerting further pressure.
The FBI has urged any past victims or organisations targeted by the Dispossessor group to come forward with information, directing them to report incidents to the Internet Crime Complaint Center at ic3.gov or by calling 1-800-CALL-FBI.
Initially, Dispossessor operated as an extortion group, leveraging data from previous LockBit ransomware attacks, which they claimed to be affiliated with. The group also reposted leaks from other ransomware operations, attempting to monetise these stolen datasets on breach markets and hacking forums like BreachForums and XSS.
In a report published by SentinelOne in April, it was revealed that Dispossessor had re-released data from approximately 330 LockBit victims, hosting this information on its own network. Re-hosting the data this way sidestepped the availability limitations of LockBit's own leak site and expanded the group's reach and impact. Dispossessor was also found to be distributing data previously linked to other ransomware groups, including Cl0p, Hunters International, and 8Base.
In June 2024, Dispossessor escalated its activities by incorporating the leaked LockBit 3.0 encryptor into its own attacks, moving from pure data extortion to encryption-based ransomware operations.
This takedown is part of a broader law enforcement effort targeting various cybercriminal activities over the past year. These operations have disrupted a range of illicit activities, including cryptocurrency scams, malware development, phishing attacks, credential theft, and ransomware. Notably, law enforcement agencies have also employed counter-hacking techniques to infiltrate and dismantle other prominent ransomware groups such as ALPHV/BlackCat, Ragnar Locker, and Hive.
This latest operation marks a crucial victory in the ongoing fight against ransomware, demonstrating the effectiveness of international collaboration in tackling cyber threats.