FBI Shuts Down Dozens of Radar/Dispossessor Ransomware Servers

Computer infrastructure in the US, UK, and Germany associated with the cybercriminal group, which targeted SMBs using double extortion, is officially out of commission.


The FBI has shut down dozens of servers associated with the Radar/Dispossessor ransomware operations, disrupting a group that originally piggybacked on activity of an existing ransomware gang but eventually became its own cybercriminal force to be reckoned with.

The agency dismantled various pieces of the group's global computer infrastructure, including three servers in the US; three in the UK; 18 servers in Germany; eight US-based criminal domains; and one German-based criminal domain, FBI Cleveland revealed in a press release this week.

Radar/Dispossessor, operated by a person with the online moniker "Brain," first came onto the cybercriminal scene in August 2023 as an operation that published data stolen by the LockBit ransomware gang in an attempt to profit from it, according to researchers at SentinelOne. However, it soon evolved into a full-fledged ransomware gang of its own.

At the time of the FBI bust, the group had developed into an international ransomware gang with a particular focus on small-to-mid-sized businesses (SMBs) and organizations from the production, development, education, healthcare, financial services, and transportation sectors, according to the law enforcement organization.

The FBI conducted its investigation and subsequent takedown of the group's infrastructure in collaboration with the UK's National Crime Agency, the Bamberg Public Prosecutor's Office, the Bavarian State Criminal Police Office (BLKA), and the US Attorney's Office for the Northern District of Ohio.

Relentless Double-Extortion Pressure

Radar/Dispossessor originally attacked US organizations but eventually branched out globally; the FBI identified 43 victims from not only the US but also Argentina, Australia, Belgium, Brazil, Honduras, India, Canada, Croatia, Peru, Poland, the UK, the United Arab Emirates, and Germany.

"During its investigation, the FBI identified a multitude of websites associated with Brain and his team," according to the release.

Like many other groups, Radar/Dispossessor used double extortion as its criminal model: in addition to encrypting victims' computer systems, it exfiltrated organizations' critical data and held it for ransom. Its typical attacks relied on exploiting vulnerabilities, weak passwords, and the absence of two-factor authentication (2FA) as entry points into victim systems. Once initial access was gained, the group escalated privileges to administrator level to reach files and then deployed ransomware-based encryption from there.

The group was known for being relentless in its pursuit of a ransom payment, according to the FBI. Once a company was attacked, Radar/Dispossessor would then proactively contact company employees either through emails or phone calls, including links to video platforms showing videos of stolen data to turn up the heat, the agency said.

"This was always with the aim of increasing the blackmail pressure and increasing the willingness to pay," the FBI said. Radar/Dispossessor then used a separate leak page to set a countdown for public release of the victim data if organizations didn't pay the ransom.

Patch Software and Protect Passwords

Radar/Dispossessor joins a growing list of cybercriminal operations that have been disrupted significantly or taken out indefinitely by global law-enforcement over the last several years, including the notorious ransomware gangs LockBit and ALPHV/BlackCat, as well as hacker forums such as BreachForums and Genesis.

However, most of these groups or forums end up resurfacing in some form or another, whether as a similar unit or allying with their former members in splinter cybercriminal gangs.

Indeed, though the shutdown of cybercriminal infrastructure comes as "great news," it would be even better if arrest warrants had been issued for the gang's leaders and if they had been identified publicly, notices that commonly accompany law-enforcement actions, noted Roger Grimes, data-driven defense evangelist at security awareness training firm KnowBe4. Thus, as ransomware remains a prevalent threat, law-enforcement entities and security experts alike urge organizations to remain vigilant and protect themselves against attacks.

Given that initial entry often involves the abuse of software vulnerabilities and weak passwords, every organization should ensure that it is frequently updating applications to their latest versions and applying any necessary fixes, as well as encouraging strong password hygiene. These basic mitigations and protections are especially important for SMBs, which may not have the budgets to implement more robust and comprehensive protections.

About the Author

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.
