The U.S. Federal Bureau of Investigation (FBI) announced on Monday that it had successfully disrupted the online infrastructure of a nascent ransomware group known as Dispossessor, also referred to as Radar.
The operation resulted in the dismantling of 24 servers across the U.S., U.K., and Germany, along with the takedown of eight criminal domains in the U.S. and one in Germany. Dispossessor, reportedly led by an individual or group using the alias “Brain,” has been active since August 2023.
“Since its inception, Radar/Dispossessor has rapidly evolved into an internationally significant ransomware group, targeting small to mid-sized businesses and organizations in sectors including production, development, education, healthcare, financial services, and transportation,” the FBI stated.
To date, 43 companies across 14 countries (including Argentina, Australia, Belgium, Brazil, Canada, Croatia, Germany, Honduras, India, Peru, Poland, the U.A.E., the U.K., and the U.S.) have been identified as victims of Dispossessor’s attacks.
Dispossessor, which shares similarities with the LockBit ransomware group, operates as a ransomware-as-a-service (RaaS) outfit, employing a dual-extortion model where victims’ data is exfiltrated and held for ransom in addition to encrypting their systems. Victims who refuse to pay are threatened with public data exposure.
The attack chains orchestrated by Dispossessor have exploited systems with unpatched security flaws or weak passwords, allowing the threat actors to gain elevated access and lock victims’ data behind encryption.
“If a company was attacked and did not contact the criminal actor, the group would proactively reach out to others within the victim company, either through email or phone call,” the FBI noted.
These communications often included links to video platforms showcasing the stolen files, aiming to increase blackmail pressure and compel victims to pay.
Cybersecurity firm SentinelOne has previously reported that Dispossessor has advertised leaked data for download and sale, noting that the group “appears to be reposting data previously linked to other operations, including Cl0p, Hunters International, and 8Base.”
The increasing frequency of such takedowns underscores the growing efforts of law enforcement agencies worldwide to combat the persistent ransomware threat. Despite these efforts, threat actors continue to innovate and adapt within the ever-changing digital landscape.
One emerging trend is the rise in attacks executed through contractors and service providers, revealing how cybercriminals are exploiting trusted relationships to their advantage. This tactic enables large-scale attacks with minimal effort, often going undetected until leaked or encrypted data comes to light.
According to data collected by Palo Alto Networks’ Unit 42 from leak sites, the industries most affected by ransomware during the first half of 2024 were manufacturing (16.4%), healthcare (9.6%), and construction (9.4%).
During this period, some of the most targeted countries included the U.S., Canada, the U.K., Germany, Italy, France, Spain, Brazil, Australia, and Belgium.
“Ransomware activity was primarily driven by newly disclosed vulnerabilities, as attackers swiftly moved to exploit these opportunities,” the company noted. “Threat actors consistently target vulnerabilities to gain access to victim networks, elevate privileges, and move laterally across compromised environments.”
A significant trend observed was the rise of new or rebranded ransomware groups, which accounted for 21 out of 68 unique groups engaged in extortion attempts. Additionally, there has been a marked increase in the targeting of smaller organizations, according to Rapid7.
“This could be due to several factors, chief among them being that smaller organizations possess much of the same data that threat actors seek, but often have less robust security measures in place,” Rapid7 explained.
Another crucial aspect is the growing professionalization of the ransomware-as-a-service (RaaS) business model. Ransomware groups are not only becoming more sophisticated, but they are also increasingly scaling their operations to resemble legitimate corporate enterprises.
“These groups have their own marketplaces, sell their own products, and in some cases, offer 24/7 support,” Rapid7 highlighted. “They also appear to be fostering an ecosystem of collaboration and consolidation in the types of ransomware they deploy.”
Source: TheHackerNews