The FBI successfully dismantled the Radar/Dispossessor ransomware gang, seizing their servers and domains.
The FBI recently seized the servers and domains of a ransomware gang known as Radar (or Dispossessor), marking a significant achievement in their fight against ransomware. The seizure included servers in the UK and Germany, and the group's website now displays a message from law enforcement stating it has been seized.
Radar, also known as Dispossessor, is a ransomware and extortion gang that has been active since August 2023.
Dispossessor had previously breached around 340 companies while affiliated with LockBit. After leaving LockBit, Dispossessor established their own operation, leveraging data recovered from their cold backups to facilitate this transition. This shift was driven by their desire to innovate within the cybercrime field and offer services beyond traditional ransomware tactics.
Dispossessor has developed a model that combines ransomware with data resale services. This dual approach allows them to profit from their attacks even if victims do not pay the ransom. The team emphasized the importance of adapting to the evolving threat landscape and noted that their experience with LockBit provided them with critical insights into vulnerabilities and attack methods. In their new direction, Dispossessor focused on establishing a unique identity within the cybercrime community while maintaining high standards of operational security.
On August 12, FBI Cleveland released a statement announcing the disruption of Radar, dismantling multiple servers in the US, UK, and Germany, along with eight US-based domains. “Since its inception in August 2023, Radar/Dispossessor has quickly developed into an internationally impactful ransomware group, targeting and attacking small-to-mid-sized businesses and organizations from the production, development, education, healthcare, financial services, and transportation sectors,” says the FBI. Initially, the gang targeted entities based in the US. However, the investigation revealed that 43 companies from various nations were victims of these attacks. The countries identified include Argentina, Australia, Belgium, Brazil, Honduras, India, Canada, Croatia, Peru, Poland, the United Kingdom, the United Arab Emirates, and Germany.
“Radar Ransomware follows the same dual-extortion model as other ransomware variants by exfiltrating victim data to hold for ransom in addition to encrypting victim’s systems.”
Double extortion is a ransomware technique in which the attackers first steal sensitive information from the victim and then encrypt the victim's data to block access. After encrypting the data, the attackers demand a ransom for the decryption key. If the victim refuses to pay, the attackers threaten to release or sell the stolen data publicly. This approach increases pressure on victims because the operational disruption caused by encrypted files is compounded by the reputational harm and legal consequences of confidential information becoming public knowledge.
Bringing down the Radar/Dispossessor ransomware gang has disrupted a major source of cybercrime, thus halting the operations of a group responsible for numerous attacks on organizations worldwide. This reduces the immediate threat of data breaches, financial losses, and operational disruptions for potential victims. It also sends a strong message to other cybercriminals that law enforcement agencies are capable of identifying, tracking, and dismantling even sophisticated and elusive groups, potentially deterring future attacks. The FBI’s ability to seize the gang’s infrastructure can allow authorities to analyze and understand their tactics, techniques, and procedures, providing valuable intelligence that can be used to prevent and mitigate similar threats in the future.
Ransomware is a type of malicious software (malware) that encrypts a victim’s files, rendering them inaccessible. The attacker then demands a ransom from the victim in exchange for a decryption key to restore access to the files.
Signs of a ransomware attack include unexpected encryption of files, ransom notes appearing on your screen, inability to access certain files or systems, and unusual network activity. You may also receive notifications from security software indicating the presence of malware.
Organizations should implement strong cybersecurity practices, including regular data backups, patching vulnerabilities, employee training on phishing and other common attack vectors, and using advanced security tools. Staying informed about emerging threats and maintaining an incident response plan are also crucial.