Feds seize Radar/Dispossessor ransomware gang servers in US and Europe

The FBI announced the takedown of the Radar/Dispossessor ransomware operation on Monday, confirming that dozens of servers across the U.S. and Europe were “dismantled.” 

The group — which some researchers believe was started by former affiliates of the LockBit ransomware enterprise — has listed dozens of victims since emerging last year.

Last month, members of the group told DataBreaches.net about a purported attack on Richard Parish Hospital in Louisiana that was never confirmed by the hospital. 

On Monday, the FBI’s Cleveland office said the group is led by a hacker going by the moniker “Brain” and that law enforcement officials took down three servers in the U.S., three in the U.K., and 18 in Germany. Eight domains registered in the U.S. and one in Germany were also taken down by the FBI.

The FBI declined to respond to a question about whether any arrests have been made. In a statement, the FBI said Radar/Dispossessor has existed since August 2023 and focused on targeting small to mid-sized businesses and organizations. 

FBI officials said their investigation discovered that 43 companies were attacked by the group from across the U.S., South America, India, Europe, the United Arab Emirates, and elsewhere. The group primarily went after companies and organizations in the education, healthcare, financial services, and transportation sectors.

The ransomware gang operated like most others, according to the FBI, breaching networks and stealing data before encrypting systems.

The FBI warned the total number of businesses and organizations affected is yet to be determined because many ransomware operations have variants used by affiliates. 

“The FBI encourages those with information about Brain or Radar Ransomware, or if their business or organization has been a target or victim of ransomware or currently paying a criminal actor, to contact its Internet Crime Complaint Center,” they said.

The operation was conducted alongside the U.S. Justice Department, the U.K.’s National Crime Agency and law enforcement in Germany. 

Several cybersecurity experts have said the group’s leak site looks identical to LockBit, which was taken down by law enforcement agencies earlier this year. 

“Dispossessor’s website bears a striking resemblance to the original LockBit site. The layout, color scheme, and typefaces are nearly identical, suggesting either a rebranding effort by the same operators or a new group leveraging LockBit’s infrastructure,” SOCRadar said in May. 

“Content analysis reveals that many posts from the original LockBit site have been mirrored on Dispossessor’s platform on their first days, maintaining the exact publication dates and details.”

SOCRadar said it did not appear at first that Dispossessor had ransomware capabilities and that it was simply operating as a data broker. But there have been multiple posts on darkweb forums from an account going by the name Dispossessor seeking hackers who could launch attacks.

A SentinelOne report said someone going by the name Dispossessor claimed to be selling the information of more than 300 LockBit victims shortly after the law enforcement operation that shuttered LockBit. Experts noted that several of Radar/Dispossessor’s victims previously appeared on the leak sites of other ransomware gangs or had been attacked by other groups.  

In a recent interview which cannot be verified, alleged members of the group claimed it is made up of former LockBit affiliates who drew inspiration from the now-defunct criminal operation. The interview includes several other claims about the group declining to attack victims in China and using artificial intelligence to quickly analyze batches of stolen files. 

At the DefCon cybersecurity conference in Las Vegas last week, several U.S. leaders lauded the recent string of ransomware takedowns operations by law enforcement but noted the seeming futility of the disruptions. 

Anne Neuberger, deputy national security adviser for cyber at the White House, listed dozens of ransomware-focused initiatives they are working on but said the lack of law enforcement cooperation between certain countries allows the gangs behind the attacks to continue flourishing.  

“From an infrastructure perspective, we've done takedowns of infrastructure, often with partners around the world. They're temporary. There's so much vulnerable infrastructure that attackers can use in the second round,” she said. 

“So the question is, as governments, what should we do about that?”