The U.S. Federal Bureau of Investigation (FBI) on Monday announced the disruption of online infrastructure associated with a nascent ransomware group called Radar/Dispossessor.
The effort saw the dismantling of three U.S. servers, three United Kingdom servers, 18 German servers, eight U.S.-based criminal domains, and one German-based criminal domain. Dispossessor is said to be led by individual(s) who go by the online moniker "Brain."
"Since its inception in August 2023, Radar/Dispossessor has quickly developed into an internationally impactful ransomware group, targeting and attacking small-to-mid-sized businesses and organizations from the production, development, education, healthcare, financial services, and transportation sectors," the FBI said in a statement.
As many as 43 companies have been identified as victims of Dispossessor attacks, including those located in Argentina, Australia, Belgium, Brazil, Canada, Croatia, Germany, Honduras, India, Peru, Poland, the U.A.E., the U.K., and the U.S.
Dispossessor, notable for its similarities to LockBit, surfaced as a ransomware-as-a-service (RaaS) group following the same dual-extortion model pioneered by other e-crime gangs. Such attacks work by exfiltrating victim data to hold for ransom in addition to encrypting their systems. Users who refuse to settle are threatened with data exposure.
Attack chains mounted by the threat actors have been observed to leverage systems with security flaws or weak passwords as an entry point to breach targets and gain elevated access to lock their data behind encryption barriers.
"Once the company was attacked, if they did not contact the criminal actor, the group would then proactively contact others in the victim company, either through email or phone call," the FBI said.
"The emails also included links to video platforms on which the previously stolen files had been presented. This was always with the aim of increasing the blackmail pressure and increasing the willingness to pay."
According to DataBreaches.Net, Radar and Dispossessor are two groups that share the same private tools, methods, accesses between each other and divide the profits. Members of the Dispossessor group are also believed to be former LockBit affiliates who parted ways to kickstart their own operations.
Previous reporting from cybersecurity company SentinelOne found the Dispossessor group to be advertising already leaked data for download and sale, adding it "appears to be reposting data previously associated with other operations with examples ranging from Cl0p, Hunters International, and 8Base."
The frequency of such takedowns is yet another indication that law enforcement agencies across the world are ramping up efforts to combat the persistent ransomware menace, even as the threat actors are finding ways to innovate and thrive in the ever-shifting landscape.
This includes an uptick in attacks carried out via contractors and service providers, highlighting how threat actors are weaponizing trusted relationships to their advantage, as "this approach facilitates large-scale attacks with less effort, often going undetected until data leaks or encrypted data are discovered."
Data gathered by Palo Alto Networks Unit 42 from leak sites shows that industries most impacted by ransomware during the first half of 2024 were manufacturing (16.4%), healthcare (9.6%) and construction (9.4%).
Some of the most targeted countries during the time period were the U.S., Canada, the U.K., Germany, Italy, France, Spain, Brazil, Australia and Belgium.
"Newly disclosed vulnerabilities primarily drove ransomware activity as attackers moved to quickly exploit these opportunities," the company said. "Threat actors regularly target vulnerabilities to access victim networks, elevate privileges and move laterally across breached environments."
A noticeable trend is the emergence of new (or revamped) ransomware groups, which accounted for 21 out of the total 68 unique groups posting extortion attempts, and the increased targeting of smaller organizations, per Rapid7.
"This could be for a lot of reasons, not the least of which is that these smaller organizations contain many of the same data threat actors are after, but they often have less mature security precautions in place," it said.
Another important aspect is the professionalization of the RaaS business models. Ransomware groups are not only more sophisticated, they are also increasingly scaling their operations that resemble legitimate corporate enterprises.
"They have their own marketplaces, sell their own products, and in some cases have 24/7 support," Rapid7 pointed out. "They also seem to be creating an ecosystem of collaboration and consolidation in the kinds of ransomware they deploy."
(The story was updated after publication to clarify that Radar and Dispossessor are two related ransomware groups.)