Fraud Management & Cybercrime , Ransomware

FBI Seizes Servers Powering Dispossessor Ransomware Group

Feds Also File Criminal Complaint Against 'Brain,' Alleged Leader of the Operation
FBI Seizes Servers Powering Dispossessor Ransomware Group
Image: FBI

The FBI led the disruption of a newcomer ransomware group known as Dispossessor or Radar that amassed victims in dozens of countries, causing millions of dollars' worth of damage.

See Also: Live Webinar | Crack Australia’s Code on Ransomware: Empowering Your Last Line of Defence

An international operation against the group's infrastructure seized three servers in the United States, three in the U.K. and 18 in Germany, plus eight "criminal domains" registered in the U.S. and one in Germany, the FBI said.

U.S. federal prosecutors announced an indictment against the group's alleged leader, who goes by "Brain." Officials believe Brain is at large in Europe.

"Site admins - you know who you are. If you want to talk, contact us," says a site takedown notice that replaced the group's dark web leak site.

The U.S. Attorney's Office for the Northern District of Ohio, which filed a complaint against Brain, said current estimates of the damage caused by the group already amount to millions of dollars and that "this is an ongoing investigation and the extent of the reach and damage inflicted is yet to be determined." The criminal complaint against Brain has not yet been made public.

The FBI is urging victims of the group to contact its Internet Crime Complaint Center at ic3.gov or 1-800-CALL-FBI so that it can better quantify the damage caused by the ransomware group. "Your identity can remain anonymous," the bureau said.

When Dispossessor first appeared in August 2023, it focused on U.S. targets, the FBI said. Later, the group expanded its focus, ultimately amassing victims in such sectors as healthcare, financial services, education and transportation while predominantly focusing on small and midsize businesses.

"The investigation discovered 43 companies as victims of the attacks, from countries including Argentina, Australia, Belgium, Brazil, Honduras, India, Canada, Croatia, Peru, Poland, the United Kingdom, the United Arab Emirates and Germany," the FBI said.

Like other ransomware groups, attacks conducted under the Dispossessor banner involved a variety of tactics for breaking into victims' systems. The FBI said these included exploiting remote access to servers with weak passwords or those that lacked two-factor authentication as well as exploiting known vulnerabilities in such systems.

At least in its more recent attacks, Dispossessor practiced double extortion, meaning the group would crypto-lock victims' systems, steal data and threaten to leak it. Victims who didn't pay a ransom for a decryptor or a promise to not leak stolen data were threatened via the group's data leak site, where it would list nonpaying victims and eventually might dump stolen data.

The group also proactively contacted employees of victim employees to ramp up pressure through emails and phone calls, according to the FBI. Emails included "links to video platforms on which the previously stolen files had been presented. This was always with the aim of increasing the blackmail pressure and increasing the willingness to pay," the bureau said.

Re-Extortion Group

Dispossessor appears to be a mid-tier player at best, amassing fewer victims or notoriety than the likes of Akira, Alphv/BlackCat, LockBit, BianLian, Black Basta, BlackSuit or Inc Ransom.

Dispossessor also appears to have first launched as an extortion-only undertaking, borrowing liberally from other ransomware groups' leak sites.

The group in February listed data from 330 LockBit victims, which it hosted via its own network, said cybersecurity firm SentinelOne.

Dispossessor also took to cybercrime forums such as the English-speaking BreachForums and Russian-speaking XSS, as well as Telegram channels, to advertise "the availability of previously leaked data for download and potential sale," it said.

By March, the Ransomfeed account on social platform X reported that of 332 victims then listed on the Dispossessor data leak site, 328 had already appeared on the leak sites of such groups as Cactus, Clop, 8Base and Snatch, which is an aggregate site for other ransomware operations.

"From our point of view it is not ransomware, but a group of scoundrels trying to monetize (on nothing) using the claims of other groups," Ransomfeed said.

The borrowing didn't stop there. Threat intelligence firm SOCRadar said Dispossessor's data leak site appeared to bear "a striking resemblance to the original LockBit site." Whether that meant it was "a rebranding effort by the same operators or a new group leveraging LockBit's infrastructure" wasn't clear.

Or Dispossessor may simply have ripped off the look and feel of LockBit's site and borrowed victims to make itself look more like a going concern (see: Ransomware Groups' Data Leak Blogs Lie: Stop Trusting Them).

At the same time, the group was advertising for "red teamers" to launch fresh attacks under the Dispossessor banner, presumably to amass victims of its own, SOCRadar said.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.