The FBI and international law enforcement agencies have seized two dozen servers and nine domains belonging to a ransomware gang called Dispossessor – also known as Radar – that rose in prominence in the wake of a similar takedown of the notorious LockBit group in February.

Since emerging onto the scene in August 2023, Dispossessor has attacked at least 43 organizations, reaching into such regions as North America (the United States and Canada), the European Union (Belgium, Poland, and Germany), Asia (India and Australia), and South America (Brazil, Honduras, and Peru), according to the FBI.

Companies in the UK and United Arab Emirates also were targeted.

The authorities took down three servers each in the United States and UK and 18 more in Germany. In addition, they seized eight U.S.-based criminal domains and another one in Germany.

Dispossessor – led by a hacker identified as “Brain” – initially targeted companies in the United States but then expanded internationally, attacking small to midsize organizations in such sectors as education, health care, financial services, and transportation. Some victims also were in the production and development industries.

A Double-Extortion Operation

The group runs a ransomware-as-a-service (RaaS) operation that, like most ransomware gangs, uses a double-extortion model, where they or their affiliates exfiltrate data from the victim before encrypting it, and then demanding the ransom. The bad actors targeted vulnerable systems that used weak passwords or lacked two-factor authentication, according to the FBI. Once in the system, they gained administrator rights and then accessed files, encrypting the data.

“As a result, the companies could no longer access their own data,” the agency wrote. “Once the company was attacked, if they did not contact the criminal actor, the group would then proactively contact others in the victim company, either through email or phone call. The emails also included links to video platforms on which the previously stolen files had been presented. This was always with the aim of increasing the blackmail pressure and increasing the willingness to pay.”

The FBI added that “finally, the compromise was announced by the attackers on a separate leak page and a countdown set until public release of the victim data if no ransom was paid.”

Teaming Up Against Ransomware

The disruption of the Dispossessor operation is the latest by U.S. and international law enforcement agencies that have become increasingly aggressive over the past year going after ransomware and other threat groups and their infrastructures. LockBit was a big catch, as were the Hive and BlackCat/ALPHV groups. Some re-established their operations while others shut down.

“By taking control of these servers, law enforcement has seriously weakened the group’s ability to lock up and steal data from their victims,” researchers with cybersecurity vendor SOCRadar wrote in an update to an earlier report about the group. “For now, this should put a dent in Dispossessor’s operations.”

They added that law enforcement’s gameplan to fight ransomware by teaming with private companies has been affective, they wrote, though added that “this might not be the end of Dispossessor. Ransomware groups are known for bouncing back, often with new tricks up their sleeves. So, it’s important for organizations to stay alert and keep strengthening their defenses against potential attacks.”

Out From LockBit’s Shadow

Takedowns that do eliminate a high-profile group also often give way for smaller ransomware gangs to emerge. Dispossessor is an example of this, having assumed a larger role in the ransomware field after the raid on LockBit. It initially was known as a group that advertised the availability of data that had previously been leaked by ransomware groups like LockBit, Hunters International, Cl0p, and 8base, according to a report by cybersecurity company SentinelOne.

In their report, SOCRadar analysts wrote that Dispossessor’s emergence in the wake of the LockBit crackdown “highlights the dynamic and adaptive nature of cybercriminal activities. Their operational tactics, mimicking the Ransomware-as-a-Service model while primarily functioning as data brokers, present a unique challenge for cybersecurity experts and law enforcement agencies.”