The US Federal Bureau of Investigation (FBI) on Monday announced the disruption of online infrastructure linked to a ransomware group called Dispossessor (aka Radar).
As part of the operation, three servers in the US, three servers in the UK, 18 servers in Germany, eight criminal domains in the US and one criminal domain in Germany were taken down. Dispossessor is said to be operated by one or more individuals who go by the online alias "The Brain".
"Since its inception in August 2023, Radar/Dispossessor has rapidly evolved into an international ransomware group that targets and attacks small and medium-sized businesses and organizations in the manufacturing, development, education, healthcare, financial services and transportation industries," the FBI said in its statement.
43 companies have been identified as victims of Dispossessor attacks, including organizations located in Argentina, Australia, Belgium, Brazil, Canada, Croatia, Germany, Honduras, India, Peru, Poland, the UAE, the UK and the US.
Dispossessor first appeared in August 2023 as a ransomware-as-a-service (RaaS) group, following the double-extortion model pioneered by other cybercriminal groups. In such attacks, the operators steal victims' data and hold it for ransom in addition to encrypting their systems; victims who refuse to pay face the risk of the stolen data being published.
Attack chains have been observed exploiting systems with known security flaws or weak passwords as the initial access vector, after which the attackers escalate privileges and move through the environment before encrypting the victim's data.
“After a company is attacked, if they have not contacted the perpetrator, the team will actively contact other employees of the victim company, either by email or phone,” the FBI said.
“The e-mails also contained links to video platforms that previously featured stolen files. This was always done with the aim of increasing the pressure of blackmail and increasing the willingness to pay.”
An earlier analysis by cybersecurity firm SentinelOne found that the Dispossessor group re-promotes already-leaked data for download and sale, adding that it "appears to be reposting data previously associated with other operations with examples ranging from Cl0p, Hunters International and 8Base."
The frequency of these takedowns is further evidence that law enforcement agencies around the world are stepping up efforts to combat the persistent threat of ransomware, even as threat actors find ways to innovate and prosper in an ever-changing landscape.
This includes a rise in attacks carried out through contractors and service providers, highlighting how threat actors weaponize trust relationships to their advantage, as "this approach facilitates large-scale attacks with less effort, often remaining undetected until data leaks or encrypted data are discovered."
Data collected by Palo Alto Networks Unit 42 from ransomware leak sites shows that in the first half of 2024, manufacturing (16.4%), healthcare (9.6%) and construction (9.4%) were the most affected industries.
Some of the most targeted countries during this period were the US, Canada, UK, Germany, Italy, France, Spain, Brazil, Australia and Belgium.
"The recently discovered vulnerabilities primarily triggered ransomware activity as attackers sought to quickly exploit these capabilities," the company said in a statement. "Threat actors routinely target vulnerabilities to gain access to victim networks, elevate privileges, and navigate compromised environments."
A notable trend is the emergence of new (or rebranded) ransomware groups, which account for 21 of the 68 unique groups claiming ransomware attacks, as well as an increase in attacks on smaller organizations, according to Rapid7.
"This could be for many reasons, not the least of which is that these smaller organizations contain many of the same data threat actors are pursuing, but they often have less sophisticated security measures in place," it said.
Another important aspect is the professionalization of RaaS business models. Ransomware groups are not only more sophisticated, but are increasingly scaling their operations to resemble legitimate corporate enterprises.
“They have their own marketplaces, sell their products and in some cases have 24/7 support,” Rapid7 noted. “They also seem to be creating an ecosystem of collaboration and consolidation in the kind of ransomware they’re deploying.”