International investigation shuts down Radar/Dispossessor ransomware group

FBI Cleveland announced the disruption of “Radar/Dispossessor”—the criminal ransomware group led by the online moniker “Brain”—and the dismantling of three U.S. servers, three United Kingdom servers, 18 German servers, eight U.S.-based criminal domains, and one German-based criminal domain.

Since its inception in August 2023, Radar/Dispossessor has quickly developed into an internationally impactful ransomware group, targeting and attacking small-to-mid-sized businesses and organizations from the production, development, education, healthcare, financial services, and transportation sectors.

Although the group originally focused on entities in the United States, the investigation identified 43 victim companies in countries including Argentina, Australia, Belgium, Brazil, Honduras, India, Canada, Croatia, Peru, Poland, the United Kingdom, the United Arab Emirates, and Germany. The FBI identified many websites associated with Brain and his team during its investigation.

Radar Ransomware follows the same dual-extortion model as other ransomware variants by exfiltrating victim data to hold for ransom in addition to encrypting the victim’s systems. Simply put, ransomware identifies and attacks new victims and re-victimizes current victims.

Radar/Dispossessor isolated and attacked victim companies by identifying vulnerable computer systems, weak passwords, and a lack of two-factor authentication. Once the criminals gained access to the systems, they obtained administrator rights and easily gained access to the files. The actual ransomware was then used for encryption.

As a result, the companies could no longer access their data. Once the company was attacked, if they did not contact the criminal actor, the group would then proactively contact others in the victim company, either through email or phone call. The emails also included links to video platforms on which the previously stolen files had been presented. This was always with the aim of increasing the blackmail pressure and increasing the willingness to pay.

Finally, the compromise was announced by the attackers on a separate leak page and a countdown set until public release of the victim data if no ransom was paid.

Because ransomware operations such as this one can have many variants, the total number of businesses and organizations affected is yet to be determined. The FBI encourages anyone with information about Brain or Radar Ransomware—or whose business or organization has been a target or victim of ransomware or is currently paying a criminal actor—to contact its Internet Crime Complaint Center at ic3.gov or 1-800-CALL-FBI. Your identity can remain anonymous.