Law enforcement disrupts Radar/Dispossessor ransomware group

The FBI's Cleveland branch announced Monday that it disrupted the Radar/Dispossessor ransomware gang via a series of server and domain seizures.

The FBI announced the disruption effort through a press release on the bureau's website as well as notices on seized domains. According to the release, FBI Cleveland dismantled "three U.S. servers, three United Kingdom servers, 18 German servers, eight U.S.-based criminal domains, and one German-based criminal domain."

The FBI left playful seizure notices on the dark web domains for Radar and Dispossessor's leak sites. One had an image of a radar behind the seizure notice, while the other had the typical "This website has been seized" notice with "seized" crossed out and replaced by "repossessed."

Also in the press release, the bureau said the gang, which utilizes a dual-extortion ransomware model, was created in August of last year and has to this point been led by an individual known as "Brain."

"Since its inception in August 2023, Radar/Dispossessor has quickly developed into an internationally impactful ransomware group, targeting and attacking small-to-mid-sized businesses and organizations from the production, development, education, healthcare, financial services, and transportation sectors," the press release read. "Originally focused on entities in the United States, the investigation discovered 43 companies as victims of the attacks, from countries including Argentina, Australia, Belgium, Brazil, Honduras, India, Canada, Croatia, Peru, Poland, the United Kingdom, the United Arab Emirates, and Germany. During its investigation, the FBI identified a multitude of websites associated with Brain and his team."

Radar/Dispossessor, the FBI said, targeted small and medium-sized businesses in a variety of sectors -- particularly those with weak passwords and no multifactor authentication. The gang used aggressive post-infection tactics; if the victim did not contact Radar/Dispossessor, "the group would then proactively contact others in the victim company, either through email or phone call."

"The emails also included links to video platforms on which the previously stolen files had been presented. This was always with the aim of increasing the blackmail pressure and increasing the willingness to pay," the FBI said. "Finally, the compromise was announced by the attackers on a separate leak page and a countdown set until public release of the victim data if no ransom was paid."

The investigation and joint takedown were conducted in conjunction with the U.S. Attorney's Office for the Northern District of Ohio, the U.K.'s National Crime Agency, and the Bamberg Public Prosecutor's Office and Bavarian State Criminal Police Office in Germany.

The Radar/Dispossessor gang disruption is the latest in a long line of recent international law enforcement efforts to disrupt ransomware gangs and hold members accountable. The U.K.'s National Crime Agency led a severe high-profile disruption against LockBit earlier this year, while last January the FBI compromised Hive's operations. And this week, the U.S. government unsealed documents relating to Belarusian and Ukrainian national Maksim Silnikau, an alleged threat actor arrested in Spain and extradited to the U.S. for cybercrime including operating the Ransom Cartel.

TechTarget Editorial contacted the FBI for more information about the Radar/Dispossessor disruption effort, but a spokesperson declined to comment.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.