The FBI and US Department of Justice announce the successful takedown of global infrastructure belonging to a ransomware gang you may have never heard of.
The FBI and the US Department of Justice have announced the disruption and removal of the Dispossessor ransomware gang.
According to the FBI’s Cleveland office, a multinational operation seized the gang’s darknet leak site and took down servers around the world: three in the US and UK and 18 in Germany.
Additionally, eight “criminal domains” in the United States were removed, as well as one based in Germany.
But what makes this takedown particularly interesting is the low profile the gang has maintained since its apparent creation in August last year. The gang is not listed in threat platform Falcon Feeds’ databases and is only briefly mentioned on a similar site run by VenariX.
Another threat tracking site, ransomwatch, has some details of the gang’s activity, while SOCRadar has a profile of the group. SOCRadar believes the gang only began operating in February of this year, but does note that the gang appears to have some ties to the LockBit gang based on the design of their darknet leak site.
Dispossessor, also known as Radar, is (or possibly was) a ransomware-as-a-service operation, the FBI said, working with a variety of affiliates to attack victims in countries such as “Argentina, Australia, Belgium, Brazil, Honduras, India, Canada, Croatia, Peru, Poland, United Kingdom, United Arab Emirates and Germany.”
The FBI believes the gang has claimed at least 43 different victims, but also admits that due to the nature of the many variants of ransomware on the illicit market, it is impossible to know for sure.
The seizure notice on the gang’s darknet site also includes Grade A trolling by the FBI.
“Site administrators: you know who you are,” the FBI said. “If you want to talk, contact us…”
“Don’t be the last to communicate.”
A statement from the US Department of Justice added more information, but also some more confusion. While the FBI noted that “Radar/Dispossessor” was “led by the online nickname ‘Brain’,” the DOJ added that a complaint had been filed against the individual known as Brain with the U.S. Attorney’s Office for the Northern District of Ohio, and that Brain was believed to be based in Europe and is “responsible for building a multinational ransomware organization known as Radar.”
“The complaint sought injunctive relief to prevent additional attacks on victims and authorized disruption of the ransomware by disabling domain names, servers, and IP addresses associated with the criminal enterprise,” the Justice Department said in a statement.
The Justice Department statement made no mention at all of Dispossessor, the name the broader ransomware gang appears to have used.
Wait, it’s not actually ransomware?
On the other hand, while it is right to applaud any disruption of ransomware operators, some observers feel that Dispossessor was not a “proper” ransomware gang at all. SOCRadar certainly didn’t see the threat actor from that perspective.
“…The dispossessor does not appear to possess ransomware capabilities; instead, it functions more precisely as a data broker,” SOCRadar said in a May 17, 2024 blog post.
“Since no cases of their ransomware have been observed, it is clear that they are primarily publishing data leaks from other groups, including those that no longer exist or have been shut down. This makes them opportunistic threat actors.”
Ransomware analysis platform Ransomfeed agrees.
“We have noticed that there is a lot of talk about the supposed new owner of the ransomware group; we did some checks and analyzed the situation,” Ransomfeed said via its Ransomfeednews account on X on March 25, 2024.
“In light of everything, from our point of view this is not ransomware, but rather a group of scoundrels trying to monetize (for nothing) using the claims of other groups.”
In many ways, it doesn’t matter who is right; either way, a group of clever cybercriminals has had its infrastructure ripped out.
Furthermore, it is quite possible that the combined resources of the FBI and the Department of Justice, along with the Bavarian State Criminal Police Office in Germany, the UK National Crime Agency and the Prosecutor’s Office in Bamberg, Germany, allowed investigators to discover more than any threat analyst has been able to so far.
However, the announcement of this takedown also illustrates how fluid the ransomware environment is, and how hard a job threat analysts and law enforcement agencies face when it comes to pinning down and identifying individual gangs and their members.