In a coordinated international takedown, the FBI, in collaboration with law enforcement agencies across the globe, has dismantled the infrastructure of the “Radar/Dispossessor” ransomware group. The operation, led by the online alias “Brain,” targeted small-to-mid-sized businesses across various sectors, causing significant disruption and financial losses.
The FBI’s Cleveland division announced the successful dismantling on August 12th. The operation resulted in the takedown of servers and domains crucial to the group’s operations. This included seizing three servers each in the United States and the United Kingdom, along with 18 servers located in Germany. Additionally, authorities seized eight U.S.-based and one German-based domain used by the cybercriminals.
The investigation and joint takedown were conducted in collaboration with the the U.K.’s National Crime Agency, Bamberg Public Prosecutor’s Office, Bavarian State Criminal Police Office (BLKA), and U.S. Attorney’s Office for the Northern District of Ohio.
Rapid Rise, Global Reach of ‘Radar/Dispossessor’
Emerging in August 2023, Radar/Dispossessor quickly established itself as a formidable threat. The group employed the now-common “dual-extortion” model, encrypting victim data while simultaneously exfiltrating it for potential public release if ransom demands weren’t met. Their targets spanned various sectors, including production, development, education, healthcare, finance, and transportation. While initial attacks focused on the U.S., the investigation revealed victims in 13 countries, including Argentina, Australia, Belgium, and India.
Preying on Weaknesses
The investigation exposed the group’s tactics. Radar/Dispossessor exploited vulnerabilities in victim systems, targeting weak passwords and a lack of two-factor authentication. Once initial access was established, the attackers escalated privileges to gain complete control over the system. This enabled them to deploy the ransomware for data encryption, rendering critical information inaccessible.
Escalating Pressure
Following the initial data encryption, the cybercriminals adopted a multi-pronged approach to pressure victims into paying. They would proactively contact individuals within the compromised organization, often via email or phone call. These communications included links to platforms showcasing the stolen data, a tactic employed to heighten the sense of urgency and increase the likelihood of ransom payment. To further pressure victims into paying the ransom, they even provided examples of previous victims who broke their rules, researchers at Broadcom said.
The final act of coercion involved publicly announcing the data breach on a dedicated leak site. This announcement included a countdown timer, further pressuring victims to meet the ransom demands before their sensitive information was exposed.
Seeking Information, Offering Support
The FBI is actively seeking further information about Brain and his criminal network. Additionally, they encourage any business or organization that has been targeted by Radar Ransomware – or any other ransomware variant – to report the incident to the Internet Crime Complaint Center (IC3) at ic3.gov or by calling 1-800-CALL-FBI. Anonymity is guaranteed to those who report such crimes.
