The FBI and US DOJ announce a successful takedown of global infrastructure belonging to a ransomware gang you may never have heard of.
The FBI and the US Department of Justice have announced the disruption and takedown of the Dispossessor ransomware gang.
According to the FBI’s Cleveland office, a multinational operation has seized the gang’s darknet leak site and dismantled servers across the globe – three each in the US and UK and 18 in Germany.
In addition, eight “criminal domains” in the US were taken down, as well as one based in Germany.
But what makes this takedown particularly interesting is how much of a low profile the gang has kept since its apparent inception in August of last year. The gang is not listed in threat platform Falcon Feeds’ databases and is only briefly mentioned on a similar site run by VenariX.
Another threat-tracking site, ransomwatch, has some details of the gang’s activity, while SOCRadar has a profile for the outfit. SOCRadar believes the gang only began operations in February of this year, but it does note that the gang appears to have some links to the LockBit gang based on the design of its darknet leak site.
Dispossessor, also known as Radar according to the FBI, is (or possibly was) a ransomware-as-a-service operation that worked with a range of affiliates to attack victims in countries including “Argentina, Australia, Belgium, Brazil, Honduras, India, Canada, Croatia, Peru, Poland, the United Kingdom, the United Arab Emirates, and Germany”.
The FBI believes the gang had claimed at least 43 separate victims, but also admits that, given the many ransomware variants circulating on the illicit market, the true number is impossible to know for sure.
The seizure notice on the gang’s darknet site also includes some grade-A trolling by the FBI.
“Site admins – you know who you are,” the FBI said. “If you want to talk, contact us…”
“Don’t be the last to reach out.”
A statement from the US Department of Justice added some more information, but also some more confusion. While the FBI noted that “Radar/Dispossessor” was “led by the online moniker ‘Brain’,” the DOJ added that the individual known as Brain had had a complaint filed against them with the Attorney’s Office for the Northern District of Ohio and that Brain was “believed to be based in Europe” and is “responsible for building a multinational ransomware organisation known as Radar”.
“The complaint sought injunctive relief to prevent additional attacks on victims from occurring and authorised disruption of the ransomware by disabling domain names, servers and IP addresses associated with the criminal enterprise,” the DOJ said in a statement.
The DOJ statement did not mention Dispossessor at all, despite that being the name the gang itself appears to have used most of the time.
Wait, not actually ransomware?
Then again, while it’s right to applaud any disruption to ransomware operators, some observers feel that Dispossessor was not a “proper” ransomware gang at all. SOCRadar certainly didn’t see the threat actor in that light.
“... Dispossessor does not appear to possess ransomware capabilities; instead, it functions more accurately as a data broker,” SOCRadar said in a 17 May 2024 blog post.
“Since no instances of their ransomware have been observed, it is clear that they are primarily publishing data leaks from other groups, including those that are now defunct or have been shut down. This makes them opportunistic threat actors.”
Ransomware analytics platform Ransomfeed agrees.
“We have noticed that there is a lot of talk about the alleged new ransomware group dispossessor; we did some checking and analysed the situation,” Ransomfeed said via its Ransomfeednews account on X on 25 March 2024.
“In light of everything, from our point of view it is not ransomware, but a group of scoundrels trying to monetise (on nothing) using the claims of other groups.”
In many ways, it doesn’t matter who’s right – either way, a group of canny cyber criminals has had its infrastructure pulled out from underneath them.
Plus, it’s entirely possible that the resources of the FBI and DOJ – alongside the Bavarian State Criminal Police Office in Germany; the National Crime Agency of the United Kingdom; and the Prosecutor’s Office of Bamberg, Germany – were able to uncover more than any threat analyst has so far been able to.
However, the announcement of this takedown also illustrates how fluid the ransomware environment is, and how hard a job threat analysts and law enforcement agencies face when it comes to pinning down and identifying individual gangs and their members.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.