Com TW NOw News 2024

FBI Shuts Down Dozens of Radar/Dispossessor Ransomware Servers

The FBI has taken down dozens of servers associated with Radar/Dispossessor’s ransomware operations, disrupting a group that originally profited from the activities of an existing ransomware gang but ultimately became a cybercriminal force to be reckoned with.

The agency dismantled several parts of the group’s global computer infrastructure, including three servers in the US, three in the UK, 18 servers in Germany, eight US-based criminal domains and one German-based criminal domain, FBI Cleveland revealed in a press release this week.

Radar/Dispossessor, run by an individual with the online moniker “Brain,” first appeared on the cybercrime scene in August 2023 as an operation that republished data stolen by the LockBit ransomware gang in an attempt to generate profit, according to researchers at SentinelOne. However, it quickly evolved into a full-fledged ransomware gang.

At the time of the FBI operation, the group had grown into an international ransomware gang specifically targeting small and medium-sized enterprises (SMEs) and organizations in the manufacturing, development, education, healthcare, financial services and transportation sectors, the law enforcement agency said.

The FBI conducted its investigation and subsequent dismantling of the group’s infrastructure in cooperation with the British National Crime Agency, the Bamberg Public Prosecutor’s Office, the Bavarian State Criminal Police Office (BLKA), and the U.S. Attorney’s Office for the Northern District of Ohio.

Incessant pressure of double extortion

Radar/Dispossessor initially targeted U.S. organizations, but later expanded to the rest of the world. The FBI identified 43 victims, not only from the U.S., but also from Argentina, Australia, Belgium, Brazil, Honduras, India, Canada, Croatia, Peru, Poland, the United Kingdom, the United Arab Emirates, and Germany.

“During the investigation, the FBI identified numerous websites associated with Brain and his team,” the press release said.

Like many other groups, Radar/Dispossessor used double extortion as its criminal model: in addition to encrypting victims’ computer systems, it exfiltrated critical data and held it hostage. According to the FBI, the group’s typical entry points into a victim’s systems were unpatched vulnerabilities, weak passwords, and accounts lacking two-factor authentication (2FA). Once initial access was gained, the group would escalate privileges to administrator level in order to reach files, and then deploy ransomware encryption from there.

The group was known for its relentless pursuit of ransom, the FBI said. Once a company was attacked, Radar/Dispossessor proactively contacted employees of the company, via emails or phone calls, including links to video platforms with videos of stolen data to increase pressure, the agency said.

“This was always with the goal of increasing blackmail pressure and increasing the willingness to pay,” the FBI said. Radar/Dispossessor then used a separate leak page to set a countdown for the public release of victim data if organizations did not pay the ransom.

Software patching and password protection

Radar/Dispossessor joins a growing list of cybercriminal operations that have been significantly disrupted or permanently disabled by global law enforcement in recent years, including the infamous ransomware gangs LockBit and ALPHV/BlackCat, as well as hacker forums such as BreachForums and Genesis.

However, most of these groups or forums resurface in one form or another, either as a single entity or by uniting with their former members into splinter cybercriminal gangs.

While the shutdown of cybercriminal infrastructure is “great news,” it would be even better if there were arrest warrants for the gang’s leaders and they were publicly identified, the kind of announcements that often accompany law enforcement actions, noted Roger Grimes, data-driven defense evangelist at security awareness training company KnowBe4. As ransomware remains a prevalent threat, law enforcement and security experts are urging organizations to remain vigilant and protect themselves from attacks.

Since initial access often involves exploiting software vulnerabilities and weak passwords, every organization must ensure that it regularly updates applications to the latest versions and applies all necessary fixes, and must practice strong password hygiene. These basic measures and protections are especially important for SMEs, which may not have the budgets to implement more robust and comprehensive protections.