Radar/Dispossessor Ransomware Group Operations Disrupted by the FBI

The Federal Bureau of Investigation (FBI) spearheaded a global operation that successfully dismantled the infrastructure of the Radar/Dispossessor ransomware group, a criminal ransomware-as-a-service (RaaS) operation led by an individual known as ‘Brain’. The operation took down 24 of the group’s servers, 3 of them in the U.S., and 9 criminal domains, 8 of which were located in the U.S. The Radar/Dispossessor group operates by recruiting affiliates to carry out attacks and sharing a portion of any ransom collected with them. Active since August 2023, the group employs a double extortion tactic: it not only encrypts victims’ files but also exfiltrates sensitive data, then demands a ransom payment both to decrypt the files and to prevent the stolen data from being published.

The group gains initial access by exploiting weak passwords and networks that lack two-factor authentication. Once inside, the attackers obtain administrator access, exfiltrate files, and deploy the ransomware. If victims do not contact the group to negotiate payment, it escalates: the group contacts other employees of the company by phone and email to pressure the company into paying, and even sends them the URLs of websites where the stolen data has been uploaded. If these methods fail, the group lists the victim on its data leak site with a countdown timer, warning that the stolen data will be published if contact is not made. The group also sometimes republishes on its leak site data that other ransomware groups have stolen, as a way to further extort companies that have already been targeted by those groups.

The group targets small to medium-sized companies, with most of its victims coming from the following sectors: education, healthcare, manufacturing, development, transportation, and financial services. HIPAA-covered entities need to prepare for attacks by this group, such as by implementing encryption that meets HIPAA requirements to protect sensitive patient data. While the group initially focused on U.S. businesses, it has since expanded its operations globally. The group’s attacks have victimized at least 43 companies, and the true number is potentially much higher; the FBI has not been able to determine the exact number of attacked companies because the group uses several ransomware variants.

Although the law enforcement operation has likely slowed the group’s activities, such disruptions are typically short-lived, because ransomware groups can rebuild their infrastructure and resume operations. The FBI is asking the public for information about Radar ransomware and the group’s leader, with the aim of bringing ‘Brain’ to justice.

Photo credits: James Thew, AdobeStock.com

Posted by John Blacksmith

John Blacksmith is a journalist with several years’ experience in both print and online publications. John has specialised in information technology in the healthcare sector, and in particular in healthcare data security and privacy. His focus on healthcare data means he has specialist knowledge of the HIPAA regulations. John has a degree in journalism.