The US Federal Bureau of Investigation (FBI) has announced the takedown of the notorious “Radar/Dispossessor” ransomware group, with an international law enforcement effort dismantling the gang’s servers across the United States, the United Kingdom, and Germany.
The group was led by an individual using the online moniker “Brain,” the FBI said. The operation resulted in the seizure of three US servers, three UK servers, 18 German servers, eight US-based criminal domains, and one German-based criminal domain. The collaborative effort was conducted alongside the UK's National Crime Agency, Bamberg Public Prosecutor’s Office, Bavarian State Criminal Police Office (BLKA), and the US Attorney’s Office for the Northern District of Ohio.
Radar/Dispossessor emerged in August 2023, targeting small to mid-sized businesses across various sectors, including production, development, education, healthcare, financial services, and transportation. The group initially focused on US entities, but investigations have revealed that its reach extended to 43 companies worldwide, with victims in Argentina, Australia, Belgium, Brazil, Honduras, India, Canada, Croatia, Peru, Poland, the United Kingdom, the United Arab Emirates, and Germany.
Radar/Dispossessor employed a double-extortion model similar to other notorious ransomware operations. The group would not only encrypt victims' systems but also exfiltrate sensitive data and hold it for ransom. Initial access came through weak passwords on internet-facing systems that lacked two-factor authentication, so a guessed or reused credential alone was enough to log in. Once inside, the criminals escalated their privileges to administrator level, giving them full control over the systems and files.
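The initial-access pattern described above (credential guessing against accounts with no second factor) is detectable in authentication logs before any encryption starts. The following is an added example, not code from the FBI's announcement or from the group: it parses a hypothetical single-line auth log format (constructed here; the field layout, thresholds and sample IPs are assumptions) and flags three things a defender would want to see: password spraying (one source, many accounts, few attempts each), single-account brute force, and a successful login without MFA from a source that had just been failing.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not real telemetry). The format is a
# hypothetical "<ISO timestamp> auth <success|failed> user=<name> src=<ip> mfa=<yes|no>";
# `mfa` records whether a second factor was verified for that attempt.
SAMPLE_LOG = """\
2024-08-12T10:00:01Z auth failed user=alice src=203.0.113.7 mfa=no
2024-08-12T10:00:03Z auth failed user=bob src=203.0.113.7 mfa=no
2024-08-12T10:00:05Z auth failed user=carol src=203.0.113.7 mfa=no
2024-08-12T10:00:08Z auth failed user=dave src=203.0.113.7 mfa=no
2024-08-12T10:00:10Z auth failed user=erin src=203.0.113.7 mfa=no
2024-08-12T10:00:12Z auth failed user=frank src=203.0.113.7 mfa=no
2024-08-12T10:01:30Z auth success user=frank src=203.0.113.7 mfa=no
2024-08-12T10:05:00Z auth failed user=admin src=198.51.100.9 mfa=no
2024-08-12T10:05:01Z auth failed user=admin src=198.51.100.9 mfa=no
2024-08-12T10:05:02Z auth failed user=admin src=198.51.100.9 mfa=no
2024-08-12T10:05:03Z auth failed user=admin src=198.51.100.9 mfa=no
2024-08-12T10:05:04Z auth failed user=admin src=198.51.100.9 mfa=no
2024-08-12T10:05:05Z auth failed user=admin src=198.51.100.9 mfa=no
2024-08-12T10:09:00Z auth failed user=alice src=192.0.2.5 mfa=no
2024-08-12T10:09:20Z auth success user=alice src=192.0.2.5 mfa=yes
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failed) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) mfa=(?P<mfa>yes|no)$"
)


def parse_log(text):
    """Parse log text into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_password_spraying(events, window=timedelta(minutes=10), min_users=5):
    """Flag sources that fail against >= min_users distinct accounts within `window`.
    Spraying keeps per-account attempts low, so per-account lockout never triggers;
    the signal is the fan-out across accounts from one source. Thresholds are assumptions."""
    failures = defaultdict(list)
    for ev in events:
        if ev["result"] == "failed":
            failures[ev["src"]].append(ev)
    flagged = {}
    for src, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                flagged[src] = sorted(users)
                break
    return flagged


def detect_brute_force(events, window=timedelta(minutes=10), threshold=5):
    """Flag (src, user) pairs with >= threshold failures within `window`: the classic
    single-account guessing pattern. Returns the failure count inside the first window that trips."""
    failures = defaultdict(list)
    for ev in events:
        if ev["result"] == "failed":
            failures[(ev["src"], ev["user"])].append(ev["ts"])
    flagged = {}
    for key, times in failures.items():
        times.sort()
        for i, start in enumerate(times):
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= threshold:
                flagged[key] = count
                break
    return flagged


def detect_single_factor_logins_after_failures(events):
    """Return (user, src) pairs that logged in without a second factor from a source that
    had already failed against some account. Had MFA been enforced on that account, a
    guessed password alone would not have produced the success event."""
    failed_sources = set()
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] == "failed":
            failed_sources.add(ev["src"])
        elif ev["mfa"] == "no" and ev["src"] in failed_sources:
            hits.append((ev["user"], ev["src"]))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spraying:", detect_password_spraying(evs))
    print("brute force:", detect_brute_force(evs))
    print("single-factor logins after failures:", detect_single_factor_logins_after_failures(evs))
```

On the constructed data, 203.0.113.7 is flagged for spraying six accounts in eleven seconds and then logging in as frank with no second factor; 198.51.100.9 is flagged for hammering the admin account; alice's single typo from 192.0.2.5 followed by an MFA-verified login is left alone. The third detector is the one that maps directly to the paragraph above: it surfaces exactly the accounts where a weak password and missing MFA turned a guessing campaign into a foothold.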
Victims who failed to respond to the initial ransom demands were further harassed by the group. They would reach out to other employees within the victim's company, using email or phone calls to increase the pressure. These communications often included links to videos showcasing the stolen data, aimed at coercing the victims into paying the ransom. If the demands were not met, the group would announce the breach on a dedicated leak page, setting a countdown to the public release of the stolen data.