The US Federal Bureau of Investigation (FBI), through its Cleveland division, has announced the successful disruption of the criminal ransomware group known as “Radar” or “Dispossessor,” led by an individual using the alias “Brain.” This operation resulted in the dismantling of key infrastructure linked to the group, including three servers located in the US, three in the UK, and 18 in Germany. Furthermore, eight US-based criminal domains and one Germany-based domain were taken offline as part of the crackdown.

According to the FBI, Radar has been active since August 2023. The group quickly became a significant threat, mainly targeting small-to-mid-sized businesses and organisations. It focused on various sectors, including production, education, healthcare, financial services, and transportation. Initially, the group targeted entities within the US. However, the investigation later revealed that it had extended its reach globally. A total of 43 companies across countries such as Australia, Brazil, India, Canada, the UK, the UAE, and Germany were identified as victims.

The FBI and allied law enforcement agencies have announced their takedown of the ‘Radar/Dispossessor’ ransomware group. (Photo: Shutterstock)

Radar/Dispossessor taken down by international coalition

The ransomware employed by Radar/Dispossessor operates on a double-extortion model, now common in such attacks: the victim's data is encrypted, rendering it inaccessible, and the attackers also threaten to publish stolen copies of that data unless a ransom is paid. According to the FBI, the group gained initial access by identifying vulnerable computer systems and weak credential hygiene, in particular weak passwords and accounts without two-factor authentication. Once inside, the attackers would escalate to administrative rights, encrypt vital files, and effectively lock the companies out of their own data.

In an effort to exert further pressure, the attackers would reach out directly to other members of the victim organisations, using emails and phone calls. These communications often included links to video platforms displaying the stolen files, further increasing the coercion to pay the ransom. If the company did not respond, the attackers would escalate the situation by threatening to leak the compromised data on a dedicated website, setting a countdown for the public release if the ransom was not paid.

The FBI conducted the investigation and subsequent takedown of the group in collaboration with international partners including the UK’s National Crime Agency, the Bamberg Public Prosecutor’s Office and the Bavarian State Criminal Police Office (BLKA).

In a statement, the FBI said: “The FBI encourages those with information about Brain or Radar Ransomware—or if their business or organisation has been a target or victim of ransomware or currently paying a criminal actor—to contact its Internet Crime Complaint Center at ic3.gov or 1-800-CALL-FBI. Your identity can remain anonymous.”

Group latest to be toppled in very public sting operation

In late 2023 and early 2024, the FBI carried out significant operations against major ransomware groups, including AlphV/BlackCat and LockBit. In December 2023, the FBI disrupted the AlphV/BlackCat ransomware group by seizing its darknet leak site and replacing it with a seizure notice. AlphV/BlackCat had compromised over 1,000 entities globally, extorting nearly $300m from its victims, with initial access frequently gained through social engineering. This action was part of a larger international law enforcement effort.

In February 2024, the FBI, in collaboration with the US Department of Justice and the UK's National Crime Agency, disrupted the LockBit group, which had been responsible for over 2,000 attacks worldwide. This operation led to the seizure of LockBit's infrastructure, including servers and websites, severely limiting the group's ability to continue its criminal activities. Decryption keys were also obtained, enabling victims to recover their data without paying a ransom. The disruption was only partial, however: the group's founder claimed that the organisation was back up and running less than a week after the operation.
