Tuesday, November 12, 2024
HomeCyber CrimeDISPOSSESSOR And RADAR Ransomware Emerging With RaaS Model

DISPOSSESSOR And RADAR Ransomware Emerging With RaaS Model

Published on

Malware protection

Ransomware affiliates are forming alliances to recoup losses from unreliable partners. A prominent example involves ALPHV extorting $22 million from Change Healthcare but withholding funds from its data exfiltration affiliate. 

To remedy this, the affiliate has reportedly partnered with RansomHub to demand additional payment from Change Healthcare for data deletion, showcasing a new tactic in the evolving ransomware ecosystem where affiliates are safeguarding their interests through collaboration and secondary extortion attempts. 

A recent cyberattack on Long Island Plastic Surgery (LIPSG) highlights a common extortion tactic. Following data theft by an affiliate, the main threat actor, ALPHV, demanded a smaller ransom from the victim, but neither party paid the affiliate who had stolen the data. 

- Advertisement - SIEM as a Service

Unable to secure payment from LIPSG, the affiliate, claiming to be the RADAR locker group, publicly leaked the stolen data on the Dispossessor leak site, demonstrating a secondary extortion attempt when initial revenue streams fail. 

Dispossessor, a newly emerged cybercrime group, has been active since February 2024.

Despite initial claims of being a ransomware group following its March leak of data from 330 Lockbit victims, subsequent analysis indicates Dispossessor is primarily a data reseller, repurposing stolen data from other ransomware groups such as Clop, Hunters International, 8Base, and Snatch. 

The group operating similarly to LockBit has been misclassified as a ransomware group. Instead of deploying ransomware, Dispossessor acts as a data broker, redistributing stolen data from other, often defunct, ransomware groups. 

The decentralized RaaS model, which facilitates this opportunistic behavior, presents difficulties for law enforcement and highlights the evolving strategies used by cybercriminal organizations. 

SOCRadar observed a potential precursor to Dispossessor’s ransomware operations in December 2023 when a BreachForums user associated with the group sought to recruit OSCP redteamers. 

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access

This behavior, along with later job postings for penetration testers with specific technical skills and the fact that the user linked to Dispossessor praised one recruiter, strongly suggests that the group was actively hiring malicious cyberworkers and is about to switch to a ransomware-as-a-service model. 

Two distinct cybercrime groups, RADAR and DISPOSSESSOR, have formed a collaborative partnership, pooling resources and expertise. 

Both groups specialize in red teaming, leveraging shared tools, methodologies, and access to conduct joint attacks for financial gain.

Their online presence, including GitHub content and interviews, exhibits potential AI manipulation, complicating attribution and analysis efforts. 

RADAR and DISPOSSESSOR, a newly emerged Ransomware-as-a-Service (RaaS) group with a three-year operational history, has targeted two US healthcare organizations by offering sophisticated ransomware tools with customizable encryption options, data exfiltration capabilities, and aggressive leak site tactics, including streaming video proof of data theft. 

According to Data Breaches, despite threats of regulatory action, the group’s primary leverage remains data extortion, posing a significant risk to targeted organizations. 

Download Free Cybersecurity Planning Checklist for SME Leaders (PDF) – Free Download

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Sweet Security Announces Availability of its Cloud Native Detection & Response Platform on the AWS Marketplace

Customers can now easily integrate Sweet’s runtime detection and response platform into their AWS...

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

New Android Malware SpyAgent Taking Screenshots Of User’s Devices

SpyAgent, a newly discovered Android malware, leverages OCR technology to extract cryptocurrency recovery phrases...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Researchers Detailed Credential Abuse Cycle

Cybercriminals exploit leaked credentials, obtained through various means, to compromise systems and data, enabling...

Threat Actors Allegedly Claim Leak of 489 Million Lines of Instagram Data

A threat actor has allegedly scraped 489 million lines of Instagram user data, including...

Threat Actors Allegedly Claim Leak of Harley-Davidson Database

Threat actors known as "888" have allegedly leaked the database of Appleton Harley-Davidson, a...