DataBreaches.Net


RADAR and DISPOSSESSOR shift to R-a-a-S model

Posted on July 30, 2024 (updated July 31, 2024) by Dissent

In April, Jim Walter of SentinelOne wrote an article about how some ransomware affiliates were teaming up with others to get paid if they had been cheated by previous partners. Perhaps the best-known recent example of this occurred after ALPHV allegedly secured a $22 million ransom from Change Healthcare and then absconded with the money without paying a share to the affiliate who had exfiltrated the data. With the data still in the affiliate’s possession and nothing to show for it, the affiliate appeared to have teamed up with RansomHub to try to get Change Healthcare to pay to get the data deleted.

While the Change Healthcare incident is probably the best-known recent example of an affiliate being cheated and then pursuing payment via a second approach, DataBreaches noted the same situation occurred with Long Island Plastic Surgery. ALPHV allegedly secured a reduced payment from the victim, but the affiliate who did the exfiltration was not paid by either the victim or ALPHV. As DataBreaches reported, the unpaid affiliate, who claimed to be the RADAR locker group, wound up trying unsuccessfully to get LIPSG to pay them and then leaked the data on the Dispossessor leak site.

Dispossessor

One of the groups Walter discussed was Dispossessor, which emerged in February 2024.

On March 13—the same day that the Long Island Plastic Surgery Group listing appeared on Dispossessor’s leak site—a user on BreachForums called @Dispossessor announced the availability of data from 330 Lockbit victims. Not surprisingly, analysts looking at Dispossessor’s leak site at the time claimed that Dispossessor was not a ransomware group, but just a group trying to re-sell previously leaked or stolen data, including leaks from Clop, Hunters International, 8Base, and Snatch. On March 24, @RansomFeedNews tweeted: “In light of everything, from our point of view it is not ransomware, but a group of scoundrels trying to monetize (on nothing) using the claims of other groups.”

In May, SOCRadar profiled Dispossessor Ransomware. They concurred with @ransomfeednews’ assessment:

Dispossessor follows the Ransomware-as-a-Service (RaaS) model, similar to LockBit. This approach allows RaaS groups to distribute ransomware through affiliates, who then execute attacks on various targets. The decentralized nature of this model makes it challenging for law enforcement to completely dismantle their operations.

However, Dispossessor does not appear to possess ransomware capabilities; instead, it functions more accurately as a data broker. Since no instances of their ransomware have been observed, it is clear that they are primarily publishing data leaks from other groups, including those that are now defunct or have been shut down. This makes them opportunistic threat actors.

While Dispossessor did not appear to have been a ransomware group at the time, SOCRadar noted that in December 2023, a BreachForums user named @DISPOSSESSOR had posted that they were looking to hire OSCP redteamers. That post was subsequently removed, but in June, a user called @RADAR posted a listing looking to hire “pentesters/redteamers in AD to work with VPN, citric, RDP/VNC/RDWEB/shell etc accesses.”

And who vouched for @RADAR? It was @DISPOSSESSOR.

SOCRadar noted that the December recruitment of redteamers might indicate that Dispossessor was gearing up to become an actual ransomware operation. It appears that they were.

RADAR and DISPOSSESSOR

Dispossessor’s site is still called “Leaked Data,” but when Dispossessor responded to an inquiry from DataBreaches, they identified themselves as responding from “RADAR and DISPOSSESSOR team’s blog.”

Following up, DataBreaches inquired if there were two groups collaborating or one group with a double name.

“We are two groups RADAR and DISPOSSESSOR with a lot of oldschool redteamers, coders, OSINT-specialists, Sys-admins etc,” they replied. DataBreaches asked why the two groups decided to team up and whether both groups were involved in the same attacks. Their spokesperson answered:

Both groups RADAR and DISPOSSESSOR are redteamers and involved in the same redteam attacks; we share private tools, methods, accesses between each other and share the profit.

The groups provide an expanded introduction to themselves on GitHub. Their GitHub writing appears to have been written or edited by AI, as does an interview they gave to Red Hot Cyber that was published last week.

RADAR and DISPOSSESSOR: R-a-a-S

This week, their Leaked Data site includes two new victims in the U.S. healthcare sector. Neither of these incidents — one allegedly involving Delhi Hospital in Louisiana and one involving Aire Dental in New York — had previously been listed by any other threat actor.

Leaked Data’s website has a lengthy page of rules for affiliates that covers acceptable and prohibited targets, the profit split (80/20), a 1 BTC deposit at the start, and all the features RADAR and DISPOSSESSOR claim to provide. Some of those claimed features include:

– ability to generate builds with different settings, but with one encryption key for one corporate network;
– 2 different encryption lockers for Windows in one panel, written by different programmers, allowing to encrypt the network twice, if time allows, it will be useful for paranoiacs who doubt the reliability and implementation of the cryptographic algorithm and believe in free decryption;
– ability to edit the list to kill processes and services;
– ability to edit the list of exceptions – computer name, names and file extensions that do not need to be encrypted;
– the fastest and most efficient cleanup (without the possibility of recovery) of free space after encryption;

Although analysts report that Dispossessor emerged in February 2024, RADAR and DISPOSSESSOR claim to have been involved in ransomware for three years:

Stability: we have been working for 3 years, and no negative news regarding ransomware could scare and stop us, and so far we could not be caught by the FBI. If they couldn’t catch us in 3 years, they probably never will, and we will keep working.

Perhaps the three years include the time they admit to having spent as affiliates of, or partners with, LockBit.

RADAR and DISPOSSESSOR continue to offer sales services to other groups or affiliates that want to list data for sale, but it seems clear that they have now moved into R-a-a-S and are one more group to be concerned about.

The group is already introducing their own style on their leak site. Although it still emulates LockBit’s layout and its use of countdown clocks, instead of a few scanned images as proof of claims, RADAR and DISPOSSESSOR provide a streaming video of files. One video viewed by DataBreaches was 10 minutes long; another was 41 minutes long. In both cases, the threat actors indicated that they would release longer videos if their targets did not contact them before the countdown clock ran down.

As some other groups have done, RADAR and DISPOSSESSOR also include threats of regulator action or lawsuits. What none of these non-U.S. groups seem to really understand is how seldom regulators like HHS actually take action. From a probability perspective, the more likely risk is a potential class-action lawsuit that may go nowhere but will take time and money.

Category: Commentaries and Analyses, Malware, Non-U.S.