In April, Jim Walter of SentinelOne wrote an article about how some ransomware affiliates were teaming up with others to get paid if they had been cheated by previous partners. Perhaps the best-known recent example of this occurred after ALPHV allegedly secured a $22 million ransom from Change Healthcare and then absconded with the money without paying a share to the affiliate who had exfiltrated the data. With the data still in the affiliate’s possession and nothing to show for it, the affiliate appeared to have teamed up with RansomHub to try to get Change Healthcare to pay to get the data deleted.
While the Change Healthcare incident is probably the best-known recent example of an affiliate being cheated and then pursuing payment via a second approach, DataBreaches noted the same situation occurred with Long Island Plastic Surgery. ALPHV allegedly secured a reduced payment from the victim, but the affiliate who did the exfiltration was not paid by either the victim or ALPHV. As DataBreaches reported, the unpaid affiliate, who claimed to be the RADAR locker group, wound up trying unsuccessfully to get LIPSG to pay them and then leaked the data on the Dispossessor leak site.
Dispossessor
One of the groups Walter discussed was Dispossessor, which emerged in February 2024.
On March 13—the same day that the Long Island Plastic Surgery Group listing appeared on Dispossessor’s leak site—a user on BreachForums called @Dispossessor announced the availability of data from 330 Lockbit victims. Not surprisingly, analysts looking at Dispossessor’s leak site at the time claimed that Dispossessor was not a ransomware group, but just a group trying to re-sell previously leaked or stolen data, including leaks from Clop, Hunters International, 8Base, and Snatch. On March 24, @RansomFeedNews tweeted: “In light of everything, from our point of view it is not ransomware, but a group of scoundrels trying to monetize (on nothing) using the claims of other groups.”
In May, SOCRadar profiled Dispossessor Ransomware. They concurred with @ransomfeednews’ assessment:
Dispossessor follows the Ransomware-as-a-Service (RaaS) model, similar to LockBit. This approach allows RaaS groups to distribute ransomware through affiliates, who then execute attacks on various targets. The decentralized nature of this model makes it challenging for law enforcement to completely dismantle their operations.
However, Dispossessor does not appear to possess ransomware capabilities; instead, it functions more accurately as a data broker. Since no instances of their ransomware have been observed, it is clear that they are primarily publishing data leaks from other groups, including those that are now defunct or have been shut down. This makes them opportunistic threat actors.
While Dispossessor did not appear to have been a ransomware group at the time, SOCRadar noted that in December 2023, a BreachForums user named @DISPOSSESSOR had posted that they were looking to hire OSCP redteamers. That post was subsequently removed, but in June, a user called @RADAR posted a listing looking to hire “pentesters/redteamers in AD to work with VPN, citric, RDP/VNC/RDWEB/shell etc accesses.”
And who vouched for @RADAR? It was @DISPOSSESSOR.
SOCRadar noted that the December recruitment of redteamers might indicate that Dispossessor was gearing up to become an actual ransomware operation. It appears that they were.
RADAR and DISPOSSESSOR
Dispossessor’s site is still called “Leaked Data,” but when Dispossessor responded to an inquiry from DataBreaches, they identified themselves as responding from “RADAR and DISPOSSESSOR team’s blog.”
Following up, DataBreaches inquired if there were two groups collaborating or one group with a double name.
“We are two groups RADAR and DISPOSSESSOR with a lot of oldschool redteamers, coders, OSINT-specialists, Sys-admins etc,” they replied. DataBreaches asked why the two groups decided to team up and whether both groups were involved in the same attacks. Their spokesperson answered:
Both groups, RADAR and DISPOSSESSOR, are redteamers and are involved in the same redteam attacks; we share private tools, methods, and accesses between each other and share the profit.
The groups provide an expanded introduction to themselves on GitHub. Their GitHub writing appears to have been written or edited by AI, as does an interview they gave to Red Hot Cyber that was published last week.
RADAR and DISPOSSESSOR: R-a-a-S
This week, their Leaked Data site includes two new victims in the U.S. healthcare sector. Neither of these incidents — one allegedly involving Delhi Hospital in Louisiana and one involving Aire Dental in New York — had previously been claimed by any other threat actor.
Leaked Data’s website has a lengthy page of rules for affiliates and covers acceptable and prohibited targets, split (80/20), 1 BTC deposit at start, and all the features RADAR and DISPOSSESSOR claim to provide. Some of those features allegedly include:
– ability to generate builds with different settings, but with one encryption key for one corporate network;
– 2 different encryption lockers for Windows in one panel, written by different programmers, allowing the network to be encrypted twice if time allows; this will be useful for paranoiacs who doubt the reliability and implementation of the cryptographic algorithm and believe in free decryption;
– ability to edit the list to kill processes and services;
– ability to edit the list of exceptions – computer name, names and file extensions that do not need to be encrypted;
– the fastest and most efficient cleanup (without the possibility of recovery) of free space after encryption;
Although analysts report that Dispossessor emerged in February 2024, RADAR and DISPOSSESSOR claim to have been involved in ransomware for three years:
Stability: we have been working for 3 years, and no negative news regarding ransomware could scare and stop us, and so far we could not be caught by the FBI. If they couldn’t catch us in 3 years, they probably never will, and we will keep working.
Perhaps the three years includes the time during which they were, by their own admission, affiliates of or partners with LockBit.
RADAR and DISPOSSESSOR continue to offer sales services to other groups or affiliates that want to list data for sale, but it seems clear that they have now moved into R-a-a-S and are one more group to be concerned about.
The group is already introducing their own style on their leak site. Although it still emulates LockBit’s layout and its use of countdown clocks, instead of a few scanned images as proof of claims, RADAR and DISPOSSESSOR provide a streaming video of files. One video viewed by DataBreaches was 10 minutes long; another was 41 minutes long. In both cases, the threat actors indicated that they would release longer videos if their targets did not contact them by the time the countdown clock ran down.
As some other groups have done, RADAR and DISPOSSESSOR also include threats of regulator action or lawsuits. What none of these non-U.S. groups seem to really understand is how seldom regulators like HHS actually take action. From a probability perspective, the more likely risk is a potential class-action lawsuit that may go nowhere but will take time and money.