DISPOSSESSOR And RADAR Ransomware Emerging With RaaS Model

Ransomware affiliates are forming alliances to recoup losses from unreliable partners. A prominent example involves ALPHV extorting $22 million from Change Healthcare but withholding funds from its data exfiltration affiliate. 

To remedy this, the affiliate has reportedly partnered with RansomHub to demand additional payment from Change Healthcare for data deletion, showcasing a new tactic in the evolving ransomware ecosystem where affiliates are safeguarding their interests through collaboration and secondary extortion attempts. 

A recent cyberattack on Long Island Plastic Surgery (LIPSG) highlights a common extortion tactic. Following data theft by an affiliate, the main threat actor, ALPHV, demanded a smaller ransom from the victim, but neither party paid the affiliate who had stolen the data. 

Unable to secure payment from LIPSG, the affiliate, claiming to be the RADAR locker group, publicly leaked the stolen data on the Dispossessor leak site, demonstrating a secondary extortion attempt when initial revenue streams fail. 

Dispossessor, a newly emerged cybercrime group, has been active since February 2024.

Despite initial claims of being a ransomware group following its March leak of data from 330 Lockbit victims, subsequent analysis indicates Dispossessor is primarily a data reseller, repurposing stolen data from other ransomware groups such as Clop, Hunters International, 8Base, and Snatch. 

The group operating similarly to LockBit has been misclassified as a ransomware group. Instead of deploying ransomware, Dispossessor acts as a data broker, redistributing stolen data from other, often defunct, ransomware groups. 

The decentralized RaaS model, which facilitates this opportunistic behavior, presents difficulties for law enforcement and highlights the evolving strategies used by cybercriminal organizations. 

SOCRadar observed a potential precursor to Dispossessor’s ransomware operations in December 2023 when a BreachForums user associated with the group sought to recruit OSCP redteamers. 

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access

This behavior, along with later job postings for penetration testers with specific technical skills and the fact that the user linked to Dispossessor praised one recruiter, strongly suggests that the group was actively hiring malicious cyberworkers and is about to switch to a ransomware-as-a-service model. 

Two distinct cybercrime groups, RADAR and DISPOSSESSOR, have formed a collaborative partnership, pooling resources and expertise. 

Both groups specialize in red teaming, leveraging shared tools, methodologies, and access to conduct joint attacks for financial gain.

Their online presence, including GitHub content and interviews, exhibits potential AI manipulation, complicating attribution and analysis efforts. 

RADAR and DISPOSSESSOR, a newly emerged Ransomware-as-a-Service (RaaS) group with a three-year operational history, has targeted two US healthcare organizations by offering sophisticated ransomware tools with customizable encryption options, data exfiltration capabilities, and aggressive leak site tactics, including streaming video proof of data theft. 

According to Data Breaches, despite threats of regulatory action, the group’s primary leverage remains data extortion, posing a significant risk to targeted organizations. 

Download Free Cybersecurity Planning Checklist for SME Leaders (PDF) – Free Download