
Com TW NOw News 2024

FBI Shuts Down Servers of Dispossessor Ransomware Group in US, UK, Germany

The US Federal Bureau of Investigation (FBI) announced on Monday that the online infrastructure of an emerging ransomware group called Dispossessor (also known as Radar) has been disrupted.

The effort saw the takedown of three US servers, three UK servers, 18 German servers, eight US criminal domains, and one German criminal domain. Dispossessor is said to be run by one or more individuals known online as “Brain.”

“Since its inception in August 2023, Radar/Dispossessor has quickly evolved into a globally impactful ransomware group that targets and attacks small to medium-sized businesses and organizations in the manufacturing, development, education, healthcare, financial services, and transportation sectors,” the FBI said in a statement.

As many as 43 companies have been identified as victims of Dispossessor attacks, including companies in Argentina, Australia, Belgium, Brazil, Canada, Croatia, Germany, Honduras, India, Peru, Poland, the UAE, the UK and the US.

Dispossessor first emerged in August 2023 as a ransomware-as-a-service (RaaS) group that followed the same dual-extortion model pioneered by other e-crime gangs. Such attacks work by exfiltrating victim data to demand ransom payments, in addition to encrypting their systems. Victims who refuse to comply are threatened with data exposure.


Attack chains mounted by the group have been observed to use systems with security flaws or weak passwords as an entry point to compromise targets, then gain elevated access rights to lock their data behind encryption barriers.

“Once the business was compromised, they did not contact the criminal party. The group then proactively contacted others within the business, either via email or phone,” the FBI said.

“The emails also contained links to video platforms on which the previously stolen files had been presented. This was always with the aim of increasing the blackmail pressure and increasing the willingness to pay.”

Earlier reports from cybersecurity firm SentinelOne indicated that the Dispossessor group was offering already-leaked data for sale. The company added that the group “is apparently republishing data previously linked to other activities, such as Cl0p, Hunters International and 8Base.”

The frequency of such takedowns is yet another indication that law enforcement agencies around the world are ramping up their efforts to combat the ongoing ransomware threat. At the same time, threat actors are looking for ways to innovate and thrive in the ever-changing landscape.

This includes an increase in attacks being carried out via contractors and service providers, underscoring how cybercriminals are using trusted relationships as a weapon to their advantage. “This approach enables large-scale attacks with less effort, and often goes undetected until data breaches or encrypted data are discovered.”

Palo Alto Networks Unit 42 data from breach sites shows that the industries most affected by ransomware in the first half of 2024 were manufacturing (16.4%), healthcare (9.6%), and construction (9.4%).

The most targeted countries during this period included the US, Canada, the UK, Germany, Italy, France, Spain, Brazil, Australia and Belgium.

“Newly disclosed vulnerabilities primarily drove ransomware activity as attackers sought to exploit these opportunities quickly,” the company said. “Threat actors frequently target vulnerabilities to gain access to victim networks, escalate privileges, and move laterally throughout breached environments.”


One notable trend is the emergence of new (or revamped) ransomware groups, which accounted for 21 of the 68 unique groups posting extortion attempts, and the increasing focus on smaller organizations, Rapid7 said.

“There could be several reasons for this, the most important of which is that these smaller organizations hold much of the same data that threat actors are after, but they often have less sophisticated security measures in place,” the report said.

Another important aspect is the professionalization of RaaS business models. Ransomware groups are not only more sophisticated, they are also increasingly scaling up their activities to look like legitimate business enterprises.

“They have their own marketplaces, they sell their own products, and in some cases they have 24/7 support,” Rapid7 pointed out. “They also seem to be creating an ecosystem of collaboration and consolidation in the types of ransomware they deploy.”
