The Rise of RADAR and DISPOSSESSOR: A New Ransomware-as-a-Service
In April, a security researcher named Jim Walter from SentinelOne published an article detailing how some ransomware affiliates have begun collaborating to secure payment if deceived by previous partners.
The most notable recent incident involved the ALPHV group, which allegedly received a $22 million ransom from Change Healthcare and absconded with the money, leaving the data-exfiltrating affiliate unpaid. Left without funds and possessing the data, the affiliate turned to RansomHub to pressure Change Healthcare into paying for data deletion.
A similar situation occurred with Long Island Plastic Surgery (LIPSG). ALPHV allegedly received a reduced ransom from the victim, and the data-stealing affiliate received no compensation from either the victim or ALPHV. Consequently, the affiliate, identifying as RADAR, attempted unsuccessfully to obtain payment from LIPSG, ultimately leaking the data on the site Leaked Data, operated by the hacker DISPOSSESSOR.
DISPOSSESSOR emerged in February 2024, announcing on BreachForums the possession of data from 330 Lockbit victims. Analysts indicated that DISPOSSESSOR was not a ransomware group but a reseller of previously stolen data, including leaks from Clop, Hunters International, 8Base, and Snatch. By May, it became clear that DISPOSSESSOR followed a Ransomware-as-a-Service (RaaS) model akin to LockBit, functioning as a data broker rather than a ransomware group.
In June, RADAR posted a hiring announcement for pentesters on BreachForums, vouched for by DISPOSSESSOR. Around this time, both hackers transitioned into full-fledged ransomware gangs.
DISPOSSESSOR’s leak site remains named “Leaked Data,” yet when approached by DataBreaches for an interview, they presented themselves as the “RADAR and DISPOSSESSOR” team. In the conversation, the cybercriminals explained that both groups now participate in the same attacks, share tools and methods, and split the profits.
This week, Leaked Data added two new victims from the US healthcare sector: Delhi Hospital in Louisiana and Aire Dental in New York. These incidents had not been reported by other groups.
The Leaked Data site includes detailed rules for affiliates and describes the features provided by RADAR and DISPOSSESSOR, including build generation with various configurations, two distinct Windows encryptors, process and exclusion list editing capabilities, and rapid, efficient free space wiping after encryption.
Despite their brief public activity, RADAR and DISPOSSESSOR claim three years of operational experience, noting they have not been apprehended by the FBI. The team continues to offer its services to other groups or affiliates wishing to market stolen data, and their shift to a RaaS model, becoming yet another group operating on this principle, raises concerns among experts.
On their leak site, RADAR and DISPOSSESSOR maintain their style of pre-publishing data. Instead of screenshots of stolen information, they attach short videos to the leaked page, visually showcasing directories of the stolen data. If victims do not contact the criminals before the countdown expires, the hackers release a longer video detailing all the leaked data.
Like some other groups, RADAR and DISPOSSESSOR also threaten their victims with regulatory actions or lawsuits, although the likelihood of such threats being carried out is minimal due to the anonymity of these malicious actors.