Shweta Sharma
Senior Writer

FBI strikes down rumored LockBit reboot

News
13 Aug 2024, 3 mins
Ransomware

The FBI seized over 30 servers and domains associated with the criminal group in a joint operation.


The criminal ransomware group Dispossessor, a suspected rebrand of LockBit, has been disrupted by an international law enforcement operation, according to the FBI.

“On August 12, FBI Cleveland announced the disruption of ‘Radar/Dispossessor’ — the criminal ransomware group led by the online moniker ‘Brain’ — and the dismantling of three US servers, three United Kingdom servers, 18 German servers, eight US-based criminal domains, and one German-based criminal domain,” the FBI said.

The joint takedown, led by the FBI, was conducted in conjunction with the UK’s National Crime Agency, Bamberg Public Prosecutor’s Office, Bavarian State Criminal Police Office (BLKA), and the US Attorney’s Office for the Northern District of Ohio.

Nascent yet prominent group

With activities traceable to August 2023, the group quickly gained notoriety as a formidable threat actor and made its dark web entry in February 2024, advertising leaked data on the recently disrupted BreachForums and other leak sites.

The group, the FBI pointed out, had claimed many victims internationally, among them 43 companies from countries including Argentina, Australia, Belgium, Brazil, Honduras, India, Canada, Croatia, Peru, Poland, the UK, the United Arab Emirates, and Germany.

Radar runs a ransomware-as-a-service model, which allows the group to license out its ransomware kit to many affiliates, who then carry out attacks on various targets. The decentralized structure of this model makes it difficult for law enforcement to fully shut down its operations.

“As ransomware can have many variants, such as this case, the total number of businesses and organizations affected is yet to be determined,” the FBI added.

A LockBit reboot?

The February 2024 postings from the group immediately followed Operation Cronos, a coordinated international operation that took down the notorious LockBit group, fueling suspicions that the group might be a rebranding of the latter.

The February postings primarily consisted of a renewed availability of 330 LockBit victims. Moreover, the X account @ransomfeednews, the handle for an entity reporting on ransomware threats, recently described the group as “not ransomware, but a group of scoundrels trying to monetize (on nothing) using the claims of other groups.” Out of the 332 claims Dispossessor had at the time, the post pointed out, 328 were old ones originally made by other threat actors.

Cybersecurity threat intelligence provider SOCRadar, in its profiling of the group, said that Radar’s website had a “striking resemblance” to the now-defunct LockBit site. “The layout, color scheme, and typefaces are nearly identical, suggesting either a rebranding effort by the same operators or a new group leveraging LockBit’s infrastructure,” SOCRadar added.

If these speculations check out under scrutiny of the servers seized during the operations, the FBI might just be catching up to LockBit’s many affiliates.