Dispossessor Ransomware

Rebranding: Dispossessor could be a full rebrand of LockBit, with core members attempting to evade law enforcement and continue operations under a new name.

Infrastructure Reuse: The group might be leveraging LockBit's existing infrastructure (servers, code, etc.) that was not fully seized during the takedown.

Affiliate Exodus: Dispossessor may consist primarily of former LockBit affiliates who were left without a platform after the takedown and sought a new avenue to monetize their skills.

Opportunistic Data Brokerage: A crucial distinction is that Dispossessor doesn't appear to develop or deploy its own ransomware. Instead, it primarily acts as a data broker, publishing and selling data stolen by other ransomware groups, including defunct operations. This suggests an opportunistic approach, capitalizing on the chaos in the ransomware ecosystem. It has been observed reposting data previously associated with other operations such as Cl0p, Hunters International, and 8Base.

Ransomware-as-a-Service (RaaS) Model Utilization: Although Dispossessor's core business is data brokerage, their platform's structure and communications indicate they utilize the outputs of RaaS operations.

Affiliate Program: The group actively recruits "red teamers" (penetration testers) on hacking forums. They offer affiliates access to a Tor-based admin panel, secure communication, automatic decryption tools, and the StealBit stealer for data exfiltration. The platform supports Windows, ESXi, and multiple Linux distributions.

Affiliate Rules and Requirements: Dispossessor enforces strict guidelines for affiliates, emphasizing operational security. These include prohibitions on sharing panel access, requirements to fulfill pre-payment agreements, and mandates to exfiltrate valuable data. They claim to prohibit attacks on critical infrastructure (nuclear, medical where data loss leads to death), a common but often disregarded claim among ransomware groups.

Deposit Requirement: New affiliates are required to deposit 1 Bitcoin, purportedly to deter novices, law enforcement, journalists, and competitors.

Initial Access: Common entry points include exploiting vulnerabilities in publicly exposed systems, phishing campaigns with malicious attachments or links, and compromised credentials (often obtained through brute-force attacks or purchased on the dark web).

Lateral Movement: Once inside a network, attackers move laterally to gain access to more valuable systems and data. This often involves exploiting internal vulnerabilities, leveraging compromised credentials, or using tools like Cobalt Strike.

Data Exfiltration: Before encryption, data is stolen. This "double extortion" tactic increases pressure on victims to pay, as the attackers threaten to release the sensitive data publicly. StealBit is a common tool for this purpose.

Encryption: Files are encrypted, rendering them inaccessible to the victim. The specific encryption algorithms used can vary depending on the ransomware strain employed by the affiliates providing data to Dispossessor.

Dual Extortion: Contacting victims by email or phone and showing proof of data that was exfiltrated to pressure victims into paying.

Small-to-Mid Sized Businesses (SMBs): SMBs are common targets, likely due to often having less robust security postures compared to larger enterprises.

Diverse Industries: Dispossessor's victims span a wide range of sectors, including production, development, education, healthcare, financial services, and transportation. This indicates that they are not highly specialized in their targeting.

Global Reach: The group has impacted organizations in numerous countries, including Argentina, Australia, Belgium, Brazil, Canada, Croatia, Germany, Honduras, India, Peru, Poland, the U.A.E., the U.K., and the U.S. This demonstrates a wide geographical scope.

LockBit-related Attacks: Given the strong evidence suggesting a connection to LockBit, many of the initial victims listed on Dispossessor's site were likely victims of LockBit's extensive campaigns before its takedown. LockBit targeted a wide range of industries globally.

Cl0p-Related Data: Dispossessor's reposting of data associated with Cl0p, Hunters International, and 8base indicates that the effects of the earlier widespread attack campaigns can still be seen.

Ongoing Threat: Even though they don't deploy their ransomware, the monetization of stolen data fuels the ransomware ecosystem, incentivizing further attacks by other groups. To effectively respond to cyber incidents, having a well-defined cyber incident response plan is essential.

Regular Data Backup: Implement a robust backup and recovery strategy, including offline backups, to ensure data can be restored in the event of an encryption attack. Regularly test backups to ensure their integrity.

Security Awareness Training: Educate users about the risks of phishing, social engineering, and malicious websites. Conduct regular training sessions and simulations to improve user awareness.

Patch and Update Management: Keep all software and systems up-to-date with the latest security patches. Vulnerability exploitation is a common entry point for ransomware.

Network Segmentation: Divide the network into segments to limit the lateral movement of attackers in the event of a breach.

Access Control: Implement the principle of least privilege, granting users only the access they need to perform their jobs. Use multi-factor authentication (MFA) wherever possible.

Email and Web Security: Deploy robust email security gateways to filter out phishing emails and malicious attachments. Use web filtering to block access to known malicious websites.

Endpoint Protection: Install and maintain comprehensive endpoint security solutions, including antivirus, intrusion detection systems (IDS), and endpoint detection and response (EDR) tools.

Incident Response Plan: Develop and regularly test an incident response plan specifically tailored to ransomware attacks. This plan should outline steps for containment, eradication, recovery, and communication.

Regular Security Audits: Conduct regular security audits and penetration testing to identify and address vulnerabilities.

Threat Intelligence: Utilize up-to-date threat intelligence to monitor emerging threats and attack vectors.

FBI Report: Reach out to the Internet Crime Complaint Center (IC3) if you're a victim or have any information. To detect suspicious events, consider implementing user and event behavioral analytics.

Ransomware Payments Drop 35% in 2024 as Law Enforcement Disrupts Cybercrime

Israeli Court to Hear Extradition Case for LockBit Ransomware Developer

FTC Cracks Down on Major Data Brokers Banned from Selling Sensitive Location Data

AI-Driven Ransomware FunkSec Targets 85 Victims in December 2024

SafePay Ransomware Breaches Microlise, Steals 1.2 TB of Data