Carding Forum
Innovative approaches to ransomware take hackers to new heights.
In April, a security researcher named Jim Walter from SentinelOne published an article about how some ransomware partners started teaming up to get paid if they were cheated by previous partners.
The most famous recent case involved the ALPHV group, which allegedly received a $22 million ransom from Change Healthcare and disappeared with the money without paying a share to the partner who had extracted the data. With no money and no data, the partner turned to RansomHub to try to force Change Healthcare to pay for deletion of the data.
A similar situation occurred with Long Island Plastic Surgery (LIPSG). The ALPHV group allegedly received a reduced ransom from the victim, and the partner who carried out the data theft did not receive any money from either the victim or ALPHV. As a result, the partner, who called himself RADAR, tried to collect payment from LIPSG again, without success, and then leaked the data on Leaked Data, the leak site owned by the hacker DISPOSESSOR.
DISPOSESSOR appeared in February 2024, when it announced on the BreachForums forum the availability of data from 330 LockBit victims. Analysts then said that DISPOSESSOR is not a ransomware group, but only resells previously stolen data, including leaks from Clop, Hunters International, 8Base and Snatch. In May, it became clear that DISPOSESSOR follows a Ransomware-as-a-Service (RaaS) model similar to LockBit, but is actually a data broker, not a ransomware group.
In June of this year, a user named RADAR posted an ad on BreachForums about hiring pentesters, and DISPOSESSOR vouched for it. From about this point on, both hackers were reclassified as full-fledged ransomware gangs.
DISPOSESSOR's leak site is still called "Leaked Data", but in contact with DataBreaches for an interview, its operators introduced themselves as the "RADAR and DISPOSESSOR" team. In the conversation, the cybercriminals explained that both groups are now involved in the same attacks, exchange tools and methods, and share profits.
This week, Leaked Data added two new victims from the US healthcare sector: Delhi Hospital in Louisiana and Aire Dental in New York. These incidents have not previously been reported by other groups.
The Leaked Data site includes detailed rules for partners and describes the features that RADAR and DISPOSESSOR provide, including generating builds with different settings, two different encryptors for Windows, the ability to edit process and exception lists, and fast and efficient wiping of free space after encryption.
Despite their brief public activity, RADAR and DISPOSESSOR hackers claim three years of experience, noting that during this time they were not caught by the FBI. The team continues to offer its services to other groups or partners who want to put data up for sale, and the fact that they have switched to the RaaS model, becoming another group operating on this principle, is of concern to experts.
On their leak site, RADAR and DISPOSESSOR follow their own style of pre-publishing data. Instead of screenshots of stolen information, the hackers attach short videos to the leak page that clearly show the directories of stolen data. If the victims do not contact the criminals before the countdown expires, the hackers release a longer video in which all the leaked data can be seen in detail.
Like some other groups, RADAR and DISPOSESSOR also threaten their victims with regulatory or legal action, although in practice the likelihood that they follow through is low due to the anonymity of such malicious actors.
Source