Dark Web Profile: Dispossessor Ransomware – SOCRadar® Cyber Intelligence Inc.

Dispossessor surfaced in the ransomware landscape after global law enforcement seized LockBit's domains (Operation Cronos) and mirrors LockBit's branding and leak-site structure. It functions mainly as a data broker under an RaaS-like model, re-publishing data originally leaked by other groups, and operates through a sprawling affiliate network. #Dispossessor #LockBit #BreachForums #XSS #RaaS #StealBit #ChangeHealthcare #OperationCronos

Keypoints

  • Dispossessor imitates LockBit's branding and leak-site structure, appearing after the enforcement actions against LockBit.
  • It acts mainly as a data broker, re-publishing leaks originally obtained by other ransomware groups rather than deploying ransomware of its own.
  • It runs an RaaS-like affiliate model, spreading activity across many targets through affiliates rather than through its own intrusions.
  • It launched on the dark web in February 2024, announcing data leaks on BreachForums and XSS (per SentinelOne).
  • The affiliate program is open to newcomers and requires a 1 Bitcoin deposit; the affiliate toolkit includes a Tor-hosted admin panel, secure communication channels, and the StealBit stealer.
  • The victim catalog lists about 300 company names across 17 pages, many of them previously claimed by LockBit, Cl0p, or Snatch; the group is also recruiting red teamers to expand its capabilities.
  • Mitigation is the standard ransomware defence set: offline backups, user training, patching, network segmentation, access control, email and web filtering, endpoint protection, incident response planning, regular audits, and backup restore testing.

MITRE Techniques

  • [T1583] Acquire Infrastructure – The Tor-hosted admin panel and affiliate channels are infrastructure the group stands up to run its RaaS-like operation. ‘Dispossessor follows the Ransomware-as-a-Service (RaaS) model, similar to LockBit. This approach allows RaaS groups to distribute ransomware through affiliates, who then execute attacks on various targets.’
  • [T1090] Proxy – The admin panel is reachable only over the Tor network, which hides the operators' real hosting from affiliates and investigators. ‘an admin panel on the Tor network’.
  • [T1041] Exfiltration Over C2 Channel – The StealBit stealer in the affiliate toolkit is used to exfiltrate victim data before it is published on the leak site. ‘StealBit stealer, which enables the theft of valuable data.’

Indicators of Compromise

  • [Tool/Software] StealBit stealer – data-theft tool included in the Dispossessor affiliate toolkit; the profile names the tool but lists no hashes or samples. ‘StealBit stealer, which enables the theft of valuable data.’
  • [Infrastructure] Tor-based admin panel – affiliates administer their operations through a panel hosted on the Tor network; no onion address is given in the profile. ‘admin panel on the Tor network’.

Read more: https://socradar.io/dark-web-profile-dispossessor-ransomware/