Radar is a crime group that emerged in September 2025, using double extortion to lock and leak victim data. Their ransomware encrypts files and adds a random eight-character extension.
Intelligence confirms Radar is a rebrand of the “Dispossessor” ransomware operation, which was active until a law enforcement takedown in August 2024. The group’s core leadership and methods have remained the same, showing a resilient adversary.
Led by an individual known as “Brain,” the group operates a Ransomware-as-a-Service (RaaS) model, providing its tools to affiliates for a share of the profits. They consistently target small-to-mid-sized businesses by exploiting weak credentials and a lack of multi-factor authentication.
Implications
The group’s rapid re-emergence as Radar after a major law enforcement takedown shows the resilience of organized cybercrime. Infrastructure-focused disruptions are often only temporary setbacks when the core leadership is not apprehended.
The Dispossessor group acted as an opportunistic predator, reposting data stolen by other defunct gangs like LockBit to build its reputation. This tactic allowed them to attract new affiliates and potentially re-extort victims with minimal effort.
The group’s focus on small-to-mid-sized businesses in sectors like transportation and finance is a calculated strategy. These organizations are ideal targets because they are sensitive to disruption but often lack robust cyber defenses.
The group’s attack methodology is a refined and effective playbook. It progresses systematically from exploiting weak credentials, through deleting shadow copies to block recovery, to removing forensic artifacts that would aid an investigation, leaving the victim with little option but to negotiate.
Attribution
The FBI and other sources confirm that Radar and Dispossessor are the same group, led by a threat actor known as “Brain”. The rebranding to Radar was a direct result of the August 2024 law enforcement disruption, a common tactic for such groups to evade scrutiny.
Summary
The group began as Dispossessor in August 2023, initially targeting U.S. businesses before expanding globally. By the time of its disruption, the FBI had identified at least 43 victims worldwide.
Operating a RaaS model under the leader “Brain,” Dispossessor’s early strategy involved mimicking the notorious LockBit ransomware gang. Its data leak site was nearly identical to LockBit’s in layout and design.
This mimicry was a calculated strategy, as Dispossessor began reposting data from former LockBit victims after that group was disrupted. This allowed them to appear highly successful, attract new affiliates, and potentially re-extort victims.
Takedown
The group’s growing notoriety led to a coordinated international law enforcement operation on August 12, 2024, which dismantled its core infrastructure. The operation was led by the FBI in collaboration with agencies in the U.K. and Germany.
The operation seized 24 servers across the U.S., U.K., and Germany, and took nine criminal domains offline. However, its long-term impact was limited because the group’s leader, “Brain,” and other core members were not apprehended.
Relaunch
The takedown proved to be only a temporary setback, a classic example of the “hydra effect” in cybercrime enforcement. With the core leadership and resources intact, the criminal organization was able to regenerate and improve its operations.
Just over a year after the takedown, in September 2025, the group re-emerged under the new name “Radar” with a new data leak site. The new operation showed clear continuity with its predecessor, immediately listing new victims and demonstrating that infrastructure takedowns without arrests are often only a temporary disruption.
Attack
The Radar/Dispossessor group uses a systematic attack chain with common but effective techniques to compromise networks and evade detection. This analysis maps their TTPs to the MITRE ATT&CK framework.
MITRE Map
Access
The group’s primary initial access method is exploiting weak passwords on remote access services such as RDP and VPN gateways that lack multi-factor authentication (MFA). This simple but effective approach has a high success rate against their target demographic of SMBs.
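The report does not say how the weak credentials are obtained, so the following assumes the most common form of this vector: password guessing or spraying against an RDP or VPN endpoint. It is an added example written for this page, not code from the report or from the group. It walks Windows Security logon events (4625 failures, 4624 successes; logon types 10 RemoteInteractive and 3 Network) and flags a source address that racks up a burst of failures and then logs on successfully. The records are constructed sample data, and the threshold, window and spray-versus-brute-force heuristic are illustrative choices rather than values from the page.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Only the fields needed from
# Windows Security events 4625 (failed logon) and 4624 (successful logon) are
# kept; logon_type 10 = RemoteInteractive (RDP), 3 = Network (VPN/SMB style).
SAMPLE_EVENTS = [
    {"time": "2025-09-10T02:00:01", "id": 4625, "user": "administrator", "src": "203.0.113.7", "logon_type": 10},
    {"time": "2025-09-10T02:00:03", "id": 4625, "user": "admin",         "src": "203.0.113.7", "logon_type": 10},
    {"time": "2025-09-10T02:00:05", "id": 4625, "user": "backup",        "src": "203.0.113.7", "logon_type": 10},
    {"time": "2025-09-10T02:00:06", "id": 4625, "user": "scanner",       "src": "203.0.113.7", "logon_type": 10},
    {"time": "2025-09-10T02:00:08", "id": 4625, "user": "jsmith",        "src": "203.0.113.7", "logon_type": 10},
    {"time": "2025-09-10T02:00:09", "id": 4625, "user": "jsmith",        "src": "203.0.113.7", "logon_type": 10},
    {"time": "2025-09-10T02:00:12", "id": 4624, "user": "jsmith",        "src": "203.0.113.7", "logon_type": 10},
    # Benign noise: a single mistyped password from an internal workstation.
    {"time": "2025-09-10T08:15:00", "id": 4625, "user": "mlee",          "src": "10.0.0.42",   "logon_type": 10},
    {"time": "2025-09-10T08:15:20", "id": 4624, "user": "mlee",          "src": "10.0.0.42",   "logon_type": 10},
]


def detect_logon_bursts(events, threshold=5, window=timedelta(minutes=5), logon_types=(10, 3)):
    """Flag each source address with at least `threshold` failed remote logons
    inside `window`, and record whether a successful logon from the same
    address followed while failures were still in the window: the footprint
    of a guessed or sprayed password landing where MFA would have stopped it.

    Returns a list of finding dicts (one per offending source)."""
    events = sorted(events, key=lambda e: e["time"])
    recent_failures = defaultdict(deque)   # src -> deque of (time, user)
    findings = {}                          # src -> finding
    for e in events:
        if e["logon_type"] not in logon_types:
            continue
        t = datetime.fromisoformat(e["time"])
        q = recent_failures[e["src"]]
        while q and t - q[0][0] > window:  # expire failures outside the window
            q.popleft()
        if e["id"] == 4625:
            q.append((t, e["user"]))
            if len(q) >= threshold:
                f = findings.setdefault(e["src"], {"src": e["src"], "failures": 0,
                                                   "users": set(), "success_user": None})
                f["failures"] = max(f["failures"], len(q))
                f["users"].update(user for _, user in q)
        elif e["id"] == 4624 and e["src"] in findings and q:
            findings[e["src"]]["success_user"] = e["user"]
    for f in findings.values():
        # Heuristic: mostly distinct usernames means a spray; repeated
        # attempts against few accounts means a brute force.
        f["kind"] = "password spray" if 2 * len(f["users"]) > f["failures"] else "brute force"
    return list(findings.values())


if __name__ == "__main__":
    for f in detect_logon_bursts(SAMPLE_EVENTS):
        print(f"{f['src']}: {f['failures']} failures ({f['kind']}), "
              f"users={sorted(f['users'])}, success_as={f['success_user']}")
```

A burst followed by a success from the same address is the case worth paging on: it is the moment a weak password has actually been found, and the account named in `success_user` is the one to disable and reset first. In a real deployment the window and threshold are tuned against the organisation’s own 4625 baseline, and the source address may need to be the VPN concentrator’s logged client IP rather than the gateway itself.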
Persistence
After gaining access, operators establish persistence by manipulating the Image File Execution Options (IFEO) registry key (T1546.012), abusing a legitimate Windows debugging feature for malicious ends.
IFEO lets a developer attach a debugger to an application: a ‘Debugger’ value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<program.exe> names a program that Windows starts instead, passing the original executable’s path and arguments to it. An adversary with administrative rights (the key lives under HKLM) points that value at their own malware, so the payload runs every time the legitimate application is launched; if the payload then starts the real program, the user sees nothing unusual.
This technique is chosen over more common autostart locations because it rides an existing system mechanism rather than adding a scheduled task or Run key entry, so tools that only enumerate the usual autostart locations miss it. The payload blends into normal system activity unless the IFEO key itself is audited.
Evasion
Radar uses a layered defense evasion strategy to frustrate both automated security tools and human analysts. This approach is critical for giving them enough time to steal data and deploy their ransomware.
A key part of their strategy is anti-analysis, where the ransomware checks if it’s running in a sandbox or being debugged. If an analysis environment is detected, the malware will shut down or change its behavior to avoid being studied.
The group also works to impair defenses by disabling or modifying security tools like antivirus on compromised systems. This allows the attackers to operate more freely without triggering security alerts.
Finally, the actors cover their tracks by deleting forensic artifacts and diagnostic logs, such as the file C:\$SysReset\Logs\Timestamp.xml. This removal of evidence makes it much harder for incident responders to investigate the attack.
Impact
The final stage of a Radar attack is designed to create a crisis for the victim and compel them to pay the ransom. This is done through a combination of data encryption, preventing recovery, and applying psychological pressure.
A critical step for the attackers is to inhibit system recovery by deleting all Volume Shadow Copies (VSS snapshots) before encrypting files. By running vssadmin.exe (for example, vssadmin delete shadows /all /quiet) to wipe these local point-in-time snapshots, they remove the victim’s quickest recovery option and increase their leverage.
The core of the attack is encrypting the victim’s data, making files inaccessible and adding a random eight-character extension. A ransom note named README_FOR_DECRYPT.txt is then left in directories with instructions for the victim.
This is combined with the leak threat: the ransom note states that data has also been stolen and will be published if the ransom isn’t paid. The group increases pressure by calling and emailing employees with proof of the data theft to create a sense of panic.
Victims
The Radar/Dispossessor group consistently targets a diverse range of industries. The most frequent victims are in transportation, construction, financial services, and hospitality.
Other impacted sectors include manufacturing, software development, education, and healthcare.
This targeting is a calculated strategy, focusing on organizations that are highly sensitive to disruption but may have weaker cyber defenses. Industries like transportation and construction rely on real-time data, making them more likely to pay a ransom to restore operations quickly.
Profile
The group’s campaigns primarily focus on victims in the United States and Europe. As Dispossessor, their reach was even broader, affecting organizations on multiple continents.
A key characteristic of their targeting is a focus on small to mid-sized businesses (SMBs). These organizations are a strategic sweet spot, as they are large enough to pay a ransom but often lack the robust security of larger corporations.
Case study
The September 2025 attack on Virginia-based engineering firm Robert G. Dashiell Jr. PE Inc. is a compelling case study of Radar’s methods and impact.
Attackers exfiltrated approximately 500 GB of the company’s most sensitive data, including internal documents, client contracts, and employee PII. The stolen information also contained financial records like bank statements and tax documents.
This precise data theft shows a sophisticated understanding of how to maximize leverage, creating threats to the company’s competitive standing and business relationships. The theft of employee PII adds another layer of pressure, creating significant legal and regulatory liabilities for the victim organization.
Known victims
The following table consolidates publicly identified victims of the Radar ransomware group since its emergence in September 2025, illustrating the group’s targeting patterns.
Defense
Based on the group’s TTPs and targeting strategy, the following recommendations can help organizations defend against this threat. These are divided into strategic considerations for leadership and tactical mitigations for security practitioners.
Strategy
Since the group’s primary access vector is weak credentials and no MFA, leadership must prioritize enforcing strong password policies and mandatory MFA. Special attention should be given to securing remote access solutions like VPNs and RDP.
Organizations should adopt an “assumed breach” strategy, as determined threat actors can return even after law enforcement action. This means prioritizing rapid response and recovery, including investing in immutable or air-gapped backup solutions.
Regular tabletop exercises simulating a ransomware attack should be conducted to validate incident response preparedness. These exercises are crucial for testing the effectiveness of response plans and decision-making processes under pressure.
Tactics
Security practitioners should implement robust access control by enforcing the principle of least privilege and using network segmentation to limit lateral movement. Access to administrative tools and credentials must be tightly controlled and monitored.
Given Radar’s use of IFEO for persistence, security teams must monitor for changes under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. EDR and SIEM solutions should alert on any creation or modification of a ‘Debugger’ value beneath that key (Sysmon Event ID 13, or Windows Security Event ID 4657 with registry object auditing enabled), especially for common system executables, and on ‘Debugger’ values that point anywhere other than a known debugger install path.
Controls that restrict shadow copy deletion (for example, application control or EDR policies that block vssadmin delete shadows and wmic shadowcopy delete unless run by an authorised backup or administration process) should be rolled out in audit mode first, then moved to block mode once legitimate backup jobs are confirmed not to trigger them. It is also critical to ensure primary data backups are immutable and stored in a location inaccessible from the production network.
Security teams should proactively hunt for Radar’s known Indicators of Compromise and behaviors mapped to the MITRE ATT&CK framework. This includes searching for evidence of VSS deletion, IFEO hijacking, and the removal of specific forensic artifacts.
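One hunting pass that ties together the behaviours the report attributes to Radar: the IFEO ‘Debugger’ value described under Persistence, the vssadmin shadow copy deletion described under Impact, and the removal of C:\$SysReset\Logs\Timestamp.xml described under Evasion. This is an added example written for this page, not the report’s or the group’s code. Field names follow Sysmon’s schema (Event ID 13 RegistryEvent value set, 1 ProcessCreate, 23 FileDelete) and the event records are constructed. The wmic, PowerShell Win32_ShadowCopy, wbadmin and wevtutil patterns, and sethc.exe as the hijacked target, are generalisations from ATT&CK T1490, T1070 and T1546.012 rather than details from the page. Sysmon only emits Event 13 for registry paths and Event 23 for file paths included in its configuration, so the IFEO key and the $SysReset directory must be in the config before these rules have any data to match.

```python
import re

# Constructed Sysmon-style records (not real telemetry). Field names follow the
# Sysmon schema: EventID 13 = RegistryEvent (value set), 1 = ProcessCreate,
# 23 = FileDelete. Paths and image names are illustrative.
IFEO_ROOT = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SAMPLE_EVENTS = [
    # Persistence: Debugger value planted for sethc.exe (target exe is an
    # illustrative choice, not one named in the report).
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": IFEO_ROOT + r"\sethc.exe\Debugger",
     "Details": r"C:\ProgramData\svchost.exe"},
    # Same key, different value: must NOT fire (not a Debugger hijack).
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": IFEO_ROOT + r"\notepad.exe\DisableExceptionChainValidation",
     "Details": "DWORD (0x00000001)"},
    # Inhibit recovery: shadow copy deletion via vssadmin and via WMI.
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet",
     "ParentImage": r"C:\Users\Public\update.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe list shadows",            # benign enumeration
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -nop -c "Get-WmiObject Win32_ShadowCopy | % { $_.Delete() }"',
     "ParentImage": r"C:\Users\Public\update.exe"},
    # Anti-forensics: log clearing and deletion of the $SysReset artifact.
    {"EventID": 1, "Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe cl Security",
     "ParentImage": r"C:\Users\Public\update.exe"},
    {"EventID": 23, "Image": r"C:\Users\Public\update.exe",
     "TargetFilename": r"C:\$SysReset\Logs\Timestamp.xml"},
    {"EventID": 23, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\mlee\Desktop\notes.txt"},  # benign
]

# Only the Debugger value under IFEO is the hijack; other IFEO values are common.
IFEO_DEBUGGER = re.compile(r"\\Image File Execution Options\\([^\\]+)\\Debugger$", re.I)
VSS_PATTERNS = [
    ("vssadmin delete shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin resize shadowstorage", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic shadowcopy delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("WMI Win32_ShadowCopy removal",
     re.compile(r"Win32_ShadowCopy.*(Delete\(\)|Remove-WmiObject|Remove-CimInstance)", re.I)),
    ("wbadmin delete catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]
LOG_CLEAR = re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)
SYSRESET_ARTIFACT = re.compile(r"\\\$SysReset\\Logs\\Timestamp\.xml$", re.I)


def hunt(events):
    """Run the three Radar-related hunts over Sysmon-style event dicts and
    return one finding dict per hit, tagged with the ATT&CK technique."""
    findings = []
    for e in events:
        eid = e.get("EventID")
        if eid == 13:
            m = IFEO_DEBUGGER.search(e.get("TargetObject", ""))
            if m:
                findings.append({"rule": "IFEO Debugger set (T1546.012)", "target": m.group(1),
                                 "detail": e.get("Details", ""), "image": e.get("Image", "")})
        elif eid == 1:
            cmd = e.get("CommandLine", "")
            for name, pat in VSS_PATTERNS:
                if pat.search(cmd):
                    findings.append({"rule": f"Shadow copy deletion: {name} (T1490)",
                                     "detail": cmd, "image": e.get("ParentImage", "")})
                    break
            if LOG_CLEAR.search(cmd):
                findings.append({"rule": "Event log cleared (T1070.001)",
                                 "detail": cmd, "image": e.get("ParentImage", "")})
        elif eid == 23:
            path = e.get("TargetFilename", "")
            if SYSRESET_ARTIFACT.search(path):
                findings.append({"rule": "Forensic artifact deleted (T1070.004)",
                                 "detail": path, "image": e.get("Image", "")})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['detail']}  <- {f['image']}")
```

The parent image on the shadow copy and log-clearing hits is the pivot: a backup agent or an administrator’s console running vssadmin is routine, while an unsigned binary in a user-writable directory doing it immediately before mass file writes is the ransomware pre-flight. The same regexes translate directly into SIEM rules; the Python is here so the logic can be checked against known-good and known-bad command lines before it is deployed.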
IoCs
The following table contains specific indicators associated with the Radar/Dispossessor operation. These can be used in security tools to detect and block related activity.
Conclusion
The Radar ransomware group, an evolution of the Dispossessor operation, is a persistent and adaptive threat, especially to small and mid-sized businesses. Its ability to quickly re-emerge after a law enforcement disruption highlights the resilience of modern cybercrime.
An analysis of their TTPs shows a methodical approach focused on stealth and disabling recovery capabilities. Their use of IFEO for persistence and the deletion of Volume Shadow Copies demonstrates a sophistication aimed at maximizing impact.
Defending against Radar requires a multi-layered strategy that includes prioritizing security hygiene like MFA and focusing on resilience through immutable backups and validated response plans. Security teams must understand the group’s specific TTPs to develop effective detection and hunting strategies.