Operator dossier

Dispossessor is a ransomware operator no longer publishing new disclosures. Darkfield has indexed 344 public victims claimed by this operator between April 19, 2024 and August 11, 2024. Dispossessor is a recently emerged ransomware group that began operations in April 2024, primarily motivated by financial gain through extortion campaigns targeting organizations across multiple sectors. The group's country of origin and potential affiliations with other ransomware operations remain unclear based on publicly available intelligence, and there is insufficient documented evidence to confirm whether they operate as a Ransomware-as-a-Service model or as an independent entity. Given the group's recent emergence, detailed technical analysis of their attack methodology, specific initial access vectors, encryption techniques, and data exfiltration practices have not been extensively documented by major cybersecurity firms or law enforcement agencies, though their targeting patterns suggest they employ typical ransomware deployment strategies against business services, healthcare, technology, financial services, and manufacturing sectors. The group has reportedly compromised 344 victims since their emergence, with primary targeting focus on organizations in the United States, Canada, France, the United Kingdom, and India, indicating a preference for English-speaking and Western European targets. As of current reporting, Dispossessor appears to remain active with no documented law enforcement disruption actions or confirmed rebranding activities, though the limited timeframe since their emergence in April 2024 means their operational longevity and persistence remain to be determined.

How we know this. Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog — we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.

Inactive ransomware operator

← All groups

Dispossessor

344 victims indexed · first seen 2 years ago · last activity 2 years ago

344

Victims indexed

#27 of 348 tracked operators

Active period

Apr 2024 → Aug 2024

Countries hit

top United States · 66

At a glance

Status: inactive
First seen: 2 years ago
Last activity: 2 years ago
Onion sites: 5 known endpoints
Primary sector: Business Services · 82 hits

About

Dispossessor is a recently emerged ransomware group that began operations in April 2024, primarily motivated by financial gain through extortion campaigns targeting organizations across multiple sectors. The group's country of origin and potential affiliations with other ransomware operations remain unclear based on publicly available intelligence, and there is insufficient documented evidence to confirm whether they operate as a Ransomware-as-a-Service model or as an independent entity. Given the group's recent emergence, detailed technical analysis of their attack methodology, specific initial access vectors, encryption techniques, and data exfiltration practices have not been extensively documented by major cybersecurity firms or law enforcement agencies, though their targeting patterns suggest they employ typical ransomware deployment strategies against business services, healthcare, technology, financial services, and manufacturing sectors. The group has reportedly compromised 344 victims since their emergence, with primary targeting focus on organizations in the United States, Canada, France, the United Kingdom, and India, indicating a preference for English-speaking and Western European targets. As of current reporting, Dispossessor appears to remain active with no documented law enforcement disruption actions or confirmed rebranding activities, though the limited timeframe since their emergence in April 2024 means their operational longevity and persistence remain to be determined.

References

5 links

External sources curated by the MISP threat-intel community.

Timeline

4 months

2024-04-01T00:00:00+00:002024-08-01T00:00:00+00:00

Top countries

🇺🇸 United States

🇨🇦 Canada

🇫🇷 France

🇮🇳 India

🇬🇧 United Kingdom

🇹🇼 Taiwan

🇶🇦 QA

🇳🇦 NA

United States dossier →Canada dossier →France dossier →India dossier →

Top sectors

Business Services

Healthcare

Technology

Financial

Manufacturing

Not Found

Government

Hospitality and Tourism

Business Services dossier →Healthcare dossier →Technology dossier →Financial dossier →

MITRE ATT&CK

5 techniques · 4 tactics

Tactics

Initial AccessExecutionDefense EvasionImpact

Techniques

T1566Phishing
T1190Exploit Public-Facing Application
T1204User Execution
T1027Obfuscated Files or Information
T1486Data Encrypted for Impact

Recent victims

Loading…

Onion infrastructure

5 known

http://disposessor.com
http://e27z5kd2rjsern2gpgukhcioysqlfquxgf7rxpvcwepxl4lfc736piyd.onion
http://e27z5kd2rjsern2gpgukhcioysqlfquxgf7rxpvcwepxl4lfc736piyd.onion/
http://e27z5kd2rjsern2gpgukhcioysqlfquxgf7rxpvcwepxl4lfc736piyd.onion/back/getallblogs?search=&page=1
http://radar.ltd

Source

Updated 2 years ago

Data on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.