Cyber Crime Junkies

Fall of a Cyber Crime Gang

Cyber Crime Junkies-David Mauro Season 2 Episode 74

Legendary Security Researcher and Author, Jon DiMaggio, of Analyst1, joins us to discuss LOCKBIT and his latest Ransomware Diaries Vol3 release and the fall of a cyber crime gang. 

Key Topics: rise and fall of a cyber crime gang, betrayal in cyber crime, fall of a cyber crime gang, take down of a cyber crime gang, when a cyber crime gang implodes, when cyber crime turns on each other, when cyber crime does not pay, when cyber crime gangs get breached, how cyber crime gangs hack each other, when cyber crime gangs hack each other, why cyber crime gangs hack each other, cyber crime gangs turn on each other, betrayal of a cyber crime gang, when notorious cyber crime gangs fail, when cyber crime gangs fail, when cyber crime gangs betray, cyber crime fails, when cyber crime fails.

Subscribe for Behind-the-Scenes and Better Content. It's FREE. @Cybercrimejunkiespodcast https://www.youtube.com/channel/UCNrU8kX3b4M8ZiQ-GW7Z1yg

Want more true cyber crime stories? Check out https://cybercrimejunkies.com

Jon DiMaggio’s latest blockbuster report Ransomware Diaries VOL 3: https://analyst1.com/ransomware-diaries-volume-3-lockbits-secrets/

VIDEO of LIVE DISCUSSION: https://www.youtube.com/live/piM5OjY6x58?si=9o3G6RlPHeb90KB5


Growth without Interruption. Get peace of mind. Stay Competitive. Get NetGain. Contact NetGain today at 844-777-6278 or reach out online at www.NETGAINIT.com

Have a Guest idea or Story for us to Cover? You can now text our Podcast Studio direct. Text direct (904) 867-4466

🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss a video episode!

Follow Us:
🔗 Website: https://cybercrimejunkies.com
📱 X/Twitter: https://x.com/CybercrimeJunky
📸 Instagram: https://www.instagram.com/cybercrimejunkies/

Want to help us out? Leave us a 5-Star review on Apple Podcast Reviews.
Listen to Our Podcast:
🎙️ Apple Podcasts: https://podcasts.apple.com/us/podcast/cyber-crime-junkies/id1633932941
🎙️ Spotify: https://open.spotify.com/show/5y4U2v51gztlenr8TJ2LJs?si=537680ec262545b3
🎙️ YouTube (FKA Google) Podcasts: http://www.youtube.com/@cybercrimejunkiespodcast

Join the Conversation: 💬 Leave your comments and questions. TEXT THE LINK ABOVE. We'd love to hear your thoughts and suggestions for future episodes!



Thank you for listening! Come watch the video episode!

Please consider subscribing to our YouTube Channel for ALL Video episodes.
It's FREE. It helps us help others.

Our YouTube Channel @Cybercrimejunkiespodcast
https://www.youtube.com/channel/UCNrU8kX3b4M8ZiQ-GW7Z1yg

Fall of a Cyber Crime Gang

[00:00:00] Come join us as we dive deeper behind the scenes of security and cybercrime today, interviewing top leaders from around the world and sharing true cybercrime stories to raise awareness. But first a huge thank you to all of our executive co-producers who subscribed to our Prime membership and fueled our growth.

So please help us keep this going by subscribing for free to our YouTube channel and downloading our episodes on Apple or Spotify podcasts so we can continue to bring you more of what matters. This is Cyber Crime Junkies. And now, the show.

Well, alright. Welcome everybody to Cyber Crime Junkies. I am your host, David Mauro, and in the studio today is my illustrious, always positive, and fantabulous co-host, according to my [00:01:00] insincere things to say to coworkers app, Mark Mosher. How are you, Mark? Oh, I'm doing wonderful, David. I'm so excited about this episode.

We, this is our, this is our guide, like this is the most interesting thing ever. Number 17 on the field, number one in your heart. Who do we got today, David? We have the Jon DiMaggio, security researcher, leadership over at Analyst1 and undercover boss. So, Jon, welcome, sir. Thank you so much for joining.

Always, always great to see you so you just released Ransomware Diaries Volume 3 in your, in your series that is going to be something bigger than, like, the Twilight series eventually. Which David had read all, all of that series. Well, yeah, I'm part of the fan club. So so a couple things, you know, you have a warning right in the beginning of your Ransomware [00:02:00] Diaries and we've, we've, we've, We talk about this every now and then, but we don't do it enough.

And that is, please don't try this stuff at home, right? Like dealing, engaging with ransomware criminals and cyber crime gangs is not a freaking joke, like it's not something to be taken lightly. There's specific training and expertise that the people that undergo those processes do and Jon, you know, walk us through kind of what reason because I read the whole thing and in your you some of this just happened this month just like a couple weeks ago, right?

So Yeah, we were down to the wire on this one. I was rewriting this parts of this days before it came out because unbelievable. So tell us hang on. Let me switch the video here real quick. Not what I wanted There we go. Let me get [00:03:00] rid of that. All right. So LockBit. From a high level, for those that might not be aware, or have heard or seen any of our prior episodes, one of the leading, notorious cyber crime gangs on the planet.

Yeah, I would say the leading, you know, based on the sheer volume, numbers, and, I don't know the way to say it, popularity in the criminal world yeah, they're definitely, out of my research of all the years, they're definitely the most notorious, I mean, at this point, they've even beat legal for being Mark and I subscribe to several things that pull things from the dark web, right?

And we just see the breaches as they happen, like during the day. And it's like LockBit, LockBit, LockBit, Clop with MOVEit. And it's like LockBit, LockBit. And then a couple of like new kids on the block. I'm like, who are you guys? You know? And then we're just like, it goes LockBit and like, so. You uncovered some really shocking things [00:04:00] and I've some of the mainstream media starting to pick up some of this, like, is, is LockBit, you know, folding?

Are they having, are they imploding? Are they having issues? There were several things that you kind of uncovered. So you want to walk us through it from a high level and then, you know, we can get into some specifics. Yeah. Yeah, sure, sure. So you know, there's, there's a lot to the story, obviously, 70 pages of research, but the, you know, the short, I guess, cliff notes to the point version of this, you know, really you know, there's been a number of problems that LockBit's had with with its operation.

And that is a problem that it was lying to not just the general public to protect its reputation, but to its direct partners. And, and I'll talk about it here in a second, but as I, as I worked through this and I began to realize these things As I reached out to some of their top affiliates and partners in getting the confirmation [00:05:00] of this and having them tell me, Hey, we're leaving the operation or we've left their operation because of it.

I was like, how does the rest of the world not know this? And I'm sure I'm not the only researcher that found it. There's got to be other people that saw it. If I did, but as far as I know, I'm the only one that's. That's talked about it or brought to the public. So in, in, in essence you know, they've been extorting people for money and they've been struggling to actually follow through with their threats of posting data.

That's the most significant finding. And think about it. They're, they're hosting a massive infrastructure on the dark web. In June of 2022, they switched up to a new ransomware called LockBit 3.0. They more than doubled in their number of affiliates and their attacks just blew up. I don't have the specific metrics on it, but they've more than doubled what they did the year before.

Let me interject one thing, just by way of background for those that might not be aware. LockBit is like the core group, right? The name of the [00:06:00] cybercrime gang is basically named after the code that they originally developed, right? It's the brand name of it. And then they themselves don't go and... hack into the, the victim's networks.

They engage these affiliates and they pay them, you know, we've talked about it in other episodes. LockBit is really a unique model because they let the affiliates, these digital mercenaries essentially go and. Go and collect the money and then cut LockBit their share and the, and the funds are extremely generous.

As you've pointed out, it's not like buy a new car or even a new house type money. This is like buy an island type money. Yeah, right, yeah. Correct. It's like buy an island type of money. You're 100% correct. And yeah, so LockBit's core gang, yeah, it's like a business operation that they run. Last time I asked, they had around 100 employees.

That does not [00:07:00] count what they call their partners, what we'll call their mercenary hackers or affiliates. And, you know, they, they pay them literally to, to go out and, and to compromise and hack organizations, steal their data, expose, you know, their, their sensitive information. And if they don't pay them, They claim that they're going to post their data and historically they've always done that, but that's kind of what I was leading to earlier is with with such a large volume you know, they've just exploded with with the amount of attacks and how much data they're stealing, and they've made such an easy to use interface where it's literally point and click.

Okay, I have the data right now. I'm gonna do it. Load it up onto the website and it's going to create a victim entry. And now a timer starts. You're the victim. When this timer hits zero, I'm going to put your data out there. And it's that simple. The thing is they've made such a strong reputation for themselves over the years now.

You know, September will be four years for them. They've made such a strong reputation that I think people just stopped actually looking to see if they could download the data or. When they did, they just assumed, Oh, [00:08:00] maybe it's like, I'm not used to using the dark web. I don't know. Maybe it's not working, but nobody realized that it's more than a prop, that it's more of a problem.

I'd started to pick up on it when well, I stalked their sites. So, I mean, I, I started to figure something was wrong, but when they, let's remember that after Jon released his last kind of expose. Oh yeah. On, on LockBit. On LockBit's dark web site. Their profile had Jon's picture there. Oh God. There's nothing that lets you sleep well at night.

Well that, yeah, that know that the most notorious crime gang out there has your picture as their, as their avatar. They do. They do. Yes. So so anyway, what I realized though is that they're not actually posting that data. In a couple months... So they, in the back end, so the public doesn't ever see this even on their leak site, nobody sees this, but if you're in the, like, with them, the way they communicate on the back [00:09:00] end, they use specific protocols and fairly uncommon, we'll call them apps, that they use to communicate on that app, it's almost like that too.

Yes. It's almost like their customer service communication methods. It's

like Slack for Chrome. Yeah, but with a lot less features. But it's the way that I come to you and I say, Hey, my decryption key's not working, I got this victim ready to pay, I'm gonna make 10 mil, I need you to help me with this, and LockBit will help them out and get it going. LockBit, you know, shut down for, for just like a day or two.

And he did that because they were doing in updates, their infrastructure. So after that update, I thought, Oh man, I was out of the middle of writing my report. I'm like, Oh man, this sucks. They fixed it. More victim data is going to get out there. But what he actually did was that it was almost like a a facade.

He made the website now look like, so instead of posting the data, it would be like pay, you know, let's say the ransom was a hundred million after it expires. Now a criminal could buy [00:10:00] it for 60,000 or the victim, but so that's like giving him an excuse to not post it, but he still said, you know, it still says all of your data is exposed, but you can't get it, can't get it.

And then in other instances, it would just say it's exposed. But the data just wasn't there still. And then there's a third scenario where they claimed that it would be exposed and then there'd be like a link to some you know, public file sharing service. Well, here's the thing. Those public file sharing services can be taken down.

And that's one of the things that these affiliates pay for is to have locks. So that they can't get caught. And so, and so that it can't get taken down. Right. And this gets to the very heart of it, doesn't it? If you can't actually deliver. On the thing you're threatening people on. Right. Your whole business model kind of goes up.

It's gone. It does. It does. And you know, not, not all affiliate hackers are equal. So these guys, they're hiring, they work for a couple different gangs. [00:11:00] Right. Some might work for clo, for for good one, some might work for Exactly. It all kind. It's project based basically. Right. Yeah, mostly they're hired guns.

Exactly. They want to get paid. They'll work for multiple gangs, but many of the top gangs, at least the ones that I actually, I communicate with them often at this point in my career from all the research that I've been doing and feel like I know them as well as somebody could know them that's on the outside.

And, you know, these guys were, they were, they were leaving there. They're like, you know, this is, I don't know. This is ridiculous. Like, I mean, it was literally like, like they were upset with the customer service. They were upset they weren't getting what they were paid for. They don't treat it like, you know, like they're criminals.

They treat it literally like this is a business they're not getting what they want. And then it just grew so fast that, that, that the customer service couldn't, couldn't keep up with the demand. And, and to make it worse, this, this Tox communication method, because it is so limited, and they [00:12:00] now have so much business, that it sometimes takes over a week to get a response, so, now, so, I mentioned they were gone for two days, well that was nothing, they came back, And, you know, but you were still waiting for like a week to come back.

So it's been a big problem. I, you know, I used the analogy in my report because it just happened to me. If you've been on the phone trying to get your something fixed with an airline and you're sitting there for hours, you are so frustrated. Now imagine that you're paying them millions of dollars. Think about that.

There's, there's 10 million or a hundred million dollars that you're. Negotiating or ransoming and you need answers and they take a week to even get back to you. Wow. Wow. Yes, yes. It's crazy. And, and then the other, I guess big thing that happened was, again, you have to really I like to use the word stalk, stalk them to know when they're gonna have dates and new updates and things like that.

Over the past year, around June, they come out with their new, their new and improved version of their product. Right. Their platform. Right? Yes. And they didn't this year, [00:13:00] but they did not this year, they missed. Instead, a few months earlier, in January, so like six months earlier in January, they I think it was January, yeah, they essentially, what they did is they took a leaked version of one of their competitors, the Conti Ransomware Gang, they took their leaked version, and they just altered it to have their note, the LockBit Ransomware note in it instead, and offered that up, calling it LockBit Green.

Here's the problem. I've had that on a VM of mine since February of 2022. This it's not new. We've, there's some signatures out there to identify it. There's lots of things. So that's fine for us as, as defenders, but when, again, but it's trouble for LockBit when bad guys are expecting to use that the one thing they did have going for them is the, the affiliates who liked working for Conti are like, okay, well, I like this malware.

I can continue to use it. But again. We've got signatures. It's not new. It can be defeated. Good for us, bad for them. But these are all things that just weren't really getting put out there. And LockBit has a strong narrative on these [00:14:00] forums and it's that everything's great business as usual on the, you know, top villain of the underworld, you know, and everybody buys it.

So I just wanted to shine some light where there hadn't been light in a long time and sort of, you know, challenge them, that LockBit, and be like, Hey, you know companies, if you're a victim, you know, really assess whether you want to pay, because you, you could roll the dice and, and you've got a good shot that they're not going to post it.

Now, I, again, that doesn't mean that they may not try to post it to one of these files sharing services, but again, you can work with law enforcement and things to take it down. Still a risk. I understand, but it's not the same level. It definitely helps. It definitely helps. those on the, on the right side of, of cybercrime.

But that's gotta, that's gotta damage their brand, right? Like, because there's certain, you know, I guess, street respect that they give, but now you're repackaging and relabeling Conti's ransomware. Yeah, here's the best part, and this really shocked me, yesterday or the day before on the forums, [00:15:00] LockBit posted, and it's funny because they call me Johnny, and they're like, Yep, Johnny was right, he got us on this, but you know what, now that he's pointed it out, we're gonna fix it.

Fortunately, it's not that easy to just fix. And I knew he was going to kind of play it that way. I don't think LockBit will go away completely, because, I mean, look at all the new ransomware gangs that stand up. It's not like it takes a lot to get it going, but to become the top dog, and running the whole thing, and making hundreds of million dollars a year...

That is potentially what could be swayed, and my real hope is that getting, shining this light, not just tells the public, but it lets criminals know, Hey, if you're gonna invest, think wisely before you join. If you don't, yeah, yeah, you could be, you know, wasting your time. And I have such a weird relationship with, with LockBit now and, and the people.

Compared to other people that have relationships with Cyber Crime Junkies. I have a real good relationship with the drafter guy at Arby's, you know, that's about as deep as I can go. Well, it was like yesterday, a [00:16:00] friend of mine who's working an IR investigation for a small company. They haven't been able to, their, their ID that you use to start negotiation on the chat log.

He couldn't get it to work. So he was like, Hey, I've never used, you know, the Tox to talk to them directly. We always, you know, use the proper channels. Can, can you get me their Tox ID? And I was like, sure. So I went to log in and sure, as I'm doing it, I couldn't believe it. Cause, cause I honestly have been feared for, that there was going to be retaliation and, and LockBit pops up and he's like, Whoa, so, so let me ask you about that.

LockBit, the name of the code, the name of the gang. Right? There's the core group, and you said that core group has about a hundred regular employees that are part of the core group, but then there's also all of the affiliates. So this is a large organization. This is a large criminal organization. This is huge.

This [00:17:00] is organized crime. Especially the way that it's, especially the way, and correct me if I'm wrong, but especially the way that it's organized in the sense that some people do this task, some people do that task, and they don't know each other. Like, that's the definition of organized crime. Correct.

Exactly what you're saying. Well, ironically, criminals got upset that I called it that and called me naive and said how dare I make those accusations. And I'm like, maybe you watch too many movies. This is my Sopranos. This is like actual organized crime. This is what it's become though. And that's exactly, this is like exactly what it is.

And it's the, one of the, the top, if not the top organization in Russia that's doing the, you know, the, these type of of, of operations. So it definitely is, is an organized criminal crime syndicate for sure. Mr. LockBit, the sub kind of yeah. When, when he shows up and says, Hey Johnny, I'm back. A couple things pop in my mind.

One, run as fast as I can down the street and call my parents. Like, I [00:18:00] don't know what to do. Two, but honestly, what so is there one? Head, because in our last, in your last research, you, you said the one managing the administrator of all this is basically who we're calling LockBit, but there was really another one you felt was also like a president and like a vice president, kind of.

Yeah, there's one core guy who, who is behind it all. And then he has, you know, just like any, any type of crime theory, he has people who've got your captains, you've got your street soldiers, you've got your affiliates. Yeah, and, and now the operation is so big with Tox. It used to be, you know, if you tried to talk, you would talk to him or one other person.

And now, you know, they're 24 seven now. So and it takes over a week for them to get back sometimes. So yeah, they've got multiple people that are, that are working that, that channel. But, but it's, I've, I've talked to them enough that it's obvious. Yeah. You can tell the [00:19:00] persona from the type of language, or the way they're speaking and what they're speaking to.

And I've talked to him enough that it's just, it's usually now, it's usually the one, the, the, the leader that I usually talk to, but sometimes it's, there's a guy who's younger there that's way more friendly but they're always professional with me. They're never shitty with me. And it shocks me. Because they do.

I see them get shitty with people. And you know, I mean, I'm, maybe it's because I'm professional with them. I, I don't know, but I prefer it that way, but it's just, it's weird for me because it's at a point now, like and I can, I can tell you guys a story if you want, but, but there was a moment where somebody that would be in the know was concerned that the leader of LockBit might've been killed and he was not.

But, but literally like, these people are gonna not like me for saying this, but I, I don't wanna see physical violence or harm happen to, to this person. They should be in jail, but I don't wanna see something horrific happen to them. So I was honestly relieved when I found out that, that, that they weren't dead.

And I know that sounds crazy because people are like, oh yeah, you know, [00:20:00] they're, they're doing these horrible things, but I, I just, I don't wanna see the person that's not, if you talk to people in federal law enforcement, they feel. Somewhat similar when they go after organized crime, right? They've kind of developed professional relationships with them in the sense that, look, there's a foul on the play.

You've got to go into the penalty box, right? You've got to do that, but I don't want to, like, hurt the person necessarily, right? Like, I'm not trying to, like, physically harm the person. I don't wish that on them. You just want them to play by the rules. Come work for come work, like, take a huge pay cut, but come work for the right side, you know?

I think, I think the leader of LockBit, it's past that. But you know, I want to see him in the past.

You know what are some of the reasons these guys don't come to justice? And I'm only asking that, I know the, I think I know the answer, but I want to ask based [00:21:00] on your experience. Yeah, well, so honestly my answer is different than what it would have been a month ago. So a month ago, I would have told you, you know, it's, and it, this is still part of it.

You know, I would send it, it's. It's the money, it's the, the street cred, it's the, you know, being infamous and known throughout the world and the allure to it. But honestly, what I've, I've really been trying to understand more, and I've got a long way to go, but sort of the, the culture there, and you know, I was talking to somebody who is in the legal system and represents people involved in, in ransomware crimes.

And one of the things he pointed out to me was, a lot of the people, if you look, are really young. And the reason they get into this is because they come from parts of the world where they don't have any opportunity. Their families and themselves are even threatened at times. And this is a no brainer for them.

And I really hadn't looked at it that way. So to answer your question, some of them, it, it, It's the path that [00:22:00] makes the most sense for them and their situations. The last, the last Ransomware Diaries, Volume 2, where you heard his story and the reason why he got into it, because when his mom was in the hospital and things like that, there was no other way to pay for the medical care, right?

Because of the part of the world that they're living in. Correct. Yes. That is correct. And you know, it's like this kid that got arrested I think it was in Arizona you know. who, who was working for LockBit and, and, you know, he came from, from Eastern Europe. That's where he's from, but he just got arrested here.

But the point being, he was 17 when he started working for him and I was pretty hard on him in the report. But in reality, like I hope that person learns, like he's going to, he's going to get another chance. He's young enough. He's going to have a second chance and I really hope that things change for him and he takes a different path.

But, but, but again, I didn't quite look at the reason why I'm like, why would they do this? So stupid, but. You know, I have a whole different life than we have a whole different life. [00:23:00] It doesn't make it okay. I'm just saying I'm less judgmental about the, about it now. It's absolutely wrong, but I'm gonna, I, it can be wrong and I can come after you and want to get you arrested and chase you without judging you, I guess is what I'm saying.

Yeah, and I it is the, when they do leak the data, if they can get their infrastructure fixed, if they actually do leak the data. You know, the harm that comes when it's medical records and it's private things that are, you know, sacred to people and they get, and they get released and, you know, that stuff can be used to, you know, harass and torment people for years to come.

The financial records, right? It can, it can be used for identity theft and, you know, identity theft and things like that have been shown to lead to suicidal ideation, depression, a whole, it's causing a lot of harm. It's not just data, right? It's not just a bunch of Excel spreadsheets with data. Like, it's not just that.

It [00:24:00] actually is, is really harming a lot of people. So let's not ever lose track of that, but some of the people and the reasons, clearly justifiable if you think about it, right? So let me ask you, was, was were they breached, do you think? Was LockBit breached? Or were they taken down? What do you think happened?

Don't... Can I say that part of the story? Cause that's super interesting and it just happens. Yeah, so it was, I was at I was at Black Hat. Just a couple weeks ago. In DEF CON which, yeah, a couple weeks ago. And while I was there right before I left, I had made a, a social media post, which. In hindsight, it may not have been the smartest thing I've done.

It was a joke. I took LockBit's data leak site, took a screenshot of it, I made a counter to match when my report was gonna come out, and I basically, oh, and I made LockBit it from LockBit 3.0 to LockBit 3.0, and I put my face on it as the bad guy, and I made them the [00:25:00] victim entry. And I said, give me 10 million or I'm unleashing all of your secrets on whatever it was, August 15th And it was, I mean, it was a joke.

I thought it was very obvious. The, unfortunately, at the same time that I did that, someone actually hacked or tried to hack LockBit. So at the same time I did that, LockBit actually disappeared on Tox. They went offline and they were gone. Yeah, they were gone for, it was like 10, 12 days, something like that.

They were just gone. And that has not ever happened since they've been in existence. One or two days was the longest we'd seen before. So this was huge. And so these, you know, affiliates who I have relationships with started reaching out to me and they're like, are you, did you really hack our infrastructure?

Are you, are you de-anonymizing us? And do you, are you going to release our identities? And first off, I, even if I could do that, I would never release our identities. Oh, dox at all. No. I mean, like, look, law enforcement right, knows who these [00:26:00] players are to the extent that they do. There's not, it's not like that's, you know, that, that, that could lead to physical harm, of course.

Yeah. Right. It's not, it's not your personality. I'm not out there publicly and embarrass people. Like that's, that's not what I'm about. Whether you're a criminal or whoever. It's just not how I handle things. But anyway, I'm not a hacker either.

I didn't think I could do that, but, you know, I haven't hacked in probably, you know, 15 years that was legally for a job when I used to do that, but anyway I'm like, you know, I don't have that kind of skill set. I couldn't do it, but the, here's what the problem though is, is multiple people coming to me that, that are.

Senior level people. And I realized it's not just me. I thought LockBit just blocked me. I didn't realize no one could talk to him. And that's when I realized, Oh my goodness, like this is a lot bigger than I thought. So it looks like I was extorting them and their infrastructure went down. And then was this your post?

Yes. [00:27:00] I just wanted to share that with everybody. So this is, this is this is Jon's post. Check that out. Let me zoom in for everybody. And you can kind of see, what all did you say? You said LockBit, you have until the 15th of August to pay 10 million. And then right after that was when Yes, the right after that is when they disappeared.

I started getting people asking me you know, if I had actually hacked them and I was like, Oh, this is what happened. Like, this is, like I said, it was supposed to be a joke. Wow.

Was it a DDoS attack? Was it just infrastructure, the hosting side? So, the next day, I got a message from somebody that I don't know, and they showed me a screenshot from a private report from a cyber [00:28:00] security company who I'm not going to name, just because it's not my business to name them. And in that report there was a picture of the admin panel. The admin panel is not something that many people know about; only affiliates, people close in, really know about it.

I mean, I'm sure there are some other researchers that have figured it out like me, but what I'm saying is 95% of the ransomware population doesn't know it unless you're working for LockBit. So I knew that this legitimized the report: the fact that they had the right Tor link, the URL, the onion link, and they had a screenshot of the panel, and then where you log in, it said, "but do we really have to?", indicating that they'd found a way to bypass it.

And there was other information that was then given to me that LockBit, the leaders, the main crew of LockBit, had found some code on their infrastructure that shouldn't be there. And so I can't reach out and tell them it's not me, because everything's down, the comms are down.

So. [00:29:00] Yeah, and I was sweating it. I was already having other security-related concerns at the conference, and yeah, I mean, this is the life that I live. I'm not complaining, but I'm just trying to explain so you can see, like, a day in my life. Yeah, that was definitely stressful.

But you know, that's why I've always tried to be professional and establish a relationship even with bad guys, because I think that's probably what saved my ass, that people believed me. Yeah. The reason the bad guys believed me is that I did have that relationship, and I guess they came to realize that it was not actually me.

And I'm not going to lie, I told them. I mean, I knew the report was coming out in a couple of days, so I told them, I'm like, look, somebody hacked you, but it wasn't me. But before I did anything with communicating that to them, the first thing I did, before I said anything about that, was reach out to law enforcement to make sure I wasn't going to be intercepting some operation or something.

And if that's not done, it wouldn't be a great point. Yeah, I didn't even think about that. That could have been a takedown through law enforcement, through an offensive [00:30:00] means, right? I learned the hard way many years ago to make sure I didn't get conflicts and stuff out publicly. That's not fun when they show up.

Yeah, you don't want them mad at you too. No, we're on the same side, right? We're not trying to... just don't let us muck it up. That's what we're trying to do. So, let me ask you, have you heard from Bassterlord? Did you get any sense from him? I thought there was some mention in your recent report.

Because he was the subject of, like, the human side of ransomware. He was an affiliate. You understood the human reasons why he was drawn to this life of crime. And at the end of that, we kind of left it with, it looked like he was thinking of getting out of it or not, who knows. But now that LockBit was having these struggles, have you communicated with him?

What's his feedback? So I [00:31:00] communicate with him fairly regularly, maybe once a week, once every other week; we'll have a chat here and there. If I need information about non-LockBit stuff, sometimes I'll ask him, because he's connected with the National Hazard Agency, which works for a bunch of different hacking crews, ransomware crews.

So yeah, I'll talk to him and ask him about things. When this stuff was going on, I definitely reached out and asked him. And he, just like many of the other ones, thought that I was behind it. And of course I assured him that I wasn't.

But yeah, he definitely thought that I had done it also, which again just shocked me. Mm-hmm. I couldn't believe that people believed it. It makes sense, the post. I appreciate you thinking so highly of my skill set, but this was probably beyond what I could do. Meanwhile, my email crashed.

So you have a [00:32:00] picture in your Ransomware Diaries Volume 3 of this tattooed young lad who's got, like, snakeskin pants on and stuff, and that's the FBI's Newark, New Jersey field office saying that they've been very busy. Was that the one, the gentleman that got indicted, the former LockBit affiliate?

He is indicted and he is a former affiliate, but that's not the one I was referring to earlier. Boris is a lot smarter than the other gentleman I was talking about. Boris, his name really is not Boris, his real last name is... And he hasn't been caught, correct? Right. He has not been caught, no.

There's a ten million dollar reward for him. Ten million dollars on your head. Well, that's why he's got the snakeskin pants and the full arm tattoo. Right. I've talked to him, not as frequently as Bassterlord, but still once every couple of weeks. Does he work for [00:33:00] other organizations too, like LockBit and Conti or Clop or whatever?

He did. He doesn't now. So that's what I wanted to know, what he was doing. He was behind a lot of the big groups; he was one of the guys behind the Washington D.C. ransom that took place a couple of years back and some other big ones, but he's connected to a bunch of gangs.

But LockBit was one of the core ones that he worked for, and so that was one of the things I wanted to know, since I talk to him fairly regularly. I asked him, I'm like, hey man, are you still working ransoms now that you've got so much action? Are you still doing that? And he said no, he's taking a break.

And his version of a break is he's now looking at developing zero-day exploits. He didn't say this part, I'm saying this: I'm sure he's going to sell those to ransomware. Of course. But yeah, when I talked to him, he was working on a new vulnerability for Microsoft SharePoint that he was trying to polish off.

But he also, and I didn't put this in my report, I wouldn't share this except he [00:34:00] put it out there publicly. So yeah, he's doing well, he's getting married, things like that. So he's not feeling the heat from this indictment; if anything, his street credibility... That doesn't mean he shouldn't be indicted.

The FBI has got to do what they've got to do. But the fact is, it keeps him from traveling to the West, I guess. Right? It does. It does. He's not coming to play at Daffodil County any time soon, to share his new SharePoint exploits. Yeah, so, wow. Lots of things to discuss. So, can I ask you, separate from your Ransomware Diaries?

The MOVEit exploit has been all over, right? And with the Clop ransomware gang, which traditionally operates kind of like LockBit, right? But now they haven't really been launching ransomware. They took advantage of that zero-day exploit for this [00:35:00] file transfer program that it seemed like everybody in the world was using at the time. And they're just going to pure extortion. They're just going in, stealing data and then leaking it. And apparently their infrastructure works, because it's constantly being leaked. What's your take on that? I mean, how common is it? It seems to be growing.

Every week, it seems. It's something we've been following from the beginning, because my fear right off the bat was this is going to be like another SolarWinds. And it seems like it's growing and growing and growing. There's more and more of it. Yeah. Well, here's the thing. The zero-day is the most effective when people don't know about it or there's not a patch. I was talking with some other analysts and we kind of had this common idea, theory: what really happened here is they used that and they got into all these companies, but as soon as they got in, they created additional backdoors.

So by the time all these companies are hearing about it, and they're [00:36:00] patching it, they think they're clean, and they're not, and that's why we keep seeing so many victims rolling in. It doesn't matter if you patch it, right? They still have the backdoors. Yeah. Right. And that also allows them to control the amount of data they have to host at one time, the negotiations they have to do at one time.

It's a controlled release, as opposed to how LockBit went last year when they ramped up their program and had this huge boom that's causing them all these problems. So there are ransomware groups, not a lot of them, but a couple of them, doing it a little bit differently.

Interesting. Interesting. So what's next for LockBit, in your opinion? I mean, when I first read this, it reminded me of REvil and how they kind of got too big. They might've done something wrong with the Russian government, the FSB or something. And then they got taken down in this big visual display.

[00:37:00] Or did they, right? What happens next now for LockBit?

You know, here's the thing. LockBit's going to do everything humanly possible to fix their program. I don't know why they just don't go away. They've made so much money. I honestly can't figure it out, but they're not going to go away. They've made that very clear to me.

They're not going to go away. They're addicted to it. They enjoy the day-in, day-out part of it. Right. What I think will happen, I think that they'll continue to have problems. I think that over the next year we're going to see it start to really... We've already seen some of the impacts.

They're booming again right now, but we've already seen some of the impacts. And I think that their business will slow down, and as it slows down, their problems will also start to get better because of the less data. And there's new kids on the block that are coming up; eventually somebody's going to become more [00:38:00] popular and LockBit will go down in the numbers, but they'll still make lots of money and it'll still be a pain.

But I hope that they completely fold and that happens. The only reason I can't go out on a limb and say that's going to happen is because these guys are just so dedicated. They're as dedicated to running their program as I am to chasing them. I mean, they love what they do.

It's strange, but they do. And so I don't see them just folding, but all these problems, they have all these issues. One of the things somebody said to me was, hey, whether I agree with it or not, they said, you were part of making them go offline for like nine days.

And while the lights were on, nobody was home. So while their websites were up and the automation was still working, there was nobody home. No people, right. That doesn't happen often. So, if you could do it, others can do it. Law enforcement can do it. Governments can do it.

So I do think eventually that the more of [00:39:00] these types of things happen, the more opportunity there is for mistakes and for interception to get in, and the more paranoid these groups are going to get. So I do think that there's going to be windows for law enforcement to do things, and I do think there's a possibility that LockBit will go down over the next year, which is why I made the cover that I did.

We're definitely seeing cracks. It's whether or not they can fix them before things fall apart. And I'm not a fortune teller, so I can't say that. But what I do know is they've known about these problems for a while and they haven't been able to fix them. That's good for us. I just can't help but think it sounds like grasping at straws with the repackaging of Conti's code.

That sounds like a desperate move, right? I don't know. Well, oh, that's the other thing I forgot to mention. At least as of January, February, they were trying to steal payloads from their competition. They want their affiliate hackers to use multiple [00:40:00] ransomware variants to encrypt victim data.

So that way, if the FBI gets one key, they're stuck and have to pay a ransom. So that would be bad for us. Fortunately, it's bad for other ransomware gangs too, who are not just going to lay down and let that happen. But he's trying, and LockBit is very capable. We should never underestimate that organization.

So he's trying; hopefully it doesn't happen. But yeah, he doesn't have a developer. He doesn't have new ransomware that I'm aware of. Eventually I've got to imagine that's going to change, but think about it. How many experienced ransomware developers are out there? I don't think MIT or Stanford has a program for that.

So, I think your point, it's almost one of those things, the closer you get to the target, the more blurry it is, right? As you're talking about them getting panicky, and Mark pointed out them [00:41:00] repackaging a competitor's code and all that.

It's almost like during those moments of panic, they could burn the wrong bridge and cross the line like REvil did. Right? Potentially. Yeah. Definitely. It's definitely a possibility. And the reason that there's an even higher probability of that is something I realized during this round of research: LockBit made a statement, he's like, I watch my affiliates by watching the news.

He's like, why do I have to follow them when... So what that tells me is, even though he says in the rules on their page, don't attack, and they recently updated them to be really specific, not to attack X, Y, and Z type of industry or critical infrastructure,

the point is that there's not a means to prevent it. He has to see it after the fact. So all it takes is one of these guys being dumb enough to go in and attack critical infrastructure that makes [00:42:00] that sort of an impact, like we saw with REvil and critical infrastructure.

And I know that the LockBit platform will check languages and things. Right. But they don't know everywhere that Russia has interests. Right. And so they could go after and hit something that could be damaging to the motherland and then get themselves in trouble. Interesting. Interesting.

So you first came about with a huge splash years ago with REvil, with your investigation there. And people have asked me, whatever happened to those gentlemen? Well, that's actually one of the top contenders for what my next research might be, because I have a lot of inside information on that as well.

Yeah. I know a little bit of it, but what's that? You've got to share something. I'll give the end [00:43:00] result, because the interesting part of that research is going to be showing the inside information that proves it. But the REvil that we saw in their heyday, the core leaders of REvil that made all those things happen, are gone.

They're not arrested. They're just gone, and they've gone off into the sunset. There are people that are part of the gang that were arrested, but they were not the core players. And so they actually sold the REvil ransomware to an affiliate crew who tried to repackage it for a while as though they were REvil, but they didn't do a good job of it. They didn't have the same tactics, the same TTPs, the same human behaviors, anything. They just went about doing things differently. And again, I'm minimizing it because I've got some good stuff on that to blow that open. But the end result is that that's actually a different group. Those are affiliates.

And now the guys that were arrested, those are the people that you see now, it's been in the news, that are working and [00:44:00] supporting Russia in the war against Ukraine. And that's why you see REvil ransomware being used. That's what I was asking, because we saw those images of them in court, in the Russian court.

And I'm like, okay, well, their court system isn't what our court system is. Now you work for Russia. Yeah. Right. Yeah, they do; those guys were part of that crew, it's just that they were not the... I imagine the pay is a little different. Yes, probably a lot less. Yeah, the pay is you get to live.

Right, right. I would take that over being in prison. Absolutely, any day. Any day. So Jon, as always, thank you so much. Yeah, this is so good. You are welcome here anytime. And I vote for the follow-up on REvil. Yes, yes. REvil for your next one. Unless I wasn't sure about the end. Oh [00:45:00] yeah, that's good to know.

Of course, you know there's LockBit 4.0 that comes out, right? I feel like I'm getting a little too close to the sun at this point, I think. Right? Maybe LockBit, Clop and Conti join forces like a... Oh, yeah. Yeah. That's good stuff. Yeah. Well, thank you so much. Everybody will have links to the Ransomware Diaries Volume 3 in the show notes.

And if you haven't got it... I just realized my background's blurred. But if you don't have Jon's book, it's The Art of Cyberwarfare. It was one of the best. It's so good, Jon. Part of it is technical, and then part of it is, if anybody's ever studied political science or international relations or anything like that, you lay it all out, all the players, you understand it. It's a great framework [00:46:00] when you hear the news; you're like, oh, I know what role these guys are playing in all of this, because so many of these things, there's a story behind the story. It's not just about the data that gets stolen, right? There's espionage or something else that is tied to this. There's a longer play. Yes, and most of my career, I actually did espionage, not ransomware.

And so I wrote that book. There's lots of things I was part of that I just can't talk about, but the knowledge and information that I was able to share, I did. And so I just wanted to tell good stories and sort of teach, you know, cool spy stories, and get people wanting to get into the industry.

So yeah, I appreciate that. Yeah, absolutely. We will have links to the book, as always, in our show notes. And we will talk to you soon. We promise you we will be talking to you soon. I've been on your show more than any show I've done, and I do a lot. You're ready for your own co-host [00:47:00] position.

Well, that's great. On the crawler below. Right, right. If somebody's sick, give me a shout, I'll fill in. If Mauro doesn't show... I'm just kidding, Mauro. You're always welcome. But no, absolutely. Jon, thank you so much. We're very humbled and grateful for you to be here. My friend, it was good to see you again. Thanks, everybody. Reach out to Jon on LinkedIn and through Analyst1 as well. Oh yeah, no, I read all your stuff on Twitter.

It's always good stuff. That's usually where you go head to head and make some of these bold claims. And then the Twitter feed becomes some content for later. So it's a great point. Yeah. So, all right, everybody. Thanks for listening. Thanks for watching. We appreciate it. Thanks, Jon. Thanks.

Thanks for having me.

Well, that wraps this up. Thanks for joining, everybody. [00:48:00] Hope you got value out of digging deeper behind the scenes of security and cyber crime today. Please don't forget to help keep this going by subscribing free to our YouTube channel, Cyber Crime Junkies Podcast, and downloading and enjoying all of our past episodes on Apple and Spotify podcasts, so we can continue to bring you more of what matters.

This is Cyber Crime Junkies and we thank you for joining us.
