Cyber Crime Junkies

Crime Stories Exposing Cyber Criminals

February 26, 2024 Season 4 Episode 26
Show Notes Transcript

Top security researcher Jon DiMaggio of Analyst 1 joins us to discuss his recent findings in Ransomware Diaries Vol. 4.

https://analyst1.com/ransomware-diaries-volume-4/#Significant_Findings

Discussing how to expose cyber criminals, how he exposed RansomedVC, how they caused a class action suit based on fake facts, and updates on LockBit.


D Mauro (00:01.243)
All right, well, welcome everybody to Cyber Crime Junkies. I'm your host David Mauro. In the studio today is security researcher, it's like cybersecurity royalty in the house, Jon DiMaggio, who works with Analyst One and recently published Ransomware Diaries 4, that's also known as

Ransomware Diaries 4. Very cool. And, Jon, we're really excited. Welcome to the studio. Welcome back, my friend.

Jon DiMaggio (00:34.722)
it is.

Jon DiMaggio (00:39.842)
Thank you, thanks for having me again, man. It's always good to talk to you.

D Mauro (00:44.059)
So things have been going well at work. Things are good.

Jon DiMaggio (00:48.066)
Things have been going well. We've been so busy. It's been crazy. It's... Yeah.

D Mauro (00:51.131)
Cybercrime is up. Cybercrime is up. Things are like... cyber criminals are still out there.

Jon DiMaggio (00:56.61)
Yeah, I'm waiting for when we have a season so I can take a vacation.

D Mauro (00:58.715)
Yeah, it's really not a fad, is it?

Jon DiMaggio (01:03.298)
And unfortunately, it's not. It's been crazy, man. I barely took off any time during the holidays. It was nuts. I think I took off Christmas and New Year's Eve, Christmas Day and New Year's Eve. Besides that, I was working seven days a week since before Thanksgiving. So I'm glad to have that thing done and out so I can actually take a breath and relax for a minute. But until the next thing, right?

D Mauro (01:08.699)
I know.

D Mauro (01:27.675)
Yeah, so for listeners who don't know you, Jon, you worked in the government previously in the intelligence community. And that's all we're going to say. Otherwise, you'd have to kill me. And then, I mean, I didn't know what he did. I just stood across his house with a telescope and a box of donuts. All I could figure out is...

Jon DiMaggio (01:45.154)
That's right.

Jon DiMaggio (01:54.306)
That was you?

D Mauro (01:55.451)
Yeah, that was me until you gave me that little, like, oh, you know, that cease and desist thing. Don't pull me, you know. No, I'm just teasing. And then you've been in the private sector for a while doing a lot of research. And his work has involved undercover work in the past as well. Actually going on the dark web or going through Telegram channels, et cetera, and speaking with.

Jon DiMaggio (02:01.218)
I separate.

D Mauro (02:25.645)
cyber criminals, and now he's developed professional elements of communication with them, which allows Jon exclusive access to certain aspects of the criminal element, which is fascinating to people like us. Because, you know, how can you defend against a foe you don't know, which I believe is a phrase we coined on the last episode. I believe it was, oh, oh,

Jon DiMaggio (02:53.186)
copyrighted.

D Mauro (02:55.323)
Like, I think I need to get a t-shirt that says that. So, Jon's prior work was disclosing and investigating the LockBit ransomware gang to the point, and to the amusement of the LockBit gang, where they, on the dark web, you know, they all have their own website, their own channel, and they had Jon's avatar

Jon DiMaggio (02:58.594)
you do your pen.

D Mauro (03:24.677)
on there as their avatar. So I wanted to ask you, in our prior episodes, you can check those out on YouTube or on Apple Podcasts, Spotify podcasts. Just look under LockBit or Jon DiMaggio. They're all in there. We could have links to it in the show notes here. But I recently saw that LockBit in the

Maybe we set the context first, but LockBit was threatening to do harm to one of their former hackers who had a dispute over payment or something.

Jon DiMaggio (04:07.586)
Yeah, well, so with that they tried to dox them, and yeah, they didn't specifically say that they were going to harm them. They insinuated it, but they didn't actually say it. But yeah, it got pretty crazy. It got pretty crazy. Yeah.

D Mauro (04:19.323)
It could have just been tough talk, right? Yeah, it could have just been tough talk. But can you explain to the listeners, so cybercrime is such a big business that when, you know, you have the cyber criminal groups, like think of organized crime, you have Don Carleone, you have like the heads of the families, right? The heads of the groups, and then they have all these other actors working for them, and they're contractors, essentially. Is that a fair assessment?

Jon DiMaggio (04:47.298)
Yeah, that is a fair assessment. And so it's exactly that. They are not like employees. They work with them and share profits. Exactly.

D Mauro (04:56.155)
There's no pension fund off like PTO policies. Paternity leave, things like that. You want to be a digital mercenary, we don't give you a paternity leave or a 401. 1099, man. Okay. And then if there's a dispute about like, hey, I got this money. Oh, you got more. You didn't like, let me ask you this.

Jon DiMaggio (05:00.962)
No benefits, yeah. No paid vacation, yeah.

Jon DiMaggio (05:09.314)
Right. It's all 1099 work.

D Mauro (05:24.571)
What are some of the disputes over? Like, isn't there just one pot of money or like Lockbit does things differently. They let the attackers kind of fund, like hold on to some of that money. So are there, how do their disputes arise in the first place?

Jon DiMaggio (05:41.314)
Yeah, well, there's a great example which just happened last week, but essentially LockBit does let his affiliates control the money. However, there's other elements, access brokers and other elements that have resources that they provide where they do rely on getting paid. It was about a week, week and a half ago. An access broker provided access to a network that LockBit and their affiliates

utilized to extort a victim, and they didn't agree upfront on payment, and this person got upset. So what they can do, and what they did do, is on these forums, on the Russian hacking forums, you can basically go file a complaint and it goes into this arbitration process where both parties have to submit evidence, whether they're technical logs or chat logs or whatever it might be, to support their claim. And then the administrator is supposed to be an

unbiased party that reviews it all and makes a judgment. Once that judgment's made, whoever he awards that to, the other party has to pay them whatever the dispute was about. They don't pay, they get banned from the forums, and that's what just happened to LockBit. So my picture's no longer there. They got canceled basically off of both the two top hacking forums. Something I didn't know, we just put a blog out today on this, me and Anastasia wrote it for Analyst One.

We put it out today. But basically what happens, yes, they go through this arbitration process. You pay or you don't pay. If you refuse to pay and you've lost the arbitration, you get banned. If you get banned on one forum though, other Russian forums, hacking forums, take note and follow suit with that judgment. So LockBit got kicked off of multiple forums and is pretty upset about it.

D Mauro (07:30.203)
Wow. So let's unpack what you just said real quick. And then I want to get into Ransomware Diaries 4. What you just explained is there's basically a judicial system or an arbitration system, right? Like an independent arbitration where, when there's financial disputes, they both agree that this third party will make a decision and they will be bound by that. Otherwise there will be consequences.

Jon DiMaggio (07:31.49)
and we'll see you next time.

Jon DiMaggio (07:58.978)
That is correct, yes. And in this instance, because LockBit didn't pay, they...

D Mauro (08:02.779)
So even criminals have this. It's very similar to organized crime, even that, right? Because they still, like even the organized crime families, when we think of the mafia and the... Yeah, they all have the cartel, they all have the actual council where the heads of all the families meet and they decide certain rules. So the same thing here.

Jon DiMaggio (08:14.562)
sit down.

Jon DiMaggio (08:25.634)
Yeah, it's a similar concept. Yeah, it's similar to that. And you would think, to me, I'm like, okay, who cares? You get kicked off the forum, go create another account or whatever it might be. But it takes a long time to build up these reputations and they have different ranks on the forums. And because LockBit didn't pay, they now have this big banner across his profile that just says Ripper, which is basically like...

saying they're a scammer, they cheat people out of money. It's a really low insult in the hacking community and that's why LockBit is so upset.

D Mauro (09:00.091)
So LockBit, where their former page was, they have a big banner over it that's, and I'll find an image of it. Hopefully I could throw this up by the time this airs. Yeah, and it says Ripper, R-I-P-P-E-R.

Jon DiMaggio (09:08.93)
Yeah, I can share it with you, but that's no problem.

Yeah, well, it's in Russian, but yeah.

D Mauro (09:16.251)
Well, yeah, AI and deep fake, we could just redo this whole episode in Russian. And then we're already redoing our episodes in various languages because we're apparently very big in Cambodia right now, as well as the Netherlands. So I may move, just be treated like royalty. I may just actually be like, oh, yeah, that's our podcast. So.

Jon DiMaggio (09:18.338)
I'm going to go ahead and close the video.

Jon DiMaggio (09:23.618)
Alright.

Jon DiMaggio (09:35.622)
Interesting. Right.

D Mauro (09:45.179)
Tell me, what was the impetus for Ransomware Diaries 4? Like, this is about a ransomware-as-a-service gang, or at least one that purported to be one, and you uncovered a whole bunch of stuff. Like, you kept unraveling this gang, and I kept reading it, and I'm like, oh, these guys are just getting hit left and right. So...

Jon DiMaggio (10:02.53)
Thanks.

D Mauro (10:12.443)
Tell us about the story. Who is it about? Where do these cyber criminals live? What's their name? Walk us through.

Jon DiMaggio (10:19.842)
Yeah, so when I finished the Ransomware Diaries 3, I was looking on the forums, just seeing what LockBit and other parties were saying about it. And one of the posts was from an account that I hadn't seen before. It had just been created, and in their signature it said, owner and creator of RansomedVC, who at the time, in late August, I hadn't heard of. And they had just started a couple of weeks earlier. So as time went on, I kept hearing their name.

D Mauro (10:39.643)
Right. Yeah.

Jon DiMaggio (10:48.322)
and I kept reading about them and so I started looking into it. And yeah, it was interesting. So as I found stuff, I decided I would try to do an engagement. So since I already knew they were familiar with my work, I just reached out to them as myself and said, hey, let's talk. And we did.

D Mauro (11:08.187)
Well, that's great. And I want to I'm going to show an image here. Future me, put the image up like over here where I'm pointing, hopefully. Otherwise, I'll just look like an idiot pointing up in the air. I see people on YouTube do that all the time. We're like, hey, fine here and here. And then I don't see the images. I'm like, you didn't you didn't connect to future you when you did. You have an image there of the coolest like pop.

Jon DiMaggio (11:30.082)
Great.

D Mauro (11:36.379)
doll or something. Did you create that using AI or what?

Jon DiMaggio (11:40.8)
And Anastasia, the other analyst that I worked with, she created. I tried and I did a miserable job and then in like an hour she did it. But yeah, she made it.

D Mauro (11:48.731)
I mean, she really does have skills. And frankly, I can't believe we haven't had her on the show. We need to bring her on, if you'll permit. But man, that doll or that image is like, like people already want to like they want orders placed for it.

Jon DiMaggio (11:58.338)
Yeah, last.

Jon DiMaggio (12:07.394)
No, I've been asked if we're going to make a bobblehead version to sell.

D Mauro (12:10.329)
You need to. Yeah.

Jon DiMaggio (12:12.738)
It's really laugh merchandise. That's a whole new level, but I don't think we're going to do that. But yeah, I have had people request.

D Mauro (12:19.803)
Well, it is pretty creepy looking. So, Ransomed Exposed, the story of RansomedVC. So, where is this, like, where is the gang located? I mean, are they...

Jon DiMaggio (12:21.642)
Yeah.

Jon DiMaggio (12:34.434)
Yeah, so when I reached out, one of the things that was different about this research is they spoke really good English. So instead of having just a few engagements, I talked to them regularly for several months. But going back to that, they do at least write in Russian. I've never spoke to them in Russian, so I don't know. But yeah, they're the main guys from Bulgaria, not Russia. And I actually didn't come across anybody.

in it that was Russian that I know of. Not that I talked to everybody, I only talked to four of them, but then none of them were Russian and they were in different parts. But the guy who runs it, yeah, he says he's in Bulgaria, I believe that he is in Bulgaria. There's been doxes on him, not by me, by other people. It looks like that's legit. And there was some other evidence of that.

D Mauro (13:06.425)
Okay.

D Mauro (13:24.699)
And so their system, yeah, and their system looks like it was taken down. Was it a law enforcement sting?

Jon DiMaggio (13:33.218)
No, it's actually, the site's actually back up, but what happened is they actually took their own site down because another group had gotten arrested that they had ties to. They didn't exactly explain it all up front, but I figured out in my research this other ransomware group, Ragnar Locker, had been taken down. But at the time, they just put, hey, six guys associated with us got arrested,

we're shutting it down, and they pretended to shut down, they just rebranded. But the point is that it wasn't an actual arrest of anybody in their group. And that's why everybody that looked for it was like, okay, well this guy's just making things up, because there were no RansomedVC arrests. The guy who runs it, created it, used to have some association with Ragnar.

He didn't work for them, but he did some work with them. And yeah, so they got arrested, I guess it spooked him, and yeah, he took off for a bit, but the site's back up now. And he changes his name like every two weeks, so I don't even know what to call him anymore. I call him Ransom Support because that's how I knew him, and prior to that his name was Impotent, of all things. Yes, yeah, he used to run a different program before RansomedVC; he ran a forum that

D Mauro (14:52.283)
Really?

Jon DiMaggio (14:59.074)
called Exposed VC. So yeah, it's a.

D Mauro (15:02.363)
Ah. And yeah, because, and I'll put some images up here where, you have RansomedVC is now Res, Resdofic, Resnetopic or something like that coming from Telegram. And so apparently he changes that quite a bit.

Jon DiMaggio (15:16.034)
Yes. Yeah, he just took...

Jon DiMaggio (15:22.178)
Yeah, lately he just told me he's about to change things up again. I don't know if that means he's going to change the name of the operation or what, but he told me to get my pen ready because he's getting ready to change things up. I'm like, man, my hand hurts too much from all this writing.

D Mauro (15:36.155)
Yeah. So what is the story with them? What were your findings? What did you find about it?

Jon DiMaggio (15:43.17)
Yeah, so basically they weren't a traditional ransomware gang like LockBit or BlackCat or those types of operations where you have affiliates that share a percentage. Instead, what he did is he hired people that were younger with less experience that couldn't, his words, make the cut with some of the more known gangs. And he would just pay them a salary, which he claimed was between $2,500 and $5,000.

But based on the people that I talked to, they either got very little or they didn't get paid at all. So, yeah, so that's been an issue and that's one of the reasons, you know, the only people they screw over more than their victims are other criminals. There's a lot of criminals and they have a lot of enemies. But yeah, so they would actually have data. Sometimes they would do attacks. Often they would...

D Mauro (16:17.347)
Yeah.

Jon DiMaggio (16:37.25)
obtain the data by stealing data from other criminals and or buying it. But that goes back to their origin story where when they ran a forum before, think about it, running a forum is really smart if you're a cyber criminal because you have all these criminals that are doing business on there and you have access to the server that has all the logs, all the conversations, all the connections, everything else on it. So you get a lot of data on other criminals.

They can use it to blackmail them. They could do web injects. They can do a lot of things to get information and take advantage. And I think that was just part of their long-term scheme to make money. Like I said, it's just the thing where they don't care if you're a criminal or a legit company. It doesn't matter. If they can benefit from it, they will. And so that's, again, that's why they have a lot of enemies.

D Mauro (17:33.819)
So, okay. So.

Jon DiMaggio (17:34.26)
Thank you.

D Mauro (17:38.075)
So this group, were they affiliated with BreachForums, with the main forum, or did they create a site that mimicked BreachForums?

Jon DiMaggio (17:47.264)
Yes, that's -

Jon DiMaggio (17:52.066)
Yeah, so they were kind of in this massive war with BreachForums and some of the other prominent hacking forums. After RaidForums, which was sort of the original and what's now kind of a cookie cutter theme, they were the original. And when Raid went away, a number of sites came up to try to take its place. Breach was one of them. Xposed was one of them. There were three or four black forums. But...

The problem with it is that, just like with Raid, the FBI and Europol kept arresting the people who owned it and taking the site down, which is why it's so shocking that these guys kept standing stuff up. I would not want to be a forum owner after seeing multiple iterations of this happen where people are getting arrested, but they do.

D Mauro (18:42.491)
They kept doing it. And so then what is their affiliation with LockBit? Because there's several of these forums. Are these some of the same forums that LockBit is banned from now?

Jon DiMaggio (18:44.258)
They kept doing it.

Jon DiMaggio (18:51.842)
Arts. Yeah.

Jon DiMaggio (19:00.45)
No. So where he had an account, the guy Ransom Support that owns RansomedVC, he had an account on one of the two main Russian underground hacking forums, which are XSS and Exploit. So XSS is the main one where these guys spend most of their time. And that is where Ransom Support created an account under a different name and made the comments on the LockBit thread on the Ransomware Diaries.

But he was only on there for a few days because they banned him, because he started talking all this ransomware stuff and writing in English, and those are two... That's a quick way to get kicked off. You're an English speaking person and you're talking about ransomware. They have a ransomware ban, but it's very selectively enforced, which is one of the reasons that with the whole LockBit thing he got so ticked. But anyway, they did enforce it with RansomedVC. But again, that's probably because he was writing in English and that's kind of, you know, just a...

big red flag to look like you're law enforcement or somebody else when you're on those forums. So, but those forums are Russian. The ones like Breach and Raid, they're, you know, most of those are predominantly English speaking. There are other languages spoken, but they're predominantly English speaking. And they're more hacking forums outside of the Russian culture. So that's the big difference between XSS, Exploit, versus the rest of them.

So when Raid went away, also the other forums are more clearnet forums. You can get to them from the internet or from the dark web, which is true with the Russian ones too, but Breach and all that stuff has primarily been accessed on the regular internet. So Breach has gone up and down several times. There's been seizures, there's been arrests and new owners. There's an iteration of it right now as we speak that exists and it's fairly popular.

Exposed went away, dark forums is still there, but they all look visually the same. They're literally built and designed off the same templates as RaidForums. They look like RaidForums. Some of them even have the same categories and subcategories and things of that nature. What's that? Sorry, try again.

D Mauro (21:10.587)
So what does that, so what is that? Like if they're all looking the same, does that, what's the significance of that to you?

Jon DiMaggio (21:18.178)
Yeah.

Well, because they wanted to capture the user base from RaidForums, obviously one of the best ways to do that is make people feel like home, make it look exactly the same, and then hope that it is populated with similar content and you get some of the same people from it. That's exactly what they did, and that's why they all look the same. But even with some of the... With RansomedVC, when they stood that up after Exposed VC went away,

the first four days, it was a forum too. And I guess they either changed their mind or they realized that people were going to figure out that they were associated with Exposed VC, so they changed it to a ransomware-themed website after that. Later, they did stand up a separate forum outside of ransoms.vc that remained a data leak site, and they did stand up a ransom forum called Ransomed. And the main difference is with...

with those forums, Exposed and with Ransomed, is that they have ransomware categories where you can talk, you can have threads, you can have those conversations, you can sell services and you don't get banned. So that's one of the big differences from the Russian forums.

D Mauro (22:33.147)
So let's set some context for some listeners and viewers that may not live in the dark web, right? These forums, they're accessible on the dark web, meaning you download the Tor browser, you use Tails, you use a separate computer, and you get on the dark web through the Onion router, right? And they are forums. In the forums, they're essentially almost like a...

Jon DiMaggio (22:57.154)
Yes.

D Mauro (23:03.835)
Facebook like for them, isn't it? Like where you can have, well, it's more, it's got more features than that, but you're able to, well, what would you compare it to that regular, normal people that don't go to the dark web could relate it to? What is a forum like?

Jon DiMaggio (23:22.786)
I think it would be a good example.

D Mauro (23:24.251)
Load documents to it, store documents, create a copy.

Jon DiMaggio (23:26.594)
Yeah, so it's not like Facebook, but it is, they are more like taking a step back in time, like historical, you know, forums with threads. I would say more like Reddit than Facebook, but I don't have a one-for-one comparison, but it's like Reddit in the aspect that you have, you know, like...

D Mauro (23:33.089)
Reddit?

D Mauro (23:40.667)
Yeah.

D Mauro (23:45.563)
Or maybe a MySpace almost.

Jon DiMaggio (23:48.354)
Yeah, well, but with those you can have pages and stuff. So that's kind of the difference is they have topics and you create threads under these topics. So yeah, I think probably Reddit would be a closer analogy. But yeah.

D Mauro (23:52.187)
Right.

D Mauro (23:59.035)
And on there a lot of cyber criminals gather and what do they exchange? What type of stuff do they exchange?

Jon DiMaggio (24:07.488)
Oh, man. So everything from selling or giving away leaked data, selling access, so you have access brokers there, malware developers can sell malware on there, exploits vulnerabilities are sold. You can do things like if you want to hire someone to DDoS a website, you can do those services. They have this service where you have a middle, it's called a middleman service. So let's say I wanted to...

to take down a DDoS on a site, there is a middleman that handles everything so that if somebody, so that the two parties that are involved aren't, they remain anonymous, they aren't easily exposed, only the middleman is, so you can take it.

D Mauro (24:50.651)
Should one of them be caught by law enforcement from some country, right? They wouldn't be able to rat on the other.

Jon DiMaggio (24:59.842)
Correct, yes. The two parties wouldn't know one another. That's correct.

D Mauro (25:04.091)
That's organized crime. Right? That's what it's all about.

Jon DiMaggio (25:05.6)
Right.

The problem is though, with some of these administrators, like with Exposed VC, the criminals got upset because they claimed that he would take their money and not always do the service. So there's always that risk, you know.

D Mauro (25:22.267)
Well, yeah, and there's not necessarily honor among thieves. And then if they have an issue, then they go to these tribunals, these arbitraries, right? And try and get their money back. And these...

Jon DiMaggio (25:25.794)
Seriously.

Jon DiMaggio (25:35.426)
On the Russian forums, not on the English speaking non-Russian forums like the ones I just mentioned, so not Raid, Breached or Exposed, those types of forums don't have arbitration. That's on the Russian forums, but they have that and it's very structured, organized. The other forums are not.

D Mauro (25:53.403)
Okay, and what is the significance of the Russian speaking forums and the English speaking forums?

Jon DiMaggio (25:59.016)
Russian speaking forums have been around for over 20 years now, or around 20 years now. There's a co-culture and community there. It's very different. There is... Until I really got into this, I didn't really understand the Russian culture, not that I claim to be an expert by any means, but I understand a lot more than I did back before I started getting into ransomware. It's just...

D Mauro (26:05.083)
Very well.

Jon DiMaggio (26:25.314)
It's hard to explain, it's just more of a camaraderie type of atmosphere where a lot of these people interact and know each other and have known each other because the forum's been around for so long that it's just relationships are built whereas these other, the English speaking forums that I've been referring to, they come and go, there's no camaraderie, everybody's stabbing each other in the back. Not that that can't happen on the Russian forums, but...

It's, you just have less of that camaraderie. There isn't that same structure, and there's definitely not an authority at the top like there is in the Russian forums that sort of holds the balance of power to keep things in sync.

D Mauro (27:05.083)
And the Russian forums are the ones that have that system of justice, essentially, right? The people's court, okay. The cyber people, the cyber criminals' court.

Jon DiMaggio (27:12.386)
The People's Court, yep.

Jon DiMaggio (27:18.274)
I'm calling it that. They don't call it that; that's what I call it.

D Mauro (27:20.539)
No, I don't know what they call it. Are the Russian forums accessible through Telegram or is it all through the dark web?

Jon DiMaggio (27:31.074)
So it's mainly through the dark web. They do have some clear net access, but obviously if you're a criminal, you're not going to use the clear net access. So they do have clear net access, and I guess you could use that, but yeah, it is predominantly accessed. The difference, I guess, would be with the English speaking ones, their main access is the clear net version, so the traditional internet, and then as a mirror, as a backup, they have dark web.

The Russians are opposite. They have their dark web as the primary and sometimes they'll have a clear net that is like a secondary as a mirror. And that's the case.

D Mauro (28:05.243)
Interesting. And when you say clear net, you mean accessible through Telegram and other allegedly encrypted networks. Right.

Jon DiMaggio (28:08.482)
Internet. Yeah, regular browser. Yeah, you can access it. No encrypted tunnels or no link rate stuff.

D Mauro (28:21.115)
Yeah, we've had some interviews with people that have been talking about Telegram and how there's so much cybercrime just out in the open right there. I mean, how not taking I mean, most people are asking me, how is this not taken down? Like on the Telegram part, we understand on the dark web, there's anonymity and it's it's entrenched and it's over in Russia, but the

Jon DiMaggio (28:33.922)
There is the.

D Mauro (28:49.851)
Telegram part, where you have a lot of these cyber criminals located in North America sometimes. How are they not caught is what I keep getting asked.

Jon DiMaggio (28:59.17)
Well, that app is built for encryption and anonymity, and it's changed hands several times. It was developed by a guy in Russia. He then sold it, and yeah, it's changed hands. But because it's built on encryption and anonymity, well, it's not the dark web. It's not like it's the internet. I mean, you can get to it through the internet, but it's got these things built in that bring you anonymity when you use it. The biggest difference between Telegram and the forums,

D Mauro (29:09.307)
Okay.

Jon DiMaggio (29:28.13)
to sound old here, but with the forums, I like it because it's structured. You have to post something and wait for a reply. With Telegram, it's so much chatter and annoying-ass people on there, just putting up stickers and images of their cats and memes. And, you know, I have to do it as a researcher, but I would never spend my time there outside of that. I much prefer forums.

D Mauro (29:51.611)
It's almost it sounds almost like a yeah for for those i've been on it obviously but for those that haven't been on it It almost sounds almost like a discord server, you know

Jon DiMaggio (30:01.602)
Yeah, it's real-time chats versus posting, replying, posting, replying. The forums have moderators, so when you have some annoying person that's putting up synodies or posting, again, pictures of their cats and it's off-topic, they remove them. On Telegram, it's a free-for-all, so they're both good resources for information, just my personal opinion. I much prefer spending my time on forums.

D Mauro (30:15.291)
Thank you.

D Mauro (30:21.115)
Right.

Jon DiMaggio (30:30.722)
much more enjoy the community. If I'm going to have to be amongst criminals, I'd rather be on one where there's some basis of control and the conversations are on point versus pictures of your cat.

D Mauro (30:43.611)
Unbelievable. Yeah. So in Ransomware Diaries 4, you talk about two things that I have researched a ton out of. Like one was our very first episode on this podcast a year and a half ago, two years ago was on the original Sony breach. Right. Not the very first one, but the one that...

Jon DiMaggio (31:03.362)
Yep. Right. Not the North Korea one, but yes. Yeah.

D Mauro (31:08.251)
It was either tied to North Korea, but there were still a lot of open questions around it. And you talk about the Sony breach in Ransomware Diaries 4. You also talk about the MoveIt breach, which we've done a deep dive on. And I mean, nobody has done a better job than Brett Callow over at Emsisoft. He's one of my, like, he's so good. But I just keep...

Jon DiMaggio (31:23.65)
Yes.

Jon DiMaggio (31:30.402)
I know, bruh. Yeah.

Jon DiMaggio (31:37.25)
Let's not stack his ego too much. He's okay. All right, he's okay. The half-primes of bread. I'm just harassing.

D Mauro (31:37.339)
I do.

No, but it's still, I know it's, but it's, but like the way that they've been tracking MoveIt is just amazing. So, so what is the significance? So you're like, in Ransomware Diaries 4 you mentioned that on September 26, 2023, Ransomed VC, which is Ransom Support, as you call them, right? The guy also known as Impotent.

Jon DiMaggio (31:49.92)
Yeah.

Jon DiMaggio (32:03.97)
Yes, so Ransom VC is the operation. Ransom Support is the moniker of the guy who runs it.

D Mauro (32:09.019)
Yeah, and he also went by Impotent. Like, does he not know what that means, or he's...

Jon DiMaggio (32:15.682)
He went by Impotent, that's right. He made it up because the guy who got arrested from Raid, his name was Omnipotent, and he made a variation of that that is making fun of him, trolling him, and he went by Impotent. I have all his names, that's my favorite, but it's funny because when you read some of the chat, the engagement conversations in my report, you know, I'm asking,

you know, this other hacker, when did you find out that Ransom Support was Impotent? And it's just like, I get so used to saying the names, I didn't realize what I was saying. It's just, then when I'm reading it, it just, you know, makes me get, the 13-year-old in me has to giggle.

D Mauro (32:54.459)
That's hilarious. So they claimed this past September, just several months ago, about six months ago. Yeah, September 20. Yeah, they stole 260 gigs of data, quite a big haul. But what happened? Was it real? Did it not happen? Did they sell the data? Was it old data? What happened?

Jon DiMaggio (33:04.352)
Number 23.

Jon DiMaggio (33:20.994)
Yeah, so the amount, the size of the data stolen was less than what they claimed. The actual breach took... So I've gone through the data to try to validate if it was authentic. And it is authentic, however, it was a single computer from Sony. The breach took place on August 11th. The data set was first talked about amongst criminals on August 23rd, and on August 26th, it was leaked publicly, some of it was leaked publicly, by Ransom VC.

The problem is, on Breach forums, there was another hacker that used the alias at the time, Major Nelson, who claimed to have the same data, and he posted that. And I went through both of them, and they both had the same data within them. So they both were the same data set, they both came from the same source. It was legitimate, it did look like it was legitimate, authentic data from a Sony system out of Japan.

based on the language settings on that system. And it had a lot of development stuff on there. There wasn't a lot for Sony to take a loss for. By the data itself, it wasn't really that useful. But with all the media around it, it certainly hurt them from that exposure. And RansomVC's brilliant branding and marketing themselves, that's really where they excel in getting people hyped up about them and to believe that the story they're telling is true.

D Mauro (34:34.491)
Yes.

Jon DiMaggio (34:47.298)
because it's being reported, it's being talked about by researchers, whatever it might be, they use that as leverage to get people to believe that that's true. And Sony's bad, the State Farm thing was even worse. So I asked Ransom Support, how the hell this other guy got the data, who had it first? And there was a, basically there was somebody working for him named Intel Broker, and allegedly he got the data first. And...

whether Intel Broker is also Major Nelson or vice versa, I can't keep up with all of it. That's what Ransom Support says, he's the same guy. But who knows if that's true. But the point is that these two people had the data at the same time and only one of them could have stolen it originally. So the other one had to have stolen it from them. Or I guess people will say, oh, well, you could take it at the same time. That's not what happened. The criminal got it and then it was obtained by someone else.

who got it first, it's hard to say, because they both came on the same, around, leaking it around the same time.

D Mauro (35:50.747)
So, and what was the tie-in with the MoveIt breach and CLOP? We've talked about the MoveIt breach because MoveIt is an encrypted file transfer platform and they've been compromised and one of the largest compromises of the decade, it seems, that continues to mount and yet it's like the media doesn't really talk about it because I don't think they understand it.

Jon DiMaggio (35:57.184)
Yeah.

Jon DiMaggio (36:11.074)
For sure. Yeah.

D Mauro (36:19.003)
But the CLOP ransomware gang, they're not even launching ransomware. They're just leveraging the vulnerabilities that they have and stole all the data, right? It's just a...

Jon DiMaggio (36:25.73)
taking data? Yeah. Yeah, they're not encrypting systems or any of that. They don't even have affiliates anymore. I mean, so it's a whole different operation. But to answer your question, so there's not a tie, but the CLOP stole a bunch of data from Sony. So as a researcher, the first thing I need to do is see, is this data from that breach? Because that's something else that I found that RansomVC would do is take previously stolen data.

alter, edit it, put in some other new fake data or add in publicly accessible documents or whatever it might be to try and make it refreshed and look real and then try and extort organizations for it. So I needed to make sure that wasn't happening and it wasn't. This was separate. That data was global. This, or a lot of it was in the, I'm sorry, that data from CLOP was mostly from the US and this data was not. The CLOP data had a lot of systems. This does not. It came from one system, so a little bit different.

D Mauro (37:23.291)
over in Japan or from what it looks like in over in Japan.

Jon DiMaggio (37:24.45)
Yeah.

Yes, yeah, yeah, correct.

D Mauro (37:30.203)
So one of the things that we've discussed, you and I, on this podcast is the software, the ransomware software, the malware that is developed by these organized cybercrime gangs is designed in a way that it will not attack or it should not attack certain speaking languages like CIS countries, like Russia, Iran, like whatever the...

Jon DiMaggio (37:54.954)
Correct.

D Mauro (37:58.427)
the Eastern Bloc countries that are done. And what is the reason for that?

Jon DiMaggio (38:05.474)
So the main reason is these guys are primarily based out of Russia, and Russia doesn't consider it a crime as long as you don't attack a Russian entity. So what a lot of these ransomware variants do is they just look for the language being used on their computer and that system. And if it matches one of the languages that are spoken in those CIS countries, especially Russian, it will not execute and unleash the ransomware, if you will, to encrypt all the data

on the system itself. So it's just a sort of a built-in precaution. Obviously, it's code. You can change that. But that's sort of... Until Ransom VC, that is a rule that I have always seen followed. It's one of the few that's not been broken. And it's funny because I was on the... I used this service called eCrime, and I'm looking at their website at the data for breaches. And the darker the red, the more breaches there are. And Russia had the...

tiniest little hint of off-color, and I go and I hover over it and it says one. There's been one report and incident that they have in all of their data, and that's Ransom VC. And it was a hospital. So two no's, two things you're not supposed to do.

D Mauro (39:15.355)
No. So.

Exactly. So in Ransomware Diaries 4, you have a subsection that's called, Don't Make Putin Come to My House.

Jon DiMaggio (39:28.994)
Yeah, because he said that to me. So I thought it was funny. So I made it the title of that section.

D Mauro (39:33.723)
So like you just pointed out, there's one rule that's sacred among all these ransomware gangs, and that is you do not target Russia or other countries within the Commonwealth of Independent States, which is CIS, that we talked about. And the rule, yeah, and the rule is, well, you've seen, you know, we saw, like, REvil get taken down in Russian style where they're bashing the doors and they have these videos, these very dramatic videos.

Jon DiMaggio (39:46.466)
Yeah.

D Mauro (40:02.491)
They haul them through the Russian legal system and stuff, arguably because at some point, for some reason, we believe or we surmise that they fell out of favor with the Russian government. Is that fair?

Jon DiMaggio (40:14.594)
Yeah, or there's political motivations, but yes, that's fair. It doesn't happen often, but it has happened. It happens in the Ukraine more than Russia, but yeah, or it did happen in the Ukraine. These days they're busy, but yeah.

D Mauro (40:17.307)
Right.

Right. So, yes. Yes. Right. So, these geniuses at Rush at Ransomed VC on October 4th, 2023, they posted a victim notification. And where did they post this? On the dark web.

Jon DiMaggio (40:37.078)
on their data leak site. They posted it. So on Ransom.

D Mauro (40:40.475)
And do a lot of these gangs keep their data leak sites on both the clear net, like on Telegram as well as on the dark web, or is it mostly only on the dark web?

Jon DiMaggio (40:52.034)
So what they do is, usually it'll be on the dark web. Some of them have it on clearnet, on the regular internet. So Ransom VC had both. Again, with Ransom VC though, clearnet was the primary, the dark web was the backup, and then they use Telegram for their group chats, in their, like, their group channels, to leak data, and it's just another mechanism, sort of, in their infrastructure. So they leak the data on their website.

And then they also use Telegram to try to sell it, to market it, to leak it, you name it, they do it. To have conversations about it, it's just another mechanism to leak it and try to embarrass the victim and try to get money from other criminals.

D Mauro (41:36.411)
Got it. And on October 4th, 2023, Ransom VC posted this victim notification for a Russian medical center.

Jon DiMaggio (41:44.386)
Yes, that's not what Ransom Support says, but that's what it really is. He told me, when I asked him about it, I was like, why would you attack something in Russia, let alone a hospital? And he said to me that he must have been high when he did it and that he thought it was a plastic surgery center. But you just go to the website, it's clearly a hospital. You just look at the services and everything offered. It's clearly a hospital. But as I said, he's not in Russia. And that's why I believe him, is because of stuff like this. He just...

That's why he did it, because he just doesn't care.

D Mauro (42:16.539)
In your investigation of these guys, where was the evolution? First of all, where do you think they're based?

Jon DiMaggio (42:25.25)
So I think the people who work for them come from all over, but he's primarily in Bulgaria. He's got people who work for them that are somewhere in the UK, somewhere in South America. They're all over the place, but those are just some of the places where I was able to somewhat validate as much as you can that that's where some of the people that worked with him came from. I actually didn't find that there were many true Russian nationals working for him. So.

Different operate was all about perception and making you believe something, but that's not what the reality was. That's why it was interesting to me.

D Mauro (43:01.947)
Yeah, exactly. So what couple things I want to ask you. So where is where is Ransomed VC today? Like where did your investigation wind up? Like what?

Jon DiMaggio (43:13.058)
Yeah, I was talking to Ransom Support, I was talking to him earlier today, because that's when he was trying to tell me he was starting something new. But yeah, no, he's still in Bulgaria. You know, he... I can't say this for a fact, but I believe he has ties to organized crime in that country. But regardless, he seems to be pretty connected. He's not afraid of the police. So I don't think anything's going to happen to him anytime soon. But, you know, he lives there, he's from there. He...

For some reason has a strong liking, he's very fond of Serbia. So I don't believe that he's Serbian, but I do believe somebody that he knows or is close to him must be because some of the aliases and names he's used in the past have been affiliated with Serbia. The newest program, the Raznovic, that's affiliated with the Serbian gangster. Their Telegram channel, TigrzBarkan, that's also affiliated with that same Serbian gangster.

So there is a nexus there, but I do believe that he is actually Bulgarian.

D Mauro (44:21.083)
Do you see a lot of cyber crime gangs or ransomware as a service gangs in Serbia or in Bulgaria generally? Or are they mostly?

Jon DiMaggio (44:29.57)
I've not seen, no, just this guy, just these guys. I haven't seen anybody else out of Bulgaria. I mean, I'm sure there's stuff out there like smaller pockets that I don't even look at, but no, I've not seen any of the, you know, the, whatever we'll call the big box ransomware gangs, you know, the name brands, if you will, that people hear about in the news all the time. I've not seen. Right.

D Mauro (44:49.947)
The Mercedes and BMWs of cybercrime are like LockBit and BlackCat and things like that, right?

Jon DiMaggio (44:56.45)
Right. Right. Yeah. So yeah, I've not seen anybody, you know, I've definitely seen many affiliates, threat actors based out of that region. There very well could be, you know, some groups based out of Serbia, but Bulgaria, there is, I have not seen any prior to this.

D Mauro (45:15.963)
Based on your findings, do you think that he was involved with Ragnar Locker gang? Because Ragnar Locker was a legit... Yeah. And they had six people affiliated with them that had been arrested. He claimed that he posted... I found that six people affiliated with me have been arrested. Is there any validity to that?

Jon DiMaggio (45:23.65)
Yeah, they were real deals.

Jon DiMaggio (45:39.522)
Yeah, so let me just break it down real quick. So the Ransom VC operation started August 15th. On October 22nd, they launched a separate forum called Ransom Forum. By launching that, it still takes time, money, and resources, that's showing they're expanding their operation, not closing it down. The very next day, on October 23rd, six men were detained,

got doors kicked in, brought in by Europol, that were considered or believed to be members of Ragnar Locker. Seven days after that, on the 30th of October, Ransom VC announces it's shutting down. They put up a message saying six people associated with me have been arrested or may have been arrested, as we said. And like I said, nobody believed them. Once I got the information that he was associated with that gang and I looked at the dates and everything, it lined up perfectly.

He must have been concerned that because of those arrests and the detainments, someone was going to leak his information and have them shut down. So when I got the information, it sounded out there to me, but it fit like a glove, you know, I mean, everything lined up with it. And the person who gave me the information was one of his top affiliates, if you want to call him that, you know, a hacker who was well known

long before Ransom VC and the hacking world. So I believe him. I believe that it's true. It makes sense. The circumstantial evidence completely fits. It's like I had this missing puzzle piece and he handed it to me and I put it and it just fit perfect.

D Mauro (47:20.139)
Excellent. So leaders in business and in like healthcare fields, they ask sometimes, you know, when our data gets stolen or if our data gets stolen and a cyber criminal gang posted on the dark web, our clients and our customers and our people don't go on the dark web.

So how does that really expose us? Like they're saying, well, we're going to publish it. And we're like, yeah, but you're publishing it on the dark web. Nobody that we know goes on the dark web. So who are you publishing it to anyway?

Jon DiMaggio (48:01.794)
Yeah, so there's two ways. One is researchers and reporters both monitor those sites, you know. So that information is going to be obtained. But two, other criminals do. And often, you know, it's to sell that data if the victim doesn't want to pay. So it has sort of a dual purpose. One is to notify basically, you know...

D Mauro (48:11.245)
Thank you.

Jon DiMaggio (48:28.994)
journalists and researchers that this has taken place, and two, to sell stolen data to make money in case the victim doesn't pay, so they still get some sort of profit from their work, or at least that's how they view it.

D Mauro (48:41.819)
And that data can be used in other attacks or to go after the actual people, and dox them or extort them.

Jon DiMaggio (48:45.216)
Yeah.

Jon DiMaggio (48:50.21)
Yeah, there's lots of things that can be used for, everything from, like, let's talk about, remember when REvil popped Apple, or what a contractor is, the contracted company that worked for Apple, and got all their engineering diagrams, you know, that they then went after Apple, even though that wasn't who was compromised. So yeah, there's definitely, you had Accenture, they got hit by LockBit. And according to LockBit, three targets he had in the following months after that, that were airlines, came from that data.

I couldn't validate it, but that's what he told me. So it definitely happens when they use that data to then harm other organizations that either did business or were clients of them, things like that.

D Mauro (49:27.803)
And it's.

That's absolutely, this is a great story. So what like high level, what's your impression of the Ransom VC, this guy? Ransom VC is the organization, Ransom Support is the moniker for the gentlemen here.

Jon DiMaggio (49:43.906)
Um.

Jon DiMaggio (49:50.242)
Yeah, I'm laughing because it's been such a crazy ride. He's always been, to me personally, he's always been professional, respectful, makes jokes, water cooler talk. We got to know each other pretty well. He definitely, what's the right way to say this? I don't want to call him mentally ill, but he has issues he needs to work out. He...

He lies a lot, but he doesn't lie because he can't tell the truth. He lies, and this is the problem with assessing them, is a lot of people think he's a scammer and he just makes up these lies. But when he makes up lies, he is looking three steps out. There's a reason he's saying this lie and it's going to affect something down the road. And I found that out because I was looking back. And when I started to take the lies that he would tell me or other people and then look at where they originated and where things ended up,

There was always a motivation or a plan. So because of that, I would tell the researchers, I know that a lot of people aren't looking at these guys like a top level group, but they're causing a ton of damage and half the time they haven't even done what they've said and they've gotten us all to believe it. To me, that is a problem because you just don't know what the truth is and they very well may really have your data. They may have stolen it, they may have bought it, they may have made it up, but you don't.

know. So that is harder than when you have a group, you know, like BlackCat or Black Basta or any of these. And it's just that you don't have a way to know. So with those groups, they have a reputation. They're concerned about their reputation. They most likely have the data that they say they have. But that's just not the case with these guys.

D Mauro (51:42.139)
These guys seem like they are masters at marketing and manipulation.

Jon DiMaggio (51:46.69)
That is, I've told Ransom Support this so many times, like he doesn't need to be a criminal. He should go, should have spent his time opening a marketing company because he, that is what he is. I hate to keep giving him compliments, but that is the one thing that that guy is brilliant at. I mean, he is really good at making people know their name, know their brand, make them believe they're 10 times bigger than they are and they have

all this data on organizations that half the time they don't have, half the time they do, getting his name in the news. He even willed a lawsuit into existence with State Farm. He basically...

D Mauro (52:23.771)
Walk us through the State Farm story. What happened there?

Jon DiMaggio (52:26.978)
Yeah, so basically, Ransom VC posted State Farm as a victim. They claimed to have all of their data. They didn't have all their data, but they did have a database. That database, however, didn't actually contain any PII, and the person who actually did the breach shared that with me so I could validate that it did not have PII in it, fully admitted that he did the breach, and he knew way too many details that I...

And he never lied to me. The guy, USDOD, he might be a criminal, but I've talked to him for three months. Unlike Ransom Support, USDOD has never lied to me. He might say things I don't like, you know, as far as his actions, but they've always turned out to be true. So I looked at it. I was able to validate that there was no PII. The data is basically useless. However, because they posted the victim site and because they have tons of social media accounts, they're even on TikTok.

Ransom VC's on all these social media platforms. And they got all the spin and the buzz around it. All of us, journalists, researchers, security vendors, talked about the breach. It was made public. And everyone bought into it because they read the headlines. And State Farm customers did too. So even though they didn't actually have that, what's that?

D Mauro (53:47.067)
Please see the state far.

So then the customers who allegedly lost their PII went and sued State Farm?

Jon DiMaggio (53:56.002)
Yeah, the class action lawsuit, it's in federal court now and I know for a fact that it's not real. So it sucks because this is a victim. They didn't get, you know, they didn't pay the ransom so they didn't have to do an incident response. They didn't have to spend all these millions of dollars on that, but now they got to spend it in lawyer fees. And while I may not be a huge fan of insurance companies, this isn't right what's happening to them. This is terrible. So.

It's the first time I've seen something like this, but it really is a wake-up call that we as researchers and journalists really need to not just report when a bad guy says they've breached something, but we need to report on it when there's either solid evidence or the victim itself has made a notification.

D Mauro (54:44.795)
Unbelievable. Well, Jon, thank you so much. I mean, as we wrap up, I want to ask you, there's been so much high-level discussion on, it seems like a lot of these gangs, you saw what CLOP did with MoveIt, you see that a lot of these gangs are just almost evolving into a smash and grab. Like they want to just take the data, the customers, the victims can

keep a copy of their data, they just want to take it and then extort it. It's almost like becoming extortion as a service. Is that what you're seeing in the industry?

Jon DiMaggio (55:20.514)
Yeah. Yes.

Yeah, that's... Well, there definitely still are more traditional ransomware groups that encrypt and steal data, but we're seeing that model where it's simple extortion with just the data and no encryption more often. CLOP does it. Ransom VC, despite what they claim, I've never seen any evidence that they actually encrypted anybody's data. They're just stealing it. And I do think it's easier, it's faster.

It leaves fewer logs and things of that nature. And they still get the ransom. I honestly think we're going to see more of that. I had a conversation with LockBit about this and he still felt like, it's almost like if you were to stab somebody on the ground bleeding, kicking them a few more times is still going to help. So why not do it? But we're seeing other groups that have a different mindset where they're not, and they're simply stealing the data. So...

I don't think that we're going to see traditional ransomware go away, but I do think we're going to see more of this movement where it's just data that's being stolen. We need to come up with a new term for that because people get confused when you hear that. You know, you hear ransomware, you think encryption, but that's not always the case.

D Mauro (56:37.051)
Yeah, it's almost like extortionware or extortion as a service. I've coined that here on Cyber Crime Junkies, extortionware. Well, so, and having said that though, ransomware is up this year, right? Like it's like, depending on which vertical, some of it's up X percent, some of it's higher, lower, whatever. But so ransomware itself, the actual encryption of it, is up,

Jon DiMaggio (56:42.786)
Yeah, exactly.

Jon DiMaggio (56:47.426)
Got all sorts of things being coined here.

Jon DiMaggio (56:55.138)
It is.

Jon DiMaggio (57:00.354)
Yeah.

D Mauro (57:05.595)
as well as now this extortionware, extortion as a service.

Jon DiMaggio (57:09.826)
Yes, that's correct. The one thing that I want to say though about that is, again, this is based on my direct conversations with threat actors, is I've been told that the ransom amounts that are being paid have gone down, which is one of the reasons the bigger ransomware gangs are pushing for higher volumes of attacks, is because even though the numbers have been up, their income was less. So by having more attacks, they're hitting their numbers a few.

D Mauro (57:39.291)
Wow. And you had mentioned in our previous discussions that these ransomware gangs, whether they're deploying ransomware or just extortion of service, they get together almost like a sales force and chart out, like they have business meetings, don't they? Where they talk about the numbers and how this quarter is doing and what threats and what tactics are working and which ones are more profitable.

Jon DiMaggio (57:59.106)
Yeah, it's.

Jon DiMaggio (58:08.418)
Yeah, they do. LockBit definitely does that. And you'll see that on some of the Russian forums, those types of conversations. But yeah, it definitely is something that takes place. For these bigger organizations, bigger threat actors that are making hundreds of millions of dollars a year, I mean, think about it. It's like a company. You've got all these resources. You've got to have employees. You've got people working for you. You've got to have an idea of what kind of money you want to make

and things like that, and you want to make more than you did the previous year, it's literally like a business, except that you're committing crimes.

D Mauro (58:42.427)
Wow. Yeah, and only they're doing it from a part of the world where they're not going to get in trouble as long as they don't do it a certain way.

Jon DiMaggio (58:50.594)
Yeah, hopefully someday that changes, but that is the case now. But again, you've got these other groups, like, I don't know how this guy's in Bulgaria, how does his door not get kicked in? You know what I mean? That's why I believe he might be tied to organized crime, because how else does this guy's door not get kicked in? So.

D Mauro (59:01.243)
Yeah, exactly.

D Mauro (59:06.107)
How else could he not be looking down? Yeah, well, Jon DiMaggio, thank you so much, sir, for all your wisdom, your research. We will have links to Ransomware Diaries 4 in the show notes and below, as well as, I saw that you guys did an audio reading of it, an audio. Yeah.

Jon DiMaggio (59:29.09)
Dude, they're so long. I gotta make it easy for people to listen to also.

D Mauro (59:34.651)
Well, you're doing the right thing and you're helping law enforcement, you're helping people understand it and that's the whole key, right? Because we can't understand, we can't defend against something we don't understand. So thanks for all the work and we will talk again soon. Very, very, very excited about this work. We will have images and pieces to it throughout this video as well. So...

Thank you everybody for listening and we will all talk again soon.

crime stories exposing cyber criminals

Top security researcher, Jon DiMaggio of Analyst 1 joins us to discuss his recent findings in Ransomware Diaries Vol 4. 
https://analyst1.com/ransomware-diaries-volume-4/#Significant_Findings


Discussing how to expose cyber criminals how to expose cyber criminals and how he exposed RansomVC, how they caused a class action suit based on fake facts and updates on LOCKBIT.

TAGS: crime stories exposing cyber criminals, what is cyber crime extortion, stories of extortion used by cyber crime, how extortion used by cyber crime, how cyber criminals cause lawsuits, cyber crime extortion as a service, how to expose cyber criminals, exposing cyber crime, when cyber crime gangs are caught, when cyber criminals turn on each other, how researchers expose cyber criminals, how law enforcement exposes cyber criminals, ways law enforcement fights cyber crime, undercover stories fighting cyber crime, undercover stories of cyber crime, how cyber crime causes lawsuits, cyber crime stories exposed, 


D Mauro (00:01.243)
All right, well, welcome everybody to Cyber Crime Junkies. I'm your host David Morrow. In the studio today is security researcher, it's like cybersecurity royalty in the house. Anne DiMaggio, who works with Analyst One and recently published Ransomware Diaries 4, that's also known as

Ransomware Diaries 4. Very cool. And, John, we're really excited. Welcome to the studio. Welcome back, my friend.

Jon DiMaggio (00:34.722)
it is.

Jon DiMaggio (00:39.842)
Thank you, thanks for having me again, man. It's always good to talk to you.

D Mauro (00:44.059)
So things have been going well at work. Things are good.

Jon DiMaggio (00:48.066)
Things have been going well. We've been so busy. It's been crazy. It's... Yeah.

D Mauro (00:51.131)
Cybercrime is up. Cybercrime is up. Things are like... cyber criminals are still out there.

Jon DiMaggio (00:56.61)
Yeah, I'm waiting for when we have a season so I can take a vacation.

D Mauro (00:58.715)
Yeah, it's really not a fad, is it?

Jon DiMaggio (01:03.298)
And unfortunately, it's not. It's been crazy, man. I barely took off any time during the holidays. It was nuts. I think I took off Christmas and New Year's Eve, Christmas Day and New Year's Eve. Besides that, I was working seven days a week since before Thanksgiving. So I'm glad to have that thing done and out so I can actually take a breath and relax for a minute. But until the next thing, right?

D Mauro (01:08.699)
I know.

D Mauro (01:27.675)
Yeah, so for listeners who don't know you, Jon, you worked in the government previously in the intelligence community. And that's all we're going to say. Otherwise, you'd have to kill me. And then, I mean, I didn't know what he did. I just stood across from his house with a telescope and a box of donuts. All I could figure out is...

Jon DiMaggio (01:45.154)
That's right.

Jon DiMaggio (01:54.306)
That was you?

D Mauro (01:55.451)
Yeah, that was me until you gave me that little like, oh, you know, that cease and desist thing. Don't pull me, you know. No, I'm just teasing. And then you've been in the private sector for a while doing a lot of research. And his work has involved undercover work in the past as well. Actually going on the dark web or going through Telegram channels, et cetera, and speaking with.

Jon DiMaggio (02:01.218)
I separate.

D Mauro (02:25.645)
cyber criminals, and now he's developed professional elements of communication with them, which allows Jon exclusive access to certain aspects of the criminal element, which is fascinating to people like us. Because, you know, how can you defend against a foe you don't know, which I believe is a phrase we coined on the last episode. I believe it was, oh, oh,

Jon DiMaggio (02:53.186)
copyrighted.

D Mauro (02:55.323)
Like, I think I need to get a t-shirt that says that. So, Jon's prior work was disclosing and investigating the LockBit ransomware gang, to the point, and to the amusement of the LockBit gang, where on the dark web, you know, they all have their own website, their own channel, and they had Jon's avatar.

Jon DiMaggio (02:58.594)
you do your pen.

D Mauro (03:24.677)
on there as their avatar. So I wanted to ask you, in our prior episodes, you can check those out on YouTube or on Apple Podcasts, Spotify podcasts. Just look under LockBit or Jon DiMaggio. They're all in there. We could have links to it in the show notes here. But I recently saw that LockBit in the

Maybe we set the context first, but LockBit was threatening to do harm to one of their former hackers who had a dispute over payment or something.

Jon DiMaggio (04:07.586)
Yeah, well, so with that they tried to to dox them and yeah, they didn't they didn't specifically say that they were going to harm them. They insinuated it, but they didn't actually say it. But yeah, it got pretty crazy. It got pretty crazy. Yeah.

D Mauro (04:19.323)
It could have just been tough talk, right? Yeah, it could have just been tough talk. But can you explain to the listeners, so cybercrime is such a big business that when, you know, you have the cyber criminal groups, like think of organized crime, you have Don Carleone, you have like the heads of the families, right? The heads of the groups, and then they have all these other actors working for them, and they're contractors, essentially. Is that a fair assessment?

Jon DiMaggio (04:47.298)
Yeah, that is a fair assessment. And so it's exactly that. They are not like employees. They work with them and share profits. Exactly.

D Mauro (04:56.155)
There's no pension fund, or like PTO policies. Paternity leave, things like that. You want to be a digital mercenary, we don't give you paternity leave or a 401k. 1099, man. Okay. And then if there's a dispute about like, hey, I got this money. Oh, you got more. You didn't like, let me ask you this.

Jon DiMaggio (05:00.962)
No benefits, yeah. No paid vacation, yeah.

Jon DiMaggio (05:09.314)
Right. It's all 1099 work.

D Mauro (05:24.571)
What are some of the disputes over? Like, isn't there just one pot of money, or like LockBit does things differently. They let the attackers kind of fund, like hold on to some of that money. So are there, how do their disputes arise in the first place?

Jon DiMaggio (05:41.314)
Yeah, well, there's a great example which just happened last week, but essentially LockBit does let his affiliates control the money. However, there's other elements, access brokers and other elements that have resources that they provide where they do rely on getting paid. It was about a week, week and a half ago. An access broker provided access to a network that LockBit and their affiliates

utilized to extort a victim, and they didn't agree upfront on payment, and this person got upset. So what they can do, and what they did do, is on these forums, on the Russian hacking forums, you can basically go file a complaint, and it goes into this arbitration process where both parties have to submit evidence, whether they're technical logs or chat logs or whatever it might be, to support their claim. And then the administrator is supposed to be an

unbiased party that reviews it all and makes a judgment. Once that judgment's made, whoever he awards that to, the other party has to pay them whatever the dispute was about. They don't pay, they get banned from the forums, and that's what just happened to LockBit. So my picture's no longer there. They got canceled basically off of both the two top hacking forums. Something I didn't know, we just put a blog out today on this, me and Anastasia wrote it for Analyst One.

We put it out today. But basically what happens, yes, they go through this arbitration process. You pay or you don't pay. If you refuse to pay and you've lost the arbitration, you get banned. If you get banned on one forum though, other Russian forums, hacking forums, take note and follow suit with that judgment. So LockBit got kicked off of multiple forums and is pretty upset about it.

D Mauro (07:30.203)
Wow. So let's unpack what you just said real quick. And then I want to get into Ransomware Diaries 4. What you just explained is there's basically a judicial system or an arbitration system, right? Like an independent arbitration where, when there's financial disputes, they both agree that this third party will make a decision and they will be bound by that. Otherwise there will be consequences.

Jon DiMaggio (07:31.49)
and we'll see you next time.

Jon DiMaggio (07:58.978)
That is correct, yes. And in this instance, because LockBit didn't pay, they...

D Mauro (08:02.779)
So even criminals have this. It's very similar to organized crime, even that, right? Because they still, like even the organized crime families, when we think of the mafia and the... Yeah, they all have the cartel, they all have the actual council where the heads of all the families meet and they decide certain rules. So the same thing here.

Jon DiMaggio (08:14.562)
sit down.

Jon DiMaggio (08:25.634)
Yeah, it's a similar concept. Yeah, it's similar to that. And you would think, to me, I'm like, okay, who cares? You get kicked off the forum, go create another account or whatever it might be. But it takes a long time to build up these reputations and they have different ranks on the forums. And because LockBit didn't pay, they now have this big banner across his profile that just says Ripper, which is basically like...

saying they're a scammer, they cheat people out of money. It's a really low insult in the hacking community, and that's why LockBit is so upset.

D Mauro (09:00.091)
So LockBit, where their former page was, they have a big banner over it that's, and I'll find an image of it. Hopefully I can throw this up by the time this airs. Yeah, and it says Ripper, R-I-P-P-E-R.

Jon DiMaggio (09:08.93)
Yeah, I can share it with you, but that's no problem.

Yeah, well, it's in Russian, but yeah.

D Mauro (09:16.251)
Well, yeah, AI and deep fake, we could just redo this whole episode in Russian. And then we're already redoing our episodes in various languages because we're apparently very big in Cambodia right now, as well as the Netherlands. So I may move, just be treated like royalty. I may just actually be like, oh, yeah, that's our podcast. So.

Jon DiMaggio (09:18.338)
I'm going to go ahead and close the video.

Jon DiMaggio (09:23.618)
Alright.

Jon DiMaggio (09:35.622)
Interesting. Right.

D Mauro (09:45.179)
Tell me, what was the impetus for Ransomware Diaries 4? Like, this is about a ransomware-as-a-service gang, or at least one that purported to be one, and you uncovered a whole bunch of stuff. Like, you kept unraveling this gang, and I kept reading it, and I'm like, oh, these guys are just getting hit left and right. So...

Jon DiMaggio (10:02.53)
Thanks.

D Mauro (10:12.443)
Tell us about the story. Who is it about? Where do these cyber criminals live? What's their name? Walk us through.

Jon DiMaggio (10:19.842)
Yeah, so when I finished Ransomware Diaries 3, I was looking on the forums, just seeing what LockBit and other parties were saying about it. And one of the posts was from an account that I hadn't seen before. It had just been created. In their signature, it said, owner and creator of Ransomed VC, who at the time, in late August, I hadn't heard of them. And they had just started a couple of weeks earlier. So as time went on, I kept hearing their name.

D Mauro (10:39.643)
Right. Yeah.

Jon DiMaggio (10:48.322)
and I kept reading about them and so I started looking into it. And yeah, it was interesting. So as I found stuff, I decided I would try to do an engagement. So since I already knew they were familiar with my work, I just reached out to them as myself and said, hey, let's talk. And we did.

D Mauro (11:08.187)
Well, that's great. And I'm going to show an image here. Future me, put the image up like over here where I'm pointing, hopefully. Otherwise, I'll just look like an idiot pointing up in the air. I see people on YouTube do that all the time. We're like, hey, fine, here and here. And then I don't see the images. I'm like, you didn't connect to future you when you did. You have an image there of the coolest like pop

Jon DiMaggio (11:30.082)
Great.

D Mauro (11:36.379)
doll or something. Did you create that using AI or what?

Jon DiMaggio (11:40.8)
And Anastasia, the other analyst that I worked with, she created it. I tried and I did a miserable job, and then in like an hour she did it. But yeah, she made it.

D Mauro (11:48.731)
I mean, she really does have skills. And frankly, I can't believe we haven't had her on the show. We need to bring her on, if you'll permit. But man, that doll or that image is like, like people already want to, like they want orders placed for it.

Jon DiMaggio (11:58.338)
Yeah, last.

Jon DiMaggio (12:07.394)
No, I've been asked if we're going to make a bobblehead version to sell.

D Mauro (12:10.329)
You need to. Yeah.

Jon DiMaggio (12:12.738)
It's really laugh merchandise. That's a whole new level, but I don't think we're going to do that. But yeah, I have had people request it.

D Mauro (12:19.803)
Well, it is pretty creepy looking. So, Ransomed and Exposed, the story of Ransomed VC. So, where is this, like, where is the gang located? I mean, are they...

Jon DiMaggio (12:21.642)
Yeah.

Jon DiMaggio (12:34.434)
Yeah, so when I reached out, one of the things that was different about this research is they spoke really good English. So instead of having just a few engagements, I talked to them regularly for several months. But going back to that, they do at least write in Russian. I've never spoken to them in Russian, so I don't know. But yeah, they're, the main guy's from Bulgaria, not Russia. And I actually didn't come across anybody

in it that was Russian that I know of. Not that I talked to everybody, I only talked to four of them, but then none of them were Russian and they were in different parts. But the guy who runs it, yeah, he says he's in Bulgaria, I believe that he is in Bulgaria. There's been doxes on him, not by me, by other people. It looks like that's legit. And there was some other evidence of that.

D Mauro (13:06.425)
Okay.

D Mauro (13:24.699)
And so their system, yeah, and their system looks like it was taken down. Was it a law enforcement sting?

Jon DiMaggio (13:33.218)
No, actually, the site's actually back up, but what happened is they actually took their own site down because another group had gotten arrested that they had ties to. They didn't exactly explain it all up front, but I figured out in my research this other ransomware group, Ragnar Locker, had been taken down. But at the time, they just put, hey, six guys associated with us got arrested,

we're shutting it down. And they pretended to shut down, they just rebranded. But the point is that it wasn't an actual arrest of anybody in their group. And that's why everybody that looked for it was like, okay, well this guy's just making things up, because there were no Ransom VC arrests. It wasn't. The guy who runs it, created it, used to have some association with Ragnar.

He didn't work for them, but he did some work with them. And yeah, so they got arrested, I guess it spooked him, and yeah, he took off for a bit, but the site's back up now. And he changes his name like every two weeks, so I don't even know what to call him anymore. I call him Ransom Support because that's how I knew him, and prior to that his name was Impotent, of all things. Yes, yeah, he used to run a different program before Ransomed VC. He ran a forum that

D Mauro (14:52.283)
Really?

Jon DiMaggio (14:59.074)
was called Exposed VC. So yeah, it's a...

D Mauro (15:02.363)
Ah. And yeah, because, and I'll put some images up here where, you have Ransomed VC is now Res, Resdofic, Resnetopic or something like that coming from Telegram. And so apparently he changes that quite a bit.

Jon DiMaggio (15:16.034)
Yes. Yeah, he just took...

Jon DiMaggio (15:22.178)
Yeah, lately he just told me he's about to change things up again. I don't know if that means he's going to change the name of the operation or what, but he told me to get my pen ready because he's getting ready to change things up. I'm like, man, my hand hurts too much from all this writing.

D Mauro (15:36.155)
Yeah. So what is the story with them? What were your findings? What did you find about it?

Jon DiMaggio (15:43.17)
Yeah, so basically they weren't a traditional ransomware gang like LockBit or BlackCat or those types of operations where you have affiliates that share a percentage. Instead, what he did is he hired people that were younger with less experience that couldn't, his words, make the cut with some of the more known gangs. And he would just pay them a salary, which he claimed was between $2,500 and $5,000.

But based on the people that I talked to, they either got very little or they didn't get paid at all. So, yeah, so that's been an issue, and that's one of the reasons, you know, the only people they screw over more than their victims are other criminals. There are a lot of criminals, and they have a lot of enemies. But yeah, so they would actually have data. Sometimes they would do attacks. Often they would...

D Mauro (16:17.347)
Yeah.

Jon DiMaggio (16:37.25)
obtain the data by stealing data from other criminals and or buying it. But that goes back to their origin story where when they ran a forum before, think about it, running a forum is really smart if you're a cyber criminal because you have all these criminals that are doing business on there and you have access to the server that has all the logs, all the conversations, all the connections, everything else on it. So you get a lot of data on other criminals.

They can use it to blackmail them. They could do web injects. They can do a lot of things to get information and take advantage. And I think that was just part of their long-term scheme to make money. Like I said, it's just the thing where they don't care if you're a criminal or a legit company. It doesn't matter. If they can benefit from it, they will. And so, again, that's why they have a lot of enemies.

D Mauro (17:33.819)
So, okay. So.

Jon DiMaggio (17:34.26)
Thank you.

D Mauro (17:38.075)
So this group, were they affiliated with Breach forums, with the main forum, or did they create a site that mimicked Breach forums?

Jon DiMaggio (17:47.264)
Yes, that's...

Jon DiMaggio (17:52.066)
Yeah, so they were kind of in this massive war with Breach forums and some of the other prominent hacking forums. After Raid forums, which was sort of the original, and what's now kind of a cookie-cutter theme, they were the original. And when Raid went away, a number of sites came up to try to take its place. Breach was one of them. Exposed was one of them. There were three or four black forums. But...

The problem with it is that, just like with Raid, the FBI and Europol kept arresting the people who owned it and taking the site down, which is why it's so shocking that these guys kept standing stuff up. I would not want to be a forum owner after seeing multiple iterations of this happen where people are getting arrested, but they do.

D Mauro (18:42.491)
But they kept doing it. And so then what is their affiliation with LockBit? You have it, yeah, because there are several of these forums. Are these some of the same forums that LockBit is banned from now?

Jon DiMaggio (18:44.258)
They kept doing it.

Jon DiMaggio (18:51.842)
Arts. Yeah.

Jon DiMaggio (19:00.45)
No. So where he had an account, the guy Ransom Support that owns Ransom VC, he had an account on one of the two main Russian underground hacking forums, which are XSS and Exploit. So XSS is the main one where these guys spend most of their time. And that is where Ransom Support created an account under a different name and made the comments on the LockBit thread on the Ransomware Diaries.

But he was only on there for a few days because they banned him, because he started talking all this ransomware stuff and writing in English, and those are two... That's a quick way to get kicked off. You're an English-speaking person and you're talking about ransomware. They have a ransomware ban, but it's very selectively enforced, which is one of the reasons that with the whole LockBit thing he got so ticked. But anyway, they did enforce it with Ransom VC. But again, that's probably because he was writing in English, and that's kind of, you know, just a...

big red flag to look like you're law enforcement or somebody else when you're on those forums. So, but those forums are Russian. The ones like Breach and Raid, they're, you know, most of those are predominantly English-speaking. There are other languages spoken, but they're predominantly English-speaking. And they're more hacking forums outside of the Russian culture. So that's the big difference between XSS, Exploit, versus the rest of them.

So when Raid went away, also the other forums are more clear net forums. You can get to them from the internet or from the dark web, which is true with the Russian ones too, but Breach and all that stuff has primarily been accessed on the regular internet. So Breach has gone up and down several times. There have been seizures, there have been arrests and new owners. There's an iteration of it right now as we speak that exists, and it's fairly popular.

Exposed went away, Dark forums is still there, but they all look visually the same. They're literally built and designed off the same templates as Raid forums. They look like Raid forums. Some of them even have the same categories and subcategories and things of that nature. What's that? Sorry, try again.

D Mauro (21:10.587)
So what does that, so what is that? Like if they're all looking the same, what's the significance of that to you?

Jon DiMaggio (21:18.178)
Yeah.

Well, because they wanted to capture the user base from Raid forums, obviously one of the best ways to do that is make people feel like home, make it look exactly the same, and then hope that it is populated with similar content and you get some of the same people from it. That's exactly what they did, and that's why they all look the same. But even with some of the... With Ransom VC, when they stood that up after Exposed VC went away,

the first four days, it was a forum too. And I guess they either changed their mind or they realized that people were going to figure out that they were associated with Exposed VC, so they changed it to a ransomware-themed website after that. Later, they did stand up a separate forum outside of ransomed.vc, which remained a data leak site, and they did stand up a ransom forum called Ransomed. And the main difference is with...

with those forums, Exposed and Ransomed, is that they have ransomware categories where you can talk, you can have threads, you can have those conversations, you can sell services, and you don't get banned. So that's one of the big differences from the Russian forums.

D Mauro (22:33.147)
So let's set some context for some listeners and viewers that may not live in the dark web, right? These forums, they're accessible on the dark web, meaning you download the Tor browser, you use Tails, you use a separate computer, and you get on the dark web through the onion router, right? And they are forums. In the forums, they're essentially almost like a...

Jon DiMaggio (22:57.154)
Yes.

D Mauro (23:03.835)
Facebook-like for them, isn't it? Like where you can have, well, it's got more features than that, but you're able to, well, what would you compare it to that regular, normal people that don't go to the dark web could relate it to? What is a forum like?

Jon DiMaggio (23:22.786)
I think it would be a good example.

D Mauro (23:24.251)
Load documents to it, store documents, create a copy.

Jon DiMaggio (23:26.594)
Yeah, so it's not like Facebook, but they are more like taking a step back in time, like historical, you know, forums with threads. I would say more like Reddit than Facebook, but I don't have a one-for-one comparison, but it's like Reddit in the aspect that you have, you know, like...

D Mauro (23:33.089)
Reddit?

D Mauro (23:40.667)
Yeah.

D Mauro (23:45.563)
Or maybe a MySpace almost.

Jon DiMaggio (23:48.354)
Yeah, well, but with those you can have pages and stuff. So that's kind of the difference: they have topics and you create threads under these topics. So yeah, I think probably Reddit would be a closer analogy. But yeah.

D Mauro (23:52.187)
Right.

D Mauro (23:59.035)
And on there a lot of cyber criminals gather, and what do they exchange? What type of stuff do they exchange?

Jon DiMaggio (24:07.488)
Oh, man. So everything from selling or giving away leaked data, selling access, so you have access brokers there, malware developers can sell malware on there, exploits and vulnerabilities are sold. You can do things like, if you want to hire someone to DDoS a website, you can do those services. They have this service where you have a middle, it's called a middleman service. So let's say I wanted to...

to take down a site with a DDoS, there is a middleman that handles everything so that the two parties that are involved remain anonymous, they aren't easily exposed, only the middleman is, so you can take it.

D Mauro (24:50.651)
Should one of them be caught by law enforcement from some country, right? They wouldn't be able to rat on the other.

Jon DiMaggio (24:59.842)
Correct, yes. The two parties wouldn't know one another. That's correct.

D Mauro (25:04.091)
That's organized crime. Right? That's what it's all about.

Jon DiMaggio (25:05.6)
Right.

The problem is though, with some of these administrators, like with Exposed VC, the criminals got upset because they claimed that he would take their money and not always do the service. So there's always that risk, you know.

D Mauro (25:22.267)
Well, yeah, and there's not necessarily honor among thieves. And then if they have an issue, then they go to these tribunals, these arbitrations, right? And try and get their money back. And these...

Jon DiMaggio (25:25.794)
Seriously.

Jon DiMaggio (25:35.426)
On the Russian forums, not on the English-speaking, non-Russian forums like the ones I just mentioned, so not Raid, Breached or Exposed; those types of forums don't have arbitration. That's on the Russian forums, but they have that and it's very structured, organized. The other forums are not.

D Mauro (25:53.403)
Okay, and what is the significance of the Russian-speaking forums and the English-speaking forums?

Jon DiMaggio (25:59.016)
Russian-speaking forums have been around for over 20 years now, or around 20 years now. There's a co-culture and community there. It's very different. There is... Until I really got into this, I didn't really understand the Russian culture, not that I claim to be an expert by any means, but I understand a lot more than I did back before I started getting into ransomware. It's just...

D Mauro (26:05.083)
Very well.

Jon DiMaggio (26:25.314)
It's hard to explain, it's just more of a camaraderie type of atmosphere where a lot of these people interact and know each other and have known each other, because the forum's been around for so long that relationships are built, whereas these other, the English-speaking forums that I've been referring to, they come and go, there's no camaraderie, everybody's stabbing each other in the back. Not that that can't happen on the Russian forums, but...

It's just, you have less of that camaraderie. There isn't that same structure, and there's definitely not an authority at the top like there is in the Russian forums that sort of holds the balance of power to keep things in sync.

D Mauro (27:05.083)
And the Russian forums are the ones that have that system of justice, essentially, right? The people's court, okay. The cyber people, the cyber criminals' court.

Jon DiMaggio (27:12.386)
The People's Court, yep.

Jon DiMaggio (27:18.274)
I'm calling it that. They don't call it that; that's what I call it.

D Mauro (27:20.539)
No, I don't know what they call it. Are the Russian forums accessible through Telegram or is it all through the dark web?

Jon DiMaggio (27:31.074)
So it's mainly through the dark web. They do have some clear net access, but obviously if you're a criminal, you're not going to use the clear net access. So they do have clear net access, and I guess you could use that, but yeah, it is predominantly accessed that way. The difference, I guess, would be with the English-speaking ones, their main access is the clear net version, so the traditional internet, and then as a mirror, as a backup, they have dark web.

The Russians are the opposite. They have their dark web as the primary, and sometimes they'll have a clear net that is like a secondary, as a mirror. And that's the case.

D Mauro (28:05.243)
Interesting. And when you say clear net, you mean accessible through Telegram and other allegedly encrypted networks. Right.

Jon DiMaggio (28:08.482)
Internet. Yeah, regular browser. Yeah, you can access it. No encrypted tunnels or no link rate stuff.

D Mauro (28:21.115)
Yeah, we've had some interviews with people that have been talking about Telegram and how there's so much cybercrime just out in the open right there. I mean, most people are asking me, how is this not taken down? Like on the Telegram part. We understand on the dark web there's anonymity and it's entrenched and it's over in Russia, but the

Jon DiMaggio (28:33.922)
There is the.

D Mauro (28:49.851)
Telegram part, where you have a lot of these cyber criminals located in North America sometimes. How are they not caught is what I keep getting asked.

Jon DiMaggio (28:59.17)
Well, that app is built for encryption and anonymity, and it's changed hands several times. It was developed by a guy in Russia. He then sold it, and yeah, it's changed hands. But because it's built on encryption and anonymity, well, it's not the dark web. It's not like it's the internet. I mean, you can get to it through the internet, but it's got these things built in that bring you anonymity when you use it. The biggest difference between Telegram and the forums,

D Mauro (29:09.307)
Okay.

Jon DiMaggio (29:28.13)
to sound old here, but with the forums, I like it because it's structured. You have to post something and wait for a reply. With Telegram, it's so much chatter and annoying-ass people on there, just putting up stickers and images of their cats and memes. And, you know, I have to do it as a researcher, but I would never spend my time there outside of that. I much prefer forums.

D Mauro (29:51.611)
It almost sounds like a, yeah, for those, I've been on it obviously, but for those that haven't been on it, it almost sounds like a Discord server, you know.

Jon DiMaggio (30:01.602)
Yeah, it's real-time chats versus posting, replying, posting, replying. The forums have moderators, so when you have some annoying person that's posting, again, pictures of their cats and it's off-topic, they remove them. On Telegram, it's a free-for-all. So they're both good resources for information; just my personal opinion, I much prefer spending my time on forums.

D Mauro (30:15.291)
Thank you.

D Mauro (30:21.115)
Right.

Jon DiMaggio (30:30.722)
I much more enjoy the community. If I'm going to have to be amongst criminals, I'd rather be on one where there's some basis of control and the conversations are on point versus pictures of your cat.

D Mauro (30:43.611)
Unbelievable. Yeah. So in Ransomware Diaries 4, you talk about two things that I have researched a ton. Like, one was our very first episode on this podcast, a year and a half ago, two years ago, was on the original Sony breach. Right. Not the very first one, but the one that...

Jon DiMaggio (31:03.362)
Yep. Right. Not the North Korea one, but yes. Yeah.

D Mauro (31:08.251)
It was either tied to North Korea, but there were still a lot of open questions around it. And you talk about the Sony breach in Ransomware Diaries 4. You also talk about the MOVEit breach, which we've done a deep dive on. And I mean, nobody has done a better job than Brett Callow over at Emsisoft. He's one of my, like, he's so good. But I just keep...

Jon DiMaggio (31:23.65)
Yes.

Jon DiMaggio (31:30.402)
I know, bruh. Yeah.

Jon DiMaggio (31:37.25)
Let's not stack his ego too much. He's okay. All right, he's okay. The half-primes of bread. I'm just harassing.

D Mauro (31:37.339)
I do.

No, but it's still, I know it's, but like the way that they've been tracking MOVEit is just amazing. So, what is the significance? So in Ransomware Diaries 4 you mentioned that on September 26, 2023, Ransomed VC, which is Ransom Support, as you call them, right? The guy also known as Impotent.

Jon DiMaggio (31:49.92)
Yeah.

Jon DiMaggio (32:03.97)
Yes, so Ransom VC's the operation; Ransom Support is the moniker of the guy who runs it.

D Mauro (32:09.019)
Yeah, and he also went by Impotent. Like, does he not know what that means, or is he...

Jon DiMaggio (32:15.682)
He went by Impotent, that's right. He made it up because the guy who got arrested from Raid, his name was Omnipotent, and he made a variation of that that is making fun of him, trolling him, and he went by Impotent. I have all his names; that's my favorite. But it's funny, because when you read some of the chat, the engagement conversations in my report, you know, I'm asking,

you know, this other hacker, when did you find out that Ransom Support was Impotent? And it's just like, I get so used to saying the names, I didn't realize what I was saying. Then when I'm reading it, it just, you know, the 13-year-old in me has to giggle.

D Mauro (32:54.459)
That's hilarious. So they claimed this past September, just several months ago, about six months ago. Yeah, September 20. Yeah, they stole 260 gigs of data, quite a big haul. But what happened? Was it real? Did it not happen? Did they sell the data? Was it old data? What happened?

Jon DiMaggio (33:04.352)
Number 23.

Jon DiMaggio (33:20.994)
Yeah, so the amount, the size of the data stolen, was less than what they claimed. The actual breach took... So I've gone through the data to try to validate if it was authentic. And it is authentic; however, it was a single computer from Sony. The breach took place on August 11th. The data was first talked about amongst criminals on August 23rd, and on August 26th it was leaked publicly, some of it was leaked publicly, by Ransom VC.

The problem is, on Breach forums, there was another hacker that used the alias at the time, Major Nelson, who claimed to have the same data, and he posted that. And I went through both of them, and they both had the same data within them. So they both were the same data set, they both came from the same source. It was legitimate, it did look like it was legitimate, authentic data from a Sony system out of Japan.

based on the language settings on that system. And it had a lot of development stuff on there. There wasn't a lot for Sony to take a loss for. By the data itself, it wasn't really that useful. But with all the media around it, it certainly hurt them from that exposure. And RansomVC's brilliant branding and marketing themselves, that's really where they excel in getting people hyped up about them and to believe that the story they're telling is true.

D Mauro (34:34.491)
Yes.

Jon DiMaggio (34:47.298)
because it's being reported, it's being talked about by researchers, whatever it might be, they use that as leverage to get people to believe that that's true. And Sony's bad, the State Farm thing was even worse. So I asked Ransom Support how the hell this other guy got the data, who had it first? And there was a, basically there was somebody working for him named IntelBroker, and allegedly he got the data first. And...

whether IntelBroker is also Major Nelson or vice versa, I can't keep up with all of it. That's what Ransom Support says, he's the same guy. But who knows if that's true. But the point is that these two people had the data at the same time and only one of them could have stolen it originally. So the other one had to have stolen it from them. Or I guess people will say, oh, well, you could take it at the same time. That's not what happened. The criminal got it and then it was obtained by someone else.

who got it first, it's hard to say, because they both came on the same, around, leaking it around the same time.

D Mauro (35:50.747)
So, and what was the tie-in with the MoveIt breach and CLOP? We've talked about the MoveIt breach because MoveIt is an encrypted file transfer platform and they've been compromised and one of the largest compromises of the decade, it seems, that continues to mount and yet it's like the media doesn't really talk about it because I don't think they understand it.

Jon DiMaggio (35:57.184)
Yeah.

Jon DiMaggio (36:11.074)
For sure. Yeah.

D Mauro (36:19.003)
But the CLOP ransomware gang, they're not even launching ransomware. They're just leveraging the vulnerabilities that they have and stolen all the data, right? It's just a...

Jon DiMaggio (36:25.73)
taking data? Yeah. Yeah, they're not encrypting systems or any of that. They don't even have affiliates anymore. I mean, so it's a whole different operation. But to answer your question, so there's not a tie, but the CLOP stole a bunch of data from Sony. So as a researcher, the first thing I need to do is see, is this data from that breach? Because that's something else that I found that RansomVC would do is take previously stolen data.

alter, edit it, put in some other new fake data or add in publicly accessible documents or whatever it might be to try and make it refreshed and look real and then try and extort organizations for it. So I needed to make sure that wasn't happening and it wasn't. This was separate. That data was global. This, or a lot of it was in the, I'm sorry, that data from CLOP was mostly from the US and this data was not. The CLOP data had a lot of systems. This does not. It came from one system, so a little bit different.

D Mauro (37:23.291)
over in Japan or from what it looks like in over in Japan.

Jon DiMaggio (37:24.45)
Yeah.

Yes, yeah, yeah, correct.

D Mauro (37:30.203)
So one of the things that we've discussed, you and I, on this podcast is the software, the ransomware software, the malware that is developed by these organized cybercrime gangs is designed in a way that it will not attack or it should not attack certain speaking languages like CIS countries, like Russia, Iran, like whatever the...

Jon DiMaggio (37:54.954)
Correct.

D Mauro (37:58.427)
the Eastern Bloc countries that are done. And what is the reason for that?

Jon DiMaggio (38:05.474)
So the main reason is these guys are primarily based out of Russia, and Russia doesn't consider it a crime as long as you don't attack a Russian entity. So what a lot of these ransomware variants do is they just look for the language being used on their computer and that system. And if it matches one of the languages that are spoken in those CIS countries, especially Russian, it will not execute and unleash the ransomware, if you will, to encrypt all the data

on the system itself. So it's just a sort of a built-in precaution. Obviously, it's code. You can change that. But that's sort of... Until Ransom VC, that is a rule that I have always seen followed. It's one of the few that's not been broken. And it's funny because I was on the... I used this service called eCrime, and I'm looking at their website at the data for breaches. And the darker the red, the more breaches there are. And Russia had the...

tiniest little hint of off-color and I go and I hover over it and it says one. There's been one reported incident that they have in all of their data and that's Ransom VC. And it was a hospital. So two no's, two things you're not supposed to do.

D Mauro (39:15.355)
No. So.

Exactly. So in Ransomware Diaries 4, you have a subsection that's called, Don't Make Putin Come to My House.

Jon DiMaggio (39:28.994)
Yeah, because he said that to me. So I thought it was funny. So I made it the title of that section.

D Mauro (39:33.723)
So like you just pointed out, there's one rule that's sacred among all these ransomware gangs, and that is you do not target Russia or other countries within the Commonwealth of Independent States, which is CIS that we talked about. And the rule, yeah, and the rule is, well, you've seen, you know, we saw our like, REvil get taken down in Russian style where they're bashing the doors and they have these videos, these very dramatic videos.

Jon DiMaggio (39:46.466)
Yeah.

D Mauro (40:02.491)
They haul them through the Russian legal system and stuff, arguably because at some point, for some reason, we believe or we surmise that they fell out of favor with the Russian government. Is that fair?

Jon DiMaggio (40:14.594)
Yeah, or there's political motivations, but yes, that's fair. It doesn't happen often, but it has happened. It happens in the Ukraine more than Russia, but yeah, or it did happen in the Ukraine. These days they're busy, but yeah.

D Mauro (40:17.307)
Right.

Right. So, yes. Yes. Right. So, these geniuses at Rush at Ransomed VC on October 4th, 2023, they posted a victim notification. And where did they post this? On the dark web.

Jon DiMaggio (40:37.078)
on their data leak site. They posted it. So on Ransom.

D Mauro (40:40.475)
And do a lot of these gangs keep their data leak sites on both the clear net, like on Telegram as well as on the dark web, or is it mostly only on the dark web?

Jon DiMaggio (40:52.034)
So what they do is they'll usually, it'll be on the dark web. Some of them have it on clear net, on the regular internet. So Ransom VC had both. Again, with Ransom VC though, clear net was the primary, the dark web was the backup, and then they use Telegram for their group chats, in their, in like their group channels, to leak data, and it's just another mechanism sort of in their infrastructure. So they leak the data on their website.

And then they also use Telegram to try to sell it, to market it, to leak it, you name it, they do it. To have conversations about it, it's just another mechanism to leak it and try to embarrass the victim and try to get money from other criminals.

D Mauro (41:36.411)
Got it. And on October 4th, 2023, Ransom VC posted this victim notification for a Russian medical center.

Jon DiMaggio (41:44.386)
Yes, that's not what ransom support says, but that's what it really is. He told me, when I asked him about it, I was like, why would you attack something in Russia, let alone a hospital? And he said to me that he must have been high when he did it and that he thought it was a plastic surgery center. But you just go to the website, it's clearly a hospital. You just look at the services and everything offered. It's clearly a hospital. But as I said, he's not in Russia. And that's why I believe him, is because of stuff like this. He just...

That's why he did it, because he just doesn't care.

D Mauro (42:16.539)
In your investigation of these guys, where was the evolution? First of all, where do you think they're based?

Jon DiMaggio (42:25.25)
So I think the people who work for them come from all over, but he's primarily in Bulgaria. He's got people who work for them that are somewhere in the UK, somewhere in South America. They're all over the place, but those are just some of the places where I was able to somewhat validate as much as you can that that's where some of the people that worked with him came from. I actually didn't find that there were many true Russian nationals working for him. So.

The operation was all about perception and making you believe something, but that's not what the reality was. That's why it was interesting to me.

D Mauro (43:01.947)
Yeah, exactly. So what couple things I want to ask you. So where is where is Ransomed VC today? Like where did your investigation wind up? Like what?

Jon DiMaggio (43:13.058)
Yeah, I was talking to Ransom Support, I was talking to him earlier today, because that's when he was trying to tell me he was starting something new. But yeah, no, he's still in Bulgaria. You know, he... I can't say this for a fact, but I believe he has ties to organized crime in that country. But regardless, he seems to be pretty connected. He's not afraid of the police. So I don't think anything's going to happen to him anytime soon. But, you know, he lives there, he's from there. He...

For some reason has a strong liking, he's very fond of Serbia. So I don't believe that he's Serbian, but I do believe somebody that he knows or is close to him must be because some of the aliases and names he's used in the past have been affiliated with Serbia. The newest program, the Raznovic, that's affiliated with the Serbian gangster. Their Telegram channel, TigrzBarkan, that's also affiliated with that same Serbian gangster.

So there is a nexus there, but I do believe that he is actually Bulgarian.

D Mauro (44:21.083)
Do you see a lot of cyber crime gangs or ransomware as a service gangs in Serbia or in Bulgaria generally? Or are they mostly?

Jon DiMaggio (44:29.57)
I've not seen, no, just this guy, just these guys. I haven't seen anybody else out of Bulgaria. I mean, I'm sure there's stuff out there like smaller pockets that I don't even look at, but no, I've not seen any of the, you know, the, whatever we'll call the big box ransomware gangs, you know, the name brands, if you will, that people hear about in the news all the time. I've not seen. Right.

D Mauro (44:49.947)
The Mercedes and BMWs of cybercrime are like LockBit and BlackCat and things like that, right?

Jon DiMaggio (44:56.45)
Right. Right. Yeah. So yeah, I've not seen anybody, you know, I've definitely seen many affiliates, threat actors based out of that region. There very well could be, you know, some groups based out of Serbia, but Bulgaria, there is, I have not seen any prior to this.

D Mauro (45:15.963)
Based on your findings, do you think that he was involved with Ragnar Locker gang? Because Ragnar Locker was a legit... Yeah. And they had six people affiliated with them that had been arrested. He claimed that he posted... I found that six people affiliated with me have been arrested. Is there any validity to that?

Jon DiMaggio (45:23.65)
Yeah, they were real deals.

Jon DiMaggio (45:39.522)
Yeah, so let me just break it down real quick. So the Ransom VC operation started August 15th. On October 22nd, they launched a separate forum called Ransom Forum. By launching that, it still takes time, money, and resources that's showing they're expanding their operation, not closing it down. The very next day, on October 23rd, six men were detained.

got doors kicked in, brought in by Europol, that were considered or believed to be members of Ragnar Locker. Seven days after that, on the 30th of October, Ransom VC announces it's shutting down. They put up a message saying six people associated with me have been arrested or may have been arrested, as we said. And like I said, nobody believed them. Once I got the information that he was associated with that gang and I looked at the dates and everything, it lined up perfectly.

he must have been concerned that because of those that are the arrest and the detainments that someone was going to leak his information and have them shut down. So if when I got the information, it sounded out there to me, but it fit like a glove, you know, I mean, everything lined up with it. And the person who gave me the information was one of his top affiliates, if you want to call him that, you know, a hacker who was well known.

long before Ransom VC and the hacking world. So I believe him. I believe that it's true. It makes sense. The circumstantial evidence completely fits. It's like I had this missing puzzle piece and he handed it to me and I put it and it just fit perfect.

D Mauro (47:20.139)
Excellent. So leaders in business and in like healthcare fields, they ask sometimes, you know, when our data gets stolen or if our data gets stolen and a cyber criminal gang posted on the dark web, our clients and our customers and our people don't go on the dark web.

So how does that really expose us? Like they're saying, well, we're going to publish it. And we're like, yeah, but you're publishing it on the dark web. Nobody that we know goes on the dark web. So who are you publishing it to anyway?

Jon DiMaggio (48:01.794)
Yeah, so there's two ways. One is researchers and reporters both monitor those sites, you know. So that information is going to be obtained. But two, other criminals do. And often, you know, it's to sell that data if the victim doesn't want to pay. So it has sort of a dual purpose. One is to notify basically, you know...

D Mauro (48:11.245)
Thank you.

Jon DiMaggio (48:28.994)
journalists and researchers that this has taken place, and to, to sell stolen data to make money in case the victim doesn't pay, so they still get some sort of profit from their work, or at least that's how they view it.

D Mauro (48:41.819)
And that data can be used in other attacks or to go after the actual people, and dox them or extort them.

Jon DiMaggio (48:45.216)
Yeah.

Jon DiMaggio (48:50.21)
Yeah, there's lots of things that can be used for everything from like, let's talk about, remember when REvil popped Apple, or what a contractor, it's the contracted company that worked for Apple, and got all their engineering diagrams, you know, that they then went after Apple, even though that wasn't who was compromised. So yeah, there's definitely, you had Accenture, they got hit by LockBit. And according to LockBit, three targets he had in the following months after that, that were airlines, came from that data.

I couldn't validate it, but that's what he told me. So it definitely happens when they use that data to then harm other organizations that either did business or were clients of them, things like that.

D Mauro (49:27.803)
And it's.

That's absolutely, this is a great story. So what like high level, what's your impression of the Ransom VC, this guy? Ransom VC is the organization, Ransom Support is the moniker for the gentlemen here.

Jon DiMaggio (49:43.906)
Um.

Jon DiMaggio (49:50.242)
Yeah, I'm laughing because it's been such a crazy ride. He's always been, to me personally, he's always been professional, respectful, makes jokes, water cooler talk. We got to know each other pretty well. He definitely, what's the right way to say this? I don't want to call him mentally ill, but he has issues he needs to work out. He...

He lies a lot, but he doesn't lie because he can't tell the truth. He lies, and this is the problem with assessing them, is a lot of people think he's a scammer and he just makes up these lies. But when he makes up lies, he is looking three steps out. There's a reason he's saying this lie and it's going to affect something down the road. And I found that out because I was looking back. And when I started to take the lies that he would tell me or other people and then look at where they originated and where things ended up,

There was always a motivation or a plan. So because of that, I would tell the researchers, I know that a lot of people aren't looking at these guys like a top level group, but they're causing a ton of damage and half the time they haven't even done what they've said and they've gotten us all to believe it. To me, that is a problem because you just don't know what the truth is and they very well may really have your data. They may have stolen it, they may have bought it, they may have made it up, but you don't.

know. So that is harder than when you have a group, you know, like BlackCat or Black Basta or any of these. And it's just that you don't have a way to know. So with those groups, they have a reputation. They're concerned about their reputation. They most likely have the data that they say they have. But that's just not the case with these guys.

D Mauro (51:42.139)
These guys seem like they are masters at marketing and manipulation.

Jon DiMaggio (51:46.69)
That is, I've told, I've told Ransom Support this so many times, like he doesn't need to be a criminal. He should go, should have spent his time opening a marketing company because he, that is what he is. I hate to keep giving him compliments, but that is the one thing that that guy is brilliant at. I mean, he is really good at making people know their name, know their brand, make them believe they're 10 times bigger than they are and they have

all this data on organizations that half the time they don't have, half the time they do, getting his name in the news. He even willed a lawsuit into existence with State Farm. He basically...

D Mauro (52:23.771)
Walk us through the State Farm story. What happened there?

Jon DiMaggio (52:26.978)
Yeah, so basically, RansomVC posted State Farm as a victim. They claimed to have all of their data. They didn't have all their data, but they did have a database. That database, however, didn't actually contain any PII, and the person who actually did the breach shared that with me so I could validate that it did not have PII in it, fully admitted that he did the breach, and he knew way too many details that I...

And he never lied to me. The guy, USDoD, he might be a criminal, but I've talked to him for three months. Unlike Ransom Support, USDoD has never lied to me. He might say things I don't like, you know, as far as his actions, but they've always turned out to be true. So I looked at it. I was able to validate that there was no PII. The data is basically useless. However, because they posted the victim site and because they have tons of social media accounts, they're even on TikTok.

Ransom VCs, all these social media platforms. And they got all the spin and the buzz around it. All of us, journalists, researchers, security vendors, talked about the breach. It was made public. And everyone bought into it because they read the headlines. And State Farm customers did too. So even though they didn't actually have that, what's that?

D Mauro (53:47.067)
Please see the state far.

So then the customers who allegedly lost their PII went and sued State Farm?

Jon DiMaggio (53:56.002)
Yeah, the class action lawsuit, it's in federal court now and I know for a fact that it's not real. So it sucks because this is a victim. They didn't get, you know, they didn't pay the ransom so they didn't have to do an incident response. They didn't have to spend all these millions of dollars on that, but now they got to spend it in lawyer fees. And while I may not be a huge fan of insurance companies, this isn't right what's happening to them. This is terrible. So.

It's the first time I've seen something like this, but it really is a wake-up call that we as researchers and journalists really need to not just report when a bad guy says they've breached something, but we need to report on it when there's either solid evidence or the person, the victim itself, has made a notification.

D Mauro (54:44.795)
Unbelievable. Well, Jon, thank you so much. I mean, as we wrap up, I want to ask you, there's been so much high level discussion on, it seems like a lot of these gangs, you saw what CLOP did with MoveIt, you see that a lot of these gangs are just almost evolving into a smash and grab. Like they want to just take the data, the customers, the victims can

keep a copy of their data, they just want to take it and then extort it. It's almost like becoming extortion as a service. Is that what you're seeing in the industry?

Jon DiMaggio (55:20.514)
Yeah. Yes.

Yeah, that's... Well, there definitely still is more traditional ransomware groups that encrypt and steal data, but we're seeing that model where it's simple extortion with just the data and no encryption more often. CLOP does it, Ransom VC, despite what they claim, I've never seen any evidence that they actually encrypted anybody's data. They're just stealing it. And I do think it's easier, it's faster.

It leaves less logs and things of that nature. And they still get the ransom. I honestly think we're going to see more of that. I had a conversation with LockBit about this and he still felt like it's almost like when, if you were to stab somebody on the ground bleeding, kicking them a few more times is still going to help. So why not do it? But we're seeing other groups that have a different mindset where they're not, and they're simply stealing the data. So...

I don't think that we're going to see traditional ransomware go away, but I do think we're going to see more of this movement where it's just data that's being stolen. We need to come up with a new term for that because people get confused when you hear that. You know, you hear ransomware, you think encryption, but that's not always the case.

D Mauro (56:37.051)
Yeah, it's almost like extortionware or extortion as a service. I've coined that here on cybercrime junkies, extortionware. Well, so are and having said that though, ransomware is up this year, right? Like it's like, depending on which vertical, some of it's up X percent, some of it's higher, lower, whatever. But so ransomware itself, the actual encryption of it is up.

Jon DiMaggio (56:42.786)
Yeah, exactly.

Jon DiMaggio (56:47.426)
Got all sorts of things being coined here.

Jon DiMaggio (56:55.138)
It is.

Jon DiMaggio (57:00.354)
Yeah.

D Mauro (57:05.595)
as well as now this extortionware, extortion as a service.

Jon DiMaggio (57:09.826)
Yes, that's correct. The one thing that I want to say though about that is, again, this is based on my direct conversations with threat actors, is I've been told that the ransom amounts that are being paid have gone down, which is one of the reasons the bigger ransomware gangs are pushing for higher volumes of attacks, is because even though the numbers have been up, their income was less. So by having more attacks, they're hitting their numbers a few.

D Mauro (57:39.291)
Wow. And you had mentioned in our previous discussions that these ransomware gangs, whether they're deploying ransomware or just extortion as a service, they get together almost like a sales force and chart out, like they have business meetings, don't they? Where they talk about the numbers and how this quarter is doing and what threats and what tactics are working and which ones are more profitable.

Jon DiMaggio (57:59.106)
Yeah, it's.

Jon DiMaggio (58:08.418)
Yeah, they do. LockBit definitely does that. And you'll see that on some of the Russian forums, those type of conversations. But yeah, it definitely is something that takes place. For these bigger organizations, bigger threat actors that are making hundreds of millions of dollars a year, I mean, think about it. It's like a company. You've got all these resources. You've got to have employees. You've got people working for you. You've got to have an idea of what kind of money you want to make.

and things like that, and you want to make more than you did the previous year, it's literally like a business, except that you're committing crimes.

D Mauro (58:42.427)
Wow. Yeah, and only they're doing it from a part of the world where they're not going to get in trouble as long as they don't do it a certain way.

Jon DiMaggio (58:50.594)
Yeah, hopefully someday that changes, but that is the case now. But again, you've got these other groups, like, I don't know how this guy's in Bulgaria, how does his door not get kicked in? You know what I mean? That's why I believe he might be tied to organized crime, because how else, how else does this guy's door not get kicked in? So.

D Mauro (59:01.243)
Yeah, exactly.

D Mauro (59:06.107)
how else could he not be looking down? Yeah, well, Jon DiMaggio, thank you so much, sir, for all your wisdom, your research. We will have links to Ransomware Diaries 4 in the show notes and below, as well as I saw that you guys did an audio reading of it, an audio. Yeah.

Jon DiMaggio (59:29.09)
Dude, they're so long. I gotta make it easy for people to listen to also.

D Mauro (59:34.651)
Well, you're doing the right thing and you're helping law enforcement, you're helping people understand it and that's the whole key, right? Because we can't understand, we can't defend against something we don't understand. So thanks for all the work and we will talk again soon. Very, very, very excited about this work. We will have images and pieces to it throughout this video as well. So...

Thank you everybody for listening and we will all talk again soon.