Cyber Crime Junkies

Cyber Crime Take Down Story. LOCKBIT.

May 07, 2024 Cyber Crime Junkies-David Mauro Season 4 Episode 58
Cyber Crime Take Down Story. LOCKBIT.
Cyber Crime Junkies
More Info
Cyber Crime Junkies
Cyber Crime Take Down Story. LOCKBIT.
May 07, 2024 Season 4 Episode 58
Cyber Crime Junkies-David Mauro

NEW! Text Us Direct Here!

Video Episode here!

Jon DiMaggio, Senior Security Strategist with https://analyst1.com and former NSA analyst, author of The Art of Cyber Warfare (https://a.co/d/72qKbc4) joins us for an exclusive discussion on the cyber crime take down story of LOCKBIT.

Chapters

  • 00:00 Introduction and Background
  • 08:10 Financial Aspects of Ransomware Operations
  • 24:33 Technical Skills and Criminal Intent
  • 39:46 The Self-Convening Justice System in the Criminal Underground
  • 48:31 The Importance of Effective Communication in Cybersecurity

 

Accelerate your CMMC 2.0 compliance and address federal zero-trust requirements with Kiteworks' universal, secure file sharing platform made for every organization, and helpful to defense contractors.

Visit kiteworks.com to get started. 

We're thrilled to introduce Season 5 Cyber Flash Points to show what latest tech news means to online safety with short stories helping spread security awareness and the importance of online privacy protection.

"Cyber Flash Points" – your go-to source for practical and concise summaries.

So, tune in and welcome to "Cyber Flash Points”

🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss an episode!

Follow Us:
πŸ”— Website: https://cybercrimejunkies.com
πŸ“± X/Twitter: https://x.com/CybercrimeJunky
πŸ“Έ Instagram: https://www.instagram.com/cybercrimejunkies/

Want to help us out? Leave us a 5-Star review on Apple Podcast Reviews.
Listen to Our Podcast:
πŸŽ™οΈ Apple Podcasts: https://podcasts.apple.com/us/podcast/cyber-crime-junkies/id1633932941
πŸŽ™οΈ Spotify: https://open.spotify.com/show/5y4U2v51gztlenr8TJ2LJs?si=537680ec262545b3
πŸŽ™οΈ Google Podcasts: http://www.youtube.com/@cybercrimejunkiespodcast

Join the Conversation: πŸ’¬ Leave your comments and questions. TEXT THE LINK ABOVE . We'd love to hear your thoughts and suggestions for future episodes!

Show Notes Transcript Chapter Markers

NEW! Text Us Direct Here!

Video Episode here!

Jon DiMaggio, Senior Security Strategist with https://analyst1.com and former NSA analyst, author of The Art of Cyber Warfare (https://a.co/d/72qKbc4) joins us for an exclusive discussion on the cyber crime take down story of LOCKBIT.

Chapters

  • 00:00 Introduction and Background
  • 08:10 Financial Aspects of Ransomware Operations
  • 24:33 Technical Skills and Criminal Intent
  • 39:46 The Self-Convening Justice System in the Criminal Underground
  • 48:31 The Importance of Effective Communication in Cybersecurity

 

Accelerate your CMMC 2.0 compliance and address federal zero-trust requirements with Kiteworks' universal, secure file sharing platform made for every organization, and helpful to defense contractors.

Visit kiteworks.com to get started. 

We're thrilled to introduce Season 5 Cyber Flash Points to show what latest tech news means to online safety with short stories helping spread security awareness and the importance of online privacy protection.

"Cyber Flash Points" – your go-to source for practical and concise summaries.

So, tune in and welcome to "Cyber Flash Points”

🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss an episode!

Follow Us:
πŸ”— Website: https://cybercrimejunkies.com
πŸ“± X/Twitter: https://x.com/CybercrimeJunky
πŸ“Έ Instagram: https://www.instagram.com/cybercrimejunkies/

Want to help us out? Leave us a 5-Star review on Apple Podcast Reviews.
Listen to Our Podcast:
πŸŽ™οΈ Apple Podcasts: https://podcasts.apple.com/us/podcast/cyber-crime-junkies/id1633932941
πŸŽ™οΈ Spotify: https://open.spotify.com/show/5y4U2v51gztlenr8TJ2LJs?si=537680ec262545b3
πŸŽ™οΈ Google Podcasts: http://www.youtube.com/@cybercrimejunkiespodcast

Join the Conversation: πŸ’¬ Leave your comments and questions. TEXT THE LINK ABOVE . We'd love to hear your thoughts and suggestions for future episodes!

Story of The Cyber Crime take down of LOCKBIT.

Find more at CyberCrimeJunkies.com

Jon DiMaggio, Senior Security Strategist with https://analyst1.com and former NSA analyst, author of The Art of Cyber Warfare (https://a.co/d/72qKbc4) joins us for an exclusive discussion on the cyber crime take down story of LOCKBIT.

Understanding the Cyber Criminal, How To Measure Success in Fighting Cyber Crime, cyber crime take down story, latest cyber crime news, rise and fall of cyber crime gang, importance of credibility in cyber crime, why reputation matters in cyber crime, why reputation matters to cyber crime, why reputation matters to cyber criminals,  rise and fall of a cyber criminal, cyber crime take down of lockbit, undercover inside a cyber crime gang, jon dimaggio undercover, lockbit, law enforcement seizes cyber crime gang, law enforcement seizer of cyber crime site, when fbi seizes cyber crime site, exposing cyber criminals, behind scenes cyber criminals, cyber crime gang under cover, cyber crime gangs get taken down like the mafia was, cyber crime gangs under cover, going inside cyber crime gangs, how cyber criminals are like mafia, latest insight on cyber crime gangs, new insight on cyber crime gangs, newest findings on cyber crime gangs, people behind cyber crime gangs, undercover in a cyber crime gang, what it means to profile a criminal



Chapters

00:00 Introduction and Background
08:10 Financial Aspects of Ransomware Operations
24:33 Technical Skills and Criminal Intent
39:46 The Self-Convening Justice System in the Criminal Underground
48:31 The Importance of Effective Communication in Cybersecurity

D. Mauro (00:01.196)
Welcome everybody. Welcome, welcome everybody to Cyber Crime Junkies. I am your host David Mauro and in the studio today is top security analyst, chief security strategist at Analyst 1 Jon DiMaggio. He's also the author of a SANS Difference Maker Award Book of the Year, the art of...

The Art of Cyberwarfare, and it has permanent residence up on my bookshelf. It's a phenomenal book. We'll have links to it in the show notes. A fantastic book and a fantastic guy who was also recently featured on 60 Minutes talking about ransomware as a service. Jon my friend, welcome to the studio.

Jon (00:51.214)
Thank you for having me again. I'm always happy to come talk to you guys. It's like family at this point.

D. Mauro (00:55.18)
Yeah, so Mark was going to, yeah, Mark Mosher was going to join us. He is sitting right now in another studio, which is a dental chair and he's, he's getting a drilled. So, uh, that is fine. No, it's not at all. So, um, you were recently on 60 minutes. Congratulations. It was a phenomenal segment. Um, and I'm sure as other times that I've seen you on the media, you probably recorded a lot of content and then you, they,

Jon (01:04.078)
Ah.

Jon (01:08.238)
That's not fun.

Jon (01:14.574)
Thank you.

D. Mauro (01:23.852)
give you like this little clip of it. But I want to take...

Jon (01:25.934)
Yeah, it was a lot. I mean, we spent a lot of time. It was like three months prior to that aired and we were in the studio and then there was all the fact checking and the meetings afterward. Yeah, it was a lot for sure.

D. Mauro (01:40.044)
How did they do fact checking?

Jon (01:43.47)
So, generally what they look for is, it depends on the topic. For something like the topic that we were doing where it's intelligence based, it's not like you can just go and look.

D. Mauro (01:54.892)
I mean, they can't call the lock bits up and be like, hey, Mr. Russian ransomware gang leader, have you been talking to Jon DiMaggio? He's like, yes, Johnny is my friend. Right?

Jon (01:57.806)
Right, right.

Jon (02:07.054)
Right, yeah, there isn't. And that was actually a problem that they had. So what they ended up doing is actually using me to fact check most of the rest of the show. And I'm assuming they used one of the other experts to fact check me. Some of my stuff is just obviously relationship driven, so there's nobody really that can fact check that. So what I did with that is...

D. Mauro (02:11.34)
Yeah.

D. Mauro (02:20.396)
Oh, excellent.

D. Mauro (02:32.46)
But a lot of it's been published. A lot of it's been published like you've published in Yeah.

Jon (02:35.534)
Yeah, that's exactly right. And that's what I said. A lot of that I directed them to some of the screenshots and conversations and stuff that are publicly available. But there's some trust there, obviously. And there was a couple of things where I wouldn't let them air it, but I showed them some of the screenshots from transcripts just so they could see that the conversations actually took place type of thing. But I wouldn't let them air that particular content. But I understood them wanting to make sure that somebody's not making things up.

D. Mauro (03:05.804)
Well, I think it's very good that they show that journalism integrity.

Jon (03:10.542)
Yeah, they were pretty hardcore in fact checking that it took took about two weeks every day, multiple calls going through stuff. So they were pretty thorough. And of course, they have a whole team of people. They had this guy, Will, who was really sharp guy. And yeah, he like looked at every little detail. He was extremely thorough. So I gave me an appreciation for things that I see. I mean, of course, anybody can get things wrong, but.

D. Mauro (03:20.364)
That's really good, actually. So, yeah.

Jon (03:38.222)
they definitely put a strong effort in to make sure that they're not missing something.

D. Mauro (03:43.276)
That's really good. Well, the segment was very good. And I'd like to take a deeper dive on that if that's OK, unless you're opposed to that. So they, you know, they're they highlighted in the 60 minute segment, the infamous MGM breach and how it compares to the Caesars breach. But more importantly than those two organizations is ransomware as a service overall.

Jon (03:51.374)
Yeah, sure, of course.

D. Mauro (04:11.5)
and extortion as a service and what the state of cyber crime is today because organizations want to know how to protect themselves. So can you just for the listeners, let's just define some terms. So can you explain ransomware as a service?

Jon (04:32.078)
Yeah, ransomware as a service is, think of it as a model or a framework for business. You have two, well actually three pieces to it, two major pieces, which is a service provider and then the partners who they provide the services to. And then there is sort of the back end support and infrastructure that goes into it, but that's sort of behind the scenes and part of the service provider's role.

So with the service provider, what they do is they provide the infrastructure. Sometimes they provide negotiation help, they provide the ransomware, malware, they provide the panel that you actually log into through a browser, it's on tour. It's a web panel where you manage your attacks and can see the amounts of money that have come in. And that's also where you perform the negotiations.

So all of that is something that the service provider has to maintain, make available, and provide to its partner affiliate, which is the other piece of the model. Those partners are kind of like the customers to that service provider. And what their job is is to take those tools and resources and go and do the dirty work. They're the ones that do the hacking. They're the ones that actually, with the tools provided, steal the data.

And then they use those tools, that infrastructure part of it is a leak site. And once they have the data stolen, they go and they, it's all point and click, but they start what's called a countdown timer that publishes the name of the victim and it grabs a little bit of text from there about me, about what, telling about the company and that countdown timer starts. They can also upload data for leaking that can be provided in the leak site to help pressure victims.

So when it's all said and done, they share profits and that's how they make money doing this. They take the extortion amount from the company and then that's shared amongst the service provider and the partner affiliate. And the service provider puts some of that money back into what they do in order to continue to update and provide new services and things like that. LockBit takes that on a new level where he actually gets feedback from the people.

Jon (06:48.494)
the criminals who work for them, what they like, what they don't like, what services they'd like to see or improved upon, and frequently tries to incorporate that into this model. He treats it, as I've said this before, he treats it like a business, and that's the reason that people like to work for him.

D. Mauro (07:04.332)
So it is very much it's a like a software as a service It is like a sass platform like a sales force almost where people can point and click and manage You know this type of threat made us this amount of money this type of threat didn't do so well Maybe we don't use that one anymore, and they can plan things accordingly

Jon (07:09.87)
It is.

Jon (07:13.998)
That's right.

Jon (07:22.67)
Yeah, except the clients in the Salesforce platform aren't being extorted. But if you were to look at it as that model, you would see the company name, the dates, the times, the button to go to the chat panel. And if the negotiation was paid, it'll show the amount. If it's not, it'll have a timer. And if it's expired, it'll just show that it's expired and the data's been leaked. But yeah, it's very similar like that, but for criminals.

D. Mauro (07:29.612)
Exactly.

D. Mauro (07:50.828)
Wow. And there's clearly a lot of illicit money changing hands here, right? When victim organizations pay the ransom, all that money is kind of filtered and allocated right there in the platform, right? So, oh, okay.

Jon (08:10.094)
Yes. Well, yes and no. No. So the affiliate, so with a lot of ransomware groups, that's the case where the provider has all the money and controls the money. What Lockbit did, it sort of gained trust of affiliates that he wouldn't rip them off as he lets them control the money. And then they have to pay him their percentage at the end. And if they don't, he boots them out and there's so many people.

criminals that want to work for LockBit, it's very easy for him to just fill that gap with the next person. And generally, if you're on your own doing this, you're not going to make the same type of money when you have the name of a big criminal brand, if you will, behind you. And most victims don't understand that ecosystem, but they can Google LockBit and they'll know it. But if someone goes off and does this on their own, then...

They're not going to, it's not for you to go Google or to see that, you know, this, this is really bad type of thing and they're less likely to pay. So he knows that and the leader knows that and he uses that as a leverage to not get ripped off. But it does happen sometimes where people don't pay and they do get booted, banned from the platform and, and he moves on, but he's making so much money or he was making so much money. He's still making money, but not as much, but anyway, he's not worried about it is the point.

D. Mauro (09:32.108)
So let me ask you this. One of the questions that we get asked often is, how are they allowed to do this? Meaning, how is an organization, and when you say LockBit, that's kind of the brand name of this, of the particular ransomware gang platform. It's the name of the ransomware code, right? And they kind of brand it, they create a logo, just like what Black Cat and Akira and...

Jon (09:53.678)
Okay.

D. Mauro (09:59.948)
before them and a lot of these different ones, right?

Jon (09:59.982)
Yes.

So, yes, so the payload itself is named Lockbit and then the group is named Lockbit. Now, it's funny because long before I started really getting heavy into ransomware, I even wrote a whole chapter about this in my book with attribution. It used to be as researchers, at least with nation states, we would name the malware and we would name the groups. And one of the hard rules is you never name the group the same name as their payload, their malicious payload, because it makes it very confusing.

D. Mauro (10:21.26)
Mm -hmm.

Jon (10:32.718)
But the ransomware bad guys named themselves and for that reason, their ransomware payload is almost always named the same as what their group is. And yes, LockBit's got branding, their own logo, all that stuff. We've talked about this, the tattoo contest, they did a year or so ago.

D. Mauro (10:51.116)
So they ran a tattoo contest to build like a community, right? And there was even some talk about them offering some scholarships or something for affiliates to bolster their skill sets.

Jon (11:04.238)
Yeah, they did. They participated on one of the Russian forums and they sponsored a hacking competition. It was an article contest though, not literally hacking, where you would write about new novel ways to exploit things and to hack things. And LockBit donated the $5 ,000 that the winner would get and sponsored it and helped review things and stuff like that. That was, I think, I don't remember if that was 2020 or 2021, but yeah, they did that. And, uh,

They have a lot of out of the box stuff they do, which is why I think they've been around as long as they have and have gotten sort of infamous in the criminal world.

D. Mauro (11:42.892)
So when these in Lock Bay was one of the top in on the planet, one of the top gang cybercrime gangs leading the charge, along with some of the others that have been in the media like Black Hat and Scattered Spider. What I want to ask you is the groups like Scattered Spider, those are more decentralized groups of hundreds or thousands of

individuals that perform in concert with some of these ransom workings.

Jon (12:18.382)
Not hundreds of thousands, but Scattered Spider is not as organized. Yeah, yeah, it's nowhere near as organized. So, Scattered Spider has a large US presence. It's younger people that are into, you know, like sim -swapping attacks, social engineering, things like that, and they provide a support element for a fee to ransomware groups. Mainly, they're known for helping and supporting Black Cat.

D. Mauro (12:22.284)
I'm sorry, I meant thousands. Yeah, just thousands.

Jon (12:47.662)
I don't, to my knowledge, they've not worked with LockBit, but anything's possible, but I'm not aware of that. But yeah, they're more of like a support element. Almost like if you're a defense contractor and you hire a sub, that's what Scattered Spider would be, was like a partner company to come and work with you on this project. That's basically what they do, if you look at it from that view.

D. Mauro (13:10.444)
And their claim to fame or their skill set is social engineering, meaning the research, the making of the phone calls, the understanding or giving insight on the Western civilization, the culture, the nuances.

Jon (13:22.798)
See you.

Jon (13:26.478)
So, I would say that their primary service is sim swapping actually, but they're most known for their social engineering because they did, I don't know what other way to put it, such a stellar job with MGM, they were so good at it that I think that sort of is what they're known for. But traditionally, like historically for the time they've been operating.

I think they've definitely done a lot more of, you know, sim swapping schemes and hacks than they have social engineering. But because they did it such a good job with it, with Black Cat, you know, I wouldn't be surprised if they really expand on that. But yeah, they're definitely, you know, talented at what they do. They're scary in a different way, but yeah, they're definitely talented at what they do.

D. Mauro (14:18.156)
And when you say SIM swapping, can you explain that a little bit for those that may not know?

Jon (14:23.342)
Yeah, so basically, you know, your phone has a SIM card. You use your phone for two -factor authentication amongst many other things. And so, very much to make this pretty high level and not get technical, but it would be, it's basically like, you know, the phone company controls your device through the ID that's on your SIM. So just think of it as somebody almost in the old school like phone.

phone movies where the operator had to plug in the terminal, it would be like that and somebody putting a box in between so that they can get that traffic or reroute that traffic to their own device. That is absolutely not how it's actually done, but just to make it very easy, high level for understanding, it allows them basically to get those two factor codes and other things that would be necessary to get into your accounts.

and get information off of your phone that they otherwise wouldn't be able to get. And that's why we always tell people to try and use an authentication app instead of text messaging. And it drives me crazy that there are so many important financial related institutions that only have text -based dual authentication because it is really, I don't want to say easy, but it is, it's easy. It happens every day. It's easy to achieve if you know what you're doing.

And a lot of these financial organizations actually don't make two -factor auths that you can log into or even let you use third -party ones. And that is a big problem, and these guys know that, they rely on it, and that's why they're making a lot of money.

D. Mauro (15:55.276)
And the danger is once they take control over your phone, right, you're on your end, your phone will just die or it won't have service. Right. And then meaning the battery still works. You could still do see your pictures, things like that. But your your phone service, your connection from your device to Verizon or AT &T or T -Mobile or whatever goes off. Right. And then they're able to receive messages coming in like.

Jon (16:15.822)
Yeah, they take over your service essentially. Yeah.

right.

D. Mauro (16:24.044)
give me your code for your bank, they're able to get that message. You won't get it. And then they're able to log on and impersonate.

Jon (16:30.862)
Yeah, that's right. And just to be clear, since I don't dive into the expertise of phones too often, so there may be, just like with the types of attacks that I specialize in, there may be different ways to accomplish that or different levels. But the primary way, yes, is you have, essentially you have the services turned over to another device. And then you gotta call the company and tell them that this happened. And I can tell you from experience, from when people tried to do this to me,

like T -Mobile is the absolute worst. They act like I was the scammer calling them. They weren't even my provider and they were trying to turn my phone over. To tip to everybody out there, get yourself an eSIM based phone like an iPhone 14. It makes it much harder for them to actually do that attack and achieve that. But you know.

D. Mauro (17:06.796)
Ugh.

Jon (17:23.214)
A lot of these companies don't know how to handle the calls. They don't understand it. They're getting better, but it's very frustrating, especially when you're talking to somebody who may not be in the same local culture understanding as where you are, and you're trying, you're going through this very stressful moment, and you're having trouble communicating. That was my experience. It was pretty frustrating, but it's a whole nother topic. But the point being,

You don't want to be that person that becomes that victim and unfortunately this happens every day and now it's associated with ransomware attacks, you know.

D. Mauro (17:57.484)
Yeah. Yeah. And so we recently saw a major ransomware attack that you were talking about on 60 minutes and that was the MGM and Caesar's breach and how this social engineering group and sim swapping group, Scattered Spider was working with another ransomware gang beside Lockbit, but they were working with Black Hat. The question that we get asked a lot and the thing that shocks a lot of people is how is this legal?

How are they not arrested? I know the answer, but I would like to hear from you.

Jon (18:31.726)
Yeah, so they're actually just give credit there was one arrest in that in the case. But yeah, for the most part, most of these guys have not been arrested.

D. Mauro (18:35.98)
Yes.

D. Mauro (18:40.94)
Well, one guy happened to travel like like they actually left left the.

Jon (18:43.438)
Right. Well, a lot of the scattered spider folks are actually in the United States or let me rephrase that compared to other other.

D. Mauro (18:48.716)
Correct. Oh, oh, the guy, this scattered spider arrest, the guy down in Florida. Correct. Yes.

Jon (18:55.95)
Yes. So, Scattered Spider has a larger presence in the United States and compared to most ransomware gangs, which are other places of the world, you know, rest of the CIS countries, well, all over the world, but less in the United States than other places. But Scattered Spider, yeah, it has a lot of people that are in the United States, which is different. It's not what we're used to seeing. But the reason that I don't have a good answer for why they're not getting arrested, because if they're in the US, I would expect...

D. Mauro (19:03.596)
Mm -hmm.

Jon (19:26.03)
that it would be a lot easier with those resources to find and arrest them. So I actually don't know why there hasn't been more arrests on that front.

D. Mauro (19:33.676)
No, but what about the what about the ransomware gangs, the ones that are in the news causing most of these breaches? Why are they not arrested?

Jon (19:39.086)
Yeah. Yeah. Yeah. They're not arrested because they're usually in either Russia or the former Russian countries, which is called the CIS. That state, those countries sort of look the other way. Yeah, exactly. That's exactly right. Yeah. They look the other way as long as you're not targeting entities, you know, within those countries, not a conservative crime. Certainly the United States and Russia.

D. Mauro (19:54.38)
The former USSR basically. The countries that made up... Yeah.

D. Mauro (20:03.468)
Hmm.

Jon (20:09.166)
allies. So there's no goodwill to help with this or to stop it. I would say it's almost encouraged. There's a level of protection there. And we're probably never going to get around that until the political climate changes. And that doesn't look like it's going to happen anytime soon. So I think people have to accept there's probably not going to be arrests.

those one -offs where people travel or their affiliates who work for the group that are outside of that area. But that's like getting a low -level associate from, if you want to talk like the Sopranos or something like that or the Godfather, those are like the lower -level guys. Those aren't the guys that are running the organization and making the big decisions. Those guys are going to be protected.

D. Mauro (20:48.268)
All right.

D. Mauro (20:54.188)
Well, they're not going to be able to flip and bring them down because they don't know them. They don't know the heads. They don't know who the heads are. Right.

Jon (20:58.798)
That's correct. Yeah, they don't know who they actually are. That is correct. It's something that is... Anonymity is something that these guys live on in OPSEC. Everybody makes mistakes with that stuff every now and then, but for the most part, they're unknown. I mean, the FBI in that last takedown claim that they know who Lockbit is, I guess someday we'll find out because I would imagine if that's true that eventually it would be...

They often do indictments whether they can arrest them or not. So I read that every day. I'm hoping we'll see something like that. But maybe not. Maybe they don't know who he is. It's hard to say. Because those guys, they make it very difficult and they live and breathe by OPSEC. Operational security is what keeps them alive and safe. So that's one of their most important dynamic elements of their operations is not just having it for themselves.

but trying to provide it for those who work for them while they're using their services.

D. Mauro (21:56.716)
So it's not...

illegal or it's not something that they're going to have any legal ramifications for, for targeting a US -based financial institution or manufacturing organization or commercial company.

Jon (22:13.326)
No, there's no legal ramification. And if you look at, you know, like the Conti leaks, you know, they were meeting with FSB officers at the FSB office in their vicinity. I don't know what those...

D. Mauro (22:25.516)
So the Russian ransomware gangs were actually meeting with the Soviet government, the Russian government and their spy agency and their version of the FBI. Yeah.

Jon (22:33.102)
Yes. Yeah, that's correct. Well, yes, that's correct. You know, we don't know for sure what they were talking about, but I imagine that, you know, it was related to the attacks that they're doing, the money, any intelligence they can gather, maybe access, you know, I'm guessing here, but what else does an intelligence agency going to want from a group that hacks people and steals their data for a living? That's a wealth of information and that access could be used by government.

D. Mauro (22:58.348)
Right.

Jon (23:02.286)
And I personally, though I don't have proof, believe that there's been enough circumstantial, lower level evidence to support now that the FSB and government intelligence sort of hand pick top people within these groups once they identify who they are and they leverage them and their connections to use for intelligence purposes. So I think that's honestly one of the benefits of indictments so these guys get known.

and then they end up with some FSB handler. And the reason I say that that is a benefit is while yes, they might be helping the FSB do something at that point, their lives are miserable. The ransomware bad guys are not afraid of the FBI. They are afraid of the FSB. They don't want to be forced to work with them. They don't want to be forced to share their profit. They don't want to have a handler above them. They don't want essentially a boss, you know, someone telling them what to do. And that's not quite the dynamic, but those are the fears that...

folks over there in that community have. So yeah, but it's a real thing.

D. Mauro (24:04.012)
Absolutely. So let me ask you this, that it's unbelievable that this is because I, you know, US businesses, US organizations, whether they're local governments, whatever, they don't really understand this. And they don't understand because if they did, they would take their own cybersecurity layers and the effort that they make, they would take it much more seriously. So how technical do some of these affiliates have to be?

Because if the systems and the platforms operate like a SaaS program, it almost seems like there's more people that are criminal intended than are technically savvy.

Jon (24:46.638)
Uh, you know, here's the thing. A lot of the people, there's a reason that I have, you know, relationships with a lot of ransomware criminals. A lot of these guys probably, well, no, let me hear me out. A lot of these guys, you know, if they were in a different place prior to getting involved in this, you know, are technical savvy, they probably work for tech companies or insider security.

D. Mauro (24:59.116)
Do we want to ask about that? Or do we want to ask why you have these relationships?

D. Mauro (25:15.052)
Right.

Jon (25:16.494)
if they were in a different environment. There's not a lot of jobs that do that and there's even less that pay well there. So that's why they turn to crime. Now, that doesn't mean that I think it's okay. I'm just telling you why it happens. But, yeah.

D. Mauro (25:29.996)
Yeah, because through your interviews with them, they've explained, look, I was working 100 hours a week for basically $100. And now I'm making $10 ,000 a day or a week doing this. Why like and my family has health bills and everything else. How else am I supposed to support my family? Plus, it's I'm not going to get in trouble here. So why would I not do it?

Jon (25:36.782)
Right.

Right.

Right. Yes, that's correct. Yes.

Jon (25:49.966)
That's right. That's right. And it's one of those things where, don't get me wrong, there's a lot of them that are just scumbag criminals, but there is a percentage of them that are, I always get beat up when I say this, that are decent personalities where if you didn't know they were committing crimes, like they're regular people, they're not all mentally ill criminal psychopaths, a lot of them, but not all of them. So.

D. Mauro (25:58.956)
Of course, yeah.

D. Mauro (26:17.74)
Right.

Jon (26:18.286)
When I meet those ones that are not psychotic, crazy criminals and are just regular criminals that seem to be, you know,

D. Mauro (26:27.02)
Well, but for their circumstance, they probably would be law abiding citizens. Yeah. Which is tragic, which is really tragic. And it's bad for cybersecurity and for legitimate businesses in the US because now they're faced against pretty decent people that, because of their circumstance, are driving things that they're not going to get in trouble for. And so there's lack of empathy there.

Jon (26:31.438)
Correct, yeah, yeah. So.

Jon (26:51.054)
Yeah, and there's the war going on, there's all the sanctions. I mean, it's a whole different, you know, having been in the military and traveled all over the world and been to different places, like I know what it's like in other places. And so I always say when people complain about here, they need to get sent somewhere else to see how life is when you have malicious governments that really do bad things to people. But my point being is that I don't agree with what they do. I don't condone what they do.

D. Mauro (26:54.636)
Yeah.

Jon (27:20.91)
but I can understand how they got there at least, regardless of whether I can donate. And you have to have that approach when you actually get close and talk to people and do those things. Because if you go into it with judgment and looking at it just from your views, no one would talk to you, you'd get no information. Yeah, exactly. So I've really learned to go into this and trying to be unbiased, try to be open to things. Obviously I have my opinions, but there's a certain mental state that you have to go in when you're going to

D. Mauro (27:35.692)
Well, you're not going to develop a relation. You're not going to get intel from them, right?

Jon (27:50.862)
to try and talk to ransomware criminals if you're gonna get any sort of results from it. And going in with just sort of the ideology that we have here, it doesn't work. So you just have to kind of wipe the slate clean, go into it without having anything in your head of how they should or shouldn't be, and just kind of let them talk and listen and see what they have to say. And then the good thing about that is...

then you can try and build that relationship and then you can try and extract intelligence, get information about attacks, find out what's happening on the inside, and use that to stop attacks. And that's kind of the name of the game.

D. Mauro (28:26.443)
Absolutely. So in these ransomware gang platforms that operate like a SaaS program, like a software program, are they able to, I mean, the end result is they are getting inside US organizations undetected, and they're there for a while before they actually launch. When they do that, are they buying access or does the platform themselves identify a vulnerability and then go in undetected?

Or are they buying access like from a market or from a initial access broker, these IABs?

Jon (29:02.798)
Uh, the answer is yes, it's both. Yeah, yeah, yeah. So, so, you know, buying access is, is, is very easy because then you don't have to do any of the legwork to get in at the same time.

D. Mauro (29:03.596)
Or is it a little bit of both? Okay, yeah, it's both. Okay. All right.

D. Mauro (29:14.668)
Well, they sell it like it's like an Amazon store. You're like you want access to this company, you can buy it. It's ridiculous.

Jon (29:20.462)
Yeah, I would call it more like eBay because with Amazon you're not bidding. But yeah, I would call it more like eBay. But yeah, you just pay for that access. So that way if you're a bad guy, but you're really good once you're inside a network, enumerating it, elevating your privileges and that sort of stuff, but you suck at the actual initial breach at the entry point, you're not good at that.

D. Mauro (29:23.34)
Yeah. Correct.

Jon (29:45.646)
Well, you can go and buy that and someone will provide it for you and then you do your thing and you make more than enough money to cover those expenses. And it feeds into the ecosystem, the criminal ecosystem. And it just keeps going round and round and that's why it's growing and that's why there's more and more criminals that we see every day being involved and that's why we see more headlines and it's just a nasty cycle. We need to get past...

I started to say this, but I want to finish the point. We need to get past thinking we're going to arrest these people because for the most part, we're not. That doesn't mean we stop trying, but we need to stop looking at arrests as the win. What the win is, is disrupting them, slowing them down, making their lives harder, exposing who they are so their name and face is everywhere. So they have to look over their back. The people who are working for them might turn them in for these, you know, $10 million rewards that the US government's putting out on them. That's right.

D. Mauro (30:25.1)
Correct.

D. Mauro (30:40.844)
Well, it's all based on anonymity, right? And when you think of organized crime in the United States, how it was taken down, it was because everybody, like every police department, federal, like prosecuting office, like they have the pictures and the names and they had org charts up on their walls. They saw it every day. These guys weren't anonymous anymore, right? They operated for a while until that anonymity was gone. And so your point about once we exposed...

get rid of the anonymity, the risk will go down for US organizations.

Jon (31:18.702)
Yeah, I just like I said, I really think that we need to measure the ransomware war, if you will, in our success in it in smaller steps. Right now, what's actually realistic that we can do for wins are disrupting them. And unfortunately, the population is looking at it is, well, and the media looks at it is the win is if we can arrest and stop them.

That is not realistic. That is not a realistic goal because they have detection. We cannot do that. What we can do and we are getting a lot better at is disrupting them. And the NCA and the, you know, the FBI's part of that had been getting better and better at that. The most recent one that I think we talked about it last time, you know, they implemented some psychological tactics that were intended to tarnish the brand and reputation of LockBit. And it was very successful.

D. Mauro (31:49.388)
It's not happening anytime soon. Right.

Jon (32:15.374)
and it did have an impact. And I love that I'm seeing them learn and grow and come up with these new out of the box tactics that old school FBI and law enforcement would never in a million years do. And they're getting on board.

D. Mauro (32:27.628)
Well, it's kind of ironic, right, because Lockbit was taken from the pinnacle. I mean, Lockbit is still around, of course, and they're still very powerful. But they were at the episode, they were the Taylor Swift of Ransomware gangs, right? Like they were like.

Jon (32:41.262)
I don't think I've ever heard anybody compare Lockbit to Taylor Swift. I'm going to have to remember.

D. Mauro (32:45.196)
You heard it here first, right? But they were, they were the Taylor Swift of ransomware gangs. And then the approach taken was, well, you guys are destroying reputations here in the United States. They're going to turn that right around on them. And they kind of undermine their own credibility among the forums and where they were in their world. Right. It was quite brilliant, quite strategic.

Jon (33:09.678)
Yeah, that's right.

It was, and they also took their leak site and they made the F, the NCA made their own version of the leak site and they made the bad guys the victims and they even took some of the top affiliates and they named them and they made them on the leak site as then the victim, here's their real name, here's an indictment and they had all these different victim posts with this information and it was even on the panel for each bad guy who logged in. So each affiliate hacker who logged in,

D. Mauro (33:29.804)
Wow.

Jon (33:42.734)
had their own personal tailored message from law enforcement when they logged into the panel that conducted an attack that day. So just think about it from a psychological aspect. You're a criminal, you don't want anyone to know you, and you've got this message from law enforcement on something that's supposed to be very secret.

D. Mauro (33:57.132)
Saying your real name. Saying your real name. Right.

Jon (33:59.95)
Well, for the ones that they knew, but for other ones, they didn't know their real names. So the point is they did know the names they were given. They had all the IP addresses. They had all their conversations, internal conversations amongst one another, as well as conversations with victims, the amounts, the crypto wallets they used, everything. So, you know, when you're someone who doesn't want to know, anyone to know anything about you, and now you know basically everything but your name.

D. Mauro (34:06.956)
Yep.

Jon (34:24.654)
You have access to their money now, everything else, all the wallets, everything. That's kind of an oh crap moment for a criminal. So psychologically though, that works because it makes them second guess. Okay, so yeah, LockBit stood, the media got this wrong. LockBit stood up a new infrastructure five days after the takedown and it was all these articles about it. It wasn't effective, it was business as usual and they're wrong. It was extremely effective. People didn't want to work for him.

D. Mauro (34:30.764)
Absolutely. Absolutely.

Jon (34:52.174)
for the first several weeks, all the posts that LockBit was putting up were former victims or victims that were acquired prior to the takedown that hadn't been posted, but only people that were really on the inside knew this. My point is is that they lost a lot of the top people who worked for them when that happened. Now, they're slowly rebuilding. They're now doing new attacks. People are working for them. I don't know what the numbers are off the top of my head. You know.

They're coming out with a brand new ransomware payload allegedly they're using now. Point is, he's trying to come back with a vengeance. We'll see what happens. But it slowed him down. It cost him time, resources, money. It affected their reputation. It affected the trust of the people who work for them. That is a huge win. And it got me upset when I started to see all these media articles like the, you know, what's not effective and all this other stuff. Because it is effective. You just don't understand how to measure it.

D. Mauro (35:43.98)
Right. Great point. That's a great point. And as we sit here today, there's a what a 15 million dollar bounty on identifying who lock bits up is the head of that ransomware guy.

Jon (35:55.79)
Yeah, I don't remember if it's 10, 15, whatever it is. A lot of money. A lot of money. Yeah. Yeah. Yeah. And there's other people like Bastar Lord, they named him, it's Ivan something and you know, there's a reward, you know, for him, I don't know, five or 10 million.

D. Mauro (35:57.836)
Yeah, it was something like that. Yeah. Yeah. It's a lot of money to turn somebody over if you know who they are.

D. Mauro (36:08.556)
Yeah.

D. Mauro (36:13.26)
I saw that when they did that. I mean, you and I had met and talked about that right after you came out. Was that Ransomore Diaries 2 on Bastard Lord? Yeah. And I remember, I felt like I knew the guy and I saw that. I was like, oh man, they got him or they're going after him. I couldn't believe it. So, because he's one of those guys that had a contextual justification for at least beginning in it. Yeah. Tell me what's going on with him.

Jon (36:21.358)
Right. Yep.

Jon (36:30.19)
Well.

Jon (36:37.038)
You got time for a quick story on him? That's not okay. So about a week and a half ago, he posted on one of the forums, he posted that the FBI got it wrong. He's not the person that they say that he is and that he built these fake personas to lead them to someone else and that he had fed me all this false information in my research. Now, let's come back to reality here.

D. Mauro (36:53.644)
Interesting.

D. Mauro (37:06.732)
Yeah, that's not real.

Jon (37:06.734)
You're named in an indictment, all of a sudden now you're the criminal. Oh, that wasn't me. That's some other guy, you know? So, you know, I get it. He's the younger person. The reality is he's probably scared with everything going on. Yeah. Yeah. So, it irritated me that he brought me into it because, you know...

D. Mauro (37:11.852)
That wasn't me, it was this other guy.

D. Mauro (37:22.028)
I was going to say is probably that sounds like that's textbook fear.

D. Mauro (37:33.74)
Well, Johnny, your picture was on the Lockbit forum, like their actual software. Your picture was there as Lockbit. So you're going to be mentioned, man. Like you're knee deep in it.

Jon (37:39.438)
Right, right, right, right.

No, but yeah, but when he was saying that he fed me false information, that just pissed me off. And it makes me want to go give him some more love for doing that.

D. Mauro (37:50.732)
Oh, that's a... that's... yeah, that's a bunch of crap.

D. Mauro (37:59.084)
Yeah, exactly. So before I let you go, let me let me ask you about this. So a lot of people don't understand, you know, the lock bit, there's the platform that they use, the ransomware gang platform, and they run it like a business, as you've explained, right. And in fact, sometimes they don't even launch the ransomware. Sometimes they're just plainly extorting, correct? Because just straight extortion, threatening to release the data.

Right? That is making them a significant amount of money.

Jon (38:31.054)
Lockbit usually does both, but yes, there are groups that just extort. Maybe there's been an occasion where Lockbit just steals data, but usually they do both because their tools and resources are so easy to use that you might as well is the way they look at it.

D. Mauro (38:33.324)
Got it.

D. Mauro (38:43.404)
Yep. It's so advanced. Yeah. And so they hire these affiliates who don't necessarily know who they are, et cetera. It's like organized crime. But my question to you is this is what happens when Lockbit trusts the affiliates to collect the money and then pay him, pay the core gang leaders? What happens when there's a dispute there? You've talked about, is there a tribunal and system? Like there's a whole like...

system of justice within these criminal enterprises, correct? Can you explain that to us?

Jon (39:17.422)
Yeah, yes. The Russian culture is so different than American culture. And the criminals have this sort of clustering on these forums where they all sort of hang out and there's levels of respect and there's different rankings and everything else. And they have basically their own self -convening justice system where if I'm a criminal and you're a criminal and you steal, I buy something from you and you don't pay me,

I don't pay you you go and actually file a claim in this criminal court on the forums They have what's supposed to be an unbiased moderator and as often it is And then they you submit logs evidence of the attack chat logs between the two of you Whatever it might be they go through it all they get both sides of the story and they make a judgment If they judge it they rule that you like with they ruled against lock bit when he didn't pay an access broker

and they said either you pay him, you know, whatever it was, $4 million or we're going to ban you from the forum. He didn't pay, he was banned from the forum. Here in the US we're like, here's if you're banned from a forum. There it's a big deal and the other forums follow suit. And this is all about like honor. Yeah.

D. Mauro (40:30.348)
And that's where they do business. So what you have to understand is this is hundreds of millions of dollars in a very short period of time trading hands. This is their market. This is their marketplace, right?

Jon (40:40.27)
Yes, and they put a lot of weight on their reputation on these forums, so if you get banned, they basically, they write Ripper across your profile, which like, Scammer, but it really bothers them when this happens and they get really upset, like it's a big deal. And other forums, if it happens on one forum, the other Russian underground hacking forums follow suit, so you get banned across the board.

D. Mauro (41:02.028)
And that's what happened with LockBit.

Jon (41:03.982)
That's what happens in the lock bit. That's right. All he had to do was pay this guy the four million. I actually agree. They didn't agree prior to doing the attack. There was no agreement prior to. I don't think that you should be able to come in after the fact and demand a certain amount. Clearly should have been paid.

I don't think, and I'm not in one degree with Lock that I don't think he should have been banned though, based on this. I feel like that's a lesson learned. If I'm going to buy a car from you and you give me the keys and the title and we don't agree on a price. And then after the fact you say, Oh, I want a million dollars and the car is worth 10 ,000. Like, come on. And that's kind of what the situation was. But anyway, it wasn't, I wasn't the judge, so it wasn't up to me, but this is one of those rare times where I do think.

D. Mauro (41:36.94)
Right.

Jon (41:45.422)
He got the bad ends of the deal, but I mean he's a criminal. If karma exists that guy's got a lot of bad things coming towards him. So this will be the first of many.

D. Mauro (41:54.412)
Unbelievable. Well, Jon DiMaggio, thank you so much. What is next on your agenda? I understand you have something new going to be coming out relatively soon.

Jon (42:06.19)
So honestly, there's a couple of things that I'm working on, but things like 60 minutes, the Lock -Bit Takedown, things have been so busy with a lot of the media stuff that's been going on. I really haven't had time to dive into the research because it takes a lot of time. And then there's the RSA conference coming up. So what I'm going to do is after I think RSA, I'm going to basically shut down a lot of the outside noise so I can focus. I haven't decided if I'm going to...

if I'm gonna dig in more, unlock it, or if I'm gonna branch out to a different group. And I've even looked at doing some more lighter type of stuff, like go through some of the biggest dramatic soap opera fights these bad guys have had with each other on the inside on these forums and talk about what was going on at the world at the time and how the drama affected the real world attacks. That's one idea. I might address some of the things the bastard word says about, you know,

D. Mauro (42:57.164)
That would be really interesting. Yeah.

Jon (43:01.486)
not being who he says he is, things like that. I haven't decided exactly. I've got a couple of ideas, but still trying to figure that out. But I've just been so busy since the indictment and everything happened. Sorry, take down everything happened, talking to folks, doing conferences and all that's also part of my job. But I love the research, so I'm looking forward to it.

forward to getting back to it. That's my, that's, that's what I'm a researcher and a writer at heart. I don't know which I like more. I think writing more, but I love the research. I love the writing. I don't like having to risk my butt as much as I do, but sometimes that just goes with the job, but I would, I would like to. Right. Right.

D. Mauro (43:28.652)
Yep.

D. Mauro (43:36.3)
Yeah. Well, the things we do for content, man, right? You've got to get your content. So you have to go under undercover to a cyber crime, ransomware gangs. I mean, it's.

Jon (43:49.582)
But there's days where I just wish, why couldn't I just have a regular job? Like I could have just been like an IT administrator. You know how much less stress I would have? I know, I know. And I need that. I'm an adrenaline -thrower. As much as I say that now, if I was actually to go do something else, I don't know what I would be. I would be. I would be.

D. Mauro (43:54.604)
Yeah, I know. I know. I know. But it'd be so much less exciting. So, yeah, I know.

D. Mauro (44:09.42)
You'd be bored out of your mind. And we would have a really, really boring podcast. We'd be like, did you see those logs? Mrs. Buttermaker logged in from Idaho yesterday. I know, that's really a great story. Let's wrap that up. So, well, Johnny, thanks for all you do. I mean, not just for us here, but I mean, your book is fantastic. It taught me so much. It taught so many of our listeners a lot. The...

Jon (44:15.374)
Ha ha ha ha!

Jon (44:20.622)
Right. Right.

Right. Right.

D. Mauro (44:37.804)
the work that you do, the ransomware diaries are fantastic. I mean, you're doing good stuff for the country. So, and not just for the US, but for all of Western civilization. So, you gotta feel good about that, man. Like, you know?

Jon (44:45.102)
Thanks, man.

Jon (44:49.934)
Thank you.

That's the reason that when I do get stressed out and I am risking my tail and I am having anxiety or whatever I've got going on, that is what keeps me going. I feel like I'm making a difference and as my boss says, you know you don't have to save the world, you can just let this one go, but I feel like I can't. I don't think I'm saving the world. My point is that I feel like I'm making a difference and I can't just let things go.

D. Mauro (45:00.94)
Someone's gotta do it. And at least if you're doing it, you know you're doing it right. Right? Yeah.

D. Mauro (45:17.292)
No. Yeah, you're not just going in and working on a PowerPoint when you go to work. Like you are actually getting in there and making a difference. And so.

Jon (45:24.014)
That's great.

Jon (45:27.79)
But literally before we were talking, I was talking to a wanted criminal. So.

D. Mauro (45:33.004)
Ah, yeah, so was I, but nothing related to cybercrime. No, I'm just kidding. So, well, that's awesome. So thank you so much. This is really good insight. So, yeah, I'm, you know, we do these public service initiatives where we go and we train organizations on cybersecurity awareness because they really don't, they don't even understand part of the, part of the issue is the internal IT team just says,

Jon (45:35.854)
Ha ha ha ha.

Jon (45:53.102)
Thank you.

D. Mauro (45:56.396)
Hey, we have this security platform. We want this layer. And the decision makers don't even understand why they need it because they don't do a good job of frankly just communicating. So part of what we do is we go in and we just educate not just leadership, but all users about what is really going on objectively. We don't do it, you know, in any sales way. We just kind of do it. We've run them alongside local field agents to the FBI in the past. But we do this in...

So now we've added in segments from your 60 minutes episode. Yeah, I'll show you it sometime when we have more time. Because it's one thing for me to say, this is the thing out there, like the reason you didn't see data breaches before is because they hadn't been organized, they didn't productize things. It is now an industry, there's this thing called ransomware as a service. They have these organizations, here's how it kind of works.

Jon (46:29.326)
Oh, that's awesome.

Jon (46:34.318)
Yeah, I think.

D. Mauro (46:53.804)
and just setting the stage for them. And your segment on 60 minutes does it in like a minute and a half. So I'm like, let me, if you don't believe me, here's something that was just on 60 minutes. So you're right there. So it's pretty cool. Yeah.

Jon (47:08.302)
I appreciate that and you know honestly one of the biggest threats to security is communication because that is a common problem where technical people and decision makers cannot communicate effectively understand what they need and what's happening and that is

D. Mauro (47:14.348)
It is.

D. Mauro (47:20.268)
Exactly right.

Well, in the industry and the vendors too, the vendors don't do anybody any good by saying, buy this box, you will be secure. Because a business owner, right, or a decision maker hears that and they're like, look, I don't know this technical jargon that you're telling me, but these guys have a solution. We could just buy this. And, you know, every B sides. Yeah, every B sides is like, let's bring that box up on stage. Let's blow this thing up. Right. I mean,

Jon (47:44.526)
Don't get me started in vendors.

D. Mauro (47:53.772)
It doesn't come on. It's not a pro. It's one of the things we start with or security.

Jon (47:57.646)
With the exception of Analyst One, that's a vendor, that's my company that I work for. They're good, but the rest of them.

D. Mauro (48:01.868)
Well, yeah. Well, and they and you guys, but I've actually evaluated your your your platform and stuff. And it's it is a very, very valuable layer, man. Like and you guys don't claim like ransomware like ransomware will be cured if you buy that. So what is you're saying? This is great Intel. You can use this and leverage this across platforms and everything else, which is exactly what it does. So that's not over promising anything. That's like a really useful thing.

Jon (48:14.382)
Let's be made by people like me. So like, yeah.

Right.

D. Mauro (48:31.052)
What I'm talking about are the vendors that are like, this solves all. Yeah. Ransomware is gone because of that. I'm like, don't say it like that. Nobody, you lose all credibility. Oh, I get them all the time. And I'm like, stop. Just stop. You know what I mean? Just, there's just something about credibility. And then when you have credibility, then we'll, then we'll buy your stuff.

Jon (48:34.606)
This defeats ransom. Yes. Right. Right. I've literally gotten those emails from vendors.

Yeah, stop. Yeah.

Jon (48:57.07)
Just remember, birds aren't real. And ransomware can be stopped for $300 ,000 by buying this box.

D. Mauro (48:59.116)
Exactly.

D. Mauro (49:05.004)
Absolutely. It is a shiny box with our logo on it. So, all right, Johnny, have a great one. Thank you. As always, I will let you know when this comes up. Thanks, buddy. See you. Bye.

Jon (49:12.206)
All right. All right. Thanks. Bye bye.


60 Minutes Segment
Financial Aspects of Ransomware Operations
Technical Skills and Criminal Intent
The Self-Convening Justice System in the Criminal Underground