
Cyber Crime Junkies
Translating Cyber into Plain Terms. Newest AI, Social Engineering, and Ransomware Attack Insight to Protect Businesses and Reduce Risk. Latest Cyber News from the Dark web, research, and insider info. Interviews of Global Technology Leaders, sharing True Cyber Crime stories and advice on how to manage cyber risk.
Find all content at www.CyberCrimeJunkies.com and videos on YouTube @CyberCrimeJunkiesPodcast
Is Ransomware Dead? What Cyber Criminals Are Saying.
Jon DiMaggio, author of The Art of Cyber Warfare and Chief Security Researcher at Analyst 1, joins us in this second of a two-part discussion. Here we discuss:
- how cyber crime is shifting gears
- an exclusive look inside their shocking new tactics
- insight from the mouths of top cyber crime gang leaders
- a look inside the corporate-style operations of cyber criminals
· Don't miss the Video episodes!
· Our YouTube Channel @Cybercrimejunkiespodcast
· Contact us direct! Find the Podcast, extra content and more at https://cybercrimejunkies.com.
· Don't Miss VIGILANCE. The Newsletter. Translating cyber into understandable business language.
Grow without Interruption. Stop Breaches. Leverage Advances in Technology with NetGain. Contact NetGain today at 844-777-6278 or reach out online at www.NETGAINIT.com
🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss a video episode!
Follow Us:
🔗 Website: https://cybercrimejunkies.com
📱 X/Twitter: https://x.com/CybercrimeJunky
📸 Instagram: https://www.instagram.com/cybercrimejunkies/
Want to help us out? Leave us a 5-Star review on Apple Podcast Reviews.
Listen to Our Podcast:
🎙️ Apple Podcasts: https://podcasts.apple.com/us/podcast/cyber-crime-junkies/id1633932941
🎙️ Spotify: https://open.spotify.com/show/5y4U2v51gztlenr8TJ2LJs?si=537680ec262545b3
🎙️ YouTube (formerly Google) Podcasts: http://www.youtube.com/@cybercrimejunkiespodcast
Join the Conversation: 💬 Leave your comments and questions. We'd love to hear your thoughts and suggestions for future episodes!
Is Ransomware Dead? New Insight into a New Ruthless Model.
Jon DiMaggio, author of The Art of Cyber Warfare and Chief Security Researcher at Analyst 1, joins us in this two-part discussion.
Topics:
· Undercover dark web investigations
· Is ransomware dead?
· Dark web secrets
· Face to face with cyber criminals
· Effects from real-life cyber crime attacks
· Emotional toll from cyber crime
· Face to face with ransomware
· Emotional effects of real-life cyber crime
· Emotional effects from cyber attacks
· The shocking human toll of cyber attacks
Thank you for listening!
https://www.linkedin.com/build-relation/newsletter-follow?entityUrn=6941459114879311872
David Mauro: [00:00:00] Come join us as we dive
deeper behind the scenes of security and cybercrime today. Interviewing top technology leaders from around the world and sharing true cybercrime stories to raise awareness. From the creators of Vigilance. The newest global technology newsletter translating cyber news into business language we all understand.
So please help us keep this going by subscribing for free to our YouTube channel, and downloading our podcast episodes on Apple and Spotify so we can continue to bring you more of what matters. This is Cyber Crime Junkies and now the show.
Welcome everybody to Cyber Crime Junkies. I'm your host David Mauro. Hopefully I'm not frozen on the screen. I've had several technical problems this afternoon. We are joined in the studio today by none other [00:01:00] than the top security researcher on the planet, Jon DiMaggio. Jon, welcome, sir. We're very excited about having you.
No, you're always welcome here, sir. And always what's the seat in the motorcycle right next to it? The little guy, the side, the sidecar right in the sidecar of my chopper is Mark Mosher with a little helmet on. Oh,
Mark Mosher: absolutely. Dave, this is gonna be such a good episode. If you guys have not listened to the past episode with John on here, I encourage you to go onto YouTube.
Go download our podcast from Spotify, , iTunes, wherever you get 'em. These. segments are priceless. This is such good stuff. You will not believe it. Buckle up, lace up them Nikes. We're about to move
Jon DiMaggio: fast and move quick.
First and foremost, for those that might have not seen your work, they may not have your book up on their bookshelf like I do, [00:02:00] Jon.
And you're welcome. I take check, I am one of your biggest fans. So just explain to everybody kind of what your role is there over at Analyst 1. Yeah, so my official title is, I am the Chief, I had to think for a second there, Chief Security Strategist.
And the reason I had to think about it is because at the end of the day, I consider myself to be a researcher, bad guy chaser, analyst, writer. Sort of combined. But yeah, my job is basically to do research, and to write about it. So, I do a lot of, direct engagements, I use fake personas, I try and get close to these days ransomware criminals, and I write about it.
The first, I'd say, you know, 14 years of my career were all spent on espionage and the, the past five or six have, have all been ransomware. So it's it's funny, I think the change. So that's phenomenal. And that is the, being an advocate against cyber crime is something [00:03:00] that. People don't always talk about when they think of cyber security, they think of cyber security.
I gotta
Mark Mosher: step in for a second, I gotta step in. Ladies and gentlemen, he's selling himself short on this. Short of the cape and a big S on his chest, there are very few other people that are making a mark for the good guys in the betterment of our civilization when it comes to the internet and cyber security than Jon DiMaggio.
So, sorry, had to get that plug in there for you.
Jon DiMaggio: You guys are too good to me, but thank you. I really do appreciate that. But honestly, I mean, that is, you know, one of the most rewarding parts of this job is I do feel like I make a difference with the work that I do and the results. You know, it motivates me and the long nights, you know, last night I'm in my writing phase right now.
Last night I was up, it was like one in the morning and I was still going. And it's just, you know, these are one of the things that motivate me as I do. I feel like it makes a difference for the work when I see the
Mark Mosher: results. It does. Hey! [00:04:00] When the bad guys use your picture as their avatar, they know
Jon DiMaggio: your name and know your name.
They do. They definitely do.
David Mauro: That's exactly right. And what Mark is referencing for the listeners and the viewers who may not know Jon or know the history. You know, first of all, for context, right? Like 30, 40 years ago, Johnny, when we were growing up, there were two different worlds. Like even 20 years ago, there were two different worlds.
Jon DiMaggio: There was our regular world, the physical world, right? And then There were people using computers for stuff. It was like an electronic, almost copy of what, what was going on. But if that broke down, we could still do everything, right? It really never interrupted daily operations. And that's really changed like our whole lives in one way or another is hosted.
It's connected online somewhere. And so, you know, in, in the real world, in the physical world, right? We have police. We've [00:05:00] got the FBI, we've got police, we have some, somebody causes trouble, somebody rips you off, somebody steals from you, somebody breaks into your home, all those things we have places in our society in place, right?
Here we are. People working remotely, people working from everywhere, from an airport, restaurant, cafe, and we all get online and there are no police, right? When we get online, we actually enter, like, their world. We enter the, the, the same world that cyber criminals live on. And it's it's, it's, it's a daunting daunting task and to have people like you as an advocate against cybercrime going undercover and doing this It's really needed now.
I'm not to say that and you know, this better than we do but the you know, the US [00:06:00] federal and even state law enforcement There are elements that get online and how then you know in flush out cyber criminals and things like that But for the mass public, right? We aren't protected And so we really look to a lot of people like you to kind of shine a light and on the dark web and Well, thanks.
I appreciate that. It's, it's funny when you talk about, you know, law enforcement doing it, what a lot of people don't get is, you know, I work for a small company. I don't I mean, I have my laptop. I mean, I don't, I don't have fancy tools. I don't have a crazy security budget. You know, I use open source tools, my laptop and I try to get creative.
So yeah. But it makes you work harder for it, you know? We make it look good. And that's what, that's our goal in this podcast because we don't have Jack either and we just make it look really, really shiny. You know, that's the whole point. You guys are doing a good job. That's kind of the whole point. [00:07:00] So when you said, you mentioned you worked for about 14 years in espionage.
And your book The Art of Cyber Warfare, which I do have on my shelf and which I read, which I proved to you when we first did this podcast. I had read it and it was really good because part of it was kind of technical. Some of it was over my head, especially at that time. It was newer. And and the, the other part was really interesting.
It was all about like the story behind some of these breaches and the aspen. That's the part I like the most writing it. It's so interesting. What, in what capacity did you used to work for the federal government? Did you work for in private sector? What did you generally do? If you can't disclose it, just indicate some, which is.
No, no, it's, yeah, I worked for I was a SIGINT analyst, I worked for one of the intelligence agencies, so yeah, I did I did Secret Squirrel stuff honestly, my favorite part about doing that, though, was writing the reports I've always enjoyed writing the negative to that was like, Five people would get to read them but [00:08:00] I got to do cool things that I, that I don't get to talk about, but, but it was a fun job I enjoyed it, you know, it got to a point where I was just ready for, for something else to change things up, which is why I joined the private sector and I went to Symantec for seven years and I worked on their, their attack investigation team, which we, most of, most of the work we did was espionage related and that's, that's mainly what, what I did while I was there.
Interesting. And, and, and the espionage aspect to cybersecurity always fascinates me. When we, we, we did a segment, yeah, we did a segment on those, the series of breaches several years ago, the Anthem breach, the Office of Personnel Management, the Equifax breach, the Marriott, Starwood Hotels breaches. And those would have been, I wanted to ask you about those because we, I just never have.
And those were all major breaches. With vast amounts of data taken and they had financial information They had health care [00:09:00] information. They had Credit information as well as like travel and everything If that were to be sold like all these other breaches that we read about every day in the news on the dark web It would have been worth a lot of money, wouldn't it?
It would, but it's actually a lot worse than that, so the first public report I ever wrote was for Symantec, and it was called the Black Vine Espionage Group, and it covered two of the breaches you just talked about and that was Anthem and OPM, and at high level, what happened with that is that was a China based nation state, you know, sponsored attacker, and they popped Anthem and they popped OPM.
Let's think about this. Anthem, at the time anyway, provided a lot of the health care coverage for federal employees. OPM stores all the records and does all of the investigations and background work to get top secret and secret clearances. [00:10:00] So when you combine those two together, you have a hell of a lot of great information on what should be everybody in America that works with classified information.
So you can make lists for entry in the country. You can make target lists for further espionage. You can make blackmail to use data for blackmailing purposes. There's a lot of things. So in, in looking at that versus bad guys selling it, I think we would have been better off with bad guys selling it.
Not that either of them would have been a a good ending to that story. But, but for that one, I think a lot of people. didn't know the big picture of what was actually happening with it from from a public aspect. Yeah, this, this happened, what was it, Mark, eight, eight, nine years ago or so, I think. Yeah, 2014, 2015.
So even then we weren't seeing data breaches and cybercrime gangs in the news like we are today. Right, not like today.
Mark Mosher: Yeah, and
Jon DiMaggio: it was. We're going to get to a point where there is no [00:11:00] PII because everybody's information is going to be out there in one dump, data dump, or another. Yeah. Yeah. Well, and, and, yeah, and that, that leads to another topic that I wanted to ask you about.
But let's, let's stay on the, on, on the espionage piece. So, what boggles my mind about these, these breaches is these are breaches that normally when LockBit or BlackHat or one of these gangs go and, BlackCat, I meant to say, sorry. Yeah, when they go and they exfiltrate, fancy word for steal, when they steal a bunch of data, right?
The first thing they do is they extort, they blackmail them, they say, pay X amount. You know, millions of dollars by this date. Otherwise we're going to leak your data. And and then they do, or they go to sell the data online. So that data has a value either. First of all, it seems like, correct me if I'm wrong, but.
The cybercrime gangs [00:12:00] are first and foremost proud of their, like, hit, are they not? Like, they are the first ones to be like, we did this, like a big bombing, this terrorist group says, yes, we did it, we, we, we, we take responsibility. These guys are the first ones to do this. And what I found in those When I was just researching, I started researching them raw, like, without other people's filters, and I was like, how come no cybercrime gangs are, like, my insight was no different than what you found, what others found, but I was finding it on my own.
I'm like, why are no cybercrime gangs? Bragging about this. This is a massive hit. Yeah, these are massive breaches. How is nobody taking claim to this? And then, how come nobody sold it? Or, or demanded a ransom for it? Like, there was none of that. And still haven't. Right, and it would be worth, from some of the reports I saw, you mentioned things, and[00:13:00] there were some other reports even I, I saw some indictments later came down against like four or five Chinese nationals that were part of the Chinese military.
And the It's always nice to see that you were right years later when it's not. Yeah, exactly, right? And they're, and, and they're, they're like, we just discovered this and we're like, Oh, they've been saying this for like five, for like four or five years. But it's, but it's interesting how politics work. But the but, but they say that would have been worth billions of dollars, like hundreds of millions, several hundreds of millions of dollars and nobody wanted it.
So it shows you the value of that data was even beyond financial, right? Yes. Yeah, it was absolutely what they could do with it, how they could repurpose it to better suit the government of China's, you know, stance in, in different aspects in the, in the world, but also for, from intelligence value, just to get a sort of step up on us.
I mean even I would never visit there [00:14:00] just because of that breach alone, knowing that my information was in there and think, But I had a, had a clearance and who I worked for and everything else I just wouldn't risk it. And I, I think that there's a lot of people out there that might be in that situation and don't even know it.
Cause let's think about it. The U S government's pretty big these days and everybody gets a clearance nowadays. So maybe not to a certain level, but my point is, is that there's a lot of people that don't necessarily realize that. I think when they, when they travel that the data that they think was protected, if they were, you know, in the, in the government Military with Clearance back at that time that it's, it's all out the window.
Somebody else has access to it.
Mark Mosher: Well, yeah, and that sets him up to be, you know, a target or compromise, right? Like that's, that's a scary thought.
Jon DiMaggio: Agree. I mean, yeah, it's tough, man, because in anywhere you travel nowadays, you have to, if you're in this line of work, you have to, you know, worry about somebody in my hotel room is, is, am I going to connect to the network?
You know, people think I'm crazy because I bring a firewall [00:15:00] with me when I go on travel, and I directly VPN back into my network. Which is another firewall so that all my traffic is going from a point to point connection through my own network and I do things like that and you know, we, but you have to, you have to be paranoid because, you know, people do crazy things.
The governments do crazy things. And when you see it every day, you can't just, you know, be like, ah, that'll never happen. You know, they'll think of something you're not even thinking of. And you just, you just don't want to end up. Yeah. And there, there was a lot of speculation about what the government.
What the Chinese government, the Chinese military could do with that data. And it's, it's, they could do a lot of things. I mean, if you know this person in the federal government is at this level, they have access to this, they see this data that you want. right? Or they have this access and you know their wife has cancer, their house is being foreclosed, they are traveling here, you could meet them, you could take care of [00:16:00] all of their problems, or a lot of their problems, financially and turn them against, against the U.
S. I mean that was one aspect. Yeah, I mean. And let's think about it. That's healthcare data. Let's say, you know, it's something embarrassing. Let's say somebody had an STD or something. They don't want that public and you got some guy show up, you know, at a restaurant or bar that you're at. With a full file of all your stuff.
Yeah, if you don't want this being made available to all your friends and family. People think that only happens in the movies. People think that only happens in the movies. It doesn't happen. But it doesn't. It doesn't only happen. There's a reason that when you have a clearance you get polygraphed and background checked and that's because the word you're going to get blackmailed.
And it's because things like this happen. Right. Which is why Mark, which why Mark is not polygraphed cleared. Yeah, I, I, you know,
Mark Mosher: I don't mind being compromised. My credit score is like a seven. Yeah. And he's so, I dunno, what do with that?
David Mauro: He's got clearance to hit the bourbon trail down in Kentucky.
he's got clearance.
Jon DiMaggio: Well, I mean, I [00:17:00] haven't been in that world now for a while, but yeah, I remember those days and I'm happy to not have to deal with the headaches of polygraphs and all that other stuff. I mean, even you don't have something to hide. They're just a pain in the ass to have somebody asking you all questions about your personal life.
Mark Mosher: Absolutely. Yeah. No doubt. Yep.
David Mauro: So you brought up a really good point and this is something I've, I've been talking to a lot of people about, and that is there's so many data breaches, right? It's like every, like, you know, I used to go onto the site, like, have I been pwned, right? And And like, maybe there was one, right?
Now I go on the site, there's like 17 and I don't even know any of the apps. So my data has been sold to this guy, to this guy, to this guy. And then they get breached. I'm like, holy, so much of our stuff is out there to me. When selecting a company to work with or selecting a lawyer to work with or selecting a healthcare group, right?
Because it's still all commoditized, right? We can select who we do business with. And [00:18:00] when doing it, it's, it used to be, or it still is to a degree, but here's my question. At what point are we going to get to, we're not judging organizations by whether they've been breached, but we're judging them by how often they've been breached or how they handled the breach.
Like, are we getting to that next evolution, do you think? I
Jon DiMaggio: Definitely think the, how we handled, or how they handled the breach even inadvertently is something that's being looked at because You know, there are, there are companies that there's some, I won't recall them out, but like in the volume one of the Ransomware Diaries, there's a big company that I called out because they sat there and lied and they said that they weren't breached and they, for like three months, they said it despite their, their name and data being posted on a data leak site by a threat actor.
Mark Mosher: And then some of the, some of their customers were allegedly compromised because of that data being repurposed. And it's just my, you know, like I think that when, when [00:19:00] the general public gets aware of those type of things happening in other companies, at least I would hope that would make a difference in if you want to work with them.
At the end of the day, Dollars do the talking. So maybe it doesn't, but I know from a consumer aspect, I definitely look at those things and and I, and I won't give my business to, to those organizations just, even if they, they, I wouldn't say handled it right, but something as small as like the sunglass hub.
I'm still upset that those bastards couldn't keep my, my information safe. And it's just my address, but you know what? My company spends a lot of money to have my address removed from all those databases that are out there. And then I have somebody like that who, from years ago that I gave my address to, they couldn't keep it.
And now that data is out on the dark web. And fortunately it's not my current address, but it's just the point. It makes you want to buy sunglasses elsewhere. Right? It does. It does. Yes. Just yesterday, last night I have a family member that called me and they'd gotten a notification from their healthcare provider, and it was part of the Clop, you know, MOVEit breach. Yep.[00:20:00]
Activity. Yeah. And and, and the provider was not even, you know, offering them or offering credit. Yeah, credit, nothing, nothing. And I'm just like, how, how is that? Okay. I get that, that everybody, that things happen, but how is it you're not in, I told, told her to call them and, and she did. And then I said, no, we're not going to do that.
There was 9 million people involved or we just can't, you know, do something to that scope. Well, you know what they sure. They sure wouldn't have my business moving forward. I just think it's, it's, we need to, we need to hold these companies to a higher level of integrity. And, and I just think that I get it, breaches happen and anybody can be hacked, but like you just said, how you handle it makes a difference in your path forward and whether I give you my business.
David Mauro: Well, and I almost think it's going to get to like, some people are talking about like a rating scale to some degree or some metric because. Like, when a breach happens, there's a difference between, okay, it's [00:21:00] compromised, it's limited, yes, this data was taken, but we were able to contain it after a certain part, and they were doing good things.
They had certain measures in place, like, they have an affirmative defense. They were doing things right, but, like, they have to be right a thousand times, the criminals. It's an intervening criminal act. If you think about the law and tort law, right? This is an intervening criminal act coming in to people that are doing best practices.
You really, you can blame the company to a degree, but not that much because they were doing everything. So they handle it, they offer credit monitoring and it goes away. Okay, that's fine. So, I personally would still do business with that vendor, with them, like, it's about risk. And so we still have to go with people that are taking risks seriously.
But then there's breaches that are in the news that you're like, holy cow, they weren't doing anything. Like, like a business that has a ton of confidential information. Where they lied about it. Yeah. They, they, [00:22:00] they didn't have like regular money. They didn't, they didn't have any SOC or any like. Sim, like they weren't looking at all for any anomalies.
They didn't care. So they weren't investing whatsoever in the beginning. And then how do they handle it afterward? They lie about it. They don't disclose it. They wait till the last minute. Like it's that to me is a sign that needs to be like that. A light needs to be shined on that because that to me is we don't want to do business with them.
Like. Well, and there's another angle here that you're also not, not thinking of. And again, I won't name the companies, but this is all out in the public right now. Cause this just happened.
There was a threat actor who who, who had stolen data from Company A. Company A was doing business with Company B. Well, Company C came in and bought that stolen data so that they could go to Company B and say, Hey I might have messed up my letters here, but the company you're doing [00:23:00] business with that's supposed to be, you know, assisting you and protecting you isn't doing that.
I have this data that you were breached, and I have this data that was stolen from you. You should give us our business. And the reason that I have such an issue with that is, you know, you're I get why people pay ransom payments, companies pay ransom payments, you know, that's sort of a necessity, like, having to lose jobs, your customers data, your livelihood.
But when you're doing it for a business advantage, and you're feeding that criminal ecosystem, I think there should be laws against that, and there's not. But I think that that is extremely unethical, and, you know, there's a case where it's been recently talked about, but the fact is, it happens a lot more than people realize.
So a. A company that wants to gain a competitive advantage will go and buy, they'll pay the ransom essentially, or they'll buy the data. They'll buy the stolen data. Yeah, they'll buy the stolen data. Whoa, that is not something we have covered. That's really interesting. [00:24:00] Well, after the fact, I'll pass you the info and you guys can do it as you like.
Yeah, that's a rabbit hole. That's an ugly side of it. Wow. So, so that raises a question. Ransom, there's talk now in the news and in government about outlawing ransom payments.
What are, what are your thoughts about that? Do you think that could ever happen? Do you, I don't know that it'll ever happen. Like they're talking about it in the next couple years implementing something like that.
I mean, first of all, you can't pay ransom to like a like a company or a cybercrime gang that would violate OFAC. Like they can't be on a like terrorist watch list or a, or a country that is, you know, you can't make payments to North Korea, right? Like you're not allowed to in the US. Yeah. This is what will happen if they do that.
It'll at face value be extremely painful. There's companies that will probably [00:25:00] go out of business. There's a lot of people that will lose jobs. There'll be an initial drop in a lot of that activity and we'll start to pat ourselves on the back and then threat actors are going to start to say, Oh, you don't want to pay.
Let's start targeting high profile targets and critical, critical infrastructure because we have nothing to lose anymore. And you're going to start having much more significant, larger scale problems. Maybe not at the same volume, but you're going to give them basically a reason to, to target it. Right now they don't, they're not doing that because of what happened the first time that happened like with Colonial Pipeline.
And they backed off because there's so many other targets they can make money on. But when you take those targets away, they're not going to have anything to lose. So I'm not saying that there isn't pros and cons of that scenario. I do agree that if ransoms weren't paid, eventually ransomware would go away.
Something else would come up. It would be, wouldn't something else come up? Well, that's just it. Whether it's something else or whether they start to do things that are far more [00:26:00] severe to where you'll want to pay the ransom and the government will be kind of forced to have their hand forced. But yeah, of course, there's always something new that comes up in the threat landscape.
When you're talking about defending against threats and everything else, there's always creative attackers that have some new thing we never thought of. But specific to ransomware, yeah, I don't think that that will just solve the problem. I just think it would change the situation. Yeah, I, to, to me, I would find it, you know, well, it leads into the other thing I wanted to talk to you about, and that is BlackCat made new, made a new level of, of street cred, it seems, when they breached a company, MeridianLink. They issued ransomware, they demanded a ransom, they weren't negotiating with them, apparently they weren't paying the ransom, so they were threatening to leak the data, but then they went a step further.
This is the first time that we've seen where they [00:27:00] actually notified the SEC that the victim company did not notify within the new four-day requirement. It's, it's why I love this job. Because every time you think you've seen everything, you've gotta love it in a sense. Holy cow, . Right? What, what do you do with that?
I, I mean, they, they didn't do anything. That part of it wa wasn't illegal. It bettered their agenda. You know, it's crazy to me that they actually filed a, whatever it was, a complaint or a notification with the SEC that this company wasn't being compliant. It, it's just, it's one of those things where you, you just.
Don't expect that to happen. Like, a bad guy is gonna create an account and go here and log in and notify, see the analyst or the agent for the SEC when they got that? They like, saw that, they're like Right. This is from, like, BlackCat. Like, this is ALPHV who filed this? Like, it's not like they give their name and their social and they're Oh, [00:28:00] I'm sure either way, I'm sure that when it was first received, it was taken, you know, they didn't realize that it was taken.
Oh, well, they looked into it and, oh, we might have something here. And then once that came out, it was probably like, I know. Well, so it raises the question of if they're going to that level, I can only imagine what's next like FTC, like any regulatory agency that enforces a regulation on a business.
Notifying that regulatory agency can now be, I mean, I guess it could have always been a leveraged tactic, but it really wasn't anything used that often. It wasn't. I mean, it's really tough because, yeah, you want these companies to be compliant because they weren't reporting these things and then it's affecting the consumer.
And then, at the same time, you don't want that same mechanism to be used to get companies to pay a ransom or bad guys so that they don't have to let people know. [00:29:00] So again, that's why I go back to I can understand that any company can be breached, but it's how you handle it. If you fully disclose, I get it's embarrassing, I get that it's gonna hurt, but it's gonna hurt a lot more when you lie and you don't tell people and you end up screwing over your customer base. And so somewhere in between there needs to be an answer.
Yeah, we don't want to make it We don't want to make them be crazy regulations for notifications, but because companies don't always do the right thing, they do need to be held accountable. And on that, you know, I don't know about, I know nothing about that particular company. I don't know how they handled the attack, so I won't comment on that.
But what I will say is for the companies that do lie about it, that do tell their customers nothing happened they should be, they should be held accountable. that situation I just told you with that family member in the notification letter they got, it said, we have no re your, your data was stolen, but we have no reason to believe that it's being used as being used for fraudulent purposes.
Well, what do you think it's going to be used for? Maybe because it was just a bunch of crap. No one's gonna, it's, it's, it's [00:30:00] like, you know, $5,000 is missing from your safe at home, but we have no reason to believe that it's ever going to be spent. Like, no, they just take the cash to keep it in their house.
Of course they're going to spread it. I mean, come on. Like, of course they're going to use this data. They're going to sell the data. They're going to use it as a data point in a further breach. Like, it's used repeatedly, oftentimes by several different groups. Right. Agree. And, and I also think that there should be, you know, in beyond even just forced to report when a breach happened, I think that just like this situation, there should be a bare minimum that if you lose people's PII, you have to give them, you know, X amount of, of, of a year or three years, whatever it might be, of some sort of identity protection.
So they can at least be, have a chance to be notified when these things start to happen, as opposed to having, you know, these massive problems can't get credited, affects them buying things, affects their businesses. Things like that. And, and so these companies are just like, Oh, sorry, we're not going to do anything like [00:31:00] that's unacceptable.
Absolutely. And we you know, we, see this a lot. In education too, when schools get breached and schools have been in the news a lot this year. And when schools get breached, it's really bad because most parents don't monitor their kid's credit. And so cyber criminals can take over that identity, use it.
For years and then later on find out, right? I mean, that's just it's it's just I mean, it's it's it's ridiculous. So yeah that that's really bad way to start out You know, your life is going from a teenager to you know, to a young adult to find out you have a foreclosed condo And you're like, what? I'm like, I'm in a, I'm in you owe, you know, a hundred grand.
I'm graduating from high school in New Hampshire. Like, what are you talking about? Like, what, why is that? So, yeah, that's really tough. What you [00:32:00] know, almost gets to, to a question of what should an organization have to report on when there's a breach like to me, I, I look to find out, like I'll read through or find out somehow through ZoomInfo or other OSINT measures.
Like I want to find out what were they doing beforehand? What preventative levels? Like to me, there's organizations that are trying some things and they're at least they're, they're trying. Nobody's really doing all the security layers. They should most often unless they're like an enterprise. Level, but even small businesses, right?
They, they need to be doing some things. And there's some of them you, you read about and you're like, they were doing nothing, like no user training. They were like doing it once a year, right? There was like no endpoint detection. There was no visibility into the, into the network. Like they weren't really doing anything right.
And so, and so they, they should be fined or should be [00:33:00] hit. Like harder, like you, you know, like the, you know, spending and prevention should like, you know, there was a lot of pushback and a lot of people were like, well, we can't afford it. Here you can, you couldn't afford IT support, you couldn't afford servers originally, you couldn't afford the cloud originally, but you eventually did it because it actually gives you a competitive advantage, allows you to make more money, allows you to scale.
There's ways to find a way. To support it, you just have to make it important. Yeah, the problem though is there is no mechanism there to hold them accountable for it. So yeah, if they're not protecting, there's so many different levels of standards. Not even standards, so many different levels of security posture that we see that companies have today or lack of it.
You know, once these breaches happen, again, it's, it's the, the consumer that, that ends up being harmed. It's the people whose data that they were supposed to be protecting that ends [00:34:00] up being, being harmed. So when you continue on with business as, business as usual, and there is not a penalty or there is no one to hold them accountable, there's, there's no motivation for them to fix it outside of their public reputation being damaged.
And clearly, like in this case with this medical organization I was talking about yesterday, sometimes they just don't care. So, you know, what do you do? I don't have an answer, but it's why I'm surprised that happened from a medical organization too. Yeah. Well, they said, cause it's not, it was 9 million people and they said it was just too many that, you know, it's just like they were treating them almost like it was an act of God type of thing.
Like this just happened. It's inevitable. Nothing we can do about it. And maybe, maybe there'll be more, you know, that'll come out with that cause that, you know, just hit the news a few days ago. I believe that the specifics on the company, so, you know, maybe they're just giving their money up. They deserve it.
They have no place being when that's how they respond to these sort of things. Especially when it's healthcare data because that's not just [00:35:00] your, you know, financial aspect. I mean, the financial aspect is in it as well, but you know, those are your private personal records. I mean, We need to go back to using paper for, for medical records, I think, because nobody seems to be able to protect our data anymore.
I wish I was in charge of protecting my own data. I would feel much safer about that than all these other organizations having it out there. It's, it's just, I have no control. Yeah, we've actually talked to some people that are developing things like that. It's just that they're all in the startup phase, right?
But they have like components in ways. Mark, do you remember the one? One company, I forgot his name, but it's, it's in a prior episode. Please watch, please pay attention to our prior episodes because clearly I didn't, but it was really interesting because he was talking about how being able to encapsulate your own.
financial information, your own medical information. And you just provide people with, it's almost like a link if you think about it to it, but you are in control of it. And I'm [00:36:00] like, that needs to be the norm. Like that is brilliant. And then, you know, there's people that are going to say, Oh, well, I don't know how to do that, but you know what, then that's why you need to learn how to do it.
But don't worry, the companies that were already guarding your data don't know how to do it either. So you'll be okay. But I would much rather be able to be in control of my data that is out there. And I'm not. And that sucks. Because I know I would do a better job of it. And then at least then if something happens, that's on me.
Well, and it's almost less complicated. Like when, you know, security sometimes they, I think it's driven by so many vendors. We tend to overcomplicate things, lots of acronyms, lots of, lots of bold claims, like social engineering solved. You know what I mean? Like you are always secure and you buy this box.
And you're going to have it. And I'm like, what? Like, like, are you kidding me? Like it's, it is not the way [00:37:00] that it works. It's not a product. Like security is not a product. It's not going to happen that way, but there are, but in so many ways it's, it can be simple. Like when you think about, if you reverse some of it, right, and you keep a lot of it in a central location that you can control and you block that from outside, there's, there's a whole bunch of different ways for different segments of different types of data that you can really keep it protected.
Tell me about what what have you been focused on? What is your research? You, you, you and your team, you have a, you have a partner in crime there now and she's been, she's been publishing some really good work too. Yeah. Yeah. So, so I've been, I worked with Anastasia on her last report, which you put out a couple of weeks ago where basically we Just doing some analysis on the trends with with ransomware payments.
I reached out and had a conversation with, with LockBit and they gave us a bunch of information on how [00:38:00] business was going and some of the, the struggles they were having with with, with their, what they'll call their partners where you had a lot of really young, talented hackers that were committing ransomware crimes, but they weren't so experienced with negotiating and therefore they had a lot of.
low paying ransom payments because they didn't know how to sell a car or they didn't know how to buy a car. Right? Correct. So in true LockBit fashion, I always say that they run that their operation like a business in true LockBit fashion. He got everybody together, presented the problem. Took a poll on some possible solutions and they came up with a tiered structure on how to assess targets and what percentage of their revenue you are allowed to negotiate with.
So, okay. So hang on, so hang on a minute. So for, for the listeners, let's, let's evaluate what we just heard from Jon. There's a lot to unpack here. So, so [00:39:00] you, Jon DiMaggio, private citizen in the U.S. wearing a cape, you went undercover or you went to the dark web and you spoke to some of the most prolific people, successful, powerful cybercrime gangs.
Hey, how's your model going? How's business? How are your vendors? How's your team morale? How are sales? And they were like, well, Johnny, Johnny, let me tell you. And they like opened up to you and they shared this with you. That is freaking ridiculous. So I don't, I don't bother, I don't, I don't do the fake persona anymore.
No, because they know who you are. They're using my face, yeah, as their avatar. So I just talk to them, but yeah. He does call me Johnny. Yeah. We do have conversations very similar. They are usually friendly and professional because at this point It's not personal. They're not going after you. You're not even going after them.
You just, like, you kind of exposed who they were. They respected you for doing it. [00:40:00] And there's a mutual, like, you're not going to rush anytime soon. You're not going to bump into them. Like, they're not, we know they're not coming out. They're not coming here. Right? Because as soon as they do, they'll be arrested.
So it's more like, it's okay from afar, you can have a professional working relationship. There's, there's, there's mutual respect there. Yeah, so so that but that is that's what I did I reached out and I told him I so prior to that I had met or we Anastasia and I had met with some ransom ransom negotiators, good guys, not bad ones, and talked about some of the problems and things that they were seeing and so I thought it might be beneficial to have a conversation with LockBit and say hey, these are some of the struggles that we're seeing on our side.
I'm pretty sure that if we're seeing this, there has to be something that's either causing that or struggles. You're seeing there's gotta be somewhere in the middle that we could meet and you know, there's people out there will be like, Oh, you're helping support the ransomware ecosystem like that.
Well, no, when companies are getting decimated, what I want to [00:41:00] do is try and to help facilitate the best possible solution that I can. So when I have multiple negotiators telling me the same thing the same problems are happening, I thought it would be worthwhile. So Anastasia has a good background in tracking cryptocurrency and things of that nature.
I've got a background to doing direct engagements. So between the two of us, it made for a good pair. In addition to reaching out, talking, like I said, with these negotiators. So. Getting that information and LockBit shared a lot more with us back than I expected, to be honest with you. Well, that's good though.
I think it's good, you know, I mean. Right, it's good to know if you're a negotiator, what you're going in with, if there's rules in place already to what they're going to be allowed to negotiate. If you come in way below that, the chances of the negotiation ending prematurely and that company just being basically out of luck in their data getting exposed.
I think it's better to go in knowing that from the same thing from an adversary side, if, if they're going in and they know they [00:42:00] can only ask for a certain amount and you have negotiators that don't know that again, it, no one wins, not that I want them to win, but no one wins in those situations. So the best case scenario is obviously to pay as little as possible to get your data back, but you also don't want to go in
with the wrong approach and just have everything ripped out from under you and all your data is leaked on the internet. Like we saw with, not saying that they did this, but they're like with Boeing, like, you know, that, that negotiation ended, their data got exposed. And you know, that, that wasn't one of the ones who I talked to, but there was some other big ones where I talked to negotiators and they were the scenario where they were coming in
way down low and the other guys were way up here and they weren't even close to meeting in the middle. So by the time, the thing is, is you only have so much time that timer's going. And once that timer ends unless someone does something to intervene, it automatically will publish that data. So the point being is if you don't know that and you're playing, you know, that, you know, negotiation game going back and forth.
You'll need so much time to do that. And if, [00:43:00] if when you're getting down to 24 hours and you're still so far off, it's not helping anyone. So again, just trying to arm people with the information going in upfront to understand, well, the rules have changed on the other side. So you should be aware that this is what's happening, whether you agree with it or not, that knowledge is power and going into that.
Absolutely. And, and I mean, two, two factors there. One, We've, we've interviewed several of the actual negotiators and they explain it is a really emotional, difficult time for business owners, for leaders and organizations in charge of that. Is it not, Jonny? I mean, it's tough. They've reported guys passing out.
They reported one guy had a heart attack. They were, because especially small businesses and, you know, I mean, even midsize, you know, 50 million, 70 million companies. This is their livelihood. The partners, the investors, like everything is tied to this and it all goes away. If [00:44:00] this goes south and it's not planned, they weren't planning on it.
It's not on the forecast. It's not budgeted for insurance. And insurance either declines, insurance either declines coverage, or they only limit what they'll do. They don't. They don't do everything that you would think they would do it's a really trying time. And then, you know, and then the issue is, you know, if you're going to pay and if you're going to do this, again, if you're not doing the preventative measures like we talked about earlier, right?
Then you have to pay because if you don't have separate backups that they didn't already encrypt and copy and lock you out of, right? Or, or, or adequate backups, things that were tested, like you're, you have to pay, otherwise you're out of business. So interesting story, just what you just said. So I don't know, maybe it was three weeks ago, there was a [00:45:00] conversation with LockBit and another guy who's
pretty well known in the criminal community and they were in a conversation about this and it surprised me to hear LockBit say ransomware is dead. Now, he was referring to ransomware as your payload and that you know that encrypts all your data and he didn't mean that the ransomware as a whole is dead, but what he was saying is in just going in and encrypting companies' data is no longer worth the time and the effort and and the other guy was arguing back or making his point that it's still worth doing because well, they both agreed stealing data and using that to extort a company is the most effective.
The other, the other criminal was, was arguing that, well, crippling them when they're already, you know, wounded and they're in this situation only is going to entice them to pay further by hurting them when they're weak. So he was advocating that. You keep going and you keep doing it this way and they aren't doing it this way.
It was just a conversation, but the fact, again, just that, that, that actual correspondence back and forth, [00:46:00] I just find it interesting to see what, you know, these, you know, we know what we think, but what do these guys think? And you know, they have the same conversations. You know, we talk about, we see it in the public all the time, like predictions for ransomware.
And you talk about, Oh, well, we're going to see a move more towards data theft as opposed to just encryption. And well, they're having similar conversations just with, with different. Well, I'm interested to see, are they going to start telling everybody's high school teacher that they cheated in class? Are they going to start notifying every single regulatory agency, hey, they didn't do this.
Oh, by the way, there was another HIPAA violation. We had somebody stop by there and there was medical records sitting in the printer tray that we saw. So we want to report them for that too. Are they going to be telling the teacher about everything? You didn't lock your screen when you walked away. Yeah, oh yeah, they also don't lock their screens when they walk away, by the way.
Right? Like But you know what that shows?
That I think sometimes, I don't know that we lose sight of, but I think other people fail to see or recognize that this is a [00:47:00] true criminal element. I mean, these guys are
Jon DiMaggio: criminals. They're doing nothing differently than them. They're just trying to extort money.
They're just trying to find a new way to extort. Can you not see Gotti's group, like, or somebody from the 80s and 90s doing, going to certain levels like this? Like, of course they did. They would go like this. Of course. Well, they ran it like a business. They ran it like a business. Yeah, you just take, yeah, you take the emotional element out and they're not gonna, they're gonna try not to involve people that aren't involved, but the people, like the target and them, they're gonna stay focused on them and they're just gonna do that.
It's like a, it's like a mob hit where you don't kill the bystanders, unlike gangs, unlike gangland shootings, right, where they just shoot everybody. Like, this is just mob hit, you just kill the person you have the beef with, and that's it. So Well, and you know, I think that's also one of the reasons why you don't see You know, as much of [00:48:00] like violence as a service type of stuff being used, because once you get to that level, well, well now we're talking a whole different game.
Like it's one thing for a company to pay because there's data getting stolen, but once you start talking about violence and adding other aspects to it, it changes everything. So I, I think that's a good thing that it hasn't gone there for the most part, with the exception of a, a few groups, but, well, some of the, there's some of the younger groups, you, you see some of the criminal enterprises that are doing a lot of the.
Fraud scams and the, the identity theft, the credit card theft. They're, they're doing the swatting and the SIM swapping and that, but I think there's a lot, I mean, I don't know, maybe I'm wrong, but it seems like there's a lot less money in that and there's more, there's more crime and guess what? That's going to get the heat the most.
That's going to be something that, because that segments, that segues, blurs the line between the digital and the physical world. And you still have all that might and all that power of the physical police [00:49:00] that know how to solve those problems. Right. I agree. Well, and I think that, you know, when you see, like, again, ransomware attacks today, you know, they're going after these companies that can pay big payouts, so, you know, they work for a few weeks to get their, to get this, their access, to get the data stolen, to get things encrypted, and then they get this huge payout, so for them You know, it just, it just kills me that we can't figure out how to do better.
I, I, I always say this, but it literally, it reminds me of the like 1980s. We're on drugs where we talk a big game game, but we're not actually, you know, doing anything to, to win it, you know? And, and, and I just, I can't, I obviously not just me, but I can't figure out how to how to change that, how to get her.
better grasp on that. But I do know that the way we're doing it right now things aren't going well in that conversation, though, that I was talking about [00:50:00] before between those two criminals, one of the things that they did note is that since like the 2020-2021 timeframe, they've also noticed that companies are much better now with storing offline backups.
And that is why encryption alone also It doesn't work as well for ransom, so, so I guess I, as much as I'm, as I'm saying, you know, we do things poorly, I guess, hearing that conversation between two of the, you know, one of the top ransomware gangs in the world and a very high ranking criminal, that have that conversation and to say that at least we're, we're getting better at something you know, but, Salesforce, like, it's almost like they're charting all of this, right?
And they, and they're seeing the trends and they're, and they're deciding what, what tactics. Well, I think that's why, you know,
Mark Mosher: Is that maybe why we're seeing more of this extortion level to release data or sell, you know, it's no longer, we're just going to, we're going to lock up your system and you've got to pay us to unlock it.
It's, Hey, we've got all your data. We know you can get your data back, but we're also going to give it to [00:51:00] all your
Jon DiMaggio: competitors. Yeah. Well, that brings up the whole MGM thing. You know, they, you know, they got popped or whatever, and all that data got stolen, and you know, there's somebody, I don't know if they're actually related, but they claim to be selling data that was stolen from that breach.
I saw that. I saw that last night. You know, so, so you just don't know where it's going to end up is my point. And, and then you have guys that, and probably girls too, that pretend to sell that data. And there's been so many leaks now, they'll literally go take something that's leaked. Yeah, they're scraping the data and then sell it.
That
Mark Mosher: was one of the responses last night that I saw when they gave a sample of the data. And somebody quickly chimed in and said, no, that's from the 2020 breach. Like, no, that's old. But that's my point.
Jon DiMaggio: There's so much out there, though, you don't even know, and now you've got bad guys scamming bad guys.
You know, it's crazy. It's a mess. [00:52:00] Well, the MGM breach is so interesting simply because you, first of all, in no other industry do you have, when you're suffering from a data breach and your systems are down, do you have thousands of people making TikToks of your stuff being down, like what other industry suffers like that, right?
Like that was just brutal. Like they, like they could say whatever they wanted to headquarters. Everybody saw what was really going on, right? And the online, everything online was down. Like it was, it was absolutely brutal for them. However. Did they not do the right thing? Like, they didn't pay, they evaluated, the CEO came out, and I'm talking about MGM.
MGM came out and said, look, we evaluated, we realized it's going to take this amount of time to restore. If we paid, we'd get it back around this amount of time. We chose to follow the law enforcement advice, not to pay, we didn't [00:53:00] pay. There's a lot of people saying, well, they're likely not going to get targeted again, necessarily as much as Caesars, who paid right away.
Once you pay right away, statistically, don't the odds go up for you? Like, they're kind of a soft target. Like, we can hit them again. They'll pay. Yes, you make a good point with that. But, since we're pointing out all the negatives, let's also point out the positives with Caesars. They weren't even in the news until the MGM happened.
Nobody even knew about it, and none of their, you know They handled it so, like I know. Data is going, is going to be going out the door, you know? So, and I'm not, I'm not saying to pay, I'm just pointing it out because we're pointing out all the other side of it. Right. So, and, and I don't have that answer, but that, that is, that's the hard part.
Well, that's what makes those two breaches so interesting to discuss because on the one you followed the best practice rule, right? And look at how they suffered and how long they were down. [00:54:00] And everybody talks about it. When they talk about it, they always talk about the MGM breach. They barely remember the other casino, right?
And Caesars wasn't even gonna like, nobody knew about it and they had already resolved it. It was already resolved by the time MGM got hit. Unbelievable. And they didn't follow what you're supposed to do. They immediately paid. They didn't go down and everybody was happy and they were profitable. It wasn't a blip on their that, but bad guys made whatever it was, $15 million, you know?
And it wasn't even a That's gonna go into support future. Yeah. And the amount that they paid wasn't even a percentage where they even had to disclose it technically on their SEC form. I read, I could be wrong, that's what I read. But then, because the MGM got hit, everybody heard about 'em. So they're like, well we better disclose it on the SEC form then you might as well tell the investors 'cause they hear about it now.
But, like, they only paid 15 million, they make X amount per day, it wasn't that big of a blip. [00:55:00] Right. Well, and that's why I think the answer to should you pay or not pay a ransom really is case by case. I don't know how you can out, like, that was my concern is, I see the intent behind it. Don't pay the bad guys.
They'll go away. Like, it's a very widespread, naive view, though, because that's not the way it is. It's not going to apply. It literally could make things ten times worse. Before I worked ransomware, back when I did just espionage, that was my take, is you just, companies shouldn't be allowed to pay. It'd be so simple.
Just do it, right? See Congress passing it. 'cause they're like, oh well we're paying bad guys. Well let's just outlaw. I'm like, right, hang on. Like you don't think, oh, so, 'cause the lawyer in me goes, okay, then how do we define the term "ransomware payment"? That issue, that term will be litigated a thousand times because we [00:56:00] can't pay a ransomware payment.
We could pay a "blackmail" payment. We could play a, some other term payment. We just can't pay a ransomware payment. They're not using, they're not encrypting using ransomware, so therefore it's not a ransomware payment. Like, you can see the, the floodgates of litigation open. Yes. Well, yeah, it's. People, again, I used to feel that way until I started working on it, but the first time you were inside looking at it from the victim's eyes, it makes a lot more sense when you're seeing like this company is going to be decimated.
They're going to lose 700 people are going to lose their jobs. And 50,000 people's PHI is going to go out the door. And business is hard enough. Like, the economy is tough enough. Like, these guys get in the mix and they throw this at you and you have to decide, like, if they take that option away from you, you're like, then I'm just out of business.
How are you going to insure that company? Think about if you're insuring that company. Don't get me started on insurance. Like, how are you, like, [00:57:00] think about that. Like, this company is going to go to, go, go to get insurance for things, and they're going to be like, why would we insure you? Like, you can't even pay the ransom if you got hit, right?
Like, you'll be out of business. The, they're going to start assessing that. I mean, it's, It's really that there's a negotiation company that, that I, I know several negotiators at. And, and I talked to them on this topic and I asked them, I was asking about the insurance, and they told me that out of 49 cases last year that 48 of the 49 that these are the ones that were just, were insured, didn't pay out the insurance, that they literally just will find a way to not pay.
And now. You know, they just recommend that people don't even bother because the insurance companies are taking your money and they're not actually paying in that game. I know it's a whole other conversation, but the insurance companies, they make mistakes. It is a really good one, and we've tried to have different people on to address that.
It all kind of depends. If they're coming from the insurance [00:58:00] They, they have a, they have a propensity to say, well, of course they'll pay if it's a valid claim, but then you get into litigate, you get into the terms of art. Well, if it says this in the policy, that means this, and then it falls in place. No coverage.
Here, it falls in place. Coverage. And it's like, okay, that's, that's a, that's a That's a dry discussion, and it's also something that most business owners don't care about. They're like, if there's a data breach, will I be covered? And they're not, they're told yes, but the answer's really no. Yeah. Well, then you've got
Mark Mosher: the business owner, David.
Remember the one guest we had? Is he sat there and
Jon DiMaggio: literally watched the icons
Mark Mosher: on his desktop turn to white squares as everything was being locked up from him, and he had no way to stop it. Instead he was actually physically ill to the point that he had to run to the restroom. Cause he knew exactly what was happening and he had
Jon DiMaggio: no control.
Yeah. And he didn't know how to [00:59:00] go home and tell his wife because Oh yeah, that was another part. His retirement is tied up in that. His house is tied up in that. Like, how do you, how do you do that? How do you explain? Because we bought this software and that Manufacturer had a vulnerability, we lost our house, honey, like what, like, how do you explain that to people that aren't even in technology?
I don't even, I don't know how to have that. And you shouldn't have, shouldn't have to have that conversation, right? That's why this is such a tough topic. But then you're gonna tell him, oh by the way you can't get yourself out of it. You can't pay the ransom. No, because the law says no. Well, guess what?
The other side of the law, the other side of the lawyers there are going to say, yeah, but here's the safe, here's the safe harbor for that law. Right? Here's the, here's the exception to that. For every rule, there's a thousand exceptions. So, [01:00:00] so, you want to pass that law to look good, pass that law, but then you're going to be able to do it.
It's interesting. You know, I'm not necessarily a proponent of paying, but in the right circumstance, you've got to at least have the right to do it. Like, you can't take away the people's rights. I don't think banning it is the solution. No, I don't think you can. You can't take that away. What about limiting it?
What if there was a cap? Ooh, like tort reform. It's interesting. It's like tort reform. It's like the states that, like, banned... Oh, yeah. Remember, like, the vaccines used to be an issue, and then Reagan came in and had the vaccine acts, and, and, and now in certain states there's tort reform. So even if you have a runaway jury, you only get like a hundred grand. So people like wallet even litigated do I not pray still a valid claim?
That's an interesting topic. Yeah, because then ransomware attackers are going to know what they can and can't make, and a lot of them are going to find other things. Well, well, well, isn't that interesting? Isn't that interesting? I think that might [01:01:00] be, yeah, that might be one way to approach it. That is really interesting.
That's a great point. That is interesting. I like it. I'm gonna, I'll announce my, my Senate run. Limiting ransom like tort reform. I'm gonna be the
Mark Mosher: campaign manager. I'm gonna grab the limousine,
Jon DiMaggio: buddy. You know, the problem is, is like tort reform and things like that can work because you're regulating companies under your jurisdiction.
Here we're trying to put a cap on the value of what criminal, of what you can pay criminals. When they threaten to do something to you, it's a little different. Right. It is a little different, but I think it's still closer to a solution than just putting a cap on it is. Yeah. Yeah. Yeah. But then, like, and then I can see the dark web.
I can see the dark web forums. So, here's this package of data. You can get this, which is the maximum amount allowable under the law, right? But then you can also use this data to create fake credit cards, do this, use identity theft, and you know, it's still really valuable. You can [01:02:00] see how they'll shine up the package of the data to sell it on, on one of the
Yeah, I mean, a lot of the stolen data, there's so much of it out there now, a lot of time, a lot of it hasn't even been used yet. It's literally just sitting, because it takes so long to be processed for other criminal activity. I mean, that's the only, you know, benefit of that there's been such a high volume is that, I think it's going to happen eventually, but You know, it takes a while to get through and to do what you just said, to, to use that to further you know, criminal endeavors and with, with that information.
Well, absolutely. And Jonny, thank you again. This is, we're, we're not done talking to you, but we're gonna, we're done for today, but I'll tell you that for this episode, there's going to be another one. Well, yeah, well, I'll, I'll tell you that gets to the point of everybody should be freezing their credit. They're like, absolutely, under no.
I think it's free? And have identity protection because it's worth the 300 dollars. But I mean freezing your [01:03:00] credit is free and you, they can't go create new debt on your behalf. You're not liable for anything. They can't do it unless you literally approve it at the moment. Well, one thing to say is a lot of people watching this one know this, but I literally had this conversation last night with that family member, and they said to me, but then I can't use my credit cards or my debit cards.
And I'm like, you can use all of your credit cards. Your FICO score can still go up when you pay on time. Marks can still go down when he pays late. Like it all works out. This goes like this. I'm just glad I'm not a vendor of yours but it's, but I'm just teasing, but it's, you know, but the thing is, is like it, everything still works.
It's just no new credit can be taken out on your unit. How often do you need that? Maybe a couple of times a year at most, and it takes about 20 minutes. I literally did it, like one of the times I forgot which store we were in some store and we bought clothes for the kids or [01:04:00] something and like the bill was kind of up there and they're like.
Do you want to store credit cards? You can actually get like 20 percent off or 10 percent off. And I'm like, we bought so much that it actually made sense to do it. And then we were never going to use the card, but we can keep our credit frozen. So I literally got on the app, unlocked it. They ran it. They did it.
Locked it back right there in line. It was that easy. So I'm telling you it's a good way of doing it. Or, or you can have a seven credits. Yeah, you can always just do that. Well think of the fun, think of the fun you can have going from like a 750 credit score to a 7. Think of all the stuff you can get and just not pay.
How else? Like, how better to get back at these bad guys. Go ahead and steal my data. Take my data.
Mark Mosher: Never seen a 7. You've set them,
Jon DiMaggio: you've set a new level of wellness. I dare you to take over my identity. I got a 7 credit score. That's hilarious. [01:05:00] Now who's the victim? Oh, not a bed. That's not a disclaimer. That is not a best practice for anyone to do.
This is only used for, for television purposes only. Yes. We do not condone nor approve of any single digit credit scores. So Jonny, before we go though, what is, what's up next? What are you working on writing? I know you can't disclose it, but Yeah, you said you were writing, yeah, Ransomware Diaries 4. Yeah, that's probably different.
It's not LockBit. It's gonna be different. So LockBit's not going to be on the next one. What's funny, though, is LockBit they, he, the, the leader of LockBit did tell me that he did vote for The Ransomware Diaries, because it was on, it was on Twitter that it got nominated for re article of the research of the year.
Yeah, and so he told me, and he voted for it. That is awesome. That is, wouldn't it be funny if he was really in Congress? Like his [01:06:00] real identity. He's actually, I live in New Hampshire. I'm a congressman. Right, right. You're like, how are you voting on the SANS thing? Are you able, were you there when I accepted the last reward?
How
Mark Mosher: do you have a
Jon DiMaggio: 200 million dollar net? I should invite him as my plus one and see what he feels. FB like. Oh my God. So, okay. So you're doing a little ransomware for, what's it about generally? So I'm doing it. I don't want to say the group that I'm doing on just yet, but I'm doing it on a group, but it's, it's, it's expanded.
Into some crazy things. So, the original idea, obviously, is around a ransomware group, but it has crossed paths into a lot of other criminal activities that are taking place on the dark web and it unfortunately keeps intersecting with child porn rings. So, while I'm doing all of this, I have been also pushing a lot of that information over to law enforcement, but, but the, the, [01:07:00] the so what of this is, is, is sort of that I think I've stumbled onto something we really haven't seen before is where not that this ransomware group is involved in kiddie porn, but a lot of the supporting elements that provide resources to ransomware groups are involved in some really bad things.
So that money in that ecosystem does a lot more than just, it's a, take, you know, ransom extortion from, from companies. It feeds a lot of bad things and that's really what I thought was going to come out in this research. But, but I picked a really good, a good topic because there's so much drama and crazy shit that, that, that's happening with it, with it.
So it's, it's, it's fun to write. It was a little crazy to research and follow and not get myself confused, but I'm having fun writing it. So that'll be interesting because that really goes into the. That's what we were talking about earlier.
Mark Mosher: It's criminal. Criminals are gonna criminal, right?
That's
Jon DiMaggio: exactly what that is. Wow. Any kind of ETA on that, Johnny? Yeah, I'll be done with it [01:08:00] soon, but I don't think they're gonna put it out until after the holidays. Two of the things I'm also looking at down the road is eventually Black, BlackCat or ALPHV, but I'm, I'm waiting to, I like to wait till things, you know, they're really interesting the way they're approaching things like, yeah.
Like, I would have thought LockBit would have done something like that, and when I saw BlackCat, ALPHV did it, and I'm like, wow, pretty interesting. Well, that's their arch nemesis as... They really are. They're, they're, they're, they're frenemies, basically, right? And Well, no, they don't get along at all. They have a historic bad history together.
LockBit stole their developer and things like that. Yeah, yeah, yeah. That kind of thing. Yeah. So not saying that they don't, you know, have conversations. I just meant they're frenemies, meaning like if there was a convention of Mafia guys over in Russia, like they might be there, like they might be at different tables, but they'll be there.
They're in the same associations, maybe. So [01:09:00] really interesting, Jonny. Well, yeah, let's plan on, please keep us posted on that. You'll definitely be back. We started doing a biweekly newsletter through LinkedIn and other channels, just summarizing, because in our company and the people that we deal with, we deal in four verticals: finance, healthcare, legal, and SLED, basically education.
And so what we're doing is there's so much news all over the place. People don't know what to pay attention to and whatnot. So we're kind of segmenting the most recent breaches or new regulations from CISA or whatever it is that's interesting within those four verticals. And then we're putting that out.
It's called VIGILANCE. It's more like a digest with a little bit of insight. It's more just kind of translating it into English, into like, people that don't understand cyber security, but want to know about it because they're in the healthcare space, or they're in this, that's where we're like, here's a breach, here's why it's important.
Here's [01:10:00] this, here's why this might matter. Like that type of thing. So. Right. That sounds good.
Well, that wraps this up. Thanks for joining, everybody. Hope you got value out of digging deeper behind the scenes of security and cybercrime today. Please don't forget to help keep this going by subscribing free to our YouTube channel at Cyber Crime Junkies Podcast and download and enjoy all of our past episodes on Apple and Spotify podcasts so we can continue to bring you more of what matters.
This is Cyber Crime Junkies, and we thank you for joining us.