Ransomware Gang TAKE DOWN: Secrets from the Dark Web.

Show Notes

Expert Security Researcher, Jon DiMaggio, former National Security Agency (NSA) analyst, takes us under cover on the Dark Web, providing us insight in plain terms on: 

• ransomware explained for small business and ransomware risks for small business, 
• how cyber attacks stay undetected, 
• how intelligence gathering is critical to security, 
• secrets of cyber crime gangs, 
• how stolen data is sold by cyber criminals, and
• understanding the hacker mind.

Don’t miss Jon’s book, The Art of Cyber Warfare: https://a.co/d/a2r7C5G

 

Grow without Interruption. Stop Breaches. Leverage Advances in Technology with NetGain. Contact NetGain today at 844-777-6278 or reach out online at www.NETGAINIT.com  
 

Have a Guest idea or Story for us to Cover? You can now text our Podcast Studio direct. Text direct (904) 867-4466

🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss a video episode!

Follow Us:
🔗 Website: https://cybercrimejunkies.com
📱 X/Twitter: https://x.com/CybercrimeJunky
📸 Instagram: https://www.instagram.com/cybercrimejunkies/

Want to help us out? Leave us a 5-Star review on Apple Podcast Reviews.
Listen to Our Podcast:
🎙️ Apple Podcasts: https://podcasts.apple.com/us/podcast/cyber-crime-junkies/id1633932941
🎙️ Spotify: https://open.spotify.com/show/5y4U2v51gztlenr8TJ2LJs?si=537680ec262545b3
🎙️ Youtube (FKA Google) Podcasts: http://www.youtube.com/@cybercrimejunkiespodcast

Join the Conversation: 💬 Leave your comments and questions. TEXT THE LINK ABOVE . We'd love to hear your thoughts and suggestions for future episodes!

Chapters

• 2:14: The Evolution of Ransomware as a Service
• 2:26: Introduction to Cybercrime and Ransomware
• 5:33: Ransomware Explained For Small Business
• 8:28: The Role of Affiliates and Initial Access Brokers
• 11:23: Challenges in Cybersecurity and Detection
• 15:18: The Impunity of Ransomware Gangs
• 18:26: Motivations Behind Ransomware Attacks
• 21:21: The Impact on Healthcare and Critical Services
• 25:50: How Stolen Data Is Sold By Cyber Criminals
• 32:40: Under Cover on Dark Web
• 35:35: The Dark Web's Impact on Business
• 38:30: The Consequences of Data Breaches
• 40:55: The Complexity of Cybersecurity Breaches
• 44:21: The Reality of Paying Ransom
• 46:39: The Toll of Cyber Warfare on Professionals
• 48:52: Current Landscape of Ransomware Groups

Transcript

Ransomware Explained for Business | Under Cover on Dark Web

 

Expert Security Researcher, Jon DiMaggio, former National Security Agency (NSA) analyst, takes us under cover on the Dark Web, providing us insight in plain terms on: 

 

·      ransomware explained for small business and ransomware risks for small business, 

·      how cyber attacks stay undetected, 

·      how intelligence gathering is critical to security, 

·      secrets of cyber crime gangs, 

·       how stolen data is sold by cyber criminals, and

·       understanding the hacker mind.

 

 

Don’t miss Jon’s book, The Art of Cyber Warfare: https://a.co/d/a2r7C5G

 

 Chapters

 

00:00 Introduction to Cybercrime and Ransomware

02:49 The Evolution of Ransomware as a Service

05:58 Ransomware Explained For Small Business 

08:47 The Role of Affiliates and Initial Access Brokers

11:55 Challenges in Cybersecurity and Detection

15:05 The Impunity of Ransomware Gangs

18:01 Motivations Behind Ransomware Attacks

21:01 The Impact on Healthcare and Critical Services

24:01 How Stolen Data Is Sold By Cyber Criminals 

31:35 Under Cover on Dark Web

34:30 The Dark Web's Impact on Business

37:08 The Consequences of Data Breaches

40:41 The Complexity of Cybersecurity Breaches

43:00 The Reality of Paying Ransom

45:51 The Toll of Cyber Warfare on Professionals

48:07 Current Landscape of Ransomware Groups

 

Takeaways

 

Cybercrime is on the rise, necessitating ongoing discussions.

Ransomware has evolved into a service model, making it accessible to more criminals.

Data exfiltration is often prioritized over system encryption in ransomware attacks.

Access brokers play a crucial role in facilitating ransomware attacks.

Organizations often fail to patch vulnerabilities, making them easy targets.

Living off the land techniques make detection difficult for security teams.

Ransomware gangs operate with little fear of arrest due to geopolitical factors.

Economic desperation drives individuals to participate in cybercrime.

Healthcare organizations are particularly vulnerable to ransomware attacks.

Understanding the motivations of cybercriminals can inform better security practices. Jon DiMaggio has firsthand experience talking to ransomware gangs.

Ransomware groups often use broken English to communicate.

The dark web is just the starting point for data leaks.

Data leaks can affect not just the victim but their partners too.

Ransomware gangs are increasingly using social media to threaten victims.

Paying a ransom does not guarantee data deletion.

Companies that fail to protect data should face penalties.

Not all breaches have the same impact on businesses.

The reputation of ransomware groups affects their operations.

Cybersecurity professionals face significant mental health challenges.

Host (00:02.201)
Well, welcome everybody to Cyber Crime Junkies. I am your host, David Mauro and in the studio today is former security analyst with the NSA and security researcher and senior security analyst with Analyst One, Jon DiMaggio. Jon, welcome to the studio, my friend.

Jon DiMaggio (00:22.624)
It's good to be back. I've been on no other show I've been on as much as your guys, so I appreciate the love and you guys having me back again.

Host (00:30.703)
Well, you're always welcome. You're definitely a friend of the show. And I'm just telling you, like cyber crimes up, so it tends to be something that we need to keep bringing you back as we're like, what is going on with this? And, know, we've seen a lot of. Yeah, I thought we won. Didn't isn't it over? Is it mission accomplished? Right. Like, are we done? Yes, I saw it.

Jon DiMaggio (00:43.319)
Right.

Jon DiMaggio (00:46.86)
we won. You mean it's not over?

Jon DiMaggio (00:53.154)
There was an executive order yesterday, man. We got it. It's done.

Host (00:57.049)
Yeah, I thought they outlawed cybercrime. Aren't we done with this podcast already? Yeah. So, so let's back up a little bit. So walk everybody through a little bit about your history. Because for those that may not be aware of who you are and where you came from, I think that'd be interesting.

Jon DiMaggio (01:00.0)
That's right. That's right. It's against the law, man. No more work for me.

Jon DiMaggio (01:19.054)
Sure, former military police, former SIGN analyst with the NSA as well as some other government agencies over my career. Last, I don't know, 10 years or so, I've been in the private sector. I specialized in espionage when I was in the government and I did that for Symantec as well in the private sector side for many years. And analyst one around 2020, I dove into cyber crime and I really

got into human, which is human intelligence, which is virtual human in this case, where you pretend to be other people or sometimes you're yourself and engage with criminals trying to extract intelligence, get information combined that was CTI and I write reports, probably most the most known report series that I've written is the ransomware diaries, which is

Something I spend a lot of time doing probably going to take a break here for the next six months on that and do some other projects But that's definitely my baby

Host (02:20.898)
Yeah, that is one of my, one of my favorite things. Like whenever I'm trying to explain to anybody how the ransomware enterprise works, cause it's big business, right? And, and how, and why they do what they do and understanding the modus operandi. I kind of refer to that quite often. so let's talk about there's, there've been a lot of ransomware

attacks. Obviously, they're always in the news. They didn't always used to be in the news. So before, you know, 15 years ago, we didn't it was very rare to see them in the news. It was really between it seems to me like I could be wrong, but it seems to me between 2011, 2013. Cyber criminals started to like productize their offerings, and then they started to, you know,

It almost morphed from everybody's view of what a hacker is, like a kid in a hoodie, cracking Red Bull, like, you know, in their mom's basement, like creating all this complicated code. And Hollywood has portrayed them as being these cool geniuses and stuff. But it really changed. And we started to see it more in the news when they started to just write the code and create a platform, essentially, and then license that platform or

Jon DiMaggio (03:25.308)
Yeah.

Host (03:48.736)
licensed access to the code to just anybody that was criminal and then then it kind of exploded because there's a lot more criminals than there are people with technical ability. Walk us through like, you know, what did you see just high level over the last 15 years? Is that kind of your understanding? Is that is that a good kind of summary or recap of what we've seen, why it's gotten so popular?

Jon DiMaggio (04:08.237)
So I guess let me me walk back and we'll just do a brief summary on on that timeline. So yes, in the that timeline we did see, you know, I guess the first

we started seeing it being used to encrypt enterprises was the business club with Crypto Locker. But it wasn't that they were locking down the whole enterprise and using it. It quite is the same as we see today. But that was sort of the seed being planted. And when it really took off was in 2015 when we heard when Sam Sam ransomware became prevalent and that ended up being attributed back to Iran. It was a couple of Iranian guys that put that together.

And then I would say a few years later, I want to say around 2018, 2019 timeframe, we started to see the first Ransomware as a Service model. I might be off a little bit on those last dates. It kind of blends in with doing this every day. But yeah, somewhere around that timeframe. And that model is really sparked. if people don't know what that is, Ransomware as a Service is a partnership. It's sort of like a service partner model. So think about

you have with a telecom. Correct, yes, you pay for the software, the infrastructure and that the service provider who would be the ransomware gang, provide all those resources. You as the hacker go and use their tools and resources to compromise and extort victims. And then the two entities share in the profits or at least that's how it's supposed to work. Criminals aren't the most trustworthy people. So it often goes bad.

Host (05:30.369)
It's like a managed service almost, right? Yeah. I mean, it's.

Jon DiMaggio (05:58.658)
And then the drama breaks out and then we have the Ransomware Diaries.

Host (06:02.922)
Right. Exactly. Exactly. So, so ransomware as a service is a service model where, just to recap, where the, the developers of the code, the first group, the technical group or the criminal enterprise, it's like the, the, the council or the senior, when you, when you do an analogy to the mafia, it's like it's the management, it's all the dons, that's all.

Jon DiMaggio (06:25.4)
That's your management. Yes. Your leadership, exactly. Yes. That's right.

Host (06:31.466)
It's all the heads of the families that kind of have that, right? So they control things and then they have different, you know, digital mercenaries that affiliates that will go out and do the dirty work. And they don't necessarily know other people that are involved so that if they get caught, there's really not much they can show sometimes depending on how much buffer they have. And yeah.

Jon DiMaggio (06:42.456)
rate.

Jon DiMaggio (06:58.23)
And yes, and in this, I'm sorry, go ahead.

Host (07:01.139)
No, no, no, please, please go on.

Jon DiMaggio (07:02.764)
I just wanted to add one little thing to that in this mafia model, since I love the Godfather movies. Yeah, the ransomware as a service provider, they build and equip you with a gun, if you will. So they build what's called a ransomware builder, which is what creates a payload that has a decryption key. And they use that, or they have a key and they use that and it's different for each attack that they do. Yes, and that key is what the victim is paying to get back.

Host (07:08.886)
Yes.

Host (07:26.995)
affiliate.

Jon DiMaggio (07:31.736)
So they provide that builder, they develop the ransomware, they provide the infrastructure. Oftentimes they'll provide tools to steal data or whatever it might be. They provide what's called the data leak site or DLS, which is where victim data is posted. And it's all done through a nice graphical interface. You get the data, it shows up on the platform, it can use our tool. You start the timer when the timer is up.

the data is leaked or they pay and you stop the timer and it's not leaked. It sounds simple, but it's not quite that simple, but that's basically how it works.

Host (08:06.986)
So when a...

Criminal enterprise breaches an organization. They'll either encrypt the data, right? Launch the ransomware or they'll exfiltrate the data. They'll take it and then they'll, they'll use both of those. It's like a double extortion, right? To kind of blackmail them into paying for either on encrypting the data and give them the decrypt key or even sometimes if, they don't encrypt,

It's still we're still going to publicize it right and that's what's done on on the leak site

Jon DiMaggio (08:44.78)
It's all, that's true.

That's right. That's right. And the data, stealing data and extorting them for data has become more and more prevalent. We even see some that are just doing that. But I would say that the encrypting victim systems fall secondary to that as far as getting victims to pay because data is far more sensitive. And with your systems, can rebuild. can't get that. You can't put the toothpaste back in the bottle. You can't get the data back once it's released publicly.

or sold to criminals.

Host (09:17.749)
Right. Absolutely. Yeah, exactly. So, so let me ask you this. How in general, generally speaking, there's a million different ways, of course, but in general overall, how are these affiliates, the actual hackers, the criminal digital mercenaries, how are they getting in to some of these organizations? Cause sometimes I hear it's through a lot of times it's through phishing or it's a combination. It's clearly a combination of different tactics, but

There's fishing, there's social engineering, which we talk about all the time, but oftentimes they'll buy access through like initial access brokers. Can you walk us through that and what that is?

Jon DiMaggio (09:55.416)
Yeah, that's right. Yeah, so access brokers, basically they are hackers that go out and they compromise the organization. They silently gain access, but they don't do much when they're in because they don't want to be identified. They gain that access, they might escalate or usually they'll try to escalate their privileges. So get administrative privileges because they can sell the access for more if they have that. And then they go to

usually underground dark web forums. Sometimes you'll see it on Telegram, but they'll go and they'll sell this access and ransomware bad guys are one of their top customers. The other model is where the hackers have to breach the system themselves. Something you said, it does happen a lot with phishing emails and things like that, but what at least from...

the bad guys who I talked to over say the past two years, I've seen more and more sort of the preference of lot of these adversaries is, did you look for infrastructure that hasn't been patched, that's not secure, or that has a new exploit for it, or an old one if it's company still hasn't patched it. And that's how they gain access is through.

infrastructure and it kills me when it's things that all they had to do was update and patch their equipment and this would have mitigated it and they don't. But that's becoming, you know, they scan, they look and they gain access and they don't have to bother with the phishing emails. But that does still take place, but I'm seeing more and more of that.

Host (11:25.184)
Well, it's really shocking to like you. You'd think that, that a lot of these organizations that everybody's doing, like they're, they, they have the people in place or they have the companies in place to do the patching and it just isn't done. And it's just an, it's an non updated patching or it's, it's on such a delay for the patching that it doesn't get done. And it gets taken advantage of. It's just absolutely shocking.

Jon DiMaggio (11:47.651)
Yes.

Jon DiMaggio (11:55.136)
It does. to be fair, a lot of these companies, especially larger companies, they have concern about just patching something on how it will affect other servers and software that they have. So they're slower to do it. But the times have changed.

Host (12:08.064)
Great point. Great point. Because sometimes when you, yeah, sometimes when you patch, you break things. You break other things because of configurations, right?

Jon DiMaggio (12:14.446)
Yeah, that's right. Yes, yes. But times have changed and the risk associated with doing that, my opinion, is far greater. I feel like it's better to have something break and have an outage than it would be to have your data leaked and your owned and compromised and all your systems are encrypted. So they're rolling the dice when they do that. But that's just the world that we live in is, you know, it takes time sometimes for organizations to update. And I get that.

Host (12:27.507)
and then fix that problem. Right.

Jon DiMaggio (12:42.958)
But when there's also organizations that just they don't even know what they have out there and and they don't patch it. one of the big ones, I think I use this example previously, but was with the the the subcontractor that led to the breach of SpaceX. That subcontractor had public facing equipment, so stuff that's available to access from the Internet. And it still had default passwords that come when it's out of the box from the vendor.

and they just walked right in. So that type of stuff, there's no excuse for. That's right. That's right. Yeah, there's no excuse for that.

Host (13:12.189)
That's just brutal. Well, you see that a lot with Internet of Things devices, right? Like the smart refrigerators, the smart other devices, you know, the doorbells, like you name it, my favorite aisle on Best Buy. And like the security out of the box is like admin one, two, three. And everybody knows what it is. And yet nobody goes to the panel to reset that.

Jon DiMaggio (13:19.03)
Yes.

Jon DiMaggio (13:26.818)
That's right. That's right.

Host (13:42.067)
to a actual password.

Jon DiMaggio (13:44.462)
That's right. And they don't make it very easy. Let's say you're a small business. They don't make it very easy to seclude those. I do it in my own. My home network is set up with, I have a work network that uses business level grade equipment. And even with that, I have to have a separate network in my house at Div3. I have to have a separate to put all of those devices outside of.

network that I use because some of them, you know, it's very difficult or you need to have access to them. You can't have cameras or doorbell and turn off the Wi-Fi for it. Now, your, know, your refrigerator is your toaster, you wash your dryer, all those easy, just block and turn them off. For me anyway, I think it's not worth the risk, but there's others where you just have to have that. So they make it difficult is my point for consumers, small businesses, larger businesses have the engineering, they have the money, they have the equipment that make it a little bit easier. But yeah, it's definitely a problem.

Host (14:16.093)
Yeah.

Host (14:39.774)
Let ask you this. There's so many reports where the affiliates or certain types of threat actors are getting in networks and staying in there undetected. They're able to move laterally. They're able to escalate privileges. Why are organizations not able to see that stuff?

Jon DiMaggio (15:04.75)
You know, one of the reasons, honestly, one of the reasons is because a lot of these adversaries, they gain access and then they use what's called living off the land techniques. So they don't actually bring in malware. They'll use services that are implemented for other purposes, like to administrate your network, but they'll use it in malicious means in order to continue to gain that access. And then they download tools once they've escalated their privileges and they

They have a hold on the network and they can turn off security appliances. I'll never forget the first time, this was like 2018, the first time I saw an adversary turn off an EDR service on a victim's environment on their systems. And it was crazy to me that they were able to gain privileges high enough to do that, but it happens.

Host (15:53.351)
So they were able to go in and turn off the endpoint detection and response on the service. It's impressive. Yeah.

Jon DiMaggio (15:56.718)
That's right. Yes. Yes. Which is just crazy. Yeah. Yeah. It's it is. It's hard to believe they can do that. But to answer your question on why they're not that a lot of companies don't detect this, you know, honestly, it's so difficult to do. So you've got to have the money invested in it because you have to have something like an EDR. That's my opinion, the number one way to help prevent that is having a good EDR. But two.

Host (16:16.125)
Or a sim or, you know, yeah.

Jon DiMaggio (16:19.756)
Well, and then threat hunters, you need the humans to be able to go in and identify false positives or look at the stuff that isn't a red flag, but it's just suspicious because these guys are creative and they're constantly coming up with new ways to get on your networks. And, you know, I harp on this when I, when I teach courses and things, but, as a security analyst, you cannot sit there and wait for something to tell you that something's bad.

that you're never gonna be able to find new threats that are gonna be present in your environment. You gotta go look for it. You gotta look at the stuff that's suspicious, that's not necessarily flagged flashing red screens. Hey, this is bad. It's not always gonna work out that way. So you gotta be creative. You gotta be passionate. You gotta go look for this stuff. You gotta take that extra step.

Host (16:55.43)
Right.

Host (17:02.172)
Yeah, and I hear that a lot in the SMB space. I hear a lot. Well, we've got a we've got an IT company and they're they're monitoring my network. So so I feel I feel OK. And I'm like, but they're not they're not they're not doing SIM or they're not doing EDR. They're not monitoring the network looking for security risks. They're monitoring it for health of the device disk space for

You know, like in order to to to patch, they're not like it's they're looking at the same technology, but for different things, their job in the IT support range is to keep you productive, keep things going. They're monitoring whether you're online or offline, that type of thing. It's the security teams that are the Sox versus the Knox that are monitoring for anomalies, looking for escalated privileges, looking for

intrusions or data loss, things like that.

Jon DiMaggio (18:05.582)
That's right. that's also why, you know, one of sort of a rule of thumb is the more secure you are, the less ease of use your environment's going to be. And many of these organizations, especially ones that cater to services where it needs to be easy for people to use and access, they have to weigh those decisions, making it more secure and a little harder for people to use or being more secure. And that's why, one of the reasons why education and academic organizations are

such in healthcare are such big targets is because those all have to be available and timely to the customer base that they serve. And that makes them right targets for ransomware bad guys.

Host (18:45.904)
Yeah. And to me also, mean, just from a high level, seems like years ago we had two versions of our world. Like we were able to, yeah, we had computers in the office, but you know, we were still able to conduct sales, make payroll, engage with customers, render medical care and do all these things without technology. We could use technology. It was like an electronic version.

It might speed things up, but if it went down, we could still function. But ever since, like all the vendors got everybody to scan all their files and digitize everything and now everything is digital trans digitally transformed. Now, when something goes down like last time, if anybody's been to a physician lately, right, like the nurse doesn't come in with a freaking big pad of paper.

Jon DiMaggio (19:41.442)
Right.

Host (19:41.913)
and go, well, here's all your medical records. Let me see how you're doing. Right. It's all on a tablet. It's all connected to their systems. And so when those systems are down, they can't render medical care because they don't know your history. They can't see it like they can't access it.

Jon DiMaggio (19:58.988)
Right. You know, honestly, we were more secure then. Yeah.

Host (19:59.823)
So it seems to me, therefore, yeah, it seems to me, therefore, the effect that the cyber criminals are having is worse today than it was before, because before we could still function. Yeah.

Jon DiMaggio (20:09.326)
Oh, a hundred percent, a hundred percent. You know, I'm going to sound like a boomer here, but critical services, critical infrastructure, secret squirrel government stuff, your healthcare, like all of that would be so much more secure, not as ease of use, but it would be so much more secure if we still use those models. Honestly, you know, like when let's use the healthcare for example, this will never happen, but.

I would much rather that I'm responsible for my data and when you need my medical data, I give that to you when I go to a physician or something. To me, I would rather that's on me because other people clearly can't protect my data and we're helpless. There's nothing we can do. You can't say, I'm not gonna let you treat me today because I don't want my data being out there, but there's nothing that you can do. I mean, just sending a message to your doctor, it's permanently there on your record.

when you go to these portals. mean, everything's there. So you have no control of it and you have to hope that these third parties are gonna protect you. we know from the reading headlines every day, it's often not the case.

Host (21:13.888)
Unbelievable. So when we're talking about ransomware as a service, some of these platforms now in your in your role, I said like five thoughts at once. So hang on with me. So in your role, you have done things like gone undercover and spoken to like Russian ransomware gangs. You've you know, you've you've. That's that's really amazing. My question is these

Jon DiMaggio (21:41.326)
Thank you.

Host (21:43.342)
these these gangs, like how are they not arrested? I know the answer, but I want you to explain it like how are they not like how can they bankrupt a hospital or bankrupt a manufacturing company in Kentucky or Illinois and have no consequence like and they make tens of millions of dollars, hundreds of millions of dollars and the business is just

Jon DiMaggio (22:07.246)
Yeah.

Host (22:13.175)
destroy, right? And then they leak it and then they go to the press or if there's compliance, they notify the sec, they notify, HHS, like they're, they're really terrorizing small to midsize businesses in, in, in the U S how can they get away with it? It's like they operate with impunity. Like

Jon DiMaggio (22:35.98)
Yeah. Well, the reason that they get away with it is at least today, the majority of ransomware attacks that we see in the U.S. originate from Russia, the Ukraine, general region, but primarily Russia. the issue that we have is obviously Russia is not friendly with the U.S. and they provide sort of protection. It's laughable if we were to try to extradite someone from Russia, they wouldn't even entertain it.

So these guys, they have sort of protection as long as they don't do attacks that would take place against Russian entities. So that provides them the ability to even when we indict them, they're not arrested. They can't be turned over to US. They will never be charged unless they screw up and leave and get caught in a country that will extradite them.

Host (23:26.532)
So it's usually only if they connect, make a connecting flight through like Miami that we can get them, right? Or through Canada or something, right? Like that's the only way we can get them. Right.

Jon DiMaggio (23:32.302)
Yeah, yeah, there's places or the UK or somewhere like that. But yeah, absolutely. You're correct on that. Now, I will say that we are seeing an uptick in ransomware attacks that do come from other regions of the world. There's been an uptick of seeing ransomware attack coming out of China and places like that. But still, by far, Russia, that general region is the most prevalent for ransomware attack origins.

Host (24:01.433)
So they operate with impunity and then they're not able to be arrested. And really the country that they live in is happy because you just brought in millions of dollars of revenue that otherwise would not be coming to the country and you're gonna go spend that in their cities.

Jon DiMaggio (24:20.942)
That's right. Well, not just that. One of the things, and I know this firsthand from the relationships that I've had with bad guys, when they get indicted, often they get a visit from the FSB. And I've even seen, and I'm not going to say any names, just because I don't want to get...

Host (24:38.616)
So the FSB for those who don't know is the Russian kind of the old KGB in a sense, the Russian FBI. It's the Russian senior federal police basically.

Jon DiMaggio (24:48.758)
Yes, that's right. That's right. And a lot of often it's very corrupt and they'll pay visits to them and either they'll have to they'll want them to give them money, sort of the right and they go away or they will also they also sometimes have you know have their thumb on them and you know now they have sort of an entry point to know what's going on, use those resources that they want which we've seen happen a few times. But they definitely have an interest because

Those guys are elite hackers and we know the world, you know, runs on cyber. So it's in their best interest to get those guys to work with them. And if you had to pick between going to prison, going to the front lines in the Russia-Ukraine war, or, you know, going to work for the FSB part-time and still doing crimes, what are you going to pick? You know?

Host (25:39.222)
Right. Absolutely. So it's almost like getting back to that mafia analogy. It's almost like the local gangster part of the mafia that will like go to the businesses, right. And demand money for protection. Right. Like you've got to do this otherwise, you know, your place may burn down. We don't know. Right. And it's like the FSB comes in and says, OK, the Western states have an eye on you. Like you're going to you're going to

Jon DiMaggio (25:55.342)
That's right. That's right.

Host (26:08.386)
do what you do, but you're going to help us a little too.

Jon DiMaggio (26:12.218)
Yeah, that's correct. there was something funny that happened around Christmas time. One of the guys that we indicted, his last name, I'm probably saying it wrong, Matt Veve, I know him as Boris Wazawaka and other handles that he's used, but he posted to social media a picture of his Christmas tree and it had all this US flags and stuff on it. But then at the top of it, it had this large

cut out of President Trump's face on it. And I'm not gonna lie, I laughed when I saw it. It was so comical. It was on this tree and I'm like, this is just crazy. I these guys have no fear. They laugh at us and it sucks. But I laughed because I didn't expect it, not because I'm on their side. Just to be clear, was just one of those things that was so absurd. just, I'm like...

Host (26:47.861)
That's hilarious.

Host (26:59.936)
Right.

Jon DiMaggio (27:05.102)
This is nuts. These guys have no fear of being arrested at all. Like they're posting on social media.

Host (27:10.263)
Well, yeah, exactly. And what what is some of their? What's some of their motives for it? Like, I mean, I would think it's kind of obvious, like I would think there might not be great opportunity where they live for economic prosperity. And if you go to the dark web, they have like recruitment sites where these guys are like make $10,000 a week, which is a fortune over there.

Right. It's as it's not as expensive as where we live generally. And, you know, in terms of what you can do with with with that. then and you can operate with impunity and you can get it fast. It's fast, easy money. They don't they care about what you can do, your individual skills today, not where you went to school, where you know what type of education, what grades you got. Like none of that matters.

Jon DiMaggio (27:41.838)
trade.

Jon DiMaggio (27:59.726)
It is. Yeah.

Host (28:10.453)
Can you hack? Can you do this?

Jon DiMaggio (28:13.332)
right and there's sort two points there one you know some of these guys have have made comments and said things to me like you know there's not work here I can't go use my skills to make money to support my family but I can make a lot of money doing this and then you know I guess the second point you know that the indicted affiliate bastard lord

He was the indebted last year, big time affiliate for LockBit. He had worked for the Revo ransomware game previously and others. With him, was like, the first big payment I got was $150,000. It wasn't cryptocurrency, he's like, was life changing for me and my family. So I could never make that. And we were barely getting by.

Host (28:54.768)
yeah. And he's the one whose mom had his mom had medical condition, right? He had a lot of medical bills and he was used to working in a factory where he would have to like tape his shoes and barely have a coat and he went from.

Jon DiMaggio (29:00.962)
That's right. That's right. That's right.

Jon DiMaggio (29:10.156)
Yeah, was security guard at a school with no heat. That's right. Yeah, it was freezing. I couldn't. So, you know, that's right. That's right. So I'm not saying we should feel bad for people, we also human beings, think. Yes, it's good to understand. Yes.

Host (29:14.186)
Yeah, I read that on ransomware diaries. So yeah, yeah.

Host (29:22.711)
No, but that's their motive. Like, that's why. Like, but for the grace of God, like if I was sitting there, I don't know what I would do. Right. Like you would you would at least be challenged like morality. You would probably steer the right way. But like from circumstance, you're like, well, at least you understand the context of why.

Jon DiMaggio (29:42.368)
It's one thing to be, you know, have an understanding of why someone does it. And let's say that there's a reason that you can even be empathetic to like, if I was in that situation, I don't know what I would do type of thing. That's one thing. But when they keep doing it and they have all this money and they still keep doing it, that's just being greedy. You're a bad guy. That's right. Yeah.

Host (29:58.316)
and then they just keep doing it. Then you're like, well, yeah, yeah, exactly. Well, and who they do it to, there used to be, I mean, it used to almost like, you know, the mafia was always like, Hey, we're not going to touch the, we're not going to deal drugs. We're not going to do this. We're just going to do like gambling or whatever. And then they lied about that. They were lying about that anyway. Very similar story to the ransomware gangs were it used to be publicized anyway from them.

Jon DiMaggio (30:06.114)
That's right.

Jon DiMaggio (30:18.359)
It's right.

Host (30:28.244)
Hey, we're not going to touch children's hospitals, cancer centers, like places like that. We won't do that. We're just about, you know, these, some of these big companies, they have all this money. They're just being jerks. We're going to, it's like a Robin Hood mentality. And then they don't personally have to take accountability because then it's not me doing something bad. It's a noble cause, right? but that's not even the case, is it? Like they go after those hospitals, like,

Jon DiMaggio (30:31.598)
That's right. Yes.

Jon DiMaggio (30:52.92)
That's right.

It's they go after those hospitals. you know, when I was at DEFCON, I talked about this extensively, but the biggest sort of the end of of my fallout with with LockBit was, you know, when they had attacked St. Anthony's Hospital in Chicago and it has a children's cancer ward. because everything was encrypted, they didn't have services. They're going to have to move these kids into another hospital. That's not an easy thing to do. It puts these kids at risk.

And I spent an afternoon talking to him about it. And I had naively believed that I could get him to give them back the encryption key. Cause at the end of the day, if you're a bad guy, you can still get money by extorting them for their data. Not that I'm condoning it, but I just wanted these kids to be, you know, be able to get their treatment and other things. And I really thought I could convince him to do that. And I was wrong. And that's what, you know, sort of changed the tide, you know, as far as, uh, trying to, uh, to change how I went. That's right. That's right. That's right.

Host (31:31.684)
Ugh.

Host (31:35.508)
Right.

Host (31:39.133)
All right.

Host (31:48.743)
any empathy you may have had for them.

Jon DiMaggio (31:52.748)
Yes.

Host (31:54.675)
Wow. So you're somebody that has gone undercover and actually spoken with them. Now let me ask you this, do they speak English when you're talking to them on these talks channels or on the dark web?

Jon DiMaggio (32:04.12)
But yeah, most of them can speak in at least broken English because you got to remember almost all the victims.

Host (32:10.364)
or they use a translator or they use a translator.

Jon DiMaggio (32:13.998)
That's right. Yeah. But a lot of them do speak broken English because all their victims are usually English speaking. But yeah, there are occasions where they don't. then either, you know, we use Russian speaking nationals to help with these operations or you can use a translator, but you're not going to trick anybody using a translator. But I also have talked to these guys just of myself once they ransomware diaries kind of put me on the map. And a lot of these guys just at the time wanted to talk to me. So I've done both. But, yes.

Host (32:42.741)
Well, and for those of you who may not know, and if I can find the image of it, I will pop it up here. I just don't know if I'm able to find the image. But after one of your initial ransomware diaries where you talked about Lockbit, they read it and they put your face on their website on the dark web of Lockbit. That must have been a moment. Yeah, the avatar was your face.

Jon DiMaggio (33:04.286)
They made it their avatar, yes. Yes, on their account. Yes, yes. For years.

Host (33:09.702)
Like, and they were at the time the number one, yeah, the number one most like wanted most ruthless, notorious ransomware gang and the planet and your face is there. That's that causes some, that causes some lost sleep, you know.

Jon DiMaggio (33:22.946)
Yeah, I'll never forget that. Yes.

It does. does. And then over time, because they kept doing that for, I don't it was about a year and a half until they got kicked off the forum, they kept it. So I would see the lock bit having these arguments with other ransomware gang leadership with my face. And you got to be like, at some point, he's got to be a guy, who the hell is the guy I'm looking at? then they're probably looking me up and stuff like that. So yeah, was, it made life interesting. Sure.

Host (33:34.65)
my god.

Host (33:41.096)
with your face going back and forth.

Host (33:54.942)
Yeah, or some some federal agents reading that and they don't even know that it's you and they're doing that. Then they go and get a coffee in Washington and see you and you're like, like, hey, I've seen that guy like he's he's a cyber. He's he's what he must be visiting from Russia like that. Yeah. Right. my God. That's crazy.

Jon DiMaggio (34:07.052)
Yeah.

Jon DiMaggio (34:12.334)
or other analysts that I know that are also tracking them and they have to see my face every day. I've heard it from everybody, but yeah, all the law enforcement guys know me nowadays, but yeah, there was a time and yeah, it's, I mean, all I can do laugh about it now, but it definitely made for a funny story after the fact.

Host (34:23.08)
Yeah.

Host (34:27.496)
Hey, I've.

I've got a question. So when a ransomware gang threatens to release the data and it goes on their dark website, I've heard business leaders say, well, I don't go to the dark web nor to my customers. So why would I care? Right? Like, but the issue is, is everybody, even though it's the dark web and most business people don't go there, everybody else,

does like everybody that is involved in security. And so it makes its way to the news and to the mainstream media. Right.

Jon DiMaggio (35:08.364)
Yes, but I think that mentality is changing because there's been so many cases now, it starts on the dark web, but that's not where it ends. That's just where it starts. That data makes its way out of there. And then it's used not only against those organizations and their customers, but it can also be used to further compromise like their partners who have trusted relationships with them. And it just leads to more and more of this.

Host (35:32.903)
When I'm starting to see some of the cybercrime gangs also have things on the clear web or through certain apps, like you'll see a gang have a have a website or a page on Telegram and on like regular, which is on the regular web. Basically, like you can. Any of us can access that. You don't need the Tor browser and tails and a VM to get over to the dark web.

Jon DiMaggio (35:46.851)
Yes.

Host (36:00.09)
And then a lot of them also have, like you said earlier, like some of have social media, like they're, they're notifying it. And if you still don't pay and you still ignore them, they'll start reaching out to some of your customers or your partners. They,

Jon DiMaggio (36:05.518)
That's right.

Jon DiMaggio (36:13.59)
Yeah, they do interviews. yeah, yeah, no, they'll do that. Yes, they also interview with the media. But yes, they'll reach out that I've even seen several times now where they've actually hired call centers to read a script and call customers of big companies, telling them that their data has been taken and they need to contact the company and tell them that they need to pay to not have this leaked, which is absurd, right? That that actually takes place. Yes.

Host (36:38.941)
That's absurd. That is so like they're complete bullies. Like in the, in the schoolyard, somebody needs to stop that kid. You know what I mean? Like it is really brutal. And then if let's say you're in an industry that has regulated, right, they've been notifying HHS, the SEC, like the, the organizations like, and they're like, Hey, by the way,

Jon DiMaggio (36:43.765)
Yes.

Jon DiMaggio (36:48.906)
Agree with you. I agree with you.

Jon DiMaggio (37:00.372)
yeah.

Jon DiMaggio (37:03.713)
Yes.

Host (37:08.454)
We breach them. They haven't notified you yet or they're not being like they say we don't have access. We're the guys that did it. We have all the access. That's brutal.

Jon DiMaggio (37:11.598)
That's right.

Jon DiMaggio (37:18.146)
That's right. And they'll actually use that to extort them. And they'll be like, our extortion demand is less than what you're going to pay in fines and fees if this has to go public or if we notify them. And so yes, you're going to have your data leaked. It's going to affect your customer base. It's going to affect your reputation. Your systems might be encrypted. It's going to take a ton of money to fix that. And they're going to report you even themselves to these government organizations that track and find private sector companies.

Host (37:35.857)
Wow.

Jon DiMaggio (37:47.788)
It is, it's a tough place to be in. And I say this all the time, there's no shame in becoming a victim. Anyone can get hacked. I don't care how good you are, it's possible. It's how you handle it after the fact. And what I have an issue, just as much as I have issues with ransomware bad guys, I have issues with when corporate companies get greedy and they lie and it's their customers who end up taking the hit.

Host (37:56.131)
Absolutely.

Host (38:01.66)
Right.

Host (38:11.96)
Absolutely.

Jon DiMaggio (38:12.81)
And if they had just been honest and disclosed, things could have happened much smoother and protections could have tried to have been implemented. But yeah, when they lie about it and they don't tell the public about it and they say, we weren't compromised. In fact, they were, it's the consumer who loses.

Host (38:27.634)
which is a huge red flag when I see a story of a data breach and like, they didn't access anything. they were, I'm like, it was freaking black cat. They accessed it or it was locked bit. Like I'm telling you the access to it. And then three months later you find the whole, find out the whole story, but it's, it's, it's absolutely, it's absolutely brutal. know black cats not gone. Like they're gone. They did the exit scam. didn't mean to use them as an example necessarily.

Jon DiMaggio (38:38.232)
Yes.

Jon DiMaggio (38:45.719)
Yes.

Jon DiMaggio (38:54.966)
No, you're fine with that example, but still relevant.

Host (38:57.969)
Yeah, I mean, there it's like some of the stories are just phenomenal and I love the names because it's so good for creating characters. There's like the cactus, like dark angels. Like how cool is that for a name? The dark angels like I threw that name and I was going to write a article about them and I'm like I threw that name into AI like image generator and got some really cool images.

Jon DiMaggio (39:07.95)
It is. It's bright. It's It's bright.

Host (39:26.029)
And I'm like, you know that their logos and their tattoos are going to be cool. We're the dark angels. That's just ridiculous.

Jon DiMaggio (39:31.832)
Well, I think the most interesting name was Reval because it was based off of a video game Resident Evil. You know, I mean, you can't make this stuff up, you know.

Host (39:36.335)
Yes. Yep.

You can't make no, it's just they're all children. Like we're all children. But you know what? One thing. Tell me what you think of this as we wrap up like would you agree that not all breaches are created equal? Meaning you you see certain breaches and even smaller breaches, but businesses are down for weeks and their system like they didn't prepare like and

Jon DiMaggio (39:45.516)
Agree with you. Agree.

Jon DiMaggio (39:57.272)
course.

Host (40:11.128)
The bad guys were inside those networks for a long time, creating back doors, gaining all these privileges, exfiltrating data. Like there's those. And then there's some where like, yeah, they got it. They, they had services or they had some team in place or they acted, they prepared for like through incident response planning and they like triaged immediately and they took it more seriously. And you see this still damage, right? They're still happy.

right? But I think it goes to your point of there's no shame in being a victim unless you're more of a victim than you should have been had you not been negligent. You know what I mean? Like I would you agree with that?

Jon DiMaggio (40:51.864)
I'd agree with that. Yes. A hundred percent. I get really upset when I hear about like that example I gave or organization still had a default password set on public facing infrastructure. know, the companies should have more of a responsibility to protect our data. Yes, anybody can be hacked, but when you are, you know, just it's ridiculous and you don't take through the basic things that you should be doing to protect people and you have their data. again,

Host (41:03.482)
Yeah.

Jon DiMaggio (41:18.146)
they either don't have a choice, they have to either allow you to use it or they don't, you know, there should be more repercussions for those situations. There are victims that do everything right. They should do is to the compromise. But the ones who don't, where it's just incredible to me that that's that that takes place. And those are the companies that they should have penalties and they should have punishments is not OK. And then one other thing I just want to bring up, there's also, in my opinion, these companies that pay like change health care, for example.

Host (41:41.402)
Yeah.

Jon DiMaggio (41:47.992)
great example. They paid twice. They paid $22 million, allegedly, twice. And, you know, it's

Host (41:48.474)
my God. Yeah. Yes.

That's the Black Hat story, isn't it? Like were they paid and but but then Black Hat said, no, we're taking down like we're out of business and they ran away. They took the money and then the actual affiliate is still there going, hey, I don't know what just happened. They just ripped me off of my commission on this. I'm going, I still have your data. I'm still going to do the exact same thing that they were going to do. He went back to them and they had to pay again.

Jon DiMaggio (41:58.018)
Yes.

Jon DiMaggio (42:14.563)
Yes.

That's right.

Jon DiMaggio (42:22.444)
Yes, and the problem is that money, it feeds that ecosystem. It encourages them to do more attacks. And I feel like there's got to be a responsibility of some of these companies. It's ridiculous. Now, I'll admit that when I see something like that in a healthcare company,

Host (42:36.705)
It's hard to make sure that they've actually deleted the data. It's hard to make sure that they've actually deleted the data, right? Right.

Jon DiMaggio (42:41.57)
They don't, I know for a fact that they don't delete the data. That is a myth and these companies that believe it, I've seen it with my own eyes. I've had the conversations. There's black and white evidence that they don't delete the data. You're a fool. You're paying for them not to publish your data now and hoping that a criminal keeps their word, but it doesn't happen. We have these takedown events. There is almost always data from previous entities that it was supposed to be deleted and it's still there.

Host (43:00.355)
Wow.

Host (43:05.263)
prior breaches.

Host (43:09.401)
Yeah. What is the average percentage right now of people that once they pay a ransom, they actually get the decrypt key and they're able to restore their data. It doesn't, it doesn't solve the fact that they might've taken a copy of it and could still release it. But in terms of getting back up and running,

Jon DiMaggio (43:21.794)
Yeah, that's actually pretty good.

Jon DiMaggio (43:31.586)
Yeah, most of the ransomware groups, the successful ones anyway, they treat it like a business and they know if they have the reputation of just taking your money and not doing what they say, that future victims won't pay. So most of them will actually abide by that. But the point is they keep your data and then when things go south and their enterprise is interrupted, their operation is interrupted, that's what they have left now to use to still

obtain financial gain is they can sell that to other criminals. They can re blackmail the company. There's all sorts of scenarios. But at the end of the day, like I said, even when companies do things right, it's still that money that's spent on all this to fix this or to get it.

to the extortion or whatever it is, at the end of the day that falls on the consumers, know, that it's put into the pricing and you end up paying for it or people lose their jobs. I mean, it's the little guys and girls that end up getting her in this. And that's not as traceable when you just look at the incidents. So it's not as apparent, but that's the reality of what happens.

Host (44:24.451)
Yep. Right.

Host (44:38.798)
That's amazing. Well, Jon, I'm as you know, thank you so much for your time. Thank you for what you do for U.S. businesses, U.S. organizations, U.S. critical infrastructure. Honestly, like what you do, you are serving the country like I don't like nobody probably ever tells you that. But I'm really, really glad to be your buddy and and to highlight the things that you're doing.

Jon DiMaggio (44:55.566)
Thank you.

I appreciate it.

Host (45:08.045)
People want to find Jon, check out Analyst One, look up ransomware diaries. I'll throw a link in the show notes. of course, I completely forgot the book right there, The Art of Cyber Warfare, which is a really good book. I'll tell you, if you're not technical, right, and you don't want to get into the technical aspect.

Jon DiMaggio (45:08.568)
Thank you.

Jon DiMaggio (45:17.034)
and my book. I see it behind you. I always forget that. Me too.

Host (45:33.459)
most of that book still talks about the espionage and the people and everything else because I'm not technical and part of it I was like Googling all these acronyms and all this other stuff but then I learned something there but you don't even have to do that just the stories in there are phenomenal like that's a really really good book yeah

Jon DiMaggio (45:35.608)
That's That's right.

Jon DiMaggio (45:45.346)
Right.

Jon DiMaggio (45:51.202)
Yeah, I try to write and make things entertaining to read and understandable by a larger audience than just technical people. Because I think it's important that everyone can understand what's taking place and you don't have to have an engineering degree to get the idea of what's actually happening.

Host (46:09.101)
Well, I'll tell you, I'm I'm a former prosecutor back a long time ago, right? And I remember that the detectives that I knew that would go undercover in some of the gangs, they'd get burnt out. It would really take a toll on their, like, it's hard to be a bad guy and not get caught and not get your cover blown. It's just a lot. So, yeah, it's gotta be like, does it wane on you?

Jon DiMaggio (46:22.263)
Yeah.

Jon DiMaggio (46:33.102)
Yeah, that's me right now. That's where I feel after doing two years of this. It does. Well, I'm done with that operation with Lockditt and all of those guys. like, that's why I said I'm taking a break from ransomware diaries. I'm going to do some academic stuff. Like, I just need a break. Like, it takes an unbelievable toll and it's hard to convey that on your shoulders. It doesn't, isn't going to stop me, but it's there.

Host (46:38.369)
Like, it's gotta get to you.

Host (46:52.589)
Got it. It's 24 seven fighter. Yeah, it's it's isn't it's like 24 seven fighter flight mode. You're you're on the amygdala hijack 24 seven and it takes a toll on.

Jon DiMaggio (47:02.446)
That's right.

Jon DiMaggio (47:07.724)
It does high pressure, high anxiety. It affects you, your family, the people around you, all of that stuff. So there's no vacation, especially when you're pretending to be somebody you're not. There's no nine to five. There's no weekends. Like you're that other person. You can't just be like, I'm taking off. Sorry. so yeah, it's, it's a lot. It's a lot.

Host (47:12.3)
Yeah.

Host (47:25.569)
Well, thank you for what you do and the sacrifice that you made there. But dear God, just go, go teach some kids how to like break into cyber. Like, like just take it easy a little bit. Like, yeah. Hey, let me ask you the latest on lock bit. Just as in, in, in the final moments, what like,

Jon DiMaggio (47:28.398)
Thank you. I appreciate it.

Right? Yeah, that's the plan.

Host (47:50.145)
The last we spoke, the head of Lockbit, Lockbit's up. were like going to release the, the feds were going to release the identity. There was like geolocation found of where this person was. He kept telling you, that's not me. They got the wrong guy. They got the wrong guy. It was him. It was him. And we know exactly where he is and pictures of him and everything. And the stuff he liked, right? Like

Jon DiMaggio (48:07.746)
They always say that, yeah. That's right. Right.

Host (48:17.441)
The sports he liked, the cars he liked, where he liked to shop, all that stuff. Yes, I loved it. was like a it was like a Southern Charm magazine expose on like Martha Stewart. And I'm like, this guy's ruthless. And we're like, yeah, he loves to garden and his favorite like cognac. And I'm like, what? my God. It was it was great. So what's the latest with that with that? Is it still just it's just in in.

Jon DiMaggio (48:20.354)
Gardening. Yes.

Jon DiMaggio (48:27.406)
Right. Right.

Right. That's right.

Host (48:46.496)
Plateau phase because you can't go arrest him like you can go get him, right? Yeah

Jon DiMaggio (48:50.924)
Yes, that's right. can't. since then, since then, their developer has been, he was, he's actually been arrested because he was outside of Russia. Yeah. So he was arrested. He did. He did. That's right. Yup. Relaxing. That's right. So he was arrested. So the operation itself, on paper and what's in a lot of news headlines and statistics.

Host (49:00.128)
Yeah, I saw that. Yeah, and he had pictures on social media. He had pictures on social media, like at the beach, smoking, all that stuff,

Jon DiMaggio (49:19.072)
makes it look like they're still one of the top one or two groups. But for a trained eye, they're posting a lot of fictitious victims or victims that were previously extorted and breached. And they're also posting victims from other, when other groups, because they're affiliates who do it, other groups that they've worked for and done it. So they're sort of stacking the deck. Now there are still legitimate breaches, but they have 100 %

taking a hit and are feeling the pain because of the sanctions that makes it hard for victims to pay. So if you're a bad guy, why would you work for them and deal with all that hassle when you can go to somebody else? So they're your top tier hacker affiliates. That's not gonna be their first choice of where to go. And LockBit is trying to come back and he's releasing in a couple of weeks, he's releasing a new program updating it from LockBit 3.0 to LockBit 4.0.

And there's a lot of headlines about that, but here's what people aren't reporting. When the NCA, so that's made up of like Europol, the FBI, a bunch of law enforcement organizations worldwide, when they took them down, they obtained the source code for this new variant that's going to come out. So it's being marketed and it's being reported, like this big comeback.

I don't think that it will be as big as things have been with them in the past. Again, because law enforcement has obtained that code, which makes it easier to defend against. I'm not saying that it's not going to be effective at all, but it's not going to be what we saw in June of 2022 when LockBit 3.0 came out and it changed the whole dynamic of ransomware forever. It's not like that. I don't think it will be. Time will tell. But I believe that they'll keep...

Host (51:01.333)
Yeah.

Host (51:05.702)
Excellent.

Jon DiMaggio (51:06.732)
being out there doing their PR and trying to get their name out there, but I think they'll continue to diminish, but time will tell.

Host (51:13.737)
Wow. Who are the big players out there now? Black Matter, Black Basta. I'm sorry. Ransom Hub. Ransom Hub.

Jon DiMaggio (51:19.166)
Ransom so black matters black black matters gone that that's. Yeah ransom hubs one of the big ones that are out there you know there's a lot of groups from if you remember the country ransomware group when when that ended they broke up into many different groups.

Host (51:31.157)
course.

Host (51:35.253)
Yep.

Jon DiMaggio (51:36.238)
And that is a model that we're kind of seeing more of. And that's what I'm actually working on right now is looking at sort of Black Cat. They went away and we're seeing now a couple of different groups that have a lot of code similarities that have a lot of the same people working for them. It's not a one for one, but we have to stop looking at things as a group goes away. There's a rebrand and they're the same group. Well, no, they're actually now becoming multiple groups. Yes, that's right. That's right.

Host (51:57.576)
No, it's splinters. It's splinters, right? And they're different groups. Yeah.

Jon DiMaggio (52:03.436)
which makes it hard to track, hard to get your mind around and hard to do attribution on correctly. So it's difficult. That's actually what my next paper is going to be on, on how to do proper attribution. I'm going to do a use case to show that. But anyway, they give me lots of good content for examples for a use case.

Host (52:06.217)
Yeah.

Host (52:15.718)
Excellent. Very cool.

Crime's always up. So, all right, man. Hey, thank you so much for your time. I really appreciate it. Always great insight. We'll have links. Please connect with Jon. Follow him on LinkedIn. You and your team at Analyst One are phenomenal and everything you do is just outstanding. So thanks, brother. Have a great weekend. I will talk to you soon. Okay. Thanks, man.

Jon DiMaggio (52:23.606)
It is, Absolutely.

Jon DiMaggio (52:35.512)
Thank you. No, I really appreciate it. Thank you. Absolutely. You too. Sounds good, Dave. Bye-bye.