Cyber Crime Junkies

RANSOMWARE 🎯 What You Need to Know 🎯

Cyber Crime Junkies. Host David Mauro. Season 6 Episode 82

Host David Mauro interviews Jon DiMaggio, a well-respected cybercrime investigator, delving into the operations of LockBit, once the top ransomware gang and now an exposed cybercrime gang. We discuss the ransomware takedown of #Lockbit and how Jon's research led to these cyber criminals being exposed on #cybercrimejunkies.

#lockbit #ransomware #cybercrime

Don't miss the video: https://www.youtube.com/watch?v=fpRV4YAlXKI


Growth without Interruption. Get peace of mind. Stay Competitive-Get NetGain. Contact NetGain today at 844-777-6278 or reach out online at www.NETGAINIT.com  
 

Have a Guest idea or Story for us to Cover? You can now text our Podcast Studio direct. Text direct (904) 867-4466

🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss a video episode!

Follow Us:
🔗 Website: https://cybercrimejunkies.com
📱 X/Twitter: https://x.com/CybercrimeJunky
📸 Instagram: https://www.instagram.com/cybercrimejunkies/

Want to help us out? Leave us a 5-Star review on Apple Podcast Reviews.
Listen to Our Podcast:
🎙️ Apple Podcasts: https://podcasts.apple.com/us/podcast/cyber-crime-junkies/id1633932941
🎙️ Spotify: https://open.spotify.com/show/5y4U2v51gztlenr8TJ2LJs?si=537680ec262545b3
🎙️ Youtube (FKA Google) Podcasts: http://www.youtube.com/@cybercrimejunkiespodcast

Join the Conversation: 💬 Leave your comments and questions. Text the link above. We'd love to hear your thoughts and suggestions for future episodes!


Tags: Ransomware Take Down, cyber crime gang exposed, Lockbit, cyber criminals exposed, exposing cyber criminals, What You Need To Know About Ransomware, how to stop ransomware attacks, Who Runs Cyber Crime Gangs, Cyber Crime Investigation, Ransomware As A Service, Cyber Crime News Today, Ransomware News, Who Runs Ransomware As Service, Exposing A Cyber Crime Gang, People Who Launch Ransomware, Latest Ransomware News, cyber crime junkies, Cyber Crime Gang, Jon DiMaggio, When Hackers Get Hacked, How Do Ransomware Attacks Work, Cybersecurity

Chapters

00:00 The Rise of LockBit: A Cyber Plague
03:07 Cyber Crime Investigation: Inside LockBit
05:54 The Business Model of Ransomware
09:09 Ransomware Take Down
12:09 Who Runs Cyber Crime Gangs
15:03 Exposing Cyber Criminals
29:02 Understanding Cyber Threats and Extortion
32:50 What You Need To Know About Ransomware
37:01 How To Stop Ransomware Attacks
40:48 The Future of Lockbit and Ransomware Landscape
46:32 The Aftermath of Ransomware Groups
49:40 Insights from Cyber Warfare and Espionage

Speaker 2 (00:00.078)
LockBit isn't just ransomware. It's a cyber plague. It's organized crime run like a high-performing business. Here's the timeline. June 2022, they launched a criminal bug bounty program. In August of that year, LockBit 3.0 tightens its grip on the U.S. ransomware scene. By October, health care systems in the Heartland were hit hard. Patients got turned away. Ambulances got rerouted.

Then came Royal Mail in London, Boeing, and even the Feds. Right here in America, towns got paralyzed. Data was held hostage, doctors locked out of systems, and small businesses were shut down permanently. They didn't discriminate. They hit anyone who couldn't fight back. If you had a firewall and a prayer, you were a target. Then,

February 2024, the takedown. The FBI raids. 7,000 victim decryption keys were recovered and shared among the victims. Arrests were made in Poland and Ukraine. The FBI and the NCA from Britain mocked LockBit online. The cyber underworld began to implode.

their criminal organization and their criminal enterprise started to dissolve. But did it really? And who was behind it all? This isn't just a timeline. It's the true crime saga of our modern day. And now for the first time, Jon DiMaggio, the cyber researcher and sleuth who helped unmask LockBit's kingpin, tells the story.

hunted, who they hunted and how they began to crumble and why LockBit is not fully gone. If you run a business, if you live in a small town, you need to hear this. Don't miss this exclusive interview because they are back and they are going to strike again. This is Cyber Crime Junkies.

Speaker 2 (02:28.854)
And now this show.

Speaker 2 (02:37.826)
What if the most dangerous ransomware gang on the planet operated like a Fortune 500 company? Running business like any successful US organization would do, with metrics, dashboards, culture, benefits, and even scholarships. And what if I told you that the FBI just cracked into their inner sanctum, revealing secrets meant to stay buried? In this episode, I sit down with cybercrime investigator Jon DiMaggio.

who went undercover into the world of Lockbit, the notorious ransomware cartel that's extorted millions from businesses and rural hospitals, even children's cancer hospitals around the globe, including small midsize businesses just like yours. Recently, Lockbit themselves were hacked.

Their infrastructure dismantled, their internal communications exposed, and their planning and their methodology laid bare for law enforcement. But here's the twist. Their leader, Dmitry Khoroshev, known online and even right there on Twitter as LockBitSupp, isn't some rogue hacker in a hoodie. He is a cold-blooded and ruthless entrepreneur.

He runs LockBit like a well-oiled machine, even having a $10 million bounty from the FBI on his head. Security researcher Jon DiMaggio reveals how this cybercrime empire operates, from recruiting affiliates to negotiating ransoms. And while you haven't seen the last of them yet, even with their systems temporarily down, they're already planning and rebuilding.

They're making a comeback. If you're a business leader who thinks ransomware is just an IT problem, then think again. Stick around because this one could save you over a million dollars and even save your company. Look, let's be real. Cyber Crime is everywhere. Data breaches are hitting headlines constantly. I started cybercrime junkies for two reasons. Because true crime stories are addictive. And because leadership can be learned

Speaker 2 (04:59.146)
and great leaders need to understand cyber today without all the technical jargon. So do us a favor, smash that subscribe button, join a community that's done with doing things the way they've always been done. So let's get ahead of the threats and become the kind of leaders who actually stop them. These days being informed isn't optional. This is Cyber Crime Junkies and now the show. Lockbit.

From a high level, for those that might not be aware or have heard or seen any of our prior episodes, one of the leading notorious cybercrime gangs on the planet.

of

Mark and I subscribe to several things that pull things from the dark web, right? And we just see the breaches as they happen, like during the day. And it's like LockBit, LockBit, LockBit, Clop with MOVEit. And it's like LockBit, LockBit, and then a couple like new kids on the block. I'm like, who are you guys? You know, and then we're just like, it goes LockBit, and like, so you uncovered some really shocking things and I've

some of the mainstream media starting to pick up some of this, like is LockBit, you know, folding or they have, are they imploding, are they having issues? There were several things that you kind of uncovered. So you want to walk us through it from a high level and then, you know, we can get into some specifics.

Speaker 1 (06:43.65)
Yeah, sure, sure. So, you know, there's a lot to this story, obviously, 70 pages of research, but the short, I guess, cliff notes to-the-point version of this, you know, really, you know, there's been a number of problems that LockBit's had with its operation. And that is a problem that it was lying to, not just the general public to protect its reputation, but to its direct partners.

And I'll talk about there in a second. But as I work through this and I began to realize these things, as I reached out to some of their top affiliates and partners in getting the confirmation of this and having them tell me, we're leaving the operation or we've left their operation because of it, I was like, how does the rest of the world not know this? And I'm sure I'm not the only researcher that found it.

There's got to be other people that saw it if I did, but as far as I know, I'm the only one that's talked about it or brought it to the public. So in essence, you know, they've been extorting people for money and they've been struggling to actually follow through with their threats of posting data. And think about it, they're hosting a massive infrastructure on the dark web. In June of 2022, they switched up to new ransomware called LockBit 3.0, and

significant.

Speaker 1 (08:05.218)
They more than doubled in their number of affiliates and their attacks just blew up. I don't have the specific metrics on it, but they've more than doubled what they did the year before.

Let me interject one thing, just by way of background for those that might not be aware. So Lockbit is like the core group, right? The name of the cybercrime gang is basically named after the code that they originally developed, right? It's the brand name of it. And then they themselves don't go and hack into the...

the victims' networks, they engage these affiliates and they pay them. You know, we've talked about it in other episodes. LockBit is really a unique model because they let the affiliates, these digital mercenaries, essentially go and collect the money and then cut LockBit their share. The funds are extremely generous. As you've pointed out, it's not like

buy a new car or even a new house type money. This is like buy an island type money.

Right, yeah, correct. It's like buy-an-island type of money. You're 100% correct. Yeah, so LockBit's core gang, yeah, it's like a business operation that they run. Last time I asked, they had around 100 employees. That does not count what they call their partners, what we'll call their mercenary hackers or affiliates. And, you know, they pay them literally to go out and to compromise and hack organizations, steal their data, expose, you know, their sensitive information. And if they don't pay them,

Speaker 1 (09:44.386)
they claim that they're gonna post their data. And historically they've always done that. But that's kind of what I was leading to earlier is with such a large volume, they've just exploded with the amount of attacks and how much data they're stealing. And they've made such an easy to use interface where it's literally point and click. Okay, I have the data right now. I'm gonna load it up onto the website and it's gonna create a victim entry and now a timer starts. You're the victim. When this timer hits zero, I'm gonna put your data out there.

And it's that simple. The thing is, they've made such a strong reputation for themselves over the years now. You know, September will be four years for them. They've made such a strong reputation that I think people just stopped actually looking to see if they could download the data or, when they did, they just assumed, maybe it's like, I'm not used to using the dark web. I don't know. Maybe it's not working. But nobody realized that it's more of a problem. I started to pick up on it when,

Speaker 2 (10:43.822)
We background. Let's remember that after Jon released his last kind of expose, on LockBit's dark web site their profile had Jon's picture there. So there's nothing that lets you sleep well at night. The most notorious crime gang out there has your picture as their avatar.

Yeah.

Speaker 1 (11:12.526)
They do. They do. Yes. So, so anyway, what I realized though is that they're not actually posting that data. And a couple months ago, they in the back end. So the public doesn't ever see this even on their leak site. Nobody sees this. But if you're in the like with them, the way they communicate on the back end, they use specific protocols and fairly uncommon, we'll call them apps that they use on that app. It's almost like that. Yes.

It's almost like their customer service communication. It's like if I'm an affiliate and I'm. Right, yeah, but with a lot less features. But it's the way that I come to you and I say, hey, my decryption key is not working. I got this victim ready to pay. They're going to, I'm going to make 10 mil. I need you to help me with this, and LockBit will help them out and get it going. LockBit, you know, shut down for just like a day or two. And he did that

because they were doing an update to their infrastructure. So after that update, thought, oh man, as I was in the middle of writing my report, I'm like, oh man, this sucks. They fixed it. More victim data is going to get out there. But what he actually did was it was almost like a facade. He made the website now look like, so instead of posting the data, it would be like, you know, let's say the ransom was 100 million after it expires. Now a criminal could buy it for 60,000 or the victim.

But so that's like giving him an excuse to not post it, but he still said, you know, it still says all of your data is exposed, but you can't get it. And then in other instances, it would just say it's exposed, but the data just wasn't there still. And then there's a third scenario where they claimed that it would be exposed. And then there'd be like a link to some, you know, public file sharing service. Well, here's the thing, those public file sharing services can be taken down.

and that's one of the things that these affiliates pay for is to have locks.

Speaker 2 (13:08.28)
they can't get caught and so and so that it can't get taken down. Right. And this gets to the very heart of it doesn't it? If you can't actually deliver on the thing you're threatening people on, right, your whole business model kind of

It's gone

was

different things, right? Some might work for CL0P, some might work for, it's all kinds of project-based basically, right?

Yeah, mostly they're hired guns exactly that they want to get paid they'll work for multiple gangs but many of the top gangs that at least the ones that I actually I communicate with them often at this point in my career from all the research that I've been doing and Feel like I know them as well as somebody could know them That's on the outside and you know, these guys were they were they were leaving there. They're like, you know, this is

Speaker 1 (14:09.634)
This is ridiculous. I mean, it was literally like, like they're upset with the customer service. They're upset they weren't getting what they were paid for. They don't treat it like, you know, like they're criminals. They treat it literally like this is a

It's almost like a startup that hit big and then it just grew so fast that the customer service couldn't keep up with the demand.

And to make it worse, this Tox communication method, because it is so limited and they now have so much business, it sometimes takes over a week to get a response. I mentioned they were gone for two days. Well, that was nothing. They came back. But you were still waiting for like a week to come back. It's been a big problem. I used an analogy in my report.

because it just happened to me. If you've been on the phone trying to get your something fixed with an airline and you're sitting there for hours, you are so frustrated. Now imagine that you're paying them millions of.

Think about that. There's $10 million or $100 million that you're negotiating or ransoming and you need answers and they take a week to even get back to you.

Speaker 1 (15:17.358)
Yes, yes, it's crazy. And then the other, I guess, big thing that happened was, again, you have to really, I like to use the word stalk, stalk them to know when they're going to have dates and new updates and things like that.

around June they come out with their new and improved version of their product, right? Their platform, right? Yes. And they didn't

They didn't have this year. missed that. Instead, a few months earlier in January, so like six months earlier in January, they, I think it was January. Yeah. They essentially, what they did is they took a leaked version of one of their competitors, Conti Ransomware gang. took their leaked version and they just altered it to have their note, the Lockbit Ransomware note in it instead, and offered that up, calling it Lockbit Green. Here's the problem. I've had that on a VM of mine since February of 2022.

This is not new. There's some signatures out there to identify it. There's lots of things. That's fine for us as defenders. But again, it's trouble for LockBit when bad guys are expecting to use that. The one thing they did have going for them is the affiliates who liked working for Conti are like, OK, well, I like this malware. I can continue to use it. But again, we've got signatures. It's not new. It can be defeated. Good for us, bad for them. But these are all things that just

weren't really getting put out there. And LockBit has a strong narrative on these forums. And it's that everything's great business as usual on the top villain of the underworld. And everybody buys it. So I just wanted to shine some light where there hadn't been light in a long time and sort of challenge them that LockBit and be like, hey, companies, if you're a victim, you know.

Speaker 1 (16:57.804)
really assess whether you want to pay because you could roll the dice and you've got a good shot that they're not going to post it. Now, again, that doesn't mean that they may not try to post it to one of these file sharing services. But again, you can work with law enforcement and things to take it down. Still a risk, I understand, but it's not the same level.

definitely helps those on the right side of cyber crime.

That's got to damage their brand, because there's certain, you know, I guess street respect that they get, but now you're repackaging and relabeling Conti's ransomware. Well, yeah, here's the best part. And this really shocked me. Yesterday or the day before on the forums, LockBit posted, and it's funny because they call me Johnny and they're like, yep, Johnny was right. He got us on this. But you know what? Now that he's pointed it out, we're going to fix it.

Fortunately, it's not that easy to just fix. And I knew he was going to kind of play it that way. I don't think LockBit will go away completely because, I mean, look at all the new ransomware gangs that stand up. It's not like it takes a lot to get it going, but to become the top dog and running the whole thing and making hundreds of millions of dollars a year, that is potentially what could be swayed. And my real hope is that shining this light not just tells the public, but it lets criminals know, if you're going to invest, think wisely where you join.

Speaker 2 (18:28.546)
to other people that have relationships with cybercrime.

relationship with the drive-thru guy at Arby's, you know, that's not as deep as I can go. It was like yesterday, a friend of mine who's working an IR investigation for a small company, they haven't been able to, their ID that you use to start negotiation on the chat log, he couldn't get it to work, so he was like, hey, I've never used, you know, the Tox to talk to them directly, we always, you know, use the proper channels, can you

get me their Tox ID, and I was like, sure. So I went to log in, and sure as I'm doing it, I couldn't believe it, because I honestly had feared that there was going to be retaliation, and LockBit pops up and he's like, hey Johnny, I'm back.

So let me ask you about that. LockBit, the name of the code, the name of the gang, right? There's the core group. You said that core group has about 100 regular employees that is part of the core group. But then there's also all of the affiliates. So this is a large organization. This is a large criminal organization. This is huge.

You're into it,

Speaker 1 (19:39.438)
Yes

Especially the way that it's especially the way incorrectly from wrong But especially the way that it's organized in the sense that some people do this task some people do that task and they don't know each other Like that's the definition of

Correct exactly what you mean? Well, I mean criminals got upset that I called it that and called me naive and said how dare I make those accusations and I'm like Maybe you watch too many movies. I'm a super nice crime. This is This is what it's become though and that's exactly this is like the exactly what it is and it's that one of the top if not the top organization in Russia that's doing you know, these type of

operations. It definitely is an organized crime syndicate for sure.

Mr. LockBit, the Supp, kind of, yeah, when he shows up and says, hey, Johnny, I'm back. A couple of things pop in my mind. One, run as fast as I can down the street and call my parents. Like, I don't know what to do. Two, but honestly, what, so is there one head?

Speaker 2 (20:52.578)
Because in your last research, you said the one managing the administrator of all this is basically who we're calling lockbit, but there was really another one you felt was also like a president and like a vice president, kind of.

Yeah, there's one core guy who is behind it all and then he has, you know, just like any type of crime family. Consigliere. You've got your captains, you've got your street soldiers, you've got your affiliates. Yeah, and now the operation is so big with Tox. It used to be, you know, if you tried to talk, you would talk to him or one other person. And now, you know, they're 24-7 now.

Yeah, whatever.

Speaker 1 (21:33.518)
And it takes over a week for them to get back sometimes. So yeah, they've got multiple people that are that working that that channel but but it's I've talked to them enough that it's obvious when I'm which role you can tell the personas from the type of language or the the way they're speaking and what they're speaking to To them enough that it's just it now it's usually the one the leader that I usually talk to but sometimes

It's, there's a guy who's younger there that's way more friendly. But they're always professional with you. They're never shitty with me. And it shocks me because they do seem shitty with people. And, you know, I mean, maybe because I'm professional with them. I don't know. But I prefer it that way. But it's just, for me, because it's at a point now, like, and I can tell you guys a story if you want. There was a moment where somebody that would be in the know was concerned that the leader of LockBit might have been killed, and he was not.

But but literally like these people are gonna not like me for saying this but I don't want to see physical violence or harm happen to this person They should be in jail, but I don't want to see something horrific happen to them So I was honestly relieved when I found out that they weren't dead and I know that sounds crazy because people are like, yeah You know there there do these horrible things, but I just I don't want to know the person

If you talk to people in federal law enforcement, they feel somewhat similar when they go after organized crime, right? They've kind of developed professional relationships with them in the sense that, look, there's a foul on the play. You got to go into the penalty box, right? You've got to do that. But I don't want to like hurt the person necessarily. Right. Like I'm not trying to like physically harm the person. I don't wish that on them. You just want them to play by the rules. Like come work for a

It's weird.

Speaker 2 (23:21.71)
come work, like take a huge pay cut, but come work for the right side, you know?

I think the leader of LockBit is past that, but, you know, I want to see him in a cell, not

Exactly. So how, we've talked about this in the past, you know, what are some of the reasons these guys don't come to justice? And I'm only asking that, I know the, I think I know the answer, but I want to ask based on your experience.

Yeah. Well, so honestly, my answer is different than what it would have been a month ago. So a month ago, I would have told you, you know, it's and this is still part of it. You know, I would say it's it's the money. It's the the street cred. It's the, know, being infamous and known throughout the world and the allure to it. But honestly, what I've I've really been trying to understand more and I've got a long way to go, but sort of the the culture.

there. And, you know, I was talking to somebody who is in the legal system and represents people involved in ransomware crimes. And one of the things he pointed out to me was a lot of the people, if you look, are really young. And the reason they get into this is because they come from parts of the world where they don't have any opportunity. Their families and themselves are even threatened at times. And this is a no brainer for them.

Speaker 1 (24:51.688)
and I really hadn't looked at it that way. So to answer your question, some of them, it's the path that makes them.

Similar to your research on Bassterlord, the last Ransomware Diaries volume two, where you heard his story and the reason why he got into it, because his mom was in the hospital and things like that. There was no other way to pay for the medical care, right? Because of the part of the world that they're living in.

Correct. Yes, that is correct. And, you know, it's like this kid that got arrested, I think it was in Arizona, you know, who was working for LockBit, and, you know, he came from Eastern Europe. That's where he's from, but he just got arrested here. But the point being, he was 17 when he started working for him. And I was pretty hard on him in the report, but in reality, like, I hope that person learns, like, he's gonna get another chance. He's young enough. He's gonna have a second chance. And I really hope that things change for him.

he takes a different path. but, but again, I didn't quite look at the reason why I'm like, why would they do this? I'm so stupid. But you know, I have a whole different life than we have a whole different life. doesn't make it okay. I'm just saying I'm less judgmental about the about it now. It's absolutely wrong. But I'm gonna, I can be wrong and I can come after you and want to get you arrested and chase you. Absolutely.

I guess yeah, and I mean what's really wrong about it is the when they do leak the data if they can get their infrastructure fixed if they actually do leak the data You know the harm that comes when it's medical records and it's private things that are You know sacred to people and they get and they get released and you know that stuff can be used to You know harass and torment people for years to come the financial record

Speaker 2 (26:38.382)
It can be used for identity theft and you know, identity theft and things like that have been shown to lead to suicidal ideation, depression, a whole, it's causing a lot of harm. It's not just data, right? It's not just a bunch of Excel spreadsheets with data. Like it's not just that. It actually is really harming a lot of people. So let's not ever lose track of that. But some of the people and the reasons

clearly justifiable if you think about it, right? So let me ask you, were they breached, do you think? Was Lockbit breached or did they take it? What do you think happened?

or something that.

Can I say that part of the story? Because that's super interesting. It just happens. Yeah. It was, I was at Black Hat. Yeah. A couple of weeks ago. And while I was there, right before I left, I had made a social media post, which in hindsight may not have been the smartest thing I've done. It was a joke. I took LockBit's data leak site, took a screenshot of it.

Just a couple of.

Speaker 1 (27:51.982)
I made a counter to match when my report was gonna come out and I basically, oh, and I made LockBit a victim. I changed it from Lockbit 3.0 to Longbit 3.0 and I put my face on it as the bad guy and I made them the victim entry. And I said, pay me $10 million or I'm unleashing all of your secrets on whatever it was, August 15th or whatever. And it was, I mean, it was a joke. I thought it was very obvious. Unfortunately, at the same time that I did that, someone actually hacked

or tried to hack LockBit. So at the same time I did that, LockBit actually disappeared on Tox. They went offline and they were gone. Yeah, they were gone for, it was like 10, 12 days, something like that. They were just gone. And that has not ever happened since they've been in existence. One or two days was the longest we'd seen before. So this was huge. So these affiliates who I have relationships with started reaching out to me and they're like, are you, did you really hack our infrastructure?

Are you de-anonymizing us and are you gonna release our identities? And first off, even if I could do that.

Dox them?

Yeah, that's that's not fair at all,

Speaker 2 (29:02.494)
I mean, like, look, law enforcement knows who these players are to the extent that they do. It's not like that could lead to physical harm.

Yeah. Of course. Yeah. Right. Yeah. It's not your personality. I'm not out there publicly to embarrass people. That's not what I'm about. Whether you're a criminal or whoever, it's just not how I handle things. But anyway, I'm not a hacker either. So I'm like, no, I'm like, I think I could do that. But you know, I haven't hacked in probably, you know, 15 years. And that was legally for a job.

But anyway, I don't have the kind of skill set, I couldn't do it. But here's what the problem though is, multiple people are coming to me that are senior level people. And I realized it's not just me. I thought LockBit had blocked me. I didn't realize no one could talk to him. And that's when I realized, oh my goodness, like this is a lot bigger than I thought. So it looks like I was extorting them and their infrastructure went down. And then... Yes.

Was this your post?

That is, I just wanted to share that with everybody. So this is, this is Jon's post. Check that out. Let me zoom in for everybody. And you can kind of see, what all did you say? You said, LockBit, you have until the 15th of August to pay $10 million. And then right after that was when,

Speaker 1 (30:11.406)
I

Speaker 1 (30:38.542)
Yes, right after that is when they disappeared. I started getting people asking me, you know, if I had actually hacked them and I was like, yeah, this is like, this is like I said, it was supposed to be a joke.

Speaker 2 (30:56.184)
Do we have any information about what happened? Like, was it a DDoS attack? Was it just infrastructure, the hosting side?

So the next day I got a message from somebody that I don't know and they showed me a screenshot from a private report from a cybersecurity company who I'm not going to name just because it's not my business to name them. And in that report there was a picture of the admin panel. The admin panel is not something that very only like affiliates people

close in really know about it. I'm sure there are some other researchers that have figured it out like me, but what I'm saying is 95% of the ransomware population doesn't know it unless you're working for LockBit. So I knew that this legitimized the report, the fact that they had the Tor link, the URL, the onion link, and they had a screenshot of the panel. And then where you log in, it said, do we really have to, indicating that they'd found a way to bypass it.

And there was other information that then was given to me that the leaders or the crew, the main crew of LockBit, had found some code on their infrastructure that shouldn't be there. So I can't reach out and tell them it's not me, because the comms are down. And I was sweating. I was already having other security-related concerns at the conference. Yeah, I was, I mean, this is the life that I live.

I'm just trying to explain so you can like, yeah, life, you know, a day in my life, like, yeah, that was definitely stressful. But, you know, that's why I like, I've always tried to be professional and establish a relationship even with bad guys, because I think that's probably what saved my ass, that people believed me, that the bad guys believed me, is that I did have that relationship. And I guess they came.

Speaker 1 (32:50.338)
to

I mean, I think about that, that could have been a takedown through law enforcement, through an offensive means.

the

lovely.

Speaker 2 (33:30.134)
Now we're on the same side, right? Like we're not trying to, just don't let us muck it up. That's what we're trying to do. So let me ask you, did you, have you heard from Bassterlord, or did you, did you get any sense from him? I thought there was some mention in your, in your recent report, because he was the subject of like the human side of ransomware. He was an affiliate. You understood the human reasons why he was drawn to this life of crime. And then,

And there was, at the end of that, we kind of left it with, you know, it looked like he was thinking of getting out of it or not. But, you know, some like, who knows? But now that LockBit was having these struggles, did he, did he, have you communicated with him? Well, what's his feedback?

I communicate with him fairly regularly, maybe once a week, once every other week. We'll have a chat here and there. If I need information about non-LockBit stuff, sometimes I'll ask him because he's connected with the National Hazard Agency, which works for a bunch of hacking crews, ransomware crews. So yeah, I'll talk to him and ask him about things.

When this stuff was going on, I definitely reached out and asked him. He, just like many of the other ones, thought that I was behind it. And of course, I assured him that I wasn't. But yeah, he definitely thought that I had done it also, which again, just shocked me that people, I couldn't believe that people believed it. It makes sense with the post out, and then I appreciate you thinking so highly of my skill set, but this was probably beyond what I could do.

Meanwhile my email friend

Speaker 2 (35:19.214)
So the, the, you have a picture in your Ransomware Diaries volume three of this tattooed young lad who's got like snakeskin pants on and stuff, and he's, that's the FBI's Newark, New Jersey field office saying that they've been very busy. Was that the one, the gentleman that got

indicted, that it was the former LockBit affiliate?

He is indicted, he's a former affiliate, but that's not the one I was referring to earlier. Forces is a lot smarter, and I was talking about Boris. His name really is not Forces, it's, last year, last

And he hasn't been caught, correct? Right.

He's not been caught, no, no, he's, there's a ten million dollar

Speaker 2 (36:13.39)
10 million dollars on your head. That's why he's got those snakes in the full arm.

It's

I'm right, you know, I've talked to him, not as frequently as Bassterlord, but still once every couple

Does he work for other organizations too, like LockBit and Conti or CL0P or whatever?

He did. He doesn't now. Now. So that's what I wanted to know, what he was doing. You know, he was behind a lot of the big groups, you know, he had worked with, he was one of the guys behind the Washington DC ransom that took place a couple years back and some other big ones. But, but he's connected to a bunch of gangs. But LockBit was one of the core ones that he worked for. And, you know, so that's one of the things I wanted to know since I talked to him fairly regularly. I asked him, I'm like, Hey, man, are you

Speaker 1 (37:01.518)
still working in ransoms now that you've got so much action, are you still doing that? And he said, no, he's taking a break. This is his version of a break: he's now looking at developing zero day exploits. And he didn't say this part, I'm saying this, I'm sure he's going to sell those to ransomers. But yeah, he was working, when I talked to him, he was working on a new vulnerability for Microsoft SharePoint that he was trying to polish off. But he also, and I didn't put this in my report,

I wouldn't share this except he put it out there publicly. So yeah, he's doing well, he's getting married, things like that. So he's not feeling the heat. This indictment, if anything,

His street credibility, right?

the

out of traveling to the west, I guess. Right?

Speaker 2 (38:01.422)
Share his new exploits of SharePoint. Yeah, so wow. Lots of, lots of things to discuss. So can I, can I ask you, separate from your Ransomware Diaries? The, the MOVEit exploit has been all over, right. And with, with the CL0P ransomware gang, which traditionally operates kind of like LockBit, right?

but now they haven't really been launching ransomware. They've been, they took advantage of that zero day exploit for this file transfer program that it seemed like everybody in the world was using at the time. And they're just going to pure extortion. They're just like going in, stealing data and then leaking it. And apparently their infrastructure works because it's constantly being leaked. What's your take on that? I mean, is there,

How common? It seems to be growing every week. It seems to be something we've been following from the beginning, because my fear right off the bat was this is going to be like another SolarWinds, and it seems like it's growing and growing and growing. Yeah.

more of it.

Well, here's the thing. The zero days are the most effective when people don't know about it or there's not a patch. I was talking with some other analysts and kind of had this common idea, theory. What really happened here is they used that and they got into all these companies. But as soon as they got in, they created additional back doors. So by the time all these companies are hearing about it and they're patching it, they think they're clean and they're not. And that's why we keep seeing.

Speaker 2 (39:41.23)
It doesn't matter if you patch it, right? They still have the back doors.

the

Interesting. Interesting. So, so what's next for LockBit in your opinion? Like what, like, I mean, I was almost sensing when I first read this, it reminded me of REvil, and how they kind of got too big. They might've done something wrong with the Russian government, the FSB or something. And then they got taken down, this big, you know, this big visual display.

That's our.

Speaker 2 (40:39.658)
Or did they? Right? What happens next now for LockBit?

Speaker 1 (40:48.094)
You know, here's the thing. LockBit's gonna do everything humanly possible to fix their program. I don't know why they just don't go away. They've made so much money. Honestly, you know, being evil, I can't figure it out, but they're not gonna go away. They've made that very clear to

They're addicted to the process. They enjoy the day in and day out part of it.

They're going to try.

Speaker 1 (41:14.51)
Right, what I think will happen, I think that they'll continue to have problems. I think that over the next year we're gonna see, it starts to really, we've already seen some of the impacts. They're booming again right now, but we've already seen some of the impacts. I think that they're gonna, business will slow down, and as it slows down, their problems will also start to get better because of the U.S.

Less data, and there's, you know, new kids on the block that are coming up. Eventually somebody's gonna, gonna become more popular, and, and LockBit will, will go down in the numbers, but they'll still make lots of money and it'll still be a pain. But I, I hope that they completely fold and that happens. The only reason that I'm saying that I can't go on a limb and say that's gonna happen is because these guys are just, they're so dedicated. They're as dedicated to running their program as I am to chasing them. I mean, they're just, they're

They love what they do. It's strange, but they do. So I don't see them just folding, but all these things, all these problems they have, all these issues, you know, one of the things somebody said to me was like, you know, Hey, whether I agree with it or not, they said, Hey, you know, you were part of making them go offline for like nine days. And while the lights were on, nobody was home. So while their websites were up and the automation was still working, there was nobody home.

Yeah, that doesn't happen often. So, you know, if you could do it, others can do it, law enforcement can do it, governments can do it. So I do think eventually the more of these types of things happen, the more opportunity there is for mistakes and for interception and to get in, and the more paranoid these groups are going to get. So I do think that there's going to be windows for law enforcement to do things. And I do think that there's a possibility that LockBit will go down over the next year, which is why I made the cover that I did.

We're definitely seeing cracks. It's whether or not they can fix them before things fall apart. And I'm not a fortune teller, so I can't say that. But what I do know is they've known about these problems for a while and they haven't been able to fix them. That's good for us. You can't help but think that it's, you know, it sounds like, like grasping for straws with the repackaging of Conti's code. Like that sounds like a desperate move, right? Like, I don't know.

Speaker 2 (43:12.884)
Awesome.

Speaker 1 (43:25.772)
Well, that's the other thing I forgot to mention. The other thing is, at least as of January, February, they were trying to steal payloads from... Yeah. They want their affiliate hackers to use multiple ransomware variants to encrypt victim data. So that way, if the FBI gets one key, they're stuck and have to pay a ransom. So that would be bad for us. Fortunately, it's bad for other ransomware gangs too.

the competition. You're right about that.

Speaker 1 (43:55.598)
who are not just gonna lay down and let that happen. But he's trying, and LockBit is very capable. We should never underestimate that organization. He's trying, hopefully it doesn't happen, but yeah, he doesn't have a developer. He doesn't have new ransomware that I'm aware of. Eventually, I gotta imagine that's gonna change, but think about it. How many experienced ransomware developers are out there, that are out there?

I don't think MIT or Stanford has a program for that. During the, like, I think your point, it's almost one of those things, the closer you get to the target, the more blurry it is, right? Like as you're talking about them getting panicky, and Mark pointed out them, you know, repackaging a competitor's code and all that. It's almost like during those moments of panic,

they could burn the wrong bridge and cross the line like REvil did, right? Potentially.

Yeah, definitely. It's definitely a possibility. And the reason that there's even a higher probability of that is because also something I realized during this round of research is LockBit made a statement. He's like, I watch my affiliates by watching the news. He's like, why do I have to follow them when the media does? So what that tells me is there's not, even though he says in the rules on their page, they recently updated to be really specific, but not to...

attack, you know, X, Y and Z type of industry or critical infrastructure. The point is, is that there's not a means to prevent it. He has to see it after the fact. So all it takes is one, one, one of these guys being dumb enough to go and attack critical infrastructure that, that makes, you know, that sort of an impact, like we saw with REvil, and you know

Speaker 2 (45:51.938)
structure. And I know that the LockBit platform will check languages and things, right? But you don't, they don't know everywhere that Russia has interests, right? And so they could go after it, hit something that could be damaging to the motherland and then get themselves in trouble.

Interesting, interesting. So you first came about with a huge splash years ago with REvil, with your investigation there. People have asked me like, what, whatever happened to those gentlemen?

Well, that's actually one of the top contenders for what my next research might be, because I have a lot of inside information on that as well. I'll clear the end result, because the interesting part of that research is going to be showing the inside information that proves it. But the REvil that exists today is not the REvil that we saw in their heyday.

Yeah, I was just going to say a little bit. I've got to share something.

Speaker 1 (47:00.064)
leaders of REvil that made all those things happen are gone. They're not arrested. They're just gone, and they've gone into the sunset. There are people that are part of the gang that were arrested, but they were not the core players. So they have, actually, sold the REvil ransomware to an affiliate crew who tried to repackage it for a while as though they were REvil, but they didn't do a good job of it. And they didn't

have the same tactics, same human behavior or anything. And they just went about doing things differently. And again, I'm minimizing it because I've got some good stuff on that to blow that open. But the end result is that that's actually a different group. Those are affiliates. And now the guys that were arrested, those are the people that you see now that, it's been in the news, are working and supporting Russia in the war against Ukraine. And that's why you're seeing REvil ransomware being

That's what I was asking. Because they were brought to, you know, we saw images of them in court, in the Russian court. And I'm like, okay, well, you know, their court system isn't what ours is. Yeah.

work for Russia.

Right, right. Yeah, no, no, they do. Those guys were part of that crew. It's just they weren't a leadership core. You know, it.

Speaker 2 (48:21.582)
I imagine the pay is a little different.

Probably a lot less. Yeah, the pay is you get to live. Right, right. I would take that over.

the

Sorry.

Speaker 1 (48:58.906)
I feel like I got a little too close to the sun at this point I think.

Blockbrinkante.

Yeah, maybe LockBit, but you know, CL0P and Conti joined for like a

yeah, yeah.

Yeah, well, thank you so much. Everybody will have links to the Ransomware Diaries, volume three, in the show notes. And if you haven't got it and you can't, I just realized my background's blurred. But if you don't have Jon's book, it's The Art of Cyberwarfare. It was one of the best. It's so good, Jon. Like it's.

Speaker 1 (49:14.574)
Good stuff.

Speaker 2 (49:40.27)
Part of it is technical and then part of it is like if anybody's ever studied political science or international relations or anything like that, like you lay it all out, all the players, you understand it. It's a great framework. When you hear the news, you're like, I know what role these guys are playing in all of this because so many of these things, there's a story behind the story. It's not just about the data that gets stolen, right?

espionage or something else that is tied to this. There's a longer play.

Yes, you know, and in my, most of my career I actually did espionage, not ransomware, and so, you know, I wrote that book. You know, there's lots of things I was part of that I just can't talk about, but the knowledge, information that I was able to share, I could, and so I just wanted to tell good stories and sort of teach, you know, cool spy stories and get people wanting to get into the industry. I appreciate the plug.

Yeah, absolutely. We'll have links to the book as always in our show notes. And we will talk to you soon. I promise you we will be talking to you soon.

the

Speaker 2 (50:57.102)
Oh, that's great. If Mosher doesn't step up his game in some questions for my guests, like, it's going to be the Jon David Show. I'm just kidding. You're always welcome. No, absolutely, Jon, thank you so much. We're very humbled and grateful for you to be here. Thanks. Good to see you again. Thanks, everybody. Reach out to Jon on LinkedIn and through Analyst1 as well.

Yeah. Yeah. No, I read all your stuff on Twitter. It's always good stuff. That's usually where you go head to head and you make some of these bold claims, and then the Twitter feed becomes some content for later. So it's a great point. Yeah. Right. So, all right, everybody. Thanks. Thanks for listening. Thanks for watching. We appreciate it. Thanks.

job.

Speaker 2 (51:48.206)
Well that wraps this up. Thank you for joining us. We hope you enjoyed our episode. The next one is coming right up. We appreciate you making this an award-winning podcast and downloading on Apple and Spotify and subscribing to our YouTube channel. This is Cyber Crime Junkies and we thank you for watching.
