The Cyber Insider
The Downfall of LockBit, with Jon DiMaggio
Jon DiMaggio is the chief security strategist at Analyst1 and has over 16 years of experience hunting, researching, and writing about advanced cyber threats. In 2022, Jon authored his first book, "The Art of Cyberwarfare," which earned him the prestigious SANS Difference Makers Award, solidifying his status as a thought leader in the industry. The following year, SANS recognized his work once again, awarding his most notable research, "The Ransomware Diaries," which details his operation to infiltrate the LockBit criminal operation and identify the real-world humans behind it. Jon's other notable achievements include his appearance on 60 Minutes, where he discussed his undercover operations infiltrating some of the world's top ransomware gangs. Jon's research has been featured in The New York Times, Wired, Bloomberg, Fox, CNN, Reuters, and other news organizations.
Jon shares insights into the world of cybersecurity, focusing on ransomware attacks and nation-state intrusions. Discussing the infamous LockBit ransomware group and its operations, Jon sheds light on their history, structure, disruptions by law enforcement, and the impact of recent efforts in combating cybercrime. Dive into the detailed discussion with Jon as he provides expert analysis and exclusive insights into the cyber world.
Key points covered include LockBit's origins, their disruptive activities targeting defense contractors and high-profile companies, the impact of law enforcement disruptions, the identification of LockBit's leader as Dmitry Khoroshev, and the ongoing efforts to curtail cybercrime activities.
All this and much more is discussed in this episode of The Cyber Insider podcast by Emsisoft, the award-winning cybersecurity company delivering top-notch security solutions for over 20 years.
Be sure to tune in and subscribe to The Cyber Insider to get your monthly inside scoop on cybersecurity.
Resources:
Book: "The Art of Cyber Warfare: An Investigator's Guide to Espionage, Ransomware, and Organized Cybercrime" by Jon DiMaggio
Guest on X: @Jon__DiMaggio
Hosts:
Luke Connolly – partner manager at Emsisoft
Brett Callow – threat analyst at Emsisoft
Intro/outro music: “Intro funk” by Lowtone.
Luke Connolly
Welcome to the Cyber Insider, Emsisoft's podcast all about cybersecurity. Your hosts today are Brett Callow, threat analyst here at Emsisoft, and me, Luke Connolly, partner manager. We're really pleased to have Jon DiMaggio as our guest again today. Jon is the chief security strategist at Analyst1 and a specialist in investigating enterprise ransomware attacks and nation-state intrusions. Jon has authored investigative reports, including the most recent, Ransomware Diaries Vol. 5: Unmasking LockBit.
0:00:46
Luke Connolly
He's exposed the criminal cartels behind major ransomware attacks, aided law enforcement agencies in federal indictments of nation-state attackers, and discussed his work with numerous media outlets, including the New York Times and WIRED. In 2022, Jon authored the SANS Difference Makers Award-winning cybersecurity book The Art of Cyber Warfare: An Investigator's Guide to Espionage, Ransomware, and Organized Cybercrime.
0:01:18
Luke Connolly
Jon, welcome back to the Cyber Insider, and thanks for joining us.
0:01:22
Jon DiMaggio
Of course, I'm glad you guys aren't tired of me. Always enjoy talking to you. So thanks for having me.
0:01:30
Brett Callow
Never tire of having you on, Jon. So what's changed since we last spoke to you in January of last year, in the ransomware problem or in cybersecurity in general?
0:01:41
Jon DiMaggio
Well, yeah, it definitely hasn't gotten better. Things have changed. But I think we're at a point in time where you could almost qualify it like this: you used to see Italian organized crime with the mafia, and then as time changed and you had more, smaller street gangs sort of take over that environment, things got much more hectic and violent, and things progressed. And I don't mean violent necessarily with cyber, with ransomware. But my point is that there are groups popping up everywhere now.
0:02:19
Jon DiMaggio
You still have a handful of larger, more organized structures in that space, but you're seeing a lot of newcomers and we're seeing a lot more turnover, meaning some of these organized ransomware groups are coming and going, rebranding more often than we saw before. So this year has been pretty interesting so far, in that it's definitely kept me busy. I wish I could say things are getting better. They're not getting better. They're just a little bit different.
0:02:47
Luke Connolly
You've written a lot about LockBit specifically, and its boss, LockBitSupp. Can you give us a bit of history of this person and his criminal gang and some of their more infamous activities?
0:02:58
Jon DiMaggio
Yeah. So LockBit started in 2019. They learned quickly that a brand name makes a difference. Well, they started out being called the ABCD ransomware gang. That doesn't exactly strike fear in your victims. So they chose the name LockBit and they used that as an extension that would be appended to files that they encrypted, and they updated their notes to use that name. And in 2020, they became a traditional ransomware-as-a-service model, which essentially allows you to conduct a much higher volume of attacks. It's where you, as the service provider, provide the infrastructure, the ransomware payload, the negotiation panel, the admin panel, and other attack resources.
0:03:43
Jon DiMaggio
And your affiliate is the hacker who does the dirty work and uses those resources to breach, encrypt, steal data, and extort a victim. And then the two criminal parties, the service provider and the affiliate hacker, share the profit that is made from those extortion attempts. Moving past that, LockBit has been known for a number of high-profile, PR-worthy attacks that made the news.
0:04:15
Jon DiMaggio
There was a big one a year or two ago: Entrust. They have targeted large defense contractors like Boeing. There was the China-based bank that had a presence here in the US (I'm just not going to try the name); they took one of its US branches down, which affected a lot of money and caused issues at a government level, which really surprised me. They also hit one of SpaceX's contractors and leveraged that to take engineering diagrams and IP that belongs to SpaceX. They tried to extort SpaceX from that.
0:04:55
Jon DiMaggio
There was a lot of direct trolling from the leader of LockBit towards Elon Musk. That, of course, got a lot of attention. There was the Entrust incident; Entrust is a cybersecurity vendor. LockBit hit them. They did one of the greatest things ever, though they don't take credit for it: they DDoSed LockBit and flooded him with messages saying some vulgar things about LockBit. That was one of the greatest things I've ever seen a victim do. Royal Mail. That was another massive one, where LockBit didn't take credit for it at first and then did after the fact, which kind of goes to show what he says is true, that he doesn't track attacks because he has the news do that for him. And now that there's a leaked builder out there, meaning a developer leaked their ransomware builder, the guy doesn't even know half the time, even though his ransomware is used, whether his organization's behind it or not. So there's been a lot of interesting events. There's always drama with LockBit on top of all these high-profile events, which is one of the reasons they've kept my attention, in addition to the relationship that I've built with the leader of the group over the past couple of years.
0:06:04
Brett Callow
What do you actually know about the structure of the group? Is it all mainly the leader or are there other high ranking members of that operation?
0:06:15
Jon DiMaggio
Yeah. So the answer to that is it has changed over time. I originally believed there were between five and six people at the top, at least two, if not three, of whom operated the account that is known as LockBitSupp, one of them being the leader of the group. And that makes sense, because you've got to think about it: they use that handle and they use Tox, which is an encrypted communication application, to talk to everybody.
0:06:46
Jon DiMaggio
They talk to all the criminals who work for them. They talk to media and journalists. They talk to me. That's how they communicate. So for that to be online and available 24/7, obviously there needs to be more than one person. I'd say over the past six months or so that has changed. It appears now to be one person behind that account. I still believe there are other people. Obviously, within the core group, you need a developer, you need someone to help with infrastructure, you need someone to help with organization. You can't do it all yourself.
0:07:16
Jon DiMaggio
But I do think that original number has gone down for whatever reason. I do think that some of the key members have left, which is why you now just have that central entity controlling it, whereas before there seemed to be a few people in the loop. Though there's always been that one person who seems to be the overall lead.
0:07:37
Brett Callow
In February, law enforcement led by the National Crime Agency out of the UK disrupted LockBit's operation. And last month they actually doxed him and put a name to the persona. What impact do you think that will.
0:07:56
Jon DiMaggio
Here's the thing. Everybody talks about the indictment as a dox, and that's exactly what it is. It outs the person that it is. But that was more of a vehicle to allow them to apply sanctions, and that's where the real impact will come. An indictment identifies; sanctions restrict. So with sanctions, at least in the US, victims will not be able to pay anyone affiliated with LockBit unless the government makes an exception. And if they do, I mean, now we're talking about an actual crime taking place, and you get into a lot of back and forth over whether we really want to penalize victims. But it is what it is. Sanctions are applied. I think it's a good thing.
0:08:46
Jon DiMaggio
I believe that's going to drastically affect LockBit, because if you're a criminal affiliate who hacks and uses resources and you sign up with a ransomware gang that no one in the United States is allowed to pay, and you have to work twice as hard to squeeze out every penny you can from it, but you could go across the street and either do some other sort of crime or work for another ransomware group, you're probably going to do that. So as much as we see LockBit touting that he's not going anywhere and everything else, he's going to become insignificant just because people won't be able to pay. And without the money, the crime and the people and the volume are going to go with it.
0:09:27
Luke Connolly
When you were last on, in January '23, you said that a lot of cybercriminals don't like or trust LockBitSupp, who, as Brett said, has been outed as Dmitry Khoroshev. Since their operation has been shut down and popped up again in the past, has anything really changed? I mean, is he still out of reach of law enforcement despite the fact that there's been an indictment against him?
0:09:50
Jon DiMaggio
Yes. So that's a good question. When all of this was going on with the indictment, I didn't know if I had the right guy, but I had been looking at Dmitry as well. And I always do deconfliction before I publish. And they said, no, wait, we're publishing that. And I said, okay, well, let me know. Give me enough heads-up so I can get this written in time before I do publish. And of course, they tell me on a Friday that on Tuesday I can publish and that they are going to be doing some more activity involving LockBit. So I had to write everything and wait for the day of. But I also published a report that had a ton of information on Dmitry an hour after the indictment. And the reason I'm bringing that up isn't to tout that, hey, I got something out quickly. It's because I had the guy's name, his phone number, his passport, his address; I knew where he lived. I saw pictures of his apartment, cars that he had, everything. So it was really difficult for me, and I just wanted to pick up the phone and call him and be like, hey, Dmitry, I guess I'm winning this cat and mouse game. I know exactly who you are. Because that would be a really "oh, crap" moment. Of course, I can only dream of doing that. I couldn't actually do that, because it would screw up a law enforcement investigation.
0:11:00
Jon DiMaggio
But my point in this long-winded answer is, now that his identity is known and who he is, all the things that he did with the touting and the talking about his fast cars and his boats and all of his money are really coming back to haunt him. It's really funny, because LockBit pushed that persona. He thinks he's Tony Montana from Scarface. I use that analogy with him all the time, because I feel like he saw that movie and decided that's who he needed to be online with this persona, and the person actually behind it, whom I've gotten to know for the past two years, is completely the opposite of that. So it did not surprise me when we figured out who he was and that he wasn't living this gangster lifestyle with Lamborghinis and boats and women and money and all that. It didn't surprise me at all, because the person I've been talking to is so much more low-key than that.
0:11:51
Jon DiMaggio
That's literally a persona he has pushed, but in doing so, he has really screwed himself, because no one wants to hear how you're super successful and you've got all this money and you're laughing at other people. It's created a lot of enemies for him. And now that he is known, that, in turn, has caused a lot of problems for Dmitry.
0:12:11
Brett Callow
The National Crime Agency also released a list of affiliates. First names and last names in some cases.
0:12:20
Jon DiMaggio
Yeah.
0:12:21
Brett Callow
And some of those names were not Russian. They sounded quite Western, if they're real, of course. Do we have any indication of how many affiliates may be within reach of law enforcement?
0:12:36
Jon DiMaggio
So the short answer is no. And the reason it's no is that the names that law enforcement identified look like they're not Eastern European; the names don't match people in that region. I believe law enforcement when they have an indictment or they have a name, especially if they're going public with it, because there's a lot of effort that goes into that behind the scenes to collect that information.
0:13:05
Jon DiMaggio
That's not always made public. However, at the same time, a lot of those names that were released were not released by law enforcement as, hey, this is the real name. A lot of them were names that LockBit gave affiliates who joined the panel, which were Americanized names. So you really have to look for the ones that law enforcement names to identify. But you're correct, there are certainly affiliates all over the world, including the US.
0:13:32
Jon DiMaggio
And we can look at, well, not LockBit, but the Com is a great example. There hasn't been a ton of movement on that, and most of those allegedly associated with it are in the US. So I think it's harder than people think. Obviously, I think we're getting closer, or law enforcement's getting closer. But unfortunately, we're just not seeing enough arrests. And a large part of that is that these guys are dispersed across the world, but certainly there have to be some that are within our reach that haven't been arrested.
0:14:04
Jon DiMaggio
Sometimes that's because they don't necessarily know where to get them or exactly how to get them. But the other part of it is, a lot of times you'll find those individuals and you will use them as a collection source. So you don't necessarily want to let on that you know who they are, so that you can collect and use them as an intelligence source. I've also seen where they will quietly arrest someone and then continue to leverage their access to collect information.
0:14:31
Jon DiMaggio
So it's definitely not black and white. There's a lot of gray. So I don't want to beat law enforcement up for not making more arrests, because there is a lot more that goes into it. But you are correct: we have not seen a lot of new arrests, though we have seen new people named.
0:14:46
Luke Connolly
As you've said, you've spent a lot of time investigating LockBit, and you've had interactions with Dmitry. But now that he's been identified as the head of the group, are you going to change your focus and your investigations on another cybercrime group? And if so, which one or who are the candidates?
0:15:03
Jon DiMaggio
Yeah, well, it's been a two-year journey. The Ransomware Diaries wasn't supposed to be primarily about LockBit, and all but one volume has been. And that's just because I became part of the story. I didn't go into it with that intention, but I literally became part of the story because I became so involved with the group, and they just kept me so entertained with all the drama and crazy antics. It was hard to walk away.
0:15:31
Jon DiMaggio
But yeah, this is sort of the end of that journey. I might have one more thing I'm working on to try to find evidence to link Dmitry directly to LockBitSupp, or at least directly to LockBit, since that hasn't been presented publicly. Whether I find it or not is another story. I start that effort on Monday. If I do find it, there'll be one more volume. If I don't, I will move on.
0:15:56
Jon DiMaggio
I have not decided who or what group I'm going to focus my attention on next. And part of the reason for that is I've been working so much on this for the past two years. I really want to just take the summer and have a regular eight-hour-a-day job without all the crazy stress of talking to bad guys and real-world events, and just enjoy myself and not get burnt out, which is a real thing in this work.
0:16:19
Jon DiMaggio
So, in short, I don't know who's next, but I definitely will be continuing, and there will be a next operation, a next set of research. I just don't know who that's going to be yet.
0:16:32
Luke Connolly
And just to follow up on that, and to remind our listeners, when we last spoke in January '23, LockBitSupp had actually started using your image for their online profile in some of the dark web forums.
0:16:46
Jon DiMaggio
They did. They did. That's one of the things I did when I released Ransomware Diaries Vol. 5: I took Dmitry's real picture and I put his face on that profile. I figured that's fair play, since he did it.
0:16:58
Brett Callow
To me, we seem to be seeing more psyops or trolling, to put it more simply, from law enforcement recently. What do you think's driving this? What do you think they're hoping to achieve?
0:17:12
Jon DiMaggio
I was shocked to see them use those tactics. And obviously, a lot of the work that I do is all a mental game, a cause and effect: get in someone's head, in a bad guy's head, try to get them unbalanced and see what they do. And I feel like law enforcement just did that, but on a much bigger, more effective scale. I'm very happy to see law enforcement taking those tactics. I have to imagine, with the success that Operation Cronos has had, that the NCA and other law enforcement organizations will continue to leverage tactics that get in adversaries' heads, apply damage to their reputation, and make it harder for them to do work and to get people to want to come and support them.
0:18:10
Jon DiMaggio
Because at the end of the day, just doing a takedown or just doing an indictment, as we've seen in the past, is better than nothing. But it really didn't have a long-term effect, whereas applying a longer-range, planned psychological operation to tarnish that reputation and that brand is effective. And then even when they stand up new infrastructure five days later, it doesn't really matter if you don't have this criminal community supporting you and you don't have the heavy hitters working for you, and you just have a little bit of distrust, where adversaries don't feel safe necessarily using your infrastructure and your panel because you couldn't keep their anonymity.
0:18:54
Jon DiMaggio
It's very funny, because they begin to feel like victims of ransomware attacks feel when their data and information is taken, except in this case, it's law enforcement who took it, and it's the criminal who now plays the role of the victim. So I think it's brilliant, and I hope we see more of it.
0:19:10
Brett Callow
LockBit does seem to have bounced back a little bit from the disruption. How much do you think they've managed to recover?
0:19:20
Jon DiMaggio
Well, any other group would have rebranded, but LockBit has always doubled down that they're not going anywhere, and that is their brand. They've worked too hard over the past four years to build it, and they don't want to walk away from it. And I get that. And if this second phase of the takedown that took place in early May had not happened, I think we'd continue to see LockBit coming back. After the first takedown, he started posting previous victims; he even posted a few that were not actual victims.
0:19:59
Jon DiMaggio
And clearly his goal was public perception and getting the numbers up. I feel like that backfired, because obviously there are researchers who quickly realized and figured out that that was what they were doing, and it just made them look foolish. Now, they're a popular brand, so there are always going to be people who want to work for them. And there have been new attacks, but that's different from the really skilled hackers or affiliates that he had supporting him before.
0:20:27
Jon DiMaggio
Not to say that there are none, because he does have some, but he definitely slowed down, lost some of those employee partners, if you will, and it was affecting his business. With the second phase of the takedown, again, the sanctions are going to make it harder to get paid, and people just aren't going to want to work for him, whether he likes it or not.
0:20:48
Luke Connolly
Talking about psyops again for a second, a lot of people are for it, but there's also been some criticism of it. For example, one person felt that trolling the people responsible for attacking hospitals and potentially actually killing people wasn't a strong enough response, and that law enforcement needs to be doing far more. What's your take on that?
0:21:09
Jon DiMaggio
Well, it's easy to be in that seat after the fact and talk about what someone should or shouldn't have done. I'd love to have a conversation and get input from that person on what they feel they should do. Because we can't walk into Russia and arrest anyone. There's no collaboration at a government or law enforcement level, and they are protected. So if you can't get your hands on the key players that are involved, you have to focus on the things that you can affect.
0:21:39
Jon DiMaggio
And what we can affect is the money coming in, the trust and the brand of the attacker, and we can try and take down the infrastructure, resources and tools that they use. And that's exactly what law enforcement is doing. So in my opinion, and I feel pretty strongly about this because I used to beat up law enforcement pretty hard over the way they did things, and I am now like a cheerleader over here for them because they finally got it. So my point is, if you're going to criticize, I'd like to know how you would do it better, because we have a lot of roadblocks in the way, and everyone's always focused on things that can't be done. And that's what they're using to measure what they would qualify as a win.
0:22:25
Jon DiMaggio
And I'm much more in the reality field, because I look at this stuff day in and day out, and we are in a bad situation and there is no easy win. So we have to look at the areas where we can actually make a difference. And I think law enforcement did a great job at squeezing all the juice out of this rock.
0:22:43
Brett Callow
We're definitely seeing more and more disruptions from law enforcement. They do seem to be getting better and having more success than they did in the past, but the number of incidents doesn't seem to be reducing. Just how much of an impact do you think their work is actually having?
0:23:05
Jon DiMaggio
Well, I don't know what the numbers are, but I'm pretty sure law enforcement is significantly undermanned in this process. I don't think they have the people. This is probably off topic, but I don't think they have the budget or the support at senior levels of our government administration. And I'm not into politics. But when you see massive cybersecurity budget cuts and then everybody complains that we're not doing enough, you don't have to be a rocket scientist to figure this out.
0:23:35
Jon DiMaggio
We need more people and more resources to do more. So until that happens, you have to cherry-pick the pockets of activity that you go after. And that's really what we're seeing today: they're trying to pick the high-value targets, the most damaging threats to the US and other allied countries, and that's who you have to go after. So until those numbers and those resources change, I don't have a good answer, and I also don't have a say in any of that. So like everybody else, I just have to sit back and have my own opinion. But I do think that we need to dedicate a lot more resources if we're going to even have a hope of actually making a dent in this fight.
0:24:18
Brett Callow
If you did have a say in what government does, what would your answer be?
0:24:25
Jon DiMaggio
Well, it wouldn't be popular, but I would do a straight-up ransomware ban. There are companies that would go under and fold. There are people that would lose their jobs. It would be like ripping off a band-aid and hemorrhaging out. It would be bad for a little while. But I think that is a better solution than it being almost as bad for a long, long, long time. And the fact is there is no quick solution outside of that. And if there's no money, there's not going to be that type of crime. And people have to find other ways to make money, whether it's in other crimes or getting a legitimate job. But the point is that everybody looks at the ransomware ban as this horrible thing. And they're right, it would be. But it would be for a short period of time, whereas what we have now is something that's like 80-90% as bad, where companies are getting just destroyed, decimated, and we're putting all this money back into the criminal ecosystem, and it's just going to go on and on and on for a very long time.
0:25:27
Jon DiMaggio
And I just think it would be better to hit it hard, take our wounds and drive forward.
0:25:34
Luke Connolly
And with that, I'd like to thank you, Jon, for taking the time to join us here today. And as always, we thank our listeners for tuning in. To stay up to date on the latest in cybersecurity, be sure to subscribe to our podcast. Thank you, Jon.
0:25:50
Jon DiMaggio
Thanks for having me.