How is Microsoft Security helping customers stay ahead of 600 million attacks without slowing down business? From automakers to sports organizations and digital banks, Microsoft Security delivers deeper insights, scanning trillions of signals daily to help you see around corners and protect your business. Security is your job, and it's theirs too. With Microsoft Security, you have a partner that helps your business move forward confidently.
To learn more, visit Microsoft.com slash CISO. Pushkin. Just a quick note, this is a bonus episode of What's Your Problem? And it's sponsored by Microsoft. John DiMaggio studies cybercrime for a living. It's his job. But when he wanted to understand an international cybercrime gang called LockBit, he realized he couldn't learn everything he wanted to know from the outside.
So he started trying to figure out how to get people on the inside to tell him what he needed to know. So I spent a lot of time studying, going back to, you know, World War II, when they started having all these documents about how to use the human tradecraft to sort of recruit and convince people to do things that they don't necessarily know that they're doing to support your cause. So were you telling me you started studying sort of World War II era spycraft? Yeah.
Yes, that's correct. What's something you learned from World War II era spycraft that helped you weasel your way into a ransomware gang? Everything from their ego to understanding who their adversary is, and making them feel that being friends with you will benefit them because you have a common enemy, or even being adversarial towards them,
and saying certain things just to see what their reaction is to sometimes understand the truth. There's also sort of the plan and prepare phase where you have to go and sort of stalk them and understand who their contacts are, who their friends are, who their enemies are, where they hang out online, all of that stuff. So you have this set of strategic ideas in your mind. What do you actually do?
So what I did, the first thing I did is I needed to figure out sort of their digital fingerprint. So I profiled them. I began looking across the dark web. I obviously started with the easy one, their data leak site, their own infrastructure. And I went from there and I eventually found the forums that they live on.
And there's some very prominent Russian hacking forums that have been around for about 20 years. So it made sense to start there. And sure enough, they were very prevalent on that website. They were very involved with conversations. They have friends there, enemies, and they do their business. Oh.
So they actually would go there just to talk and sort of hang out with their buddies. And the drama, it was like a soap opera, the drama. These guys would get in these big arguments over the stupidest things. I just started profiling and visually mapping out who was who, who they were talking to, what those other people's roles were. Again, then I would find the ones who were their friends and I would try to approach them and the people who worked for them. And did it work?
It did. Well, it sort of worked. I'm Jacob Goldstein, and this is What's Your Problem? My guest today is John DiMaggio. John is the chief security strategist at a company called Analyst1. And I wanted to talk with John about LockBit, this ransomware gang that was behind attacks that extorted over $100 million from companies around the world.
John wrote this sort of book-length series of online posts about LockBit. It was part of a thing John called the Ransomware Diaries. The story of LockBit is a great window into the ransomware industry. And it is an industry with a lot of remarkable similarities to ordinary non-criminal industries. LockBit tried to brand itself. It tried to attract talent and notch key wins, just like any software company.
But then there's also the part that is not like any software company. There is the crime part. And it was the crime part where LockBit went too far and wound up drawing the ire of international law enforcement agencies that, in fact, have their own set of innovative strategies. And John watched all this happen up close. He told me his key contact on the inside had the username LockBitSup, short for LockBit Support.
I didn't know it at the time when I first started talking to them. But what I found out as I began to talk more is there were two personalities behind the account. One seemed to be much younger, friendlier, more in tune with sort of pop culture. And the other one who I gave a name, Mr. Grumpy Pants, because he was all business, always serious. And that was kind of how I differentiated. Tell me about the sort of...
conversations you had with LockBitSup. Like, what was the nature of those exchanges?
Well, so you have to understand that when I did the initial part that was sort of covert, pretending to be somebody else, I only got so far with that. And after I wrote The Ransomware Diaries Volume 1, they knew who I was. The farthest I got was talking to them as myself. And they, you know, it was just, I started with, hey, do you guys know who I am? I want to have a conversation with you. And they were, you know, said to me, yeah, you're our favorite researcher. We love you. Okay.
and they were very willing to talk, which is why I got so much farther talking to them as myself than I did pretending to be a hacker. Uh-huh. What's the thing you learned from LockBitSup? What's one detail of your understanding that was improved by that relationship? Well, there were a lot of things, but one of the key things I learned was information about
the internal problems that they had with affiliates. For example, they complained that they've got really good hackers, but some of these hackers are younger kids and they're good at hacking, but they're really bad at negotiating. And they were unhappy about the amount of money coming in.
So they talked about that and coming up with a model of how much they would accept. And they created sort of a formula per company. And so just things like that, things around attack resources. They asked me one time if I would buy them... They couldn't get a DomainTools account because they couldn't pay for it with crypto. They wanted to know if I would buy it for them, which...
Of course, they're playing with me, you know, and it was sort of a cat and mouse fun relationship for a while going back and forth. So it was friendly for most of our relationship until it wasn't. So, OK, so you're in this world and I just want to step back for a minute to talk about what's going on in a big way. Right. There's this phrase that's sort of central here, which is ransomware as a service. Ransomware is like...
something a lot of people are familiar with. It's basically some bad actor, some hacker, hacks into some company's computers, locks them up and says, we're not going to unlock them unless you pay us a ransom. That's ransomware. Exactly. What is ransomware as a service? I mean, we know about software as a service, right? It's basically you pay whatever amount a month and you get to use software. What's ransomware as a service?
So ransomware as a service, there's more than just ransomware. So you have this two-part model where you have a service provider. That service provider provides the actual ransomware code. They also provide infrastructure. So the provider provides these services. The hacker goes and does the dirty work of the actual hacking. And together, when a victim pays the extortion, they share the profit from it. The benefit from using this model is
is you can have a lot higher volume than if it was just five guys in a group doing it themselves. By using this model, you can have many people doing attacks on your behalf, much higher volume of attacks, much higher revenue. So LockBit is basically just a software company. They're like...
They're like an enterprise software company. They write software and provide various tools for users. But in this case, the users are criminals, are people who want to hack into various computer systems and steal data and extort money.
That's correct. And but the other piece to it is the service provider aspect. They're the ones that are sort of in charge that run the show, that give direction, that step in whenever there's an issue. If there's a victim not paying, sometimes they'll come in and help with the negotiation or take over or give direction on how much you can you can accept as a payment.
or even say this is you can or cannot hack this company. So they're definitely in the leadership chair. So I want to talk about how LockBit sort of grows and makes a name for itself. And one of the things that's really interesting is kind of how uninteresting it is. It's like, oh, it's this international criminal gang and they're acting like a boring software company. And it seems like
A key early moment for them as they're trying to grow and differentiate themselves in the market is this summer paper contest in 2020. Tell me about that. Yeah, it's pretty crazy. So on this long-running forum that I mentioned earlier, this Russian hacking forum, LockBit really wanted to get their brand out there. So what they did is they sponsored this hacking paper contest,
meaning hackers would submit these papers on different ways to hack, and LockBit would take part in this and they would help review. And there were five winners. And I think, I don't remember exactly, I think it was five thousand dollars. You put a screenshot in your report and
And what's amazing is how banal it looks. It looks totally like some college software contest or just some boring enterprise software company. Like there's this little kind of clip art of just like a dude at a laptop with a little plant next to him. Although there is also a skull and crossbones next to him. It's like, we're just coders, but we're bad.
And as you said, first place is $5,000, which seems like not that much, right? They're exploiting, they're stealing tens of millions of dollars at this point, right? And then it says, like, accepted article topics, just like it would in a college contest. But under accepted article topics, it says, hacks, any, methods for pouring shells, fixing, elevating rights, your stories and tricks, interesting hack stories. It's such a fantastic combination of...
Well, banality and evil. It is. But here's what you have to think about. There's two benefits for this. One, what I mentioned, sort of getting their name out and getting known with hackers. But two, they're looking for those upcoming rising stars, if you will. It's recruitment. It's talent pipeline. Yeah. That's right. And that's why LockBit was different than most of the ransomware groups, because they approached it as a business and they thought out of the box.
And that's kind of what set them ahead and apart at the time from other ransomware groups. So does it work, this strategy? It absolutely worked. I mean, there's a reason that people know their name and know who they are, and there's a reason that they have so many people that at the time, anyway, really wanted to work for them over other groups. It was propaganda, and it worked. And so it seems like by around 2021...
They've hit the big time. And there is this one hack in particular that you write about in the summer of '21 of Accenture, the big international consulting company. Tell me about the Accenture hack. So in the Accenture hack, you know, the affiliate had gone in, compromised them. They locked down their data and locked it, you know, put it on their site that, you know, they were a victim. Reporters started to report about it and you got a lot of buzz in the media.
Now, the problem with the Accenture hack is that Accenture denied that the hack took place initially, saying that it wasn't real and it didn't happen. The issue with that is their customers' data was on their website, and you could go see it and validate it and download samples of it. The customers' data was on the LockBit website.
That's correct. That's correct. And it was just a sampling, but you could see this information and it looked quite authentic. So does this Accenture hack sort of put LockBit on the map in a bigger way?
Oh, 100%. I mean, the media surrounding that was very loud. I mean, it was across many organizations. Lots of well-known journalists and organizations reported on it. All this feeds into the propaganda. Not that journalists shouldn't report on it. I'm just saying, you know, LockBit plays that to benefit them as well. Yeah. So basically the press coverage is good for LockBit because...
hackers see it and go to LockBit and say, hey, I want to be an affiliate and do some hacking, essentially? That's right. And to be fair, the same thing for me, from writing these reports. Yes, it helps researchers, law enforcement, but it also helps them. That's the reason that they were friendly to me, is because they were fans of a lot... I have probably just as many criminal hackers that are fans of the ransomware diaries as there are researchers and regular people that are not criminals. Well, I mean, there's an ecosystem here, right? Like, the...
The job, there's a universe of people whose job is fighting criminals and a universe of people who are criminals who are trying to evade being caught. Right. And that's right. The kind of intellectual universe has got to be almost entirely overlapping. Everybody's trying to figure out what everybody else is doing. Everybody's sort of using the same tricks on each other. It makes sense that the bad guys and the good guys would be reading the same stuff.
It does. And that's really where that human framework came in, because his ego was the main thing I was able to play on in order to get information. And even when there were lies in that information, I talked to the people who work for them. So I would take those lies and I would present them in a different way to those people to get a response in any
way that would help me to validate what's real and what's not. Is there some specific example of playing on his ego? Something you said to flatter him or something?
Well, yeah, you know, one of the things that was big for him was, you know, he wanted to be sort of the Darth Vader of ransomware, my words, not his. But, you know, he wanted to be this top person. So, you know, when you would talk about him changing the game of ransomware and telling him, you know, you guys are on top, you know, how did you get there? How did you get ahead of
other groups like REvil and, in time, BlackMatter and groups like that? And, you know, he loved that. That was the thing that would get Mr. Grumpy Pants talking, was sort of playing on his ego, you know, asking questions about how he got to be the top brand in ransomware and how he's better than all the other ones. And he fed right into that.
Coming up after the break, what happens when LockBit is used to hack a hospital for children with cancer? What are some ways that Microsoft Security is helping customers stay ahead of 600 million attacks without slowing down business?
For sports organizations, it means letting fans share in the action without sharing sensitive information. For automakers, it means driving change and securely innovating their development process. And for digital banks, it means staying ahead and keeping up with evolving cyber attacks. Microsoft Security equips you with deeper insights to help you pinpoint vulnerabilities, see around corners, and innovate confidently.
We scan trillions of signals daily, giving you the guidance, expertise, and tools to protect your business without sacrificing speed for safety. Security is your job, and it's also theirs. With Microsoft Security, you have a partner that looks deeper, keeps you ahead, and helps your business move forward securely. To learn more, visit Microsoft.com slash CISO. So kind of early 2020s, LockBit is...
king of the ransomware world. And then it seems like in about 2023, they sort of start going too far or their affiliates start going too far, right? They start to get into trouble. And it seems like the hack of a hospital that is actually called SickKids, which is a children's cancer hospital in Canada, is kind of a turning point. And, like, I do wonder, like...
You could hack anybody. Why would you hack a cancer hospital for children? Like, is it because you want to be as evil as possible? Yeah, it's because they see them as an easy target, because a hospital has to be available and make the resources easily accessible by their patients, clients, medical organizations.
And inherently, the more accessible something is, the less secure it is. So it makes them an easy target. They have a lot of money and they're more likely to pay because the data is so sensitive and the systems that are encrypted are so critical that it makes them a ripe target. And that's the reason that they'll go after them. Initially,
The hospital was hacked. The systems were encrypted. Data was stolen. And they weren't going to let them out of this. They were going to force them to pay or they weren't going to give them the key to decrypt their systems, and didn't seem to care that these kids couldn't get the care that they needed and the treatments that they needed.
The only reason – so what ended up happening was with all the media around it, it was such a bad look for LockBit that the leadership of the group decided after about two weeks, they decided, okay, we're going to go ahead and we're going to give them the encryption key just because this was getting to be too hot.
And if you remember, like the whole Colonial Pipeline thing with the DarkSide ransomware group, you know, that got so much attention that, you know, government agencies got involved and went after them. And when that happens, it's very bad for ransomware groups. So they essentially saw things could possibly go that direction with the amount of bad publicity they were getting and decided it wasn't worth the payment they were going to get. And they went ahead and provided the hospital with the
encryption key so they could get those systems back online. And in fact, their concern about a backlash was justified, right? It seems like international governments kind of led by the UK do start to go after LockBit around this point, right? What do you do if you're a government and you want to go after a Russian hacking gang?
Well, it's not easy. The things that you have to do is you have to use resources that people like me don't have available to try to figure out their infrastructure, their hosting infrastructure, where their servers live, which is very difficult when they're on the dark web. It's hard to figure that out. Because this is the cat and mouse thing. They're like complicated...
smart systems these people use to hide their location, essentially. That's right. Yeah. That's right. And so that's one aspect is trying to figure out that infrastructure and
In some cases, you can use legal means to take it down, but with groups like LockBit, often they will use service providers that are in countries that cater to criminal activity and won't respond to subpoenas. The other thing, though, that these governments and law enforcement try to get into is the infrastructure that is public, the panel that the bad guys use to log into with the graphical interface to control these attacks.
And there's technical ways to do that. And then there's also the ways of infiltrating the people who work for the group to get their credentials and access. So they're basically hacking. They're basically hacking the hackers. So in February of 2024, this international coalition of law enforcement agencies actually takes over LockBit's sort of publicly facing site. Right. LockBit's dark web site. Tell me about that.
Yeah, so it was great. When you went to the website that day, it was no longer LockBit's data leak site. Instead, it was a mock site, so it looks just like it, except instead of having real victims within the site, the NCA put the criminals as the victims, and they named affiliates as the victims.
And they had a countdown timer for LockBitSup saying they were going to release his identity. And the countdown timer is the kind of thing that the bad guys use when they hack a company saying we're going to... That's right. Yeah, that's what they do. The countdown timer for traditional victims is how long they have to pay till the data is leaked. So in the same way that LockBit was...
essentially marketing itself. Now the cops, now the law enforcement officials are doing that same kind of
They're sort of doing this kind of propagandistic thing to attract attention, presumably, what, to scare off all the affiliates? Like, why would they be doing it in this showy way? Just for attention, to get good press? No. It was a psychological operation. So prior to this, they never did this. The way they took sites down were just to take it down and put a message up saying law enforcement took this down. This was psychological. It was meant to...
Yeah.
And to make people not trust LockBit or want to work for the organization. So it was very planned and thought out and methodical. It wasn't just, you know, to get attention. It was specifically to hurt that brand and make affiliates afraid to work for them.
And in addition to that mock website, on the backend, that panel that I was mentioning, that admin panel that they would use, when the takedown took place, when the affiliates logged into that panel, they had tailored messages with their username by law enforcement saying, Hey, you're logging into the panel. We know who you are. We've been monitoring the activity you've been doing. We've got your wallets. We're going to be coming to talk to you soon.
So it was very detrimental to criminals. That was a brilliant operation, in my opinion. And you mentioned that they had a countdown timer for when they were going to reveal the name of LockBitSup, the person, although you said there's people, but at least one of the people behind this, behind LockBit, one of the key LockBit players. Did they in fact reveal the name of that person?
They didn't. When the countdown timer in February went... At that time, they didn't, but there's a reason that they didn't. But they did not do that in February. The reason that they didn't is because LockBit agreed to tell them information about some of his adversarial groups. There was a group called BlackCat who he didn't like, and he agreed to try and give them information. So they used the threat of naming him as leverage and getting him to flip, basically. That's correct. Yeah. Um...
Do we know who he is now? Was he ever named?
Yeah, it was several months later. The site came back online, meaning the law enforcement version of the site came back online. There was a new timer. And once again, they said they were going to reveal LockBit's name. And the timer began again. And on May 7th, when that timer expired, they did. They released his name and his picture, Dmitry Khoroshev. They put that out there, indicted him, wanted posters, the whole nine yards.
Is that grumpy pants? That's, well, my opinion, my opinion is that that was the younger person. Oh, interesting. And the other guy's still out there, but I think law enforcement might tell you otherwise. Though they do agree with me that there's two people. So he's been indicted but not arrested? Is that what you're saying? That's correct, because he's in Russia and there's protections there. The law enforcement just can't get their hands on him. Unfortunately, the criminals are protected when they're in Russia.
So is that the end of LockBit?
No, they continued, but they continued at a much lower level. They didn't have the quality of hackers still working for them. They started having to lie about attacks to try and stack the numbers and things of that nature. Do you think the law enforcement officials' campaign, the whole thing of like naming the people and doing all the stunts on the website, do you think that worked? You think it was sort of like LockBit rose on marketing and in a way fell on the marketing of the government? Yeah, well...
Was it 100% effective? No, but it was about 80% effective. And prior to this, I would say that most of those operations were like 40% effective. And what I mean by that is this actually affected the brand where people, the quality hackers, the quality affiliates, why would they work for this organization with all this heat where they can't trust that they're going to be protected when they can go work for some other criminal organization? Like any software company, their biggest problem is
Finding and keeping good people. That's right. That's exactly right. And by good people, I guess in this case, it means bad people. Right. So, okay. So this is a year ago, basically. This is early 2024. LockBit gets mostly taken down, not knocked out, at least knocked down.
where are we today? Like, what is the state of the ransomware industry? So it's changed a bit. I would say you have more groups, but you don't have as many big organizations that sort of
hold the majority of attacks. You have smaller to medium-sized groups that work more under the radar, meaning they're not doing the same volume of attacks. They're also not getting the same amount of money in ransom extortions as they did before. But they're still out there. They're just doing it. The model just changed a little bit. And so as part of the
idea that, oh, maybe trying to have a big name and be like a famous criminal gang is not a good long-term strategy? That's exactly correct. I think that this is what really made them realize that. People are sort of lower on the radar, just trying to get money and extort, but not necessarily have this voice that's heard across the world. What's the big lesson to you from the LockBit story?
The big lesson there is being boisterous, having this ego is actually a downfall. Being loud, getting publicity, getting your name out there, while that might help attract people to come work for you, there's the opposite side of that where it also attracts a lot of attention from law enforcement. And if you're a criminal group, that's not a good thing. And I think bad guys have...
figured that out, mainly from 2024 with both the BlackCat ransomware group and with LockBit. Those were your prominent players. And those guys both got decimated by law enforcement. And that happened because of the attention that they drew to themselves. So I think that's the lesson that adversaries have learned is you have to be quieter about what you do. We'll be back in a minute with the lightning round.
Let's finish with the lightning round. It's going to be a little more random and a little more about you, Michael.
Okay. What's one thing you learned when you hacked into the Pentagon as a 15-year-old boy? Oh, man. That's the reason that I talk to these criminals, and I sometimes have empathy to want to help them change what they're doing is because I got a second chance, and I remember that fear, and I want to try to help some of these young kids to change what they're doing and not continue down this road. What actually happened there? What?
What was it that happened? Yeah, so my stepfather worked for Colin Powell during the Iraq War. He was at the Pentagon, and he had a classified system in our basement. And I had a friend over, and I was really into computers and hacking and figuring things out. And I didn't do anything elaborate. I just figured out his credentials, and I logged in and was poking around. Nothing elaborate, but enough that it got attention and bad things happened. And the FBI showed up and things. The FBI showed up at your house? Yes.
Yeah, they did. It was not a good day for me. I'm glad it worked out in the end.
It did. It did. It only worked out, though, because of who he worked for, my stepfather, the connections that he had, and the fact that I had no prior record. That's the reason that it worked. And I had a summer where I had to go work at Fort Belvoir doing community service. But I did such a good job, they wanted to hire me to work there. So it was definitely a life-changing experience. And then I joined the Army and became a military police officer. So that was my story. But it worked out well for me. So
I understand that when you were a military police officer, you did undercover drug buys. I did. What's something you learned doing undercover drug buys as a military police officer? What I learned is it's not black and white. It's not just you're a bad guy or a good guy. There are there. There's still human beings. What's one thing you learned pushing carts at Home Depot?
That you should never have an ego because I did all that crazy work and I got out and I could not get a job in law enforcement because of my tattoos. At the time, you couldn't have visible tattoos, at least in Virginia. I tried to join the FBI because I smoked weed in high school. At the time, they had a zero tolerance. I couldn't get into that.
I couldn't get a job, and I had to start at the very bottom. I mean, working retail, I'm not even in the store. I'm in the parking lot, you know? I was living out of my truck for a couple weeks, and then I rented a room at a house. That house, they were selling drugs out of the house. The cops raided it, arrested everybody but me, but I couldn't even get in the house to get my stuff. I mean, it was a tough time in my life. I'm going to change gears to talk about something much more pedestrian now. Yeah.
What's your favorite depiction of hacking in a work of fiction? Cory, there's an author, Cory Doctorow, brilliant guy. He's one of my favorite authors. And he does hacker fiction, if you will. And he's got probably 20 books now. But they're phenomenal, especially the Homeland series. That's one of my favorites. Okay, Homeland series. Who's your favorite cyber criminal in real life? Um...
I would probably say the hacker known as USDoD.
He is a hacker who's not Russian. He lives in Brazil. I became very good friends with him. I've never written about him. He wasn't a target of mine. He helped me actually when I was going after RansomedVC. And he gave me a lot of good inside information. And we just became friends for a long time. And we talked. And he was somebody who I really had wanted to help. He's in jail now. So you can figure out if I was able to help him or not.
Why? Why him? What was that relationship? He had issues like everybody, but he had a good side to him. There was a side to him. He was a decent person. And I really thought if he hadn't become a criminal, he's somebody that would have been in the cybersecurity field.
He did have empathy for people. He hated law enforcement and the government, but he did have empathy for people. And he was somebody who I could talk to and actually feel like I could make a difference with the conversations that we had. John DiMaggio is the chief security strategist at Analyst1. Today's show was produced by Gabriel Hunter Chang. It was edited by Lydia Jean Cott and engineered by Sarah Bruguiere.
I'm Jacob Goldstein, and we'll be back later this week with another episode of What's Your Problem?