Pushkin. Just a quick note, this is a bonus episode of What's Your Problem, and it's sponsored by Microsoft. John DiMaggio studies cybercrime for a living. It's his job. But when he wanted to understand an international cybercrime gang called LockBit, he realized he couldn't learn everything he wanted to know from the outside, so he started trying to figure out how to get people on the inside to tell him what he needed to know.
So I spent a lot of time studying, going back to World War Two, when they started having all these documents about how to use human tradecraft to sort of recruit and convince people to do things that they don't necessarily know they're doing to support your cause.
So you're telling me you started studying sort of World War Two era spycraft?
Yes, that's correct.
What's something you learned from World War Two era spycraft that helped you weasel your way into a ransomware gang?
Everything from their ego to understanding who their adversary is and making them feel that being friends with you will benefit them because you have a common enemy, or even being adversarial towards them and saying certain things just to see what the reaction is, to sometimes understand the truth.
There's also the sort of plan and prepare phase, where you have to go and sort of stalk them and understand who their contacts are, who their friends are, who their enemies are, where they hang out online, all of that stuff.
So you have this set of strategic ideas in your mind. What do you actually do?
So what I did, the first thing I did, is I needed to figure out sort of their digital fingerprint, so I profiled them. I began looking across the dark web. Obviously I started with the easy one, their data leak site, their own infrastructure, and I went from there, and I eventually found the forums that they live on. There are some very prominent Russian hacking forums that have been around for about twenty years, so it made sense to start there. And sure enough, they were very prevalent on that website. They were very involved with conversations. They have friends, their enemies, and they do their business. So they actually would go there just to talk and sort of hang out with their buddies. And the drama, it was like a soap opera. The drama, these guys would get into these big arguments over the stupidest things. I just started profiling and visually mapping out who is who, who they were talking to, what those other people's roles were. Then I would find the ones who were their friends, and I would try to approach them and the people who worked for them.
And did it work?
It did. Well, it sort of worked.
I'm Jacob Goldstein, and this is What's Your Problem. My guest today is John DiMaggio. John is the chief security strategist at a company called Analyst1, and I wanted to talk with John about LockBit, this ransomware gang that was behind attacks that extorted over one hundred million dollars from companies around the world. John wrote this sort of book-length series of online posts about LockBit. It was part of a thing John called the Ransomware Diaries. The story of LockBit is a great window into the ransomware industry, and it is an industry with a lot of remarkable similarities to ordinary, non-criminal industries. LockBit tried to brand itself. It tried to attract talent and notch key wins, just like any software company. But then there's also the part that is not like any software company. There is the crime part, and it was the crime part where LockBit went too far and wound up drawing the ire of international law enforcement agencies, which in fact have their own set of innovative strategies. And John watched all this happen up close. He told me his key contact on the inside had the username LockBitSupp, short for LockBit Support.
I didn't know it at the time when I first started talking to them, but what I found out as I began to talk more is there were two personalities behind the account. One seemed to be much younger, friendlier, more in tune with sort of pop culture, and the other one, who I gave a name, Mister Grumpy Pants, because he was all business, always serious. And that was kind of how I differentiated.
Tell me about the sort of conversations you had with LockBitSupp. Like, what was the nature of those exchanges?
Well, so you have to understand that when I did the initial part, that was sort of cover, pretending to be somebody else. I only got so far with that, and after I wrote The Ransomware Diaries Volume One, they knew who I was. The farthest I got was talking to them as myself. I started with, Hey, do you guys know who I am? I want to have a conversation with you. And they said to me, Yeah, you're our favorite researcher. We love you. Okay. And they were very willing to talk, which is why I got so much farther talking to them as myself than I did pretending to be a hacker.
Uh huh. What's the thing you learned from LockBitSupp? What's one detail of your understanding that was improved by that relationship?
Well, there were a lot of things, but one of the key things I had learned was information about internal problems that they had with affiliates. For example, they complained that they've got really good hackers, but some of these hackers are younger kids, and they're good at hacking, but they're really bad at negotiating. They were unhappy about the amount of money coming in, so they talked about that and coming up with a model of how much they would accept, and they created sort of a formula per company. And so just things like that, things around tech resources. They asked me one time if I would buy them, they couldn't get a DomainTools account, and they wanted to know, because they couldn't pay for it with crypto, if I would buy it for them, which, of course, they're playing with me, you know. And it was sort of a cat and mouse, fun relationship for a while, going back and forth. So it was friendly for most of our relationship, until it wasn't.
So okay. So you're in this world, and I just want to step back for a minute to talk about what's going on in a big way. Right, there's this phrase that's sort of central here, which is ransomware as a service. Ransomware is, like, straightforward, something a lot of people are familiar with. It's basically, some bad actor, some hacker, hacks into some company's computers, locks them up and says, we're not going to unlock them unless you pay us a ransom. That's ransomware.
Exactly.
What is ransomware as a service? I mean, we know about software as a service, right? It's basically you pay whatever amount a month and you get to use software. What's ransomware as a service?
So ransomware as a service, there's more than just ransomware. So you have this two-part model where you have a service provider. That service provider provides the actual ransomware code. They also provide infrastructure. So the provider provides these services, the hacker goes and does the dirty work of actual hacking, and together, when a victim pays the extortion, they share the profit from it. The benefit from using this model is you can have a lot higher volume than if it was just five guys in a group doing it themselves. By using this model, you can have many people doing attacks on your behalf. Much higher volume of attacks, much higher revenue.
So LockBit is basically just a software company. They're like an enterprise software company. They write software and provide various tools for users. But in this case the users are criminals, are people who want to hack into various computer systems and steal data and extort money.
That's correct.
But the other piece to it is the service provider aspect. They're the ones that are sort of in charge, that run the show, that give direction, that step in whenever there's an issue. If there's a victim not paying, sometimes they'll come in and help with the negotiation or take over, or give direction on how much you can accept as a payment, or even say this is what you can or cannot hack, this company. So they're definitely in the leadership chair.
So I want to talk about how LockBit sort of grows and makes a name for itself. And one of the things that's really interesting is kind of how uninteresting it is. It's like, oh, it's this international criminal gang and they're acting like a boring software company. And it seems like a key early moment for them, as they're trying to grow and differentiate themselves in the market, is this summer paper contest. Tell me about that.
Yeah, it's pretty crazy.
So on this long-running forum that I mentioned earlier, this Russian hacking forum, LockBit really wanted to get their brand out there. So what they did is they sponsored this hacking paper contest, meaning hackers would submit these papers on different ways to hack, and LockBit would take part in this and they would help review. And there were five winners, and the prize, I don't remember exactly, I think was five thousand dollars maybe.
You put a screenshot in your report, and what's amazing is how banal it looks. It looks totally like some college software contest or just some boring enterprise software company. Like there's this little kind of clip art of just like a dude at a laptop with a little plant next to him, although there is also a skull and crossbones next to him. It's like, we're just coders, but we're bad. And as you said, first place is five thousand dollars, which seems like not that much, right? They're exploiting that. They're stealing tens of millions of dollars at this point, right? And then it says, like, accepted article topics, just like it would in a college contest, but under accepted article topics it says: hacks, any methods for pouring shells, fixing, elevating rights; your stories and tricks, interesting hack stories. It's such a fantastic combination of, well, banality and evil.
It is.
But here's what you have to think about. There are two benefits to this. One, what I mentioned, sort of getting their name out and getting known with hackers. But two, they're looking for those upcoming rising stars, if you will.
Recruitment. It's talent, right? Yeah.
That's right, and that's why LockBit was different than most of these other ransomware groups, because they approached it as a business and they thought out of the box, and that's kind of what set them ahead and apart at the time from other ransomware groups.
So does it work, this strategy?
It absolutely worked.
I mean, there's a reason that people know their name and know who they are, and there's a reason that they had so many people that, at the time anyway, really wanted to work for them over other groups. It was propaganda, and it worked.
And so it seems like by around twenty twenty-one they've hit the big time. And there's this one hack in particular that you write about, in the summer of twenty twenty-one, of Accenture, the big international consulting company. Tell me about the Accenture hack.
So in the Accenture hack, you know, the affiliate had gone in, compromised them, they locked down their data, and LockBit put on their site that they were a victim. Reporters started to report about it, and it got a lot of buzz in the media. Now, the problem with the Accenture hack is that Accenture denied that the hack took place, initially saying that it wasn't real and it didn't happen. The issue with that is their customers' data was on their website and you could go see it and validate it and download samples of it.
The customers' data was on the LockBit website.
That's correct, and it was just a sampling, but you could see this information and it looked quite authentic.
So does this Accenture hack sort of put LockBit on the map in a bigger way?
Oh, I mean, the media surrounding that was very loud. I mean, it was across many organizations. Lots of well-known journalists and organizations reported on it. All this feeds into the propaganda. Now, that's not to say the journalists shouldn't report on it. I'm just saying, you know, LockBit plays that to benefit them as well.
Yeah. So basically the press coverage is good for LockBit because hackers see it and go to LockBit and say, hey, I want to be an affiliate and do some hacking.
Essentially, that's right. And to be fair, the same thing goes for me, from writing these reports. Yes, it helps researchers, law enforcement, but it also helps them. That's the reason that they were friendly to me, is because they were fans of it. I have probably just as many criminal hackers that are fans of the Ransomware Diaries as there are researchers and, you know, regular people that are not criminals.
Well, I mean, there's an ecosystem here, right? There's a universe of people whose job is fighting criminals and a universe of people who are criminals who are trying to evade being caught, right? And the kind of intellectual universe has got to be almost entirely overlapping. Everybody's trying to figure out what everybody else is doing. Everybody's sort of using the same tricks on each other. It makes sense that the bad guys and the good guys would be reading the same stuff.
It does. And you know, that's really where that human framework came in, because his ego was the main thing I was able to play on in order to get information. And even when there were lies in that information, you know, I talked to the people who worked for them. So I would take those lies and I would present them in a different way to those people to get a response, and that would help me to validate what's real and what's not.
Is there some specific example of playing on his ego, something you said to flatter him or something?
Well, yeah, you know, one of the things that was big for him was, you know, he wanted to be sort of the Darth Vader of ransomware, my words, not his, but he wanted to be this top person. So when you would talk about him changing the game of ransomware and telling him, you know, you guys are on top, how did you get there? How did you get ahead of other groups like REvil and, in time, BlackMatter and groups like that? He loved that. That was the thing that would get Mister Grumpy Pants talking, was sort of playing on his ego, asking questions about how he got to be the top brand in ransomware and how he's better than all the other ones. And he fed right into that.
Coming up after the break, what happens when LockBit is used to hack a hospital for children with cancer.
So kind of early twenty twenties, LockBit is king of the ransomware world. And then it seems like in about twenty twenty-three they sort of start going too far, or their affiliates start going too far, right? They start to get into trouble, and it seems like the hack of a hospital that is actually called SickKids, which is, yeah, a children's cancer hospital in Canada, is kind of a turning point. And like, I do wonder, like, you could hack anybody, why would you hack a cancer hospital for children? Like, is it because you want to be as evil as possible?
Yeah, it's because they see them as an easy target, because a hospital has to be available and make their resources easily accessible by their patients, clients, medical organizations, and inherently the more accessible something is, the less secure it is. So it makes them an easy target. They have a lot of money, and they're more likely to pay because the data is so sensitive and the systems that are encrypted are so critical, that it makes them a ripe target, and that's the reason that they'll go after them. Initially, the hospital was hacked, the systems were encrypted, data was stolen, and they weren't going to let them out of this. They were going to force them to pay or they weren't going to give them the key to decrypt their systems, and didn't seem to care that these kids couldn't get the care that they needed and the treatments that they needed. So what ended up happening was, with all the media around it, it was such a bad look for LockBit that the leadership of the group decided, after about two weeks, Okay, we're going to go ahead and we're going to give them the decryption key, just because this was getting to be too hot. And if you remember, like, the whole Colonial Pipeline thing with the DarkSide ransomware group, that got so much attention that government agencies got involved and went after them, and when that happens, it's very bad for ransomware groups. So they essentially saw things could possibly go that direction with the amount of bad publicity they were getting, and decided it wasn't worth the payment they were going to get, and they went ahead and provided the hospital with the decryption key so they could get those systems back online.
And in fact, their concern about a backlash was justified, right? It seems like international governments, kind of led by the UK, do start to go after LockBit around this point, right? What do you do if you're a government and you want to go after a Russian hacking gang?
Well, it's not easy. The things that you have to do is you have to use resources that people like me don't have available to try to figure out their infrastructure, their hosting infrastructure, where their servers live, which is very difficult when they're on the dark web. It's hard to figure that out.
Because this is the cat and mouse thing. There are, like, complicated, smart systems these people use to hide their location, essentially.
That's right, and so that's one aspect, is trying to figure out that infrastructure. In some cases you can use legal means to take it down, but with groups like LockBit, often they will use service providers that are in countries that cater to criminal activity and won't respond to subpoenas. The other thing, though, that these governments and law enforcement try to get into is the infrastructure that is public, the panel that the bad guys use to log into, with the graphical interface to control these attacks. And there's technical ways to do that, and then there's also the ways of infiltrating the people who work for the group to get their credentials, access.
So they're basically hacking the hackers. So in February of twenty twenty-four, this international coalition of law enforcement agencies actually takes over LockBit's sort of publicly facing site, right? LockBit's dark website. Tell me about that.
Yeah. So it was great. When you went to the website that day, it was no longer LockBit's data leak site. Instead it was a mock site, so it looked just like it, except instead of having real victims within the site, the NCA put the criminals as the victims, and they named affiliates as the victims, and they had a countdown timer for LockBitSupp saying they were going to release his identity. Ha.
And the countdown timer is the kind of thing that the bad guys use when they hack a company, saying we're gonna...
That's right, yeah, uh huh. Yeah, that's what they do. A countdown timer for traditional victims is how long they have to pay before the data's leaked.
So in the same way that LockBit was essentially marketing itself, now the cops, the law enforcement officials, are doing that same kind of marketing. They're sort of doing this kind of propagandistic thing to attract attention, presumably to scare off all the affiliates. Like, why would they be doing it in this showy way? Just for attention, to get good press?
No, it was a psychological operation. So prior to this, they never did this. The way they took sites down was just to take it down and put a message up saying law enforcement took this down. This was psychological. It was meant to put stress on the people who worked for the organization, being concerned that they no longer had anonymity and that their names and information were now being reviewed and revealed by law enforcement. And the whole goal of this was to affect the LockBit brand and to make people not trust LockBit, or want to work for the organization. So it was very planned, thought out and methodical. It wasn't just, you know, to get attention. It was specifically to hurt that brand and make affiliates afraid to work for them. And in addition to that mock website, on the back end, that panel that I was mentioning, that admin panel that they would use, when the takedown took place, when the affiliates logged into that panel, they had tailored messages with their username by law enforcement saying, Hey, you're logging into the panel. We know who you are. We've been monitoring the activity you've been doing. We've got your wallets. We're going to be coming to talk to you soon. So it was very detrimental to criminals. That was a brilliant operation, in my opinion.
And you mentioned that they had a countdown timer for when they were going to reveal the name of LockBitSupp, the person. Oh, you said there's people, but at least one of the people behind this, behind LockBit, one of the key LockBit players. Did they in fact reveal the name of that person?
They didn't when the countdown timer expired, not at that time, in February, but there's a reason that they didn't. The reason is because LockBit agreed to tell them information about one of his adversarial groups. There was a group called Black who he didn't like, and he agreed to try to give them information.
So they used the threat of naming him as leverage in getting him to flip, basically.
That's correct.
Do we know who he is now? Was he ever named?
Yeah, it was. It was several months later. The site came back online, meaning the law enforcement version of the site came back online. There was a new timer, and once again they said they were going to reveal LockBit's name, and the timer began again, and on May seventh, when that timer expired, they did. They released his name and his picture, Dmitry Khoroshev. They put that out there, indicted him, wanted posters, the whole nine yards.
Is that Grumpy Pants?
That's, well, my opinion. My opinion is that that was the younger person and the other guy's still out there, but I think law enforcement might tell you otherwise, though they do agree with me that there are two people.
So he's been indicted but not arrested. Is that what you're saying?
That's correct, because he's in Russia and there are protections there. Law enforcement just can't get their hands on them. Unfortunately, the criminals are protected when they're in Russia.
So is that the end of LockBit?
It's not. You would think it is, but with almost every other group that this has happened to, that's the end of the story, or at least it causes them to take that operation down, and they have to start from scratch somewhere else with a new operation, with a new name and a new brand. But LockBit worked so hard on that brand, I don't think he'll ever take it away until they actually arrest everybody. But no, they continued, but they continued at a much lower level. They didn't have the quality of hackers still working for them. They started having to lie about attacks to try and stack the numbers, and things of that nature.
Do you think the law enforcement officials' campaign, the whole thing of, like, naming the people and doing all the stunts on the website, you think that worked? You think it was sort of like LockBit rose on marketing and, in a way, fell on the marketing of the governments?
Yeah. Well, was it one hundred percent effective? No, but it was about eighty percent effective. And prior to this, I would say that most of those operations were like forty percent effective. And what I mean by that is this actually affected the brand, where people, the quality hackers, the quality affiliates, why would they work for this organization with all this heat, where they can't trust that they're going to be protected, when they can go work for some other premier organization?
Like any software company. Their biggest problem is finding and keeping good people.
That's right, That's exactly right.
And by good people, I guess in this case it means bad people, right? So okay, so this is a year ago, basically. This is early twenty twenty-four. LockBit gets mostly taken down, not knocked out, but at least knocked down. Where are we today? Like, what is the state of the ransomware industry?
So it's changed a bit. I would say you have more groups, but you don't have as many big organizations that sort of hold the majority of attacks. You have smaller to medium-sized groups that work more under the radar, meaning they're not doing the same volume of attacks. They're also not getting the same amount of money in ransom extortions as they did before. But they're still out there. They're just doing it; the model just changed a little bit.
And so is part of the idea that, oh, maybe trying to have a big name and be like a famous criminal gang is not a good long-term strategy?
That's exactly correct.
I think that this is what really made them realize that people are sort of lower on the radar, just trying to get money and extort, but not necessarily have this voice that's heard across the world.
What's the big lesson to you from the LockBit story?
The big lesson there is being boisterous, having this ego, is actually a downfall. Being loud, getting publicity, getting your name out there, well, that might help attract people to come work for you. There's the opposite side of that, where it also attracts a lot of attention from law enforcement, and if you're a criminal group, that's not a good thing. And I think bad guys have figured that out, mainly from twenty twenty-four, with both the BlackCat ransomware group and with LockBit. Those were your prominent players, and those guys both got decimated by law enforcement, and that happened because of the attention that they drew to themselves. So I think that's the lesson that adversaries have learned, is you have to be quieter about what you do.
Back in a minute with the lightning round.
Let's finish with the lightning round. It's gonna be a little more random and a little more about you. Okay, what's one thing you learned when you hacked into the Pentagon as a fifteen-year-old boy?
Oh man. The reason that I talk to these criminals and I sometimes have empathy, to want to help them change what they're doing, is because I got a second chance, and I remember that fear, and I want to try to help some of these young kids to change what they're doing and not continue down this road.
What actually happened there? What was it that happened?
Yeah. So my stepfather worked for Colin Powell during the Iraq War. He was at the Pentagon and he had a classified system in our basement, and I had a friend over, and I was really into computers and hacking, figuring things out. And I didn't do anything elaborate. I just figured out his credentials and I logged in and was poking around. Nothing elaborate, but enough that it got attention and bad things happened, and the FBI showed up and things.
The FBI showed up at your house.
Yeah, they did. It was not a good day for me.
I'm glad it worked out in the end.
It did. It did. It only worked out, though, because of who my stepfather worked for and the connections that he had, and the fact that I had no prior record. That's the reason that it worked. And I had a summer where I had to go work at Fort Belvoir doing community service, but I did such a good job they wanted to hire me to work there. So it was definitely a life-changing experience. And then I joined the Army and became a military police officer. So that was my story. But it worked out well for me.
So I understand that when you were a military police officer, you did undercover drug buys.
I did.
What's something you learned doing undercover drug buys as a military police officer?
What I learned is it's not black and white. It's not just you're a bad guy or a good guy. They're still human beings.
What's one thing you learned pushing carts at Home Depot?
That you should never have an ego, because I did all that crazy work and I got out and I could not get a job in law enforcement because of my tattoos. At the time you couldn't have visible tattoos, at least in Virginia. I tried to join the FBI, but because I smoked weed in high school, and at the time they had zero tolerance, I couldn't get into that. I couldn't get a job, and I had to start at the very bottom. I've been working retail. I'm not even in the store. I'm in the parking lot, you know. I was living out of my truck for a couple of weeks, and then I rented a room at a house. That house, they were selling drugs out of the house. The cops raided it, arrested everybody but me, but I couldn't even get in the house to get my stuff. I mean, it was a tough time in my life.
I'm going to change gears to talk about something much more pedestrian now. What's your favorite depiction of hacking in a work of fiction?
Cory, there's an author, Cory Doctorow, brilliant guy. He's one of my favorite authors, and he does hacker fiction, if you will, and he's got probably twenty books now, but they're phenomenal, especially the Homeland series. That's one of my favorites.
Okay, Homeland series. Who's your favorite cyber criminal in real life?
I would probably say the hacker known as USDoD. He is a hacker who's not Russian. He lives in Brazil. I became very good friends with him. I've never written about him. He wasn't a target of mine. He helped me, actually, when I was going after RansomedVC, and he gave me a lot of good insight, information, and we just became friends for a long time and we talked, and he was somebody who I really had wanted to help. He's in jail now, so you can figure out if I was able to help him or not.
Why him? What was that relationship?
You know, he had issues like everybody, but he had a good side to him. There was a side to him, he was a decent person, and I really thought if he hadn't become a criminal, he's somebody that would have been in the cybersecurity field. He did have empathy for people. He hated law enforcement and the government, but he did have empathy for people, and he was somebody who I could talk to and actually feel like I could make a difference with the conversations that we had.
John DiMaggio is the chief security strategist at Analyst1. Today's show was produced by Gabriel Hunter-Cheng. It was edited by Lydia Jean Kott and engineered by Sarah Bruguiere.
I'm Jacob Goldstein, and we'll be back later this week with another episode of What's Your Problem.