Mathew Schwartz: Hi, I'm Mathew Schwartz with Information Security Media Group, and one of the most destructive and damaging ransomware groups in recent years has been LockBit. To discuss LockBit and tactics and techniques we might use to better disrupt not only LockBit but other ransomware groups, I am joined by Jon DiMaggio, chief security strategist at Analyst1. Jon, great to see you.

Jon DiMaggio: Hi, Matt. Thank you. Great to see you, too. Thank you for having me.

Mathew Schwartz: Jon, it's a pleasure to see you again. I know you've been spending a lot of time doing a deep dive into the LockBit ransomware gang, and I want to hear what you found, but also some of the challenges that you might have encountered, because so much of what we know about ransomware seems to be coming from the horse's mouth, which is obviously a problematic place to be.

Jon DiMaggio: It really is, Matt, it is, and that's one of the reasons why I wanted to approach this research the way that I did. You know, there are sort of two parts to that. One, there's a ton of content out there about LockBit, but the majority of it is from the technical threat data perspective. And I think that with ransomware, that's a bit of a problem, because while that model has worked for as long as cybersecurity has existed, you know, with ransomware attacks, it's very different, because there's not another attack type where the victim has to speak directly with, or communicate directly with, their attacker besides this. So you know, the attacker has really changed the model of how they conduct these attacks, but we really haven't changed the way that we research, profile, defend and approach against it. So I felt like there was a lot of low-hanging fruit that was just a very different type of thinking in how to approach it in order to gain this information and turn it into intelligence. So that's sort of the reason that I decided to go in with a more human approach and sort of overlay that information on top of telling a good story with the known threat data and events sprinkled in, and sort of add what the attacker thought from their point of view, even if it's not accurate, and it's coming from an attacker, meaning you can't always believe these folks. But even if that's the case, there's still an intelligence value. By placing that over the events as we know them, seeing how they either feel about it or want us to view it, there's a lot of room there for very good analysis to extract and understand the mindset of the attacker.

Mathew Schwartz: That's a great point you make in terms of adding insult to injury - the fact that you get hit by these groups and then, as you say, you're oftentimes forced to negotiate with these groups. Just to step back for a second, just to set the context in case people aren't familiar with LockBit, fill me in a little bit from a high level. This is a ransomware-as-a-service group, correct?

Jon DiMaggio: It is. It actually started out as a traditional ransomware gang where they did the attacks themselves. June of 2019, they started out, and back then their ransomware would append the string .abcd to each file as it encrypted. And because of that, they originally got the name the .abcd gang, and LockBit just did not like that name. So after several months, they decided to update their ransomware and their note to append that LockBit and put that name in the note. So we began calling them that. And it was in early 2020 when they opened up their ransomware-as-a-service brand and started the model that they are today, where they develop and have the infrastructure and have affiliates to actually conduct the attacks.

Mathew Schwartz: And so that model gains popularity with a lot of groups. It seemed to be a way for them to really get the profits rising quickly, because they brought specialists in who had different skills and helped them work their way into more victims.

Jon DiMaggio: Well, it's all about volume. If you think about it, here's what we need to do. We need to think about it as a business model, because that is how the adversary thinks of it. And it's not illegal in Russia. You know, they're protected. There's no laws saying, "Hey, we're going to come arrest you." It was literally a business to them, and they treat it that way. So for them, it's hiring people, outsourcing the work, a higher number of people, and they can conduct far more attacks and generate more revenue. And that's exactly why they use this model to conduct these ransomware attacks.

Mathew Schwartz: So you've been gathering human intelligence online. Maybe describe for me a little bit, to the extent that you can, how one goes about this? You don't have to dive too deep into that just yet, but also some of the findings.

Jon DiMaggio: Yeah, absolutely. So, it kind of started - and I won't go too deep with this - when I was at Symantec for seven years, and they had a massive amount of data. So when I left and I didn't have that huge data lake, I needed to find new ways to facilitate finding interesting stories and interesting research. So, I really started to explore the dark web, something that I used to do as a hobby years ago. And, you know, developing fake personas is something that I did with the government, so I had a lot of background for that. And I just started looking for ransomware gangs, and it wasn't hard to find them. Once I identified where they sort of lived, I just started to use multiple different personas that I would develop to sort of get closer to them, get into the right forums, get into the right chat rooms, and whether - it wasn't in this case - but whether it's a Telegram channel, what they call Tox, which is just the encrypted communication channel, or whether it's a forum, there are different things that are said there. So being able to - even if you're just going to observe, you're going to gain information, let alone then interact and actually get direct answers to your questions - is beneficial. But as you said earlier, these guys are very boisterous and they like to talk. So, it made the job very easy to do.

Mathew Schwartz: So, in terms of boisterousness, self-promotion, PR savvy, I'd say LockBit is pretty well known because of the LockBitSupp persona. And you've got some fascinating research into that individual or individuals.

Jon DiMaggio: Yes. So that's a great point. So the LockBitSupp persona, let's just say for folks who don't know, that is the name, alias, brand, if you will, that they use to facilitate communication with other criminals for recruiting purposes, for gaining notoriety, for talking with journalists, researchers. That's the account persona that they use. There's been a lot of speculation. Is that really - because they say it's the leader of the group - is it really LockBit's leader, or is it multiple accounts? There are criminals who claim the whole thing is, they say, a 17-year-old sitting at a terminal doing PR. I don't believe any of that's true. And I spent a lot of time in analysis. I do think that there is more than one person. But I think it's definitely no more than three. And the reason I say that is I looked for inconsistencies over not just the five months that I interacted, but I took a rearview mirror look going back for as long as they were on the forums, and I only found a few contradictions in their storyline. And as you know, if you make up lies, you have to keep up with them. So when you have multiple people doing that, there's more opportunity to make mistakes. And I did find a few mistakes, but not many. So I do believe there are occasions where there is somebody different, but for the majority of it, and especially for what we'll call the high-value PR where they're doing interviews and they're talking to higher-level criminals, I do believe that is the leader of the group itself.

Mathew Schwartz: One of the fascinating things from your research that I took away was the extent to which these groups appear to know each other. I mean, because they had information on each other. I think you said it had been validated technically, but they were providing more of almost a human interest version that seemed to be valid, that suggested that somehow they knew each other. I would have thought there would have been more silos, perhaps. What do you think is going on with the ransomware underground, primarily focused on Russia here?

Jon DiMaggio: That was probably the most interesting aspect of this for me, seeing those relationships. And, you know, as the cybersecurity community, there were certain events that we knew - for just a real brief example, there was BlackMatter ransomware code found in LockBit's newest ransomware, called LockBit 3.0. So we knew that to have that unique code in it, and some of that unique functionality, obviously they obtained that source code somehow. But then when you hear it from the adversaries' mouth - we'd all assumed that when the other group, BlackMatter, went away, LockBit just bought the source code, and that's not what happened. Instead, they stole their high-level developer, they stole one of their employees. And when he came over, he is a human being; you don't want to have to rework everything from scratch. So, he naturally used some of the code that he had already worked on and implemented it into the new LockBit ransomware. So just little things like that. They don't change anything, but it's very interesting. You know, it's not that we got it wrong, but actually getting the story the way that it most likely did happen, because there's not a reason really to lie about that. I thought that was very intriguing.

Mathew Schwartz: So we have this connection that you've established between these two groups. What about the other big players?

Jon DiMaggio: Yes. So, all of that sort of stemmed - originally, I thought it was just with a developer, but it's beyond that. So LockBit actually knew, for one - the reason I got on LockBit was his relationship with the leader or previous leader of REvil. And I found that then he also had this relationship with the senior leaders of DarkSide behind the Colonial Pipeline attack, who eventually transitioned into BlackMatter. And then now today, there are members from that group that are in Black Hat. And then this key developer - he used to work for a group called FIN7. So as you can see, there's a human association with all of these groups. And then I would literally see the key leaders of these groups, they would have these conversations and events; they were friendly at one point, and then they became adversarial. And they get into these big dramatic arguments, and I just would get my popcorn and watch. But, you know, it was really interesting to learn of these relationships outside of just technical means.

Mathew Schwartz: It so often seems like an adolescent-level soap opera, in terms of the spice they're having, the language they're choosing to use, the threats they're making. It's pretty insane. Speaking of insanity, you were mentioning this developer who seems to have been hired away by LockBit, thus giving them some intellectual property from one of their rivals, friendly or otherwise. Now, did this lead to - again with the soap opera - did this lead to some fallout, though, with the developer in question?

Jon DiMaggio: Yes. So that was a big problem. And the developer had a lot of concerns about what would happen, because he left that at the root. And it was very important to him that he had some level of protection. And you would think, because the developer and LockBit had a fallout, you would think it was related to that, and that was sort of the seed: that fear of the other group having retaliation. That developer wanted the storyline publicly to go a certain way, and LockBit did not tell it that way. They told their version of the truth about stealing the developer away and giving them the source code and everything. And what eventually happened is that source code had a vulnerability in it that the developer hadn't fixed, and LockBit had agreed publicly to pay a bug bounty program that they put on their website. And they offered to pay $50,000 to anybody who found a bug. So, when someone did, and he had to pay them that, he took that out of the developer's salary, and the developer was unhappy, because that's not the agreement that they had. So long story short, the developer was upset, he left, and to sort of send a message for being upset, he leaked some of their source code. And he did a horrible job doing it. He presented this fake persona that he created that afternoon, claimed to have been someone who hacked LockBit and stole it. And of course, from LockBit's perspective, it was very clear what happened. So that developer has his own sort of infrastructure website on Tor, where he markets himself, and he still does work, but he is no longer working for LockBit. And it was a very dramatic exit. It involved sort of an arbitration where one of the senior administrators from the forum had to get involved. And then both LockBit and the developer sort of told their story in their testimonial. The testimonial actually includes the developer word for word; his story is actually in the report - I put it in the appendix, it was kind of long - but I think it's really interesting, though, to get it from their words, even if it's not completely accurate. Just to see and understand these conversations, I thought it was really interesting. And I want to sort of share that with the research community.

Mathew Schwartz: It further highlights that these are day jobs for people. They've got lives, they've got relationships, they need to be able to pay bills, they have managers, maybe who aren't very good at managing. And then you have this whole, I guess, criminal overlay over the whole thing as well. So yeah, I guess it's as messy as the real world can be.

Jon DiMaggio: It absolutely is. And, it's essentially, like I said, it's a business that's run by an ego-driven CEO that has massive insecurities. And the end result: while, unfortunately, they have a great criminal product, I think that what will eventually lead to their demise is that sort of ego and the constant overreacting, because of their insecurities, to the things that happen, such as the developer leaking their code and things like that.

Mathew Schwartz: But LockBit, I believe, is continuing to still be a threat, not just a nuisance, to the organizations it hits?

Jon DiMaggio: Yeah, they're the worst right now. If you were to measure ransomware gangs by the volume of attacks and the revenue they bring in, factually LockBit is number one. They have more attacks than any other ransomware gang has ever had - more than REvil, more than Conti, more than all of them by a lot, which is just crazy. But it's because they have made their software, the administrative panel, which the bad guys use to control attacks, basically point and click. You used to have a trained hacker that had to manually enumerate all these networks and do all these things, where now it's point and click, radio dial button, enter this domain group, and it goes. Now granted, it doesn't always work that smoothly, but even when certain components fail, there's still way more work that would have been manual work. And what happens then is the attacks are quicker and you have a higher volume of them, and that is the reason that there are more LockBit attacks than anyone else - exactly that high volume of easy-to-conduct, quicker attacks. And I have written about this. About two years ago, I'd written about this, that they could see that LockBit was starting to test new features, and this is what they're going to do. They're looking to automate and rely less on affiliates. And that's exactly what we're seeing: high volume, easier, less technical experience necessary, and it's bad for us, it's good for them.

Mathew Schwartz: Remove as much of the complexity as they can, automate as much as they can, as you say. So we've got this fascinating research you've done into LockBit, looking at how it's evolved, some of the internal tensions in the group, its modus operandi. How do we use this against them?

Jon DiMaggio: Yeah, so one of the issues that we have with ransomware - I don't think anybody can deny we are not winning the war on ransomware. And if you disagree, just go look at the headlines. Every day, we're having these large attacks against governments, educational organizations, large Fortune 500 companies, and regardless of how good our defenses seem to be, they find a way to defeat them often. And I think part of that is the approach that we're taking to defeat them. This whole analogy reminds me of the 1980s approach to the war on drugs - we were putting up a good fight, but we were doing things in the wrong way. And what we did is we just spun our wheels. Well, that's what's happening with this. We're treating these ransomware attacks with all the traditional means, approaches, theories and methods to defeat it that we did with our struggle against previous cyberthreats. But these guys are different. So we need to look at it and approach it differently. We're putting out indictments to arrest these organizations, though they're in a country where they are protected. We're never going to arrest them; the indictments aren't going to work. So while I love indictments, because they're full of inside information, we're never going to actually prosecute. So we need to do things differently. And one of the things that I think we need to do is look at where we can make a difference. And clearly, if somebody like myself can get in - and there are other researchers that have gotten in as well with them - you know, you can get in, get close to them, with all the insecurities that they have, and with all of the other criminals that either dislike them or are jealous of them, you can play on that insecurity and hurt or tarnish their reputation and make it so that they're not successful, and other criminals and affiliates don't want to necessarily work with them, or suspect that law enforcement has infiltrated them. I can go on and on with different ideas that I have. But the psychological aspect of it is one way, and the propaganda that we could use to sort of steer the criminal mentality to not want to work with them. I know it works, because we saw it; this happened to REvil. And we need to do that with LockBit. But on top of that, when Entrust, the cybersecurity organization, got compromised by LockBit and LockBit was going to publish all their data - and I'm not going to put words in their mouth, but there was a distributed denial-of-service attack that took place shortly after LockBit threatened to publish their data. And their infrastructure went down, LockBit's infrastructure. So he couldn't publish their data to their sites, and they literally stopped them, or at least slowed him down. And in the meantime, if you wouldn't do that and psychological operations, you would have criminal customers who won; there's all this drama and things playing on about the reputation and fear of them being infiltrated by law enforcement and governments, and then their infrastructure is constantly not available, indicating things may be going on. And it might validate those accusations. I think we could really start to make a dent. And even if we didn't, when these things are not available, it's much harder for them to continue operations, because they usually do their negotiations and everything else through these portals. So I think that we really need to move in that direction. But that takes - a regular company, you know, there are laws that prevent them from sort of hacking back, if you will, or doing a distributed denial-of-service. But that doesn't prevent governments and law enforcement. And I don't just mean the U.S.; there are governments all over the world that are being targeted. If we all sort of work together to do a joint operation against these large ransomware groups, I think we'd be far more effective than indictments and the whack-a-mole effect that we're trying to do now.

Mathew Schwartz: So combat them, not just technically, but also psychologically. It sounds like a great strategy. Sow chaos and help them hopefully tear themselves apart.

Jon DiMaggio: Absolutely. Just a different approach. What we're doing is not working; that, I don't think anyone can disagree with. So we have to try something different. So I'm hoping that with this research and things that I'm putting out, that's going to sort of grow and put a seed to implement some of these new ideas. And that's why I want to talk about those things and get that out there. I'm hoping that there'll be more to that. And, you know, I'd be happy, and I try now, you know, to talk with different organizations. I do work with federal law enforcement when I find this stuff and things of that nature. But there's a difference between me talking and writing the stuff to actually being an operational methodology that we use resources to do on a consistent level, and that's what we need to do. Consistently approach it differently and in this manner in order to have an effect, other than what we have right now, which seems to be falling on our face a lot, just being honest.

Mathew Schwartz: Well, Jon, I appreciate the honesty, I appreciate the insights and the analysis of what you have been doing and sharing with us here. So, I don't think the next time we speak, ransomware will have been conquered, but hopefully we'll be a few more steps down the line. So thank you so much for your insights today.

Jon DiMaggio: Thank you, Matt. I appreciate it.

Mathew Schwartz: I've been speaking with Jon DiMaggio, chief security strategist at Analyst1. I'm Mathew Schwartz at ISMG. Thanks for joining us.