LockBit Ransomware Group's Big Liability: 'Ego-Driven CEO'
Ransomware Researcher Jon DiMaggio Probes LockBit's Business Operation and Behavior
Mathew J. Schwartz (euroinfosec) • January 17, 2023
The notorious LockBit 3.0 ransomware group runs just like a business, with a relentless focus on recruiting top talent and maintaining an advanced product - which has led to the group's longevity, says ransomware-tracking researcher Jon DiMaggio.
But that doesn't mean everything runs smoothly in LockBit land. Take the ex-BlackMatter developer it recruited who quit LockBit and leaked its source code after the organization docked his pay by $50,000 to recoup a bug bounty award after a programmer spotted an error in his code. In response, the group branded him as being "a deranged psycho," as DiMaggio documents in a new report analyzing LockBit's behavior.
A major takeaway and a way to potentially disrupt LockBit: It's "a business that is run by an ego-driven CEO that has massive insecurities," says DiMaggio, chief security strategist at threat intelligence firm Analyst1. So, "while unfortunately they have a great criminal product … what will eventually lead to their demise is that sort of ego and the constant over-reacting because of their insecurities to things that happen, such as the developer leaking their code."
In this video interview with Information Security Media Group, DiMaggio details:
- Direct connections between the leadership of LockBit and sometime rivals such as DarkMatter and REvil;
- Why the LockBitSupp persona appears to be operated by at least two individuals, including the group's leader;
- The inside story of the developer who leaked LockBit's code and may be in hiding - and why he should be a top target for law enforcement recruitment.
DiMaggio has over 15 years of experience hunting, researching and documenting advanced cyberthreats. As a specialist in enterprise ransomware attacks and nation-state intrusions, he has exposed the criminal cartels behind major ransomware attacks, aided law enforcement agencies in federal indictments of nation-state attacks and shared his work at conferences such as RSA and Black Hat. In 2022, he authored "The Art of Cyberwarfare: An Investigator's Guide to Espionage, Ransomware and Organized Cybercrime," which was awarded the SANS Difference Makers Award for cybersecurity book of the year.
Mathew Schwartz: Hi, I'm Mathew Schwartz with Information Security Media Group and one of the most destructive and damaging ransomware groups in recent years has been LockBit. To discuss LockBit and tactics and techniques we might use to better disrupt not only LockBit but other ransomware groups, I am joined by Jon DiMaggio, chief security strategist at Analyst1. Jon, great to see you.
Jon DiMaggio: Hi, Matt. Thank you. Great to see you, too. Thank you for having me.
Schwartz: Jon, it's a pleasure to see you again. I know you've been spending a lot of time doing a deep dive into the LockBit ransomware gang, and I want to hear what you found. But also some of the challenges that you might have encountered, because so much of what we know about ransomware seems to be coming from the horse's mouth, which is obviously a problematic place to be.
DiMaggio: It really is, Matt, it is, and that's one of the reasons why I wanted to approach this research the way that I did. You know, there's sort of two parts to that. One, there's a ton of content out there about LockBit, but the majority of it is from the technical threat data perspective. And I think that with ransomware, that's a bit of a problem because while that model has worked for as long as cybersecurity has existed, you know, with ransomware attacks, it's very different because there's not another attack type where the victim has to speak directly with, or communicate directly with, their attacker besides this. So you know, the attacker has really changed the model of how they conduct these attacks. But we really haven't changed the way that we research, profile, defend and approach against it. So I felt like there was a lot of low-hanging fruit that was just a very different type of thinking and how to approach it in order to gain this information and turn it into intelligence. So that's sort of the reason that I decided to go in with a more human approach and sort of overlay that information on top of telling a good story with the known threat data and events sprinkled in and sort of add what the attacker thought from their point of view, even if it's not accurate, and it's coming from an attacker, meaning you can't always believe these folks. But even if that's the case, there's still an intelligence value. But by placing that over the events, as we know it, seeing how they either feel about it or want us to view it, there's a lot of room there for very good analysis to extract and understand the mindset of the attacker.
Schwartz: That's a great point you make in terms of adding insult to injury - the fact that you get hit by these groups and then, as you say, you're oftentimes forced to negotiate with these groups. Just to step back for a second, just to set the context in case people aren't familiar with LockBit, fill me in a little bit from a high level. This is a ransomware-as-a-service group, correct?
DiMaggio: It is. It actually started out as a traditional ransomware gang where they did the attacks themselves. June of 2019, they started out and back then, their ransomware would append the string .abcd to each file as it encrypted. And because of that, they got the name originally as the .abcd gang and LockBit just, they did not like that name. So after several months, they decided to update their ransomware and their note to append that LockBit and put that name in the note. So we began calling them that. And it was in early 2020, when they opened up their ransomware-as-a-service brand and started the model that they are today where they develop and have the infrastructure and have affiliates to actually conduct the attacks.
Schwartz: And so that model gains popularity with a lot of groups that seemed to be a way for them to really get the profits rising quickly because they brought specialists in who had different skills and help them work their way into more victims.
DiMaggio: Well, it's all about volume. If you think about it, here's what we need to do. We need to think about it for business model, because that is how the adversary thinks of it. And it's not illegal in Russia. You know, they're protected. There's no laws saying, "Hey, we're going to come arrest you." It was literally a business to them. And they treat it that way. So for them, it's hiring people, outsourcing the work, higher number of people, and they can conduct far more attacks and generate more revenue. And that's exactly why they use this model to conduct these ransomware attacks.
Schwartz: So you've been gathering human intelligence online. Maybe describe for me a little bit to the extent that you can. How one goes about this? Don't have to dive too deep into that just yet, but also some of the findings.
DiMaggio: Yeah, absolutely. So, it kind of started - and I won't go too deep with this. When I was at Symantec for seven years, and they had a massive amount of data. So when I left and I didn't have that huge data lake, I needed to find new ways to facilitate, finding interesting stories and interesting research. So, I really started to explore the dark web, something that I used to do as a hobby years ago. And, you know, developing fake personas is something that I did with the government. So I had a lot of background for that. And I just started looking for ransomware gangs, and it wasn't hard to find them. Once identified, where they sort of lived, I just started to use multiple different personas that I would develop to sort of get closer to them, get into the right forums, get into the right chat rooms, and whether - it wasn't in this case - but whether it's a Telegram channel, what they call Tox, which is just the encrypted communication channel, or whether it's a forum. There's different things that are said there. So being able to - even if you're just going to observe, you're going to gain information, let alone then interact and actually get direct answers to your questions is beneficial. But as you said earlier, these guys are very boisterous and they like to talk. So, it made the job very easy to do.
Schwartz: So, in terms of boisterousness self-promotion, PR savvy, I'd say LockBit is pretty well known because of the LockBitSupp persona. And you've got some fascinating research into that individual or individuals.
DiMaggio: Yes. So that's a great point. So the LockBitSupp persona, so that is, let's just say for folks who don't know, that is the name, alias brand, if you will, that they use to facilitate communication with other criminals for recruiting purposes for gaining notoriety, for talking with journalists, researchers, that's the account persona that they use. There's been a lot of speculation. Is that really, because they say it's the leader of the group. Is it really LockBit's leader or is it multiple accounts? There's criminals, they claim the whole thing is, they say, a 17-year-old sitting at a terminal doing PR. I don't believe any of that's true. And I spent a lot of time in analysis. I do think that there is more than one person. But I think it's definitely no more than three. And the reason I say that is I look for inconsistencies over not just the five months that I interacted, but I looked a rearview mirror look going back for as long as they were on the forums, and I only found a few contradictions in their storyline. And as you know, if you make up lies, you have to do to keep up with them. So when you have multiple people doing that, there's more opportunity to make mistakes. And I did find a few mistakes, but not many. So I do believe there is occasions where there is somebody different, but for the majority of it, and especially for what we'll call the high-value PR where they're doing interviews and they're talking to higher-level criminals, I do believe that is the leader of the group itself.
Schwartz: One of the fascinating things from your research that I took away was the extent to which these groups appear to know each other. I mean, because they had information on each other. I think you said it had been validated technically, but they were providing more of almost a human interest version that seemed to be valid, that suggested that somehow they knew each other. I would have thought there would have been more silos perhaps. What do you think is going on with the ransomware underground primarily focused on Russia here?
DiMaggio: That was probably the most interesting aspect of this for me is seeing those relationships. And, you know, as the cybersecurity community, there were certain events that we knew - for just a real brief example, there was BlackMatter ransomware code found in LockBit's newest ransomware, called LockBit 3.0. So we knew that to have that unique code in it in some of that unique functionality, obviously, they attain that source code somehow. But then when you hear from the adversaries' mouth, we'd all assumed that when the other group BlackMatter went away, that LockBit just bought the source code in and that's not what happened. Instead, they stole their high-level developer, they stole one of their employees. And when he came over, it is a human being, you don't want to have to rework everything from scratch. So, he naturally used some of the code that he had already worked and implemented into the new LockBit ransomware, so just little things like that. They don't change anything, but it's very interesting. You know, it's not that we got it wrong, but actually getting the story, the way that it most likely did happen, because there's not a reason really to lie about that. I thought that was very intriguing.
Schwartz: So we have this connection that you've established between these two groups. What about the other big players?
DiMaggio: Yes. So, all of that sort of stemmed. Originally, I thought it was just with a developer, but it's beyond that. So LockBit actually knew for one, the reason I got on LockBit was his relationship with the leader or previous leader of REvil. And I found that then he also had this relationship with the senior leaders of DarkSide behind the Colonial Pipeline attack, and who eventually transitioned into BlackMatter. And then now today, there's members from that group that are in Black Hat. And then this key developer - he used to work for a group called FIN7. So as you can see, there's a human association with all of these groups. And then I would literally see the key leaders of these groups, they would have these conversations and events, they were friendly at one point, and then they became adversarial. And they get into these big dramatic arguments, and I just would get my popcorn and watch. But, you know, it was really interesting to learn of these relationships outside of just technical means.
Schwartz: It so often seems like an adolescent-level soap opera, in terms of spice they're having, the language they're choosing to use, the threats they're making. It's pretty insane. Speaking of insanity, you were mentioning this developer who seems to have been hired away by LockBit, thus giving them some intellectual property from one of their rivals, friendly or otherwise. Now, did this lead to - again with the soap opera - did this lead to some fallout, though, with the developer in question?
DiMaggio: Yes. So that was a big problem. And the developer had a lot of concerns about what would happen, because he left that at the root. And it was very important to him that he had some level of protection. And you would think because the developer and LockBit had a fallout, and you would think it was related to that, and that was sort of the seed was that fear of the other group having retaliation - that developer - wanted the storyline publicly to go a certain way and LockBit did not tell it that way. They told their version of the truth about stealing the developer away and giving them the source code and everything. And what eventually happened is that source code had a vulnerability in it that the developer hadn't fixed and LockBit had agreed to pay publicly a bug bounty program that they put on their website. And they offered to pay $50,000 to anybody who found a bug. So, when someone did, and he had to pay them that, he took that out of the developer salary, and the developer was unhappy, because that's not the agreement that they had. So long story short, the developer was upset, he left and to sort of send a message for being upset, he leaked some of their source code. And he did a horrible job doing it, he presented this fake persona that he created that afternoon, claimed to have been someone who hacked LockBit and stole it. And of course, from LockBit's perspective, it was very clear what happened. So that developer has his own sort of infrastructure website on Tor, where he markets himself, and he still does work, but he is no longer working for LockBit. And it was a very dramatic exit. It involved sort of an arbitration where one of the senior administrators from the forum had to get involved. And then both LockBit and the developer sort of told their story in their testimonial.
The testimonial actually includes the developer word for word, his story is actually in the report - I put in the appendix, it was kind of long - but I think it's really interesting, though, to get it from their words, even if it's not completely accurate. Just to see and understand these conversations, I thought it was really interesting. And I want to sort of share that with the research community.
Schwartz: It further highlights that these are day jobs for people, they've got lives, they've got relationships, they need to be able to pay bills, they have managers, maybe who aren't very good at managing. And then you have this whole, I guess, criminal overlay over the whole thing as well. So yeah, I guess as messy as the real world can be.
DiMaggio: It absolutely is. And, it's essentially, like I said, it's a business that's run by an ego-driven CEO that has massive insecurities. And the end result, while they have unfortunately, they have a great criminal product. But I think that what will eventually lead to their demise is that sort of ego and the constant overreacting because of their insecurities, the things that happen, such as the developer leaking their code and things like that.
Schwartz: But LockBit, I believe, is continuing to still be a threat, not just a nuisance to the hit organizations?
DiMaggio: Yeah, they're the worst right now. If you were to measure ransomware gangs by the volume of attack and the revenue they bring in, factually LockBit is number one. They have more attacks than any other ransom gang has ever had, more than REvil, more than Conti, more than all of them by a lot, which is just crazy. But it's because they have made their software the administrative panel, which the bad guys used to control attacks, they've basically made a point and click. You'd used to have a trained hacker that had to manually enumerate all these networks and do all these things, where now it's point and click radio dial button, enter this domain group, and it goes. Now granted, it doesn't always work that smoothly, but even when certain components fail, there's still way more work that would have been manual work. And what happens then is the attacks are quicker and you have a higher volume of them and that is the reason that there are more LockBit attacks than anyone else is exactly that high volume of easy-to-conduct quicker attacks. And I have written about this. About two years ago, I'd written about this that they could see that LockBit was starting to test new features and this is what they're going to do. They're looking to automate and rely less on affiliates. And that's exactly what we're seeing is high volume, easier, less-technical experience necessary and it's bad for us, it's good for them.
Schwartz: Remove as much of the complexity as they can, automate as much as they can, as you say. So we've got this fascinating research you've done in the LockBit. Looking at how it's evolved some of the internal tensions in the group, its modus operandi, how do we use this against them?
DiMaggio: Yeah, so one of the things that the issues that we have with ransomware - I don't think anybody can deny we are not winning the war on ransomware. And if you disagree, just go look at the headlines. Every day, we're having these large attacks against governments, educational organizations, large Fortune 500 companies, and regardless of how good our defenses seem to be, they find a way to defeat them often. And I think part of that is the approach that we're taking to defeat them in this whole analogy reminds me of the 1980s approach to the war on drugs - we were putting up a good fight, but we were doing things in the wrong way. And what we did is we just spun our wheels. Well, that's what's happening with this, we're treating these ransomware attacks with all the traditional means, approaches, theories and methods to defeat it that we did with our struggle, previous cyberthreats. But these guys are different. So we need to look at it and approach it differently. We're putting out indictments to arrest these organizations, though, they're in a country where they are protected, we're never going to arrest them, the indictments aren't going to work. So while I love indictments because they're full of inside information, we're never going to actually prosecute. So we need to do things differently. And one of the things that I think we need to do is look at where we can make a difference. And clearly if somebody like myself can get in, and there's other researchers that have gotten in as well with them, you know, you can get in, get close to them, with all the insecurities that they have, and with all of the other criminals that either dislike them or are jealous of them, you can play on that insecurity and hurt or tarnish their reputation and make it so that they're not successful, and other criminals and affiliates don't want to necessarily work on them, or suspect that law enforcement has infiltrated them.
I can go on and on with different ideas that I have. But the psychological aspect of it is one way in the propaganda that we could use to sort of steer the criminal mentality to not want to work with them. I know it works, because we saw it, this happened to REvil. And we need to do that with LockBit. But on top of that, when Entrust, the cybersecurity organization, and they got compromised by LockBit and LockBit was going to publish all their data, and I'm not going to put words in their mouth, but there was a distributed denial-of-service attack that took place shortly after LockBit threatened to publish their data. And their infrastructure went down, LockBit's infrastructure. So he couldn't publish their data to their sites, and they literally stopped them, or at least slowed him down. And in the meantime, if you wouldn't do that and psychological operations, you would have criminal customers who won, there's all this drama and things playing on about the reputation and fear of them being infiltrated by law enforcement and governments and then to their infrastructures constantly not available, indicating things may be going on. And it might validate those accusations. I think we could really start to make a dent. And even if we didn't, when these things are not available, it's much harder for them to continue operations, because they usually do their negotiations and everything else through these portals. So I think that we really need to move in that direction. But that takes - a regular company, you know, there's laws that prevent them from sort of hacking back, if you will, or doing a distributed denial-of-service. But that doesn't prevent governments and law enforcement. And I don't just mean the U.S., there's governments all over the world that are being targeted. 
If we all sort of work together to do a joint operation against these large ransomware groups, I think we'd be far more effective than indictments and the whack-a-mole effect that we're trying to do now.
Schwartz: So combat them, not just technically, but also psychologically, it sounds like a great strategy. So chaos and help them hopefully tear themselves apart.
DiMaggio: Absolutely. Just a different approach. What we're doing is not working, that I don't think anyone can disagree with. So we have to try something different. So I'm hoping that with this research and things that I'm putting out, that's going to sort of grow and put a seed to implement some of these new ideas. And that's why I want to talk about those things and get that out there. I'm hoping that there'll be more to that. And, you know, I'd be happy and I try now, you know, talk with different organizations. I do work with federal law enforcement when I find this stuff and things of that nature. But there's a difference between me talking and writing the stuff to actually being an operational methodology that we use resources to do on a consistent level and that's where we need to do. Consistently approach it differently and in this manner in order to have an effect, other than what we have right now, which seems to be falling on our face a lot, just being honest.
Schwartz: Well, Jon, I appreciate the honesty, I appreciate the insights and the analysis of what you have been doing and sharing with us here. So, I don't think the next time we speak, ransomware will have been conquered, but hopefully we'll be a few more steps down the line. So thank you so much for your insights today.
DiMaggio: Thank you, Matt. I appreciate it.
Schwartz: I've been speaking with Jon DiMaggio, chief security strategist at Analyst1. I'm Mathew Schwartz at ISMG. Thanks for joining us.