Cyber Crime Junkies

Undercover In a Cyber Crime Gang. Shocking LOCKBIT Reveal.

April 29, 2023 Cyber Crime Junkies-David Mauro Season 2 Episode 24

Legendary security researcher Jon DiMaggio takes Cyber Crime Junkies undercover in a cyber crime gang, exposing the inside of LOCKBIT 3.0 and its leaders. Topics covered: why intelligence gathering is critical to security, how to expose the secrets of cyber crime gangs, his newest findings on ransomware gangs, how stolen data is sold by cyber criminals, what it is like to go undercover inside a ransomware gang, what to know before going undercover with a ransomware crime gang, understanding the people behind ransomware groups, and why it is important to understand the hacker mindset.

We discuss his role in the recent hit TV show TRAFFICKED, streaming everywhere (National Geographic channel).

And his blockbuster new publication, Ransomware Diaries: https://analyst1.com/ransomware-diaries-volume-1/

VIDEO Episode Link: 👩‍💻 https://youtu.be/m9YRaYGZY74


Our Video Channel @Cybercrimejunkiespodcast https://www.youtube.com/channel/UCNrU8kX3b4M8ZiQ-GW7Z1yg 

Connect with us.  

 DAVID MAURO Linkedin: https://www.linkedin.com/in/daviddmauro/  

 Cyber Crime Junkies Linkedin: https://www.linkedin.com/in/cybercrimejunkies/

 Cyber Crime Junkies Instagram: https://www.instagram.com/cybercrimejunkies/

Cyber Crime Junkies Facebook: https://www.facebook.com/CyberCrimeJunkies

Podcast Cyber Crime Junkies: https://cybercrimejunkies.buzzsprout.com   

Site, Research and Marketplace: https://cybercrimejunkies.com     





[00:00:00] It's always in the news. Cyber criminals attacking great organizations wreaking havoc on the trust of their brand. We socialized cybersecurity for you to raise awareness. Interviewing leaders who built and protect great brands. We help talented people enter into this incredible field and we share our research in Blockbuster true cyber crime stories.

This is Cyber Crime junkies, and now the show.

All right, well, welcome everybody to Cybercrime Junkies. I'm your host, David Mauro and in the studio today we are joined by our illustrious co-host, Mark Mosher, this time. Mark, how are you today? Doing wonderful, David. Thank you. Thank you. This is gonna be an exciting episode. I'm really, it is. [00:01:00] I have the man himself back on.

We have been wanting to speak with our special guest, Jon DiMaggio, security researcher, well-known author with Analyst1. Phenomenal research that you've done. And Jon. Thank you. Thanks guys for having me back. You know, I feel like we're family here. We gotta, we gotta do like once a month thing here.

You know? I missed you. Absolutely. I love that idea. You keep breaking stories and I keep seeing you on TV. You'll be, you'll be on every week so. It'll be more coming up. It's ridiculous. Yeah. Thank you. Well, let's get into it. Let's find out. So last time we met, we talked about a notorious cyber crime gang specializing in ransomware.

And as the listeners will understand, these ransomware gangs, they, they get known by the code that they, that they develop, right? They get known by their brand, and their brand is often named after the ransomware code that they develop, right? In the case of LockBit, there was LockBit and there [00:02:00] was LockBit 2.0, and now there's LockBit 3.0 and the code that they developed, the, the methods, the operations wrapped around the code, how they executed, how they

launder money, et cetera. It's, it's, it's all a big, it's a, it's a, it's a pretty well-developed criminal organization, right? Yes. Very mature. Correct. So you were recently on National Geographic Trafficked. Congratulations. Thank you. That was a gr. It was a really, it was a great episode. It was a really wild show.

And because they started off the episode I love the show generally, but I your part, they, they started off the episode with the, like the Crips and the Bloods and how they're getting into account takeovers, and I was like, holy cow. . I was like, where is this going? Like was the show ? That's kinda the way I felt when it aired.

I'm like, I'm watching the right one. Well, I was like, well, and when you had said you had gone undercover and been interviewed for the [00:03:00] episode, I was, I was thinking, I'm like, is he gonna like pop out of the corner? Is he like, , like, are they having 'em deal heroin too? Like what are they having them do? Like, what is going on?

Right. and then, and then it, yeah. And then for, for those, we'll, we'll have a link to the episode in the show notes. Check it out. Really, really impactful episode. Like, shocking. It was, it, it blew my mind how the criminal gangs are getting into. Cybercrime because as they explained, right? Why face, you know, if I deal fentanyl, if I'm a gang member right?

And I deal fentanyl, I can go away for murder when somebody ODs on it, right? And, and that's happening. Whereas cybercrime, they might go away for five years or so if they get caught and it's federal prison as opposed to state prison. Right? So, you know, what I really picked up from that is the fact. It really shows the separation of having to have some type of basic skillset or knowledge [00:04:00] to become a cyber criminal now, like these guys are through, they're street thugs, common criminals.

Yeah. But yet they're able to go and my data off the dark web and, and start producing these scam cards and other things. You know, that's, that was kind of my takeaway is it's almost like, look, people, these are actual criminals now that are doing this type of behavior and coming after you and your.

Yeah, it's, yeah. That's scary. So, so first tell us about, tell us about what it was like to be on the show first. How's that? Let's, let's, let's start there. Sure. So they, they, they approached you after you, after your paper on LockBit came out, or how did it, how did it go down? Yeah. So actually they approached me originally, I, I put out that, that paper on REvil mm-hmm.

mm-hmm, which where, you know, this arguments and the, the, the dramatic fights that were taking place in the criminal forums. So when I finished the REvil research, I kind of transitioned into LockBit. At the time. So when the show, the show [00:05:00] contacted me they were, they were looking for cyber researchers that had an expertise in, in tracking that particular group.

At the time, I couldn't tell them the stuff that I was doing with fake personas and on the criminal forums and, and pretending to be other people and things like that because I was right in the middle of the research. Oh, cover. Yeah. It was your cover. Yes. So there was a lot of things going on behind the scenes in the background.

You know, I couldn't, couldn't share with them. But for, you know, the, as far as the, the show went, we, regardless of that, I think it would've been a lot more interesting if I could have shared that. But regardless of that, I felt like they did a really good job. But, but when they approached me, you know, Somebody to reach out until we're a meeting and we, you know, we're, we're hoping that there's someone that can, can, can look at, at what, you know, files we're gonna ask 'em for, for, for aspects of, of their of their ransomware.

And, and we're gonna, you know, do an interview, but we wanna know if we, if we get any files or if we get anything back from them, you know, is that something that you could look at for us? And, you know, [00:06:00] while that's scary for them, that's Christmas for. So I was like, yes, . Yeah. And and, and, and so I think it was, you know, they had they had ba essentially if I, if I had, I think I have this correctly.

VX Underground broke, brokered the, the deal for them, or he made the connections to broker the deal. VX Underground is a very well known, it's sort of a, a staple in the, in the hacking community. They're nothing malicious. They're not, they're, maybe they once were, but they're, they're, you know, they're, they're more like just a, a well connected historical place.

They have a lot of data on both good and bad things that they store. And researchers really can use that as a, as a, as a resource. And so anyway, so they, I believe they set up the actual. Background. I was, I started working kind of like a, almost as like a consultant on LockBit. And then after they talked to me enough, they were like, you know, you explained things really well.

It's not overly technical. It, it's, you kind of tell a story when you do it. Do, do you wanna participate in the show? And I was like, absolutely. And then, you know, originally we were gonna meet in DC and actually, you know, do like a live filming [00:07:00] there. I, I, I. I think there was a lot to share, but while there wasn't all in that show, the report that I re, that I released a couple if, if that could have been public bef before I did the interview, I think there would've been a lot more, a lot more discussion points.

Oh yeah, that's right. Because that's the timeline, right? You, you, yeah. You, you recorded your, your portion of the show, then you released, then you, then you released your report and then the show. Okay. Yes. Makes perfect sense. Yes. Yes. So for those that might have missed your first episode with us and we'll have links to that in the show notes or it's on our YouTube channel.

Check that out cuz it'll blow your mind. But explain to everybody kind of your, your role with Analyst1 and what it is that you guys do. Because it's Sure. It's really cool. It's like the coolest job there is. It is a cool job. Thank you. Yeah. So, so Analyst1. We are basically, we, we, the company itself actually makes makes software for analysts like myself.

So when we do threat investigations a way to take all of those, [00:08:00] the threat data, threat feeds, and all this, this computer threat related information, and they, they make it

So you have security operations, research teams and folks like that, that sort of, that use this to make sense of all of it and and make decisions when you're under an attack. And for my part in, in the company. So you know, I, I am, I am sort of. In my threat intelligence analyst role. I am, I'm a one man team for that.

So all the stuff that I, that I write and I do that's, you know, the, my, my own research. But, and then as you know, far as the company goes, I'm the chief security strategist for the organization. But the, you know, the, the writing and the research is, is, you know, where that's really what my heart goes into.

You know, I love, I love that. I love what I do. It was a hobby before it was, was my job, you know? Yeah. And I just really enjoy it. That's so cool. So LockBit. So let's talk about LockBit. Sure. You know, I've seen a lot of criminal gangs out there. I've seen a lot of criminal cyber gangs. These guys kind of go [00:09:00] over the top.

I mean, can you explain, and not to rehash what we covered in the first episode, but because part of that was, was about how, how the recruiting and everything else, but this gang operates over in Eastern Europe. and they launch massive ransomware attacks that have been all over the news. Right? Yeah. And they are by far the, if not one of the very top, most prolific, most dangerous ransomware gangs today.

Is that fair? Fair? That is definitely fair. So let's talk about their, their recruiting methods, like the, you know, on the dark web, they wanna get people with some. Skills to, to join them. Right? And they go through a series of tests to make sure that they can trust the person and that the person's got the right skillsets, right?

Yeah. It's not just a, a, you know, a technical assessment that's done. But [00:10:00] the more important part of that is, is sort of, you know, your, your reputation, who you've worked for what compromises you've been a part in, who can validate or vouch for you. You know, they, they generally. Want to make sure that they have very but you know, it's kind of funny cuz they want the best hackers in the world to work for them, but they've made their, their ransomware you know, so easy to, to manage and distribute during an attack.

You really don't have to be an expert to do it. But right. You know, they, your skill, your skill is getting people to click on the link or to download the attachment in order to. Right. Well, even not now. With, with their software, you don't even have to do, do that. You can actually put in a domain and it'll scan it, look for vulnerabilities, and if it finds one, it'll, it'll exploit it in real time on their public facing their internet facing infrastructure.

Yeah, obviously. Yes. That's also one of the methods that you use is spear phishing. That's correct. Yes. And. You know, the, the same with once you're on the network with, you know, collecting information such as trying to, you know, enumerate the, the infrastructure, find share [00:11:00] drives, spread, you know, gain administrative privileges.

Even with the stealing of, of, of data, now you can, you can put in a document type or a directory name or an extension type that you want, and it'll automatically go out, grab it. Up into, into the internet and pop it back out on LockBit's infrastructure. You know, previously they had to use like legitimate tools like rclone that were designed for legitimate purposes and then they'd have to store it on a legitimate cloud provider's service.

And you know, the problem with that for them was, although it would take, was either law enforcement or the provider shutting that down and they lose access. So that's why you're seeing gangs like, like LockBit that now host all of that on their own infrastructure to prevent that from happening. So yeah, when they, they basically just, like I said, they made it point and click.

You put in the domain, you click some radio dial buttons, you put in the parameters of what you want and you click go and lit. Well, actually, it's like you put, you know, let's, I think it's like, let's get LockBit Black or something like that at the bottom, [00:12:00] you. Click it and it goes out and it, it attempts to do all this.

But think about it, even if, if everything's not successful, cause I mean it's probably, you know, most, more of the times than not, it probably isn't a hundred percent perfectly run where it does everything for you. But even if it's 60 to 80% that used, you know, used to take. Attackers, you know, like three to 21 days in an operational network to, to conduct an attack.

These guys now can do it hours to days because of this. So, so even if part of it's successful, yeah. It, it saves them so much time and, and everything's managed from this one central console. You can manage your victims. You can do the chat negotiation. You deploy the attack, you steal and collect the data.

Everything is done for there. It it, that is in my opinion. So successful is the ease of use that they've used to develop their software and or their ransomware, but as they call it, their software, you know, it's a legitimate tool for them. And because of their profit sharing model most ransomware groups, their ransomware provider, the, the, the sort of the core gang controls all the money.

And [00:13:00] after an attack, then they pay the affiliate. And with LockBit, he lets them control the money and then pay him his percentage when he is done. And because of that, there is an inherent trust in this sort of like cult following that they have with with affiliate hackers, unfortunately. Okay. So many questions.

So, so, okay. So let's, can we back up just a second? Sure. Absolutely. So this new, so there's LockBit, LockBit 2.0, LockBit 3.0. Now LockBit Black is this kind of automated enhancement to LockBit 3.0. Right, and it automatically. Can you, can you kind of elaborate on that for us? Yeah, yeah. So it's confusing because there's different, so there's the internal names and there is the public names and Right, so the internal names, when I was doing all this stuff, you had so first it was LockBit Red, which is publicly known, is LockBit 2.0.

Publicly known as LockBit 3.0. And now there's LockBit [00:14:00] Green which doesn't have a number, but is actually a stolen. They stole the source code that was leaked. They, I didn't steal it. It was leaked, and then they, they used it and they altered it from, from Conti when Conti went, went was leaked, and, and, and some of their code got leaked.

They obtained that. They altered it, and they're calling it LockBit Green. And, you know, that's, that's one of the new things that they're doing is they're, they're, they, it looks like they're, they're going out and trying to get other versions of ransomware. So that if an affiliate's conducting an attack and they're using LockBit's management console and LockBit, let's just say that LockBit's ransomware payload gets detected.

By security software. Well now they haven't wasted all their time. They have multiple other payloads from other competing ransomware gangs, and they've just altered them to change it so that the payment and negotiations come back to LockBit and now they're facilitating that attack. So it's basically a way to keep.

More affiliates working for them and, and happy, you know what, what they do kind of reminds me of, you know, when you have, you know, a really [00:15:00] good resource, you know, whether it's a website or whether it's an app on your phone or, or software. And each how they really focused on that. Well, from in the criminal world.

That's exactly what this is. So let, let me ask you this, the. Cult following that they have of these affiliates that are very loyal to them and they're building up their, their army. You said that what's unique about LockBit is they let them manage the money and pay, pay the core LockBit group. Yes.

Their cut of it. What, in your research, and we're gonna get into this in just a second now, in your research, like what happens if they. Like, like do they these, like what? That's good question. I mean, I mean, let's, I mean, I know there's honor, they're criminals, right? Yeah. I, I know there's honor among thieves, but Okay, what happens?

I'm sure there are these It does happenstances it absolutely. Yeah. I know for a fact that it happens. But here's the thing. Most criminals do pay, and the reason that they do is they're so, sounds strange, [00:16:00] but they're so happy with not just the development of, of using the, the, the ransomware and the admin panel on all those resources, but.

You know, LockBit's constantly asking them for feedback on improvements and what they wanna see in the next version. They wanna be able to use it again. They wanna be able to use it, continue to use it. And they're Well, yeah, and they're the customer. They're the customer of LockBit. So LockBit's providing these, these hack criminal hackers with it.

They, with a, with a service and he is apparently doing it well cuz they keep coming back to him. But that's how they look at it. That's the reason they're willing to pay is. if they don't, and then they have to go to a competitor that's not gonna have the same level of, you know, customer service and development in their software, their job's harder.

So it has happened and it does happen, but for the most part, they do pay and, and it works out for him. But, you know, with, since they came out with LockBit Black and the differences from the other, I'm, I LockBit 3.0, LockBit Black. Same thing. But the difference is from the [00:17:00] previous versions is each iteration they add.

Functionality and they make it easier to use. So once, so more automation. More automation, less so. So we've talked in the past about IABs, or like initial access brokers, people that are just out there, the thousands of hackers that find a vulnerability or former employees who have a grudge against the company.

Whatever it is. And they go and they sell access. Like I, you know, we've talked in the past about initial access brokers and how they have all this access to ABC company, right? And they sell that for a couple grand on the dark web and then they're not involved in the ransomware attack, the extortion, the money laundering, et cetera.

How does LockBit Black, this kind of almost complete automation that will scan for vulnerabilities and find them and then launch it, how does that affect the relationship with IABs, initial access brokers? Yeah. Well, they still, they still use them.[00:18:00]

LockBit's been providing the service and the resources to make the attack as easy as possible, but it's still up to the. It's to actually do the breach and the compromise. So, like I said, it doesn't always wor work because you know, you're not gonna always have vulnerable infrastructure or have a person click on a spear phishing email.

And so in those instances, you know, affiliate hackers still go and, and, and purchase access from those brokers in, in order to facilitate an attack at the end of the day, whether they obtained that access from something that lock bit has helped 'em to do or whether they've done it on their. If they don't get in, they don't get paid.

Right. So it's commissioned based to them, it's, it's fully commissioned based. It is, they'll spend six grand to get access and they'll, you know, make millions of dollars. I mean, you know, it's, it's, it's, it's literally crazy. But it's that, it's, it's that simple sometimes. And that's exactly what they do.

So, so those brokers are, are still, it does, you know, they're, they're probably getting more business because the attacks are easier to facilitate, you know, cause once you have access, you [00:19:00] still use their tool on their panel. You know, you're not having. Manually go in and, and run commands and, and write scripts and do all this other stuff.

You know, you still just use their software once you're inside and it still makes your, your life easier as a criminal. So you mentioned that LockBit calls it a software, right? They don't call it a ransomware tool or an extortion mechanism, right? Correct. They call themselves pen testers. Right? Is it easy to, and they're providing a pen testing service, a pen testing service, an UN unres testing service,

Right. And you're paying for that. You're not paying Yeah. A ransom for their service of making your network safer. That is how they, they look at it. Interesting, interesting. So let me ask you this. In, in the countries that they operate, is it because, Essentially, there really is no, there might be laws on the books, but there's nothing, and I don't even know that there are, I mean, it depends on which person and, and the specific segment of the crime, but Right.

In [00:20:00] particularly, it's it they're really operating without any legal ramifications. Correct. You know, as long as, as they're not doing an attack against, you know, Russian organizations, Russian infrastructure, you know, they're, they're, they're not gonna be looked at by law enforcement. They're not gonna get arrested.

You know, the only arrest we ever saw was with REvil, and that was right because you. You know so yeah, they're not facing arrest. The what? They, they don't fear or, or I mean, I Sure it is a fear, but that's not their main fear. Arrest is not their main fear. Their main fear is having their money seized and then being forced to support the Russian government.

And, and work for, you know, them to do, you know, stuff with the war against the Ukraine or other adversaries of Russia. And you know, obviously if you're working for the FSB you're not making the kind of money you're making as a criminal hacker. So I think that that is, or I don't think, I know that is the, the larger fear.

But cuz you just don't see the arrest. The rest that you see, the arrests that you hear [00:21:00] about and you read about and you see have always been affiliates. Right. I can't think of people low down on the totem. Yeah. Yeah. I can't think of an instance where the core gang has been arrested. I mean, they've, they said that it was withal, but.

I don't know that that, I believe that was, was a RO who was arrested. But, but different conversation. But, but yeah, really there's, there's no arrest to be made unless they leave and they go to somewhere that is a, is a, a US or US allied country or, or any, I guess, a country where they have laws that are enforced with, with those sort of computer crimes.

But for the most part, if they stay in Russia or in any of the CIS states, they, they, they're. Yep. And the risk we all have is every time we get online, we enter their world. Right? Correct. Yes. So let's, so let's talk about, you've mentioned LockBit, and you said he, it's like Mr. LockBit, Mr. LockBit.

Yeah. Can you elaborate? And, and maybe even [00:22:00] before, let's talk about who, who the head person is or head. Couple people are there, but then I want to go into how did you find that? Like, did you don like a ninja outfit and like scale down, like I wanna know how you went undercover as much as you're allowed to, to You're right.

As much as you could say. Yeah. No, it wasn't a ninja outfit. It was a black rubber Batman suit, but, but pretty close. Excellent. Excellent. I'm kidding. No, so, so yeah. So LockBit, I say he, so they use a persona on, on the criminal forum. So there's, there's a couple different aspects of LockBit. Let me just explain that real quick.

There's their own infrastructure. There's criminal forums, and then on a few occasions there's markets to sell data. The criminal forums, they're associating, you know, with criminals. So that persona's interaction is, is different than it would be if you're talking to a victim. So that persona is the actual gang members themselves.

And my opinion, there are, there are two people that, that man that account there's some other [00:23:00] researchers that, that feel that there's three. But regard, It's, it's not one person. And you know, those, those people though is the leader and there are different ways to tell which one you're talking to cuz their personalities are, are a little bit different.

There's been an occasion where I've actually. We found one, it's the same account, but one will tell you one thing and the other will tell you another. It's rare, but it does happen. And then there are, and this is, this is not my, this is secondhand knowledge cause I'm not an expert on the dialect, but there has been some.

some people looked at the language and actually said that there is times where the slang and the, the way that they write that it's probably someone from a different area than the other primary account I is, is used. The person behind the account is used. So different regional locations use different slang, different talk.

So yeah, there's evidence that there's more than one person. But again, my opinion, there's, there's two and I think one is, is is probably a little bit younger. And the other one is, More mature senior in, in the gang, the leader of the [00:24:00] gang, things like that. But the way that I find them you know, it really starts with just figuring out their, sort of, their footprint on the dark web, what resources they use, what criminal forums they live in, and then how do you get into those forums?

What are the requirements? Does someone have to vouch for you? Can anyone access it? Do you have to buy your way in? And each forum has different report requirements, but really once you get that access then there's, there's two ways to do it. Just getting access. You can see some things. But you have to build credibility and you're almost ranked by your experience and things of that nature.

So you have to build that up and, you know, as, as you do that, you know, you'll gain more access. And then the third place is actually going directly into the chat rooms with LockBit and some of their criminal element directly. And you know, that's obviously the harder part to do, cuz cuz now you're, you're literally one-on-one talking.[00:25:00]

Around him. You know, and a lot of their You were, you were speaking, I'm sorry to interrupt cuz there was a little glitch on the technology. You were speaking one-on-one with the head people at LockBit when you were undercover. Yes, correct. That's how I got all the information. Like I don't think anybody doubts that after they read the report.

When I told it, when I would tell people that at the right before I launched the report, people. Yeah, yeah. Okay. But then when you, when you read the report, you're like, oh, wow. Cause, cause it explains, we know all this stuff publicly and now I'm showing like the screenshots, explaining and connecting all these dots of what happened behind the scenes in reality from the human aspect.

And when you overlay that on top of the, the technical threat evidence, it just makes for an awesome. . Yeah, exactly. So did you, did you have to take tests in order to get access or did they have to vo, like who did they vouch for you? Like how did they verify that you were legit as a Yeah, as an undercover person?[00:26:00] 

So, well there's, there's, there's sort of a, a two-part answer. So for the forum part, I would use.

You know, you sort of use one to build up another and to vouch for you and to get credibility, and it's sort of a, a long-term development role where you're always developing stuff in the background and then you kind of have two that you use proactive. Actively. One is your main and one is your backup, and they sort of support each other.

And then, you know, believe it or not, there's other security researchers that do similar type of work that are out there and, you know, we'll, we'll help each other sometimes too. But, you know, once, once you do do that, you know, you get access, access to these forums, you can see a lot of these conversations and, and there's a wealth of knowledge there.

The next step though is, you know, if you wanna actually try and become an affiliate and gain access to tools and resources, , you know, they have, you know, basically that they, they would have like openings for, so it's like a job advertisement where mm-hmm. where, you know, they're actually recruiting and, and they have a set of rules of, of what you have to [00:27:00] meet in order to, to get this job.

And you can apply to it. And it's through this private, it's, it's software. It's called Tox, and it's basically just an encryption software that, that's client. It, it doesn't sit on a server, it sits on each endpoint, communicates and, you know, encrypts and then communicates with one another. And they use that.

So you have to have their ID. And when you, you go in and, you know, you apply, basically you say, you know, you wanna work with them, they want to, they'll start, you know, asking who you know, what you've done, who you've participated with in attacks before. These are all things they can validate pretty easily because what a lot of people don't realize is most of these gangs know one another and can communicate with one another and access each other, and, and they can validate a lot of this.

The second piece, which is where I probably failed miserably, is the, the technical assessment. Cause I'm not a hacker, you know, I understand how everything works, the principles and the things behind it, but I personally, I don't hack things. So, you know, I didn't, I didn't pass that, so I didn't become an affiliate.

But, you [00:28:00] know I, I still had all the, the access to that one-on-one and to the, to the Tox channel. And, and to talk to them and to, to, to, you know, hear the conversations and see the things that they were saying. And I don't know if, if they just forgot about me or if, you know, I, I, I don't, they just like me enough to keep me around or, or what, but so were you able to in your conversations with them, identify some of the criteria they have for, for recruiting?

Like last time we spoke, they have, like this culture, they have this, this mission statement for like their code of conduct, which is a weird concept. Yes. Can you, can you explain that to... Yeah. Well, it, it's sort of, it's matured over time and it actually the, the, the reason that it matured actually started with, with different ransomware gangs.

So REvil sort of, really, they weren't the first to do this, but they were probably the, the most prolific at it. And, and they had their ads out there. And originally, like for example, they would only [00:29:00] take hackers that were in Russia. You, you had to be a Russian nationalist, and I had applied back in the day with them to fill that also.

But they, I didn't get very far with that one because they asked me questions about Russian folklore, which Hmm. So I didn't get very far with, so time as they grew, they realized they need more than just people living in Russia to help them to facilitate worldwide attacks, that they wanted to be a big player.

So I think LockBit saw that. So they never had that requirement that you had to be in Russia. And I think they were smarter at that approach, you know, because they, they hired affiliate hackers from all over the world. Mm-hmm, and that's that. And their software are one of the reasons that they have such a high volume of attacks compared to most other ransomware groups.

So in your communications with them, was it mostly in Russian? Did you have a translator with you? Do you speak Russian? Yeah, I don't speak Russian. Yeah. Okay. Yeah, that's how I was like, how did it happen? So, yeah, [00:30:00] I didn't wanna have to deal with you know, having the translator to help me with, with all this stuff.

I didn't have to. So what I did this time, it was a, it was actually an idea from a colleague, but you know, it was high probability that that LockBit didn't speak German. And so we just, we just started out as that we were German hackers and started speaking German and almost immediately they're like, yeah, if we don't speak German, and, but I knew, you know, they all speak a little bit of English cuz that's most targets are English speaking countries or are a lot target.

So, and that was one of the things that Weakers was in the, it was in the recruitment ad. So it was, it was just like, okay, well they probably speak English too. So then you just start speaking in broken English and say, Hey, let's communicate this way. And you just have to make sure that you don't do it too well to give yourself away.

And that made it much easier to, to communicate. And because I wasn't like a core affiliate cause I didn't get that far, you know, it, there wasn't a lot of scrutiny. But like I said, I, I never really understood why I kept having the access that I did, but even if I'd lost that [00:31:00] access, to be honest with you, the, the best part of the story, you know, really came from the forums and watching the, the drama between LockBit and some of the other gangs, and then the things that they would divulge during these, these heated, you know, arguments and stuff that was, that was... what were they arguing about?

Yeah. Well, okay. That I wanted to ask is, is there's some type of rivalry in these that they're all in, they, I mean, filled with a lot of affiliates from other... Yeah. A lot. Affiliates and other criminal gangs, they all live, there's a couple foreign, but there's one particular that they, that they, they spend their time on and LockBit is one of their... One of their things they're really good at is what I'm gonna call PR and propaganda.

Mm-hmm. And I'm gonna just, cuz I've used them as an example cause there's different ones, but let's... When REvil was the top gang LockBit started this propaganda campaign. And if you remember there was a hospital in Alabama that came under a ransomware attack and a baby died that made, you know, [00:32:00] worldwide headlines and, you know, LockBit took that headline and went to the forums and was basically like, look what REvil did.

Like, you know, they're, mm-hmm, they go after children, you know? Cause that's, that's the one thing that even criminals, you know, draw the line. Or, or at least some of them is things that hurt criminals. And they just went in this big smear campaign just bashing REvil, and you know, REvil was, was got upset and started arguing back with them.

And they're just, you know, they're, they're going back and forth with this thing. And in reality, you know, cause there's, there's court paperwork on this and the, the ransom note and the ransomware that was used when you actually go look at the court paperwork was. Which is, was ran by the same people who did the Conti ransomware operation.

Mm-hmm, and, you know, so, so there was never any evidence that it was them, but early on they used that as propaganda to make people think that it was them. And, you know, and it worked, their, their reputation started to become tarnished and many other things happened to tarnish REvil's reputation after that.

But my point is, there's, they do this regularly. There's been multiple other [00:33:00] competing ransomware gangs where they have done this. Working with the FBI or they've been infiltrated, or they'll claim that someone is actually, you know, working with the FSB as well. And that takes away from them being able to treat their, their, their service or their business with a, with a level that, that they can and things like that.

So there's lots of different things that have happened. Even trying to steal the most recent, trying to steal ransomware from another gang trying to get the source code stealing a developer, they stole the primary developer from. The, so if you guys remember the Colonial pipeline, the, the person who developed course The Ransom.

Yeah, yeah. You know, for the, for the Colonial Pipeline hack. You know, they, they were called DarkSide and they went away and came back as BlackMatter. It's not a far leap from DarkSide to BlackMatter. But anyway, hold on. That's a different conversation as well on their creativity with their names.

But he developed LockBit, LockBit poached the talent from Black... Yeah. And, and they, they had been friendly up until that point, and [00:34:00] once, once that happened that developer went over there. You know, that caused a big rivalry there. And it all played again. It all played out on the criminal forums and, and in it, you know, it, it just went south and lots of, of details were divulged about.

And not only was DarkSide matter, but then BlackMatter went away and then they became BlackCat, also known as ALPHV, and you got the leader of LockBit, basically putting this all out there. And as well as the developer also worked for another crime group called FIN7 back in the day. And so anyway, I'm just taking notes and making drawings and diagrams and connecting all this and, you know, it's, it's, it was just, it was awesome.

A lot of similar players. Oh yeah. I, we, we followed that whole evolution between DarkSide to, yeah, DarkSide to, to, to BlackMatter. And now ALPHV. And they were just in the news for, for a pretty big, pretty big breach. Ransomware attack, holy cow, which was, was, was LockBit.

Let me ask you, there was one that was [00:35:00] involved, one of these gangs that was involved in the children's hospital up in Canada, and then they, they fired the and severed ties with, with, with the affiliate. Wasn't that LockBit? Because I saw the, it was LockBit PR around it. Yeah, that's what I thought. Because the PR around it was like, we don't do that.

It's in our code of conduct. We don't do that. We have severed ties with, with the affiliate. This, this affiliate went rogue. Basically committed a criminal act in our opinion. Well, so a lot of that was, was PR. Mm-hmm, for the public to see. Behind the scenes it's not considered as big of a deal until it became a...

Right. You know, they do to, to attack hospitals, but they still do it all the time and you don't see them giving the decryption key for free every time they do that. They did it in this case. Right. You know, I mean, maybe because it was with children. Maybe they, they didn't like that legitimately, but.

What I'm saying is it wasn't made like this. Oh, we don't stamp them. We're fire. You know, we're, we're severing [00:36:00] ties. We're not doing this. You know, that, that didn't get to that level until that the public perception came down on them. Cause here, here's the thing, they don't want the government coming after them.

I mean, obviously governments come after them, but not in the level like they did with DarkSide when they attacked Colonial Pipeline or like with Evil Corp, when they pressed sanctions against them, everything, that's, that's what they wanna see. They don't want... Yes, just like any criminal organization, they don't want heat.

They don't want the attention, they want to go about their daily business. Everybody kind of knows that they're there, but they don't want the attention to be drawn right on them. Interesting stuff. What, what are your thoughts, Mark? You know, well, whether or not these rival gangs are aware of each other's development of either recruiting or code or techniques or tactics.

You know, if they try and almost gather intel on the other ones. Yeah. You know, that's, yeah. Jon, how about that? Do, do the gangs, are they aware of each other's [00:37:00] development of their business model, whether it be in recruiting or in code and exploits that are being used or ransom collected or targets collected?

Are they aware of what the others are doing? Maybe to help even grow their own, you know? Yeah. Not, not only. Not only are they aware of, of what they do. Many, like I said, many of them know one another. The affiliates, you know, the good affiliates work for multiple ransomware groups at the same time. Often they know a lot of same key.

Yeah. Wow. So the different with one another. Yeah, so the different, so one single affiliate can work for BlackMatter, ALPHV and LockBit, right? And, and carry out, execute different, different campaigns. Yeah, that, that's correct. And you know, there was, maybe it was like a month ago, six, no, maybe it's two months ago, but somebody called me and they were like, hey, it was before the Hive takedown, but they were like, hey, you know, have you [00:38:00] ever seen LBE working with Hive or some sort of joint association?

And I was like, no, I haven't. But that, that's what it was. Is, is they deployed one of those payloads. It was detected. So they deployed another one cause it was an affiliate that worked for both. And again, that goes back to what I originally said of why LockBit wants to bring all that in house. But it, it didn't mean that it was a related, direct relationship.

Where you would see a direct relationship would be if, okay, well I'm seeing the same source code used in both of these. Or, and, or, Hey, I'm seeing the, the leader of, of, of the group claim that they, they worked with this other group or I see them talking and collaborating. But again, Go get that access to figure that part out.

But, but yeah, many of them know, like I said, know one another, work with each other, share resources. They don't necessarily like each other, but it's just, it's such a small community and really it's very, very small and well connected. Unbelievable. So what, what is on the horizon for you, Jon? What's, what's coming up next?

Are we, well, are we going down to do this? Are we [00:39:00] doubling down on LockBit? Are we, are we targeting somebody else? What can you share? So I am working on the Ransomware Diaries, volume two right now. It's what I, what I'll say is, let me, let me just explain what happened after I wrote the report.

And this, this, this is part of it, you know, after I wrote this report a couple, like a week after, I mean, it was the day after, actually. It was the day after. Yeah, it was January 17th. LockBit on one of the forums that they're on, they changed their avatar and they took my face from either Twitter or from LinkedIn, and they put that as their avatar.

So Good. So, yeah, so I knew at that point that, you know, that they, they were definitely paying attention. To me. So, so I thought that was interesting. And, and, and then, you know, and, and one of the things that I, that I saw was with my face on this forum, they're getting. With one of the former leaders of Conti, if you remember Conti Leaks, one of the key, right?

Leaders of that was a guy known by the [00:40:00] moniker Batty. Well he, Batty and LockBitSupp were in this heated argument cause Batty realized that LockBit was trying to steal his source code. And, you know, that's really, that's how I connected the dots of what they're actually doing. He's got Conti source code now.

He's going after this. And, and, and LockBit was like saying, hey, I just wanna prove that my ransomware is, is faster and better than yours. And if I, if I, I need it. And I don't like to just say things, so I wanna test it and show those metrics on our site. Of course that, that's not true. He wanted to steal it.

Right. Wow. Because he had the big, he had a big blowout with his developer who let the one that he had stolen from black I don't look at the leader of her. I look at him as a business person and Right. The reason I say that is because he, you know, he's not making his own code, he's not doing the hacks.

He's bringing in resources, the software development, making sure that his clients are happy and things like that. So yeah, it's, it's a, it's a different model than most of their ransomware groups for sure. But yeah, so they were getting this argument with my face. So, anyway, to answer your w [00:41:00] where it, it, the next ver the next element of, of the ransomware diaries, the volume two.

It kind of starts where you left off and gets into that. And there are, there's, there's a whole other piece, but I, that part I can't, I can't get into right now, but there's a, there, there's, there's some big aspects to it that'll, that'll be pretty interesting. I don't know if you can ever beat the volume one, but, but this'll be, be close.

Well, we're excited about seeing that. Is it, is it, yes. Is it primarily focused on LockBit or is it gonna be about a couple of the different gangs? Because there seems to be blending between several of them. From there,

I mean, is, is the next Ransomware Diaries going to be focused solely on LockBit or is it gonna be kind of a blend in the evolution of several of these? Yeah. So it, it definitely is not, it, it, it's gonna start with where I left off and sort of lead with LockBit and it's gonna go a little bit in a different direction.

[00:42:00] I, I, for reasons there that would affect what I'm doing right now, I can't say exactly what that is. It, it definitely is gonna still have LockBit as a core player, but it's gonna have this, it's gonna center around some other... Excellent. As soon as that comes, the ball really high. Yes. Yeah. As soon as that comes out, we're gonna have you back so that we can, yeah, we're gonna talk all about that one.

We can get the inside scoop. It's gonna be a good one, for sure. Before we wrap up, let me ask you, the US cybersecurity strategy was released a couple weeks ago on Thursday, about two, two weeks ago this coming Thursday or three weeks ago this coming Thursday. Do you see any... In, in your role at either Analyst1 or with the people that you talk to, are you, are you seeing this time...

It's, it looks different than, than in the past. I mean, I know that the language is stronger and they're talking about going on the offensive, which is all good, but in the past they've issued these and a lot of people in [00:43:00] the community are like, yeah, but what's really gonna happen? Like until the legislation comes in and the laws change what all can happen, and...

I'm an eternal optimist, so I kind of want it to happen or, or things to change. What, what, what are you thinking? What's your sense, what's your gut telling you? What are you hearing? Yeah. What, what, what I think is at least the end, end goal here is to, the changes that we're seeing is to sort of provide the government organizations with the right authorities to, to go after ransomware gangs.

So you gotta remember, before ransomware, it was just such a different game, you know? One, you never talked to the attacker, they never talked to you. And two, there was never this volume of attacks that were successful. So, so if, if you recall with like, like with, I think it was with, with DarkSide, the FBI, you know, went after them and was able to obtain their wallet and get a bunch of that money back and a judge had to sign off on that before they could go do it.

And that's on public record. You can go see that and but withal, when stuff [00:44:00] happened, there was no judge signing off on it. And that told me that that must have been an intelligence agency and I don't think I got those backwards, but anyway. Right. You know, and, and so what I think. Is sort of a learning point from that is, you know, is when there is certain high profile ransomware gangs that are affecting national security, you know intelligence organizations need to have the authorities where they can act immediately.

And so while it didn't directly say that in, in, in that, that policy update or word by verbiage, it seems to me like that was underlying the direction that we seemed to be heading in. And I do think that's a good... Excellent. Excellent. Well, hope, hopefully, yeah. Time will tell. And we will, we're gonna stay in touch with you along the way, if you don't mind.

Like we, we, we love your work. We're honored to have you on as a guest, so thank you so much. Lovely. Thank you so much, Jon. So we, we, we will talk soon and we'll have links to your Ransomware Diaries, volume one and the show Trafficked on National Geographic, which you've streamed [00:45:00] from every device possible.

So thank you so much. Oh, of course. Right. Well, the book that I have on my shelf, this is the one behind you? Yeah, the one behind you right there. Yeah. The one right behind me, which is a phenomenal book. We will have that linked. I do apologize for not, I just figured everybody had it by now, and we just assume everybody already had the book.

I just figured you, I just figured you have a winter chalet in Russia by now. Like where you can go and, and, and meet them for, for, for coffee or something. Hey, thanks so much, Jon. Yes sir. Thanks. So thanks Jon. Appreciate it. Great, great discussion as well. Thanks.

Well, that's a wrap. Thank you for listening. Our next episode starts right now. Please be sure to subscribe to our YouTube channel. It's free, and download the podcast episodes available everywhere you get podcasts. To support our show and get exclusive [00:46:00] pre-release episodes and bonus content, please subscribe to Cyber Crime Junkies Prime. Link in the description and show notes.

And thanks for being a cyber crime junkie.