Research Saturday 2.10.24
Ep 316 | 2.10.24

Ransomware is coming.

Transcript

Dave Bittner: Hello, everyone, and welcome to CyberWire's "Research Saturday". I am Dave Bittner. And this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. [ Music ]

Jon DiMaggio: When the Ransomware Diaries 3 had come out, I was looking at one of the Russian forums, and this person who had just created an account the day before started chiming in, and then their signature block said, "Honoring creator of RansomedVC."

Dave Bittner: That's Jon DiMaggio, Chief Security Strategist for Analyst1. The research we're discussing today is titled "Ransomware Diaries Volume 4, Ransomed and Exposed - the Story of RansomedVC." [ Music ]

Jon DiMaggio: Of course, at the time, I didn't know who that was because it was like a day after their operation had started. But I just started looking into it from there. And as the following month went on, I started to hear more and more about them. So, I figured if they had an interest in my work, maybe I could leverage that to gain access to them and see what I can figure out. And that's basically where it started.

Dave Bittner: Before we dig into the specifics here, can you paint a little picture for us of what it's like to be on these types of forums?

Jon DiMaggio: Well, you know, being on the forums themselves, you know, gaining access sometimes can be difficult. But once you're there, I would not say that in comparison to doing engagements directly with threat actors that just being on the forums is a scary place. It's a great source for intelligence, especially for cybersecurity researchers. But, you know, if you're doing any sort of interaction where you're communicating with the threat actor, even with a fake persona, any time you're directly reaching out that's a little unnerving. And obviously doing that brings greater risk. But, you know, there's two methods to that. One is, you know, to have an account just to watch and observe. And then there's, you know, another technique where you're actually building up a fake persona and getting people to believe that you're someone else and to gain credibility so that you can actually talk and communicate with your real target. That's much more difficult. And yes, that's very unnerving and takes a lot more risk when you do that.

Dave Bittner: Yeah. Well, let's walk through this specific example here. I mean, how do you begin your interaction with this person who's saying that they're the proprietor of RansomedVC?

Jon DiMaggio: Yeah, so this one was a little bit different because normally, you know, there is only a few ways to communicate with the threat actor. And RansomedVC, one of the things that caught my attention was, you know, their footprint was so much broader. They had, you know, social media accounts on several platforms. They even had an account -- two accounts actually on TikTok. They were on Twitter. They were on, you know, several, several different types of social media. So, that in itself made them much more accessible. When I did decide to reach out to them, I reached out to them both publicly on Twitter and said, "Hey, I want to talk to you." And I also sent them a message on an application that many threat actors use to communicate that's called Tox, T-O-X. And it's just -- it's an encrypted communication platform that you run on a local system. It's not social media. But I sent the message on both. They responded on Twitter and then they asked me to transition and talk to them on Telegram. So, we ended up doing most of our conversations there on Telegram over the course of about two and a half months.

Dave Bittner: Second platform, Jon. Second platform. Never move to a second platform.

Jon DiMaggio: I think they were more comfortable with Telegram than Twitter just from a monitoring perspective. Whether they're correct or not is another story. But because, you know, Telegram was supposedly designed for privacy and it incorporates encryption, I think they feel safer using that to get away sort of from the monitoring of law enforcement or government eyes type of thing.

Dave Bittner: So, now that you've established contact here, what's your strategy?

Jon DiMaggio: Yeah. So, that's something that has become -- that's something I've spent a lot of time doing. So, if I can just take one step back. At Symantec, you know, I spent seven years there and my entire career prior to that was always in the government. And there you're dealing with zeros and ones, you're going through data to make these assessments. You're not actually doing direct engagements. So, when it came to Analyst1, I don't have access to customer data here, so I had to get, you know, creative. And I literally just started to read everything I could on human behavior, profiling, reading things, academic papers, things -- I've read stuff from the FBI's Behavioral Analysis Unit. I even reached out to them. I read about different techniques. But at the end of the day, what it comes down to is just sort of trial and error, which can be scary. And using fake personas was a little bit easier because I wasn't myself. But with the popularity of the Ransomware Diaries, I found that I get farther just communicating as myself. And so, in doing that, you have to be very careful. And I've taken the approach of just being straightforward, you know, right off the bat telling them what my intent is, why I'm talking to them, if I plan to write research, if they have -- I always ask them if they've read my previous research so they understand the type of thing that's going to come from an engagement with me. And if they're still willing to talk to me, then we move forward. One of the things though that I have to do is even though it's myself, they'll say lots of things that I don't agree with or I don't like or I think that are outrageous. But I have to remember that even though I'm presenting myself as me, I need to get information. So I still have to say things and do things that I wouldn't do in real life. And there's more of a risk there because, you know, they could dump all of our chat logs and, to the untrained eye, people might think that, okay, well, this guy is buddies with them or he's stroking their ego, or he's telling them the things, you know, that he shouldn't say to get them to like him. But at the end of the day, you know, it's the end result that matters. And I think anybody who looks at my research will get that because I am able to get people comfortable enough to talk to me and share details about attacks and about the things that they do in their attacks that are not public and no one else would know if it wasn't for that human engagement. So, it takes a lot of work. Honestly, sometimes, like with this one, I spent months talking to these guys. And it's not just one person, I talked to about four different people that were involved with the gang. But by the time it's done, you know, it's like -- it takes a toll on you emotionally, it affects your personal life. You know, there's no vacation when you're doing this because, you know, if you're doing engagement with a threat actor, it could be a Saturday, if they, you know, pop up and want to talk to you, then that's an opportunity to get information. It's kind of hard to say no. So, you know, you can get burned out easily. There's a lot of risk. There's -- you know, you have to live a very paranoid life, things of that nature. So, it's not been easy. But I've had a lot of success for it. And I feel like the good that comes from the research is greater than the bad. You know, the bad side being shining a light on them. They want to talk to me because they want to be famous in the criminal world. But I know my research is making a difference because usually after I write, I have both -- I previously have had, you know, law enforcement and government agencies from all over the world reach out to me and ask me questions about it. So, that tells me that it's good information if those types of organizations are finding things that I am publishing to have new and unknown information in it. So, I keep up the fight as long as I feel like I'm making a difference. But, yeah, it's tough.

Dave Bittner: Help me understand the kind of balance that I feel like you must take here between folks like this being flattered by your interest but also I would imagine that they're kind of circumspect about sharing too much with you.

Jon DiMaggio: Yes, yes. And that's -- so, that definitely happens. And so, that balance is why I have to do things like, for example, if they say something extremely racist or they make a terrible joke, you know, not saying why would you say that, that's awful. You know, I don't appreciate that. Don't say that sort of thing. You know, while you don't encourage it, you have to kind of bite your tongue and just sort of, you know, move on with the conversation in a way that doesn't necessarily alienate them. But you don't -- and also, you know, you can't encourage that either. So, it is a tightrope walk. But here is the thing, it's not just one little thing like that, it's trust that's built up. I don't do just one engagement. This isn't like a 30-minute interview with them. I do this, you know, for four or five days at a time over a course of anywhere from one to three months usually when I do this type of research if the goal is to build and establish a relationship with that threat actor. As an example, just today, you know, I had a conversation with the LockBit threat actor. And, you know, I was talking to them because they had just popped a hospital that is in Chicago where they -- you know, they have a children's cancer ward, they specialize in helping homeless people and other people that can't afford treatment. And so, I reached out to LockBit, you know, trying to -- because I have this person's relationship, being like, "Hey, man, you've made all this money. Remember you're a human. Just give these people their decryption key and move on." I don't know whether he is -- he told me he has to think about it. But my point is that it's months of building these relationships and getting them to have some trust as they feel like they get to know who I am. And I don't lie to them. I tell them right off the bat what I'm doing. And there are certain things that they've shared with me where they say, "I'll tell you this but it has to be off the record." And while I put everything in my research that I find, if they do tell me something off the record, I have to abide by that because that's -- when you're talking to criminals, that's all you have as a reputation. And I think I've built a pretty good reputation of being straightforward with them. So, it is difficult. They say horrible things. They say -- like, for example, a lot of Russian bad guys like to use the N-word a lot. And that is not -- that's a word that I would never use in my vocabulary that they use. So, it makes me uncomfortable but I also can't show them that I'm uncomfortable. So, again, it all comes down to risk. Because like I said, all of these things wouldn't make me look great. But the fact is that I'm not standing up and saying, "Hey, don't do that." But whatever it may be, you just remember it's the end game. I am trying to get them to trust me. I'm building that trust. It's just weird now because I do it as myself. When I was using fake personas, it was much easier. But it's all about the end game of getting that intel and being able to fill in gaps that will help defenders and law enforcement better protect against and apprehend these types of criminals. [ Music ]

Dave Bittner: We'll be right back. Are you typically communicating in English?

Jon DiMaggio: It depends. So, with RansomedVC, everything was in English because all of the people I spoke to could either write or speak coherently in English. So, I was able to do that and communicate much more easily. With LockBit, they talk in broken English so it's a little bit harder but I do have, you know, colleagues at Analyst1 who are Russian and can speak the language. So, I do have the ability to do both. But obviously, when I can communicate without speaking a language that I don't know myself, we get a lot farther and I don't have to wait on other people and things of that nature.

Dave Bittner: Well, let's go into some of the details of what you learned about RansomedVC. I mean, what are some of the highlights of your research that you can share with us?

Jon DiMaggio: Yeah. So, I would say, you know, there's a number of things. I think the most significant aspect of my research was I talked to this hacker who goes by the handle USDOD. He was a very interesting person because this past September, Brian Krebs wrote a blog about him; apparently this individual had hacked this network called InfraGard, which contained a bunch of information on the FBI -- people who work for the FBI, so employees of the FBI, and released that. And he also targeted NATO and these other organizations. And he released it all on September 11th and was sort of labeled as a terrorist. Well, he's not -- I'm going to go on record and say he is not a terrorist, he's a person who made some poor decisions in what he did. But he does not have this, you know, strong anti-US sentiment about him. But he did some dumb things, made some poor choices. But he had also joined RansomedVC. So, when I talked to him, you know, he was giving me bits and pieces of information. And he seemed very straightforward with me as opposed to when I talked to the person who runs the operation who goes by the name Ransom Support. You know, he outright admitted that he lies a lot and admitted some of the things that he's publicly done that have been lies. And, you know, he told me a lot of things that I knew were -- that were untruthful. So, I had one individual who -- again, I'm going on my gut feeling here, which isn't always right but is pretty good. One individual who I believe is being truthful or at least believes he's being truthful with me. This other individual who half the things that he's telling me are lies. Well, I sort of compared the information, and then I used the information that one gives me to try and see if I can -- I don't want to say catch the other off guard but like get them to give me a comment by the way I present it that would fill in the gap and find the truth of what really happened. So, with that, Ransom Support, the leader of RansomedVC, had been saying some bad things about this guy and this was like, you know, one of the top hackers, you know, in the world who works for him, and he's trash talking him. So, when we were talking and I shared some of the things that were said about him and asked him if he still worked for them or if he had any concerns about them, you know, he told me no, he had stopped working with them. And to speed up the story here, at the end of the day, by being able to show that that other person did not actually care about them and wasn't in their best interest to protect them, USDOD became comfortable and shared information with me that led me to identify that the person who created RansomedVC was previously associated with the Ragnar Locker ransomware gang who had just been arrested in October, October 30th exactly. And that was very relevant because RansomedVC had started a new forum only seven days prior. And it was a ransomware-based forum. Now, starting a forum takes money and resources. And that shows they were expanding their operation, not ending it. So, seven days later -- I'm sorry. It was October 22nd when they started this forum, on October 23rd, there were some arrests for Ragnar Locker. On October 30th, RansomedVC announced they were selling the forum. So, they showed they were expanding, they spent time and money. A day later, there were arrests for a completely unrelated ransomware group. And seven days after that, RansomedVC makes an announcement that they're shutting down. But here is the key, they made the announcement that they were shutting down because he said six people that were associated with him, Ransom Support, the leader of the group, had been arrested or he believed that they had been arrested. And at the time, everybody discounted this as another lie because there was just no news of anyone from RansomedVC being arrested. Well, no one including me connected the dots. He was not talking about RansomedVC, he was talking about Ragnar Locker, those men that had been arrested were part of Ragnar Locker, and he was associated with them and he was concerned that they would give information that could possibly lead to him. Then USDOD told me that they had had -- Ransom Support from RansomedVC and Ragnar Locker had had some sort of falling out and claimed that Ransom Support actually leaked information to Europol that helped lead to their arrests out of spite. Now, that is sort of a sin even amongst criminals. I don't know if that's true or if that's just a story based on the crazy things Ransom Support may have said to USDOD. But again, I believe that what the guy told me he actually believed was true. And that's pretty crazy. One, from a cybersecurity perspective, you know, no one was aware that he did any sort of business with this other ransomware group. But the fact that he may have actually had something to do with taking them down is just -- that's unheard of. But again, I want to be careful with that because I don't have evidence that he did that. I have two people's claims that differ. But I felt that that was a really significant finding in my report.

Dave Bittner: I'm curious, you know, having the kind of access that you have, and the experience that you have with these folks, how does that inform your attitude? How has that changed your thoughts on approaching day-to-day cybersecurity?

Jon DiMaggio: It's changed it a lot because I never saw the actual human side behind it. And when you spend all day, you know, defending against attacks or trying to chase, you know, live attackers out of your network, it's still all at, you know, a binary level if you will. And you don't really see the side, you sort of forget that this is a human being just like me. So, what's changed about it is I've really learned that there is a human side to this. And while some of these people might be completely crazy, well, others are not, and just have had poor life circumstances and made some poor ethical decisions. But there is a difference. There are people that are really bad and will always do bad things. And then there's others that I have found that have done bad things, like USDOD, who I think do have good in them and, you know, I hope that the relationship that I end up having with them, you know, persuades them or helps persuade them to change their ways. I may never be successful in that but it's something that I just strive to do when I do find someone that I think has good in them. But to answer your question, it's made me take a step back whenever I hear about these, about attacks, while most people are looking at it from the perspective of how I used to look at it, which was only how do we defend, how do we mitigate, and how do we protect ourselves moving forward. And I look at it differently, like how do we permanently stop this sort of attack? And getting to know these people and reaching out, getting this information, it only takes one slip up for somebody to give away too much information that might be the one key that, you know, could be used by law enforcement to find these people. And I think that when you add that, the sort of human intelligence part, on top of the ones and zeros from the cyber perspective, it just really increases the value of that intelligence product. Now, the stuff that I write is exactly what I just said. It's cyber -- cybersecurity-related information, you know, coupled with the human aspects. But now I've gotten to a point, because I love to write and I'm getting these people's stories, I like to really tell a story and try to make it entertaining in addition to simply being, you know, just an intelligence report that can be used, you know, for defensive purposes. I want people to enjoy reading it. I want to increase the knowledge base on this. I want people who don't typically read this or understand this to read it and be interested in it. So, I've sort of taken it to this other level. And not everybody loves that I do but I really enjoy making interesting stories and sharing the human side of this, whether it's good or bad, and providing context to the ones and zeros of cyberattacks.

Dave Bittner: Yeah. To what degree do these folks tend to consider themselves invincible or are they looking over their shoulders? Do they feel like they're, you know, any day that knock on the door could be law enforcement?

Jon DiMaggio: Yeah. Well, you know, it does differ. But let me give you a couple of examples. With LockBit, for example, the leader of that group is extremely paranoid and careful. He's probably one of the most careful people that I've ever dealt with when it comes to his operational security. According to him, you know, he spent a lot of time, especially before he began this operation, really learning about OpSec and making sure that everything he did provided minimal risk that would make it difficult to identify or catch him. And every decision he makes, you know, he -- you can see the things that he's doing to keep him a few steps away from anyone finding him, and there's a reason that we haven't seen law enforcement take down their infrastructure. There's a reason we don't have the names of the people directly in that management ring of that gang because they're so careful. And then you have groups -- I'll just use RansomedVC since we're talking about them as an example -- where, you know, they definitely worry much more about their door being kicked in. You know, other researchers and criminals have doxed them and, you know, made claims about their identities. I don't know if they're right because I don't get into doxing. That's a headache I don't want to deal with. But the point is that, you know, they're very concerned that there's going to be a knock at the door. So, I really think that it depends on, not just the person and the group itself, but it also depends on how comfortable they are that they have done everything possible to make it difficult to find them and they believe that they don't make mistakes because they're careful. And those people are also -- they're more difficult to talk to. You know, it's like LockBit used to talk to me and we would have watercooler talk. And now -- I call him Mr. Grumpy Pants because whenever we talk to him now, it's all business. He doesn't want to share anything else. And I get it. I wrote a ton of research on them. I understand. But it's a very different relationship now. So, each one is a little bit different but I feel like that's why it's important to sort of profile them so you know how to approach them and you don't scare them away. [ Music ]

Dave Bittner: Our thanks to Jon DiMaggio from Analyst1 for joining us. The research is titled "Ransomware Diaries Volume 4, Ransomed and Exposed - the Story of RansomedVC". We'll have a link in the show notes. [ Music ] The CyberWire "Research Saturday" podcast is a production of N2K Networks. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Stokes. Our mixer is Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our Executive Editor is Peter Kilpe. And I am Dave Bittner. Thanks for listening. [ Music ]