Research Saturday 5.25.24
Ep 331 | 5.25.24

International effort dismantles LockBit.

Transcript

David Bittner: Hello, everyone, and welcome to The Cyberwire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts, tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. [ Music ]

Jon DiMaggio: So about two years ago, before LockBit was really known who they are today, I started researching them after I got done with REvil, and you know, I somehow just got on the inside.

David Bittner: That's John DiMaggio, Chief Security Strategist at Analyst1. Today we're discussing his research, "Ransomware Diaries Volume 5, Unmasking LockBit." [ Music ]

Jon DiMaggio: After I published the Ransomware Diaries Volume 1, they knew who I was, began using my face as their avatar on the dark web. So I started talking to them from there as myself, developed a relationship, which led to a lot of the findings in my volumes of the Ransomware Diaries after the first one. And, you know, at times we were friendly. I mean, you can't talk to somebody that much and not grow a relationship, but I've always been out to get them. I've always been honest about what my, you know, intent was. So fast forward sort of to where we are now. You know, I wasn't planning to publish research, but, you know, we got to a point where, you know, I always do deconfliction before I publish, and with this one when I did deconfliction they were like do not publish, and I said, okay. Well, let me know when I can, law enforcement that is, and they told me, you know, basically, a day before, you know, the site was resurrected that law enforcement had seized with this countdown timer that they were going to release an identity. So, you know, long story short I had to write in like three days and put everything I had in. I really wasn't ready, but I did what I had to do, and the day of, I held my breath and was like please be the same person, and if it was going to be the same person, I was going to move forward and publish, and if it wasn't then, obviously, we wouldn't be talking right now because I never would have came up with a report. But yeah, so I published about 45 minutes after the indictment came out, and, you know, it was fairly obvious to everyone that I had been working on this for a while. But yeah, so it's been a big splash and a lot of attention because of that.

David Bittner: Before we dig in here, there's something a little unusual about this particular publication from you. You start out here with a warning about engaging with ransomware criminals. Can you unpack that for us?

Jon DiMaggio: Yeah, so that actually started out, I did it in one of my volumes. It was sort of a joke. You know, my kids like to watch wrestling, and they have some sort of similar warning at the beginning. So it started out as a joke, and then, you know, my editors and handlers at Analyst1 liked it and, obviously, there's not any legal aspect from it, but they thought it was a good way to let people know, you know, don't read this and decide to go out and try and talk to ransomware criminals or any type of cybercriminal on the dark web because, I mean, I can certainly tell you there's a lot of negative, negative things that can happen from that, and it can certainly be dangerous and getting threatened by, you know, organized ransomware criminals is never fun. So it's sort of a light-hearted way to let people know, you know, don't do this unless you know what you're doing.

David Bittner: Yeah, it's interesting because I, you know, I often hear people say that -- how much fun it would be to lead scammers along. You know, when you're talking about social engineering and things like that, but it is a tricky game.

Jon DiMaggio: It is, and there's a big difference from having fun with scammers versus, you know, talking to long-running cybercriminals that you know like last year alone they made $100 million you know on the dark web. You know, the resources they have are infinite and, you know, I live in all the same spaces as they do, and I see all the bad things you can buy with money that if you wanted it to do something to someone. So you're always putting yourself at risk when you get out there, and it's very different than having some fun with scammers. The repercussions can be significant, and so, yeah, people just need to be careful when they -- if they decide to try to do something like this, and only do it if they have legal blessing as well as they're skilled and comfortable with what they're doing.

David Bittner: Well, let's walk through this together I mean we this is a fascinating tale of your own journey here and your own sort of unmasking of the person behind LockBit. Where should we begin?

Jon DiMaggio: Yeah, why don't we begin with -- we can go earlier than this but three days before the announcement of who I was. That's sort of the trigger that put all of this into fast-forward to where we are today. Is that early enough, or would you like to go farther back?

David Bittner: Yeah, let's begin there. That sounds good.

Jon DiMaggio: Okay, well let me take one step back further. About, I don't know, a month ago, three weeks ago, I had received a tip. I often get tips from people, criminals, researchers, and things of that nature. Sometimes they are people I know. Sometimes they're from accounts that were just created. In this case, it was from an account that was just created so I wasn't sure how much validity I should put into it, but it gave me some information on an email address and told me it was related to an account that was controlled by the person behind LockBitSupp. That email address is in my report. It's sitedev5@yandex.ru. So as I began to look at that, you know, I figured I might as well do what bad guys do and look through stolen, leaked data that's out there and see what I can find on this account, and I found quite a bit of information. There were some legitimate businesses. There was legitimate businesses and then sort of IOCs related to it, and then they're what I'll call secondary IOCs, which were not affiliated with this person's legitimate life but were clearly more suspicious, and as I dug on those, they started to lead back to some of these Russian forums where a lot of ransomware criminals talk. So I didn't know that -- if it was LockBitSupp, and honestly, if the indictment hadn't come out, I would not have published this until I had something more concrete, but so, I just began to collect and look at this person and they had this very strong legitimate presence and they had this very smaller footprint that was suspicious and had linkage to some of the places where these criminals live. So having said that, you know, I sort of built all this out, you know, both in technical, like with using a tool called MultiGo where I could visually see all the links and everything, and then also through probing and asking questions of LockBitSupp without giving away what I was doing trying, just trying to sort of find something I could link him to. Now we're at three days prior to the release of the indictment, and in this person's name. I mentioned I was a de-confliction, so I did that. I said, hey, this is what I'm working on. I don't know if I'm going to publish, but before I put too much time into it, I want to know if this is going to cause any issues, and so I was asked to not publish, which with -- that alone gave me all the information I needed to know is that I need to keep digging on this person. I was like, okay. Well, I do want to publish, so don't catch me off guard and release something and I have no time. I was like, you know, I threw you guys bone you know with not publishing. Please let me know. So I think it was a Friday. You know, law enforcement was like, yeah, we can't give you any details but just keep an eye out on, you know, LockBit, all things LockBit this weekend. To me, it made the most sense that their mechanism to release information the last time was through the LockBit infrastructure that they seized. So I have different tools and resources to monitor those, and I just, you know, it was -- every hour I was checking those resources, and it was -- and I began writing my research with the assumption that I was going to have, you know, something that would be similar and would pair to what they were going to release. And so Sunday, yeah, Sunday, at 3 p.m. I saw the light on my little status thing for that, for some of the old -- three of the old LockBit websites turned green. So I immediately went to it. I saw that it was a new site also from the NCA, which is the National Crime Agency made up of some different law enforcement and government-related entities, and in it they had what victim posts, just like you'd see on the real LockBit page, except all the posts were for criminals. The most relevant one being a countdown timer that they had for LockBitSupp to reveal his identity. So then I literally went three days without sleep just working through the night, put off my -- it sucked. I had to put off my kids' sports and have somebody else take them, and I couldn't be there but there's certain times in your career where you just have to go, and this was definitely go time. So I wrote 22 pages over the next three days, and came I had to travel to RSA. So I had to fly out there, and of course the plane is filled with security people so I couldn't work on it on the plane in case somebody saw me looking. So I finished 1:47 in the in the -- I guess in the morning of the release in it in San Francisco. Where I was with the time zone, it was 7 a.m. when they were going to actually release the information. So I just remember getting those four hours of sleep and waking up and being like, oh, I just don't even want to get out of bed, but I did, and you know, sure enough, the release came out, and it was it was Dimitri, the same exact person I had profiled, and what was what I really was happy about is I had way more information than was what was originally released in that indictment that morning. So I felt really good about releasing this information. Having been a former, you know, I worked for a government intelligence agency, I was a signals intelligence analyst for a long time. I've got a lot of background on things I can't talk about but I know a lot of the tools and resources that go into validating these people. So while the general public is like, hey, there's no evidence for this, I also understand if you go and look back, there's no ransomware indictment that we've had where there's evidence in the indictments. That stuff is held closely for the day, if it ever comes, where we actually arrest someone. You -- law enforcement can't show their hands, so that made it difficult for me because I didn't have evidence besides the coincidence that we were both looking at the same person, and I have this tip that led me there. But I felt strong that if they're doing not just an indictment but sanctions against this person, there is evidence out there. It's just somewhere either I'm never going to find because of the resources they used to get it, or two, it's information that's really well hidden that I have not found. Since then, there's been a lot of talk about, oh, there's no evidence. This isn't LockBit, and he's even gone -- I've done interviews now. LockBit stopped saying, oh, no. This isn't me. There's no evidence of it being me, and that kind of, you know, that bothers me from one aspect because we're, you know, giving him a platform. I mean I've taken part in some of these platforms where he gets in the interview so I can try and put in my piece that, hey, you know, just because he says it's not him, let's not everybody believe criminal here, but he is correct. There is not public evidence, and I'm working very hard to try and find some. I don't know if I'm going to get it. If I do, I'm going to update what I put out, but I do feel strongly that the government would not put out sanctions and an indictment against an individual unless they did have a solid attribution. It's just that at the end of the day what the public thinks isn't as important as what a judge will think if that a day ever comes where he is facing those charges. [ Music ]

David Bittner: We'll be right back. [ Music ] So in terms of evidence, would you have -- let's say the indictment didn't come from the government, from NCA. Were you on the path to the same conclusion in terms of it being the same person?

Jon DiMaggio: I honestly was still at an unknown.

David Bittner: Okay.

Jon DiMaggio: The links to the Russian forums I thought were really interesting, and Brian Krebs [assumed spelling] put something out today where he found some -- I haven't gotten to really dig into the forums yet, and he did find some content in the forums that, again, aren't a hard link but do make it a little bit stronger than what I had found in my reporting, but still, there is not a smoking gun for this individual, and that brings me back to my point. With him saying it's not him, everybody, you know, saying, oh, there's no evidence it's him, and there are people who are saying, well, his operational security was so poorly -- meaning this person, Dimitri, was so poor there's no way this is LockBit, but here's the thing: These are all people that are going to look for him after knowing this person's name, and his personal life might have not have had the best op sec, but clearly he did have strong op sec because myself and some of the best researchers and researchers in the world have not yet linked him. So he did have good op sec. It's just that he separated his criminal life from his personal life, which is why we're not finding that link, and the op sec in his personal life being poor does not mean that his op sec is poor. It just means he was smart enough to make a diversion and put enough out there that he would look like a regular person, so he could have an argument that it's not him.

David Bittner: Right, kind of hiding in plain sight.

Jon DiMaggio: Exactly, exactly.

David Bittner: No, that's an interesting insight. Can you talk some about the relationship that you had with this person? I should mention also that we're using the phrase LockBitSupp. That's the handle that this person used online, and this is the presumed leader of the LockBit organization.

Jon DiMaggio: That's right. That's right he used it on multiple criminal -- Russian underground criminal forums that are primarily based in the dark web, and he also used that name to communicate with myself as well as the other criminals in his program. So when there were issues, they wanted to discuss an attack, or even if he had to talk to a victim, that's the moniker that this person used. And you know, there was a time where I do believe that there was someone else that also helped out with this moniker, and that makes sense because think about it. If it's support for a criminal program, you can't have one person monitor it 24/7, but at some point in time, you know, LockBitSupp decided that I couldn't talk to the other people anymore because it went from getting almost immediate responses to sometimes taking hours to a day, and the obvious reason why is whatever they told me, I would then use to dig and find more and then report publicly, and I think he wanted to control that.

David Bittner: I see. Can you give us some insights onto that relationship? I mean it strikes me as it must be a little bit odd. The two of you know that you are at odds with each other. There's a tension between the two of you, and yet, you stay in touch.

Jon DiMaggio: Yeah, it's the strangest relationship that I think I've ever had with a threat actor, and certainly not the only relationship, but it's the longest running, and it's the most unique because we both sort of had this common respect for one another, but we had this cat-and-mouse game, and because of that, yeah, up front, I expressed my intent, and then time and time again I doubled down on that by putting out information where I did not hold back or let off on the guy, but he always came back to talk to me. Now there were times he would definitely be upset and talk less, but overall, he got it that it wasn't personal, and I think he enjoyed that I was spending all my time chasing him and almost got a thrill out of trying to evade me. He would say often like you and the FBI are too dumb to find me, you know, things like that. And, you know, it was just this sort of unique love-hate relationship that we had, but it was never down to -- it was never -- there was never name-calling. There was never crazy unprofessional things said. You know, it was always, like I said, a level of respect between us, you know, that we had, and that's what made this so great is that, you know, it just lasted. And it was this back-and-forth, me chasing and him evading and him, you know, doing these different, crazy things and -- but it was it was never threatening or anything like that. Now that could change after what I just put out, but historically, that's how it's been.

David Bittner: Yeah. It's interesting to me, too, that the amount of swagger that we were seeing here from the NCA, the FBI, the partners involved with this. You know, like the FBI is using the -- I think the email address is like FBI Sup. You know, they're not holding back in sort of puffing up their chests and, you know, letting the bad guys know, I guess, who's boss here.

Jon DiMaggio: Yeah, well this this particular takedown operation, Operation Cronos, was -- is the most successful, and that is because they started using different tactics, very out-of-the-box tactics if you compare them to many of the other takedowns, and what I mean by that is they started using psychological tactics in addition to just, you know, traditional cyber, you know, tactics that are used to take down infrastructure. So that's the reason why, normally, you just see a takedown and then an indictment the same day, and that's it. As where this one, you know, they did the first takedown on February 19th, and, you know, when affiliates went to log in, they each had a personalized note to them, you know, saying we have your information, your logs, your communication. We'll be seeing you soon type of a thing, and then they made, you know, the victim posts for members of LockBit and put a countdown timer for him, for LockBitSupp himself, and you know, on the -- a few days later when that timer ended, you know, we were all disappointed that they didn't name who it was, but now the indictment is out. We know the reason why is because, and this is crazy to me, LockBitSupp offered to give up names of some of his competitors and who they were in exchange for his anonymity. And, you know, that's just one of those unspoken sins you don't do. So I was surprised to see that, but it makes sense. If he was going to give information, you know, that that's -- he's a solid source for that, so I think that it was worth delaying this, and clearly that relationship soured because, you know, here we are again, just a couple months later, and they, essentially, began the operation again with a countdown timer. But making him wait and have it in his head, I think, is the real success here. Damaging his reputation, affecting the people around him, and making them question whether or not they're safe using his platform and their anonymity is protected, and it literally made the bad guys feel like the victims, and no one should take that away from law enforcement because this has been the most successful operation against ransomware that I've seen.

David Bittner: Well, and you can imagine that that could be motivation for him to also say, hey, this isn't me because I would imagine, you know, a lot of his colleagues in the cybercrime underground world, he may have a target on his back. If he was willing to give them up to save his own skin, his local reputation is probably not so great right now.

Jon DiMaggio: That's true, but he has such a strong ego, he may not be able to see that. You know, that vision might be a little bit blurred, or he may see it and think he's untouchable and not care. I'm not sure, but he, at least publicly, is acting like it doesn't bother him, but the public version of LockBitSupp is completely different than the person I know. That public version is like, you know, Tony Montana from Scarface. You know, this very loud, arrogant gangster, and the person that I have got to know is a much more minimalistic, you know, down-to-earth. Doesn't get upset. Is always the same sort of tone type of person, and I don't believe that he's out there, you know? Well, I know he's not now but out there with when he said it before Lamborghinis, yachts, and you know, women in bikinis and partying, like that's not the guy I got to know, and that's not the guy who could evade law enforcement for four years. So he's very different from his public perception that we see with all these media engagements and things versus the actual person that's Dimitri who's sitting behind it.

David Bittner: Can you try to give us some perspective here of what this takedown means for the larger ecosystem here? How do you suppose things are going to look going forward?

Jon DiMaggio: Well, you know, we -- the way I assess it is every time there's a takedown, I look at it and I try to figure out what worked and what didn't work, and I think that with, you know, with this, we just see these small improvements, but this one was a massive improvement, and when this first happened you know the media jumped on and said, okay, well, the takedown was February 19th. February 25th, LockBit stood up new infrastructure. Clearly, it was ineffective, and you know, I just explained to you why it was so effective, but what this means going forward is it's sort of a new day when it comes to how law enforcement looks at this. They're no longer just doing these traditional, oh, this is how we take down you know malicious websites. This is how we try to take down an actor. I think they know that indictments aren't going to have a person arrested but indictments and sanctions have a massive impact on ransomware groups because now, at least in the U.S., you can no longer pay a LockBit ransom payment. That is, essentially, going to shut this organization down whether LockBit wants it or not, and what I think we'll see in the future are similar tactics. I hope that they'll continue to progress, but we made a huge step, or they made a huge step, in this particular takedown with all these new -- this new out-of-the-box thinking and doing things that we just never saw before from law enforcement, and you know, the proof is in the pudding. Clearly, this was effective.

David Bittner: How about your own feelings personally here? I mean, is this a sigh of relief, or are you going to, you know, miss having this one to chase down?

Jon DiMaggio: It sounds crazy, but I am going to miss it. You know, it's impossible to not, you know, feel a certain way when you've talked to somebody for so long. It never stops me from doing my job. The person does horrible things, but that doesn't mean that's still not a person and a personality behind it. And, you know, I think my days of talking to LockBit are probably done outside of if I find some evidence to publish. I don't think there'll be a lot more that I do with LockBit. So yeah, after two years of this consuming my life, you know, this is the first time where I've been sitting here and I'm like I don't know what I'm going to do next. And I'll be honest, it's also a huge sigh of relief because that's so much pressure constantly. I can't even go on vacation and not have to respond and talk to bad guys involved with this because it's your life. You can't just turn it off while you go, and it's a lot of weight off my shoulders to know that I have, you know, a clear canvas in front of me, and I can do whatever I want with it, and the first thing I'm going to do is take a nice break this summer and do some lower-key stuff but I'll definitely be back I just don't know when it's going to be next. [ Music ]

David Bittner: Our thanks to Jon DiMaggio from Analyst1 for joining us. The research is titled "Ransomware Diaries Volume 5, Unmasking LockBit." You can find a link and additional resources in the show notes. [ Music ] And that's research Saturday brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment -- your people. We make you smarter about your teams while making your teams smarter. Learn how at N2K.com. this episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Tre Hester. Our executive producer is Jennifer Eibin. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilby is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]