1 00:00:15,356 --> 00:00:22,596 Speaker 1: Pushkin. Just a quick note, this is a bonus episode 2 00:00:22,596 --> 00:00:26,476 Speaker 1: of What's Your Problem, and it's sponsored by Microsoft. John 3 00:00:26,516 --> 00:00:30,756 Speaker 1: Demaggio studies cybercrime for a living. It's his job. But 4 00:00:30,956 --> 00:00:34,636 Speaker 1: when he wanted to understand an international cybercrime gang called 5 00:00:34,676 --> 00:00:38,036 Speaker 1: lock Bit, he realized he couldn't learn everything he wanted 6 00:00:38,036 --> 00:00:40,516 Speaker 1: to know from the outside, so he started trying to 7 00:00:40,516 --> 00:00:42,796 Speaker 1: figure out how to get people on the inside to 8 00:00:42,876 --> 00:00:44,036 Speaker 1: tell him what he needed to know. 9 00:00:44,236 --> 00:00:46,796 Speaker 2: So I spent a lot of time studying going back 10 00:00:46,836 --> 00:00:50,956 Speaker 2: to World War Two when they started having all these 11 00:00:50,996 --> 00:00:54,316 Speaker 2: documents about how to use the human trade craft to 12 00:00:55,156 --> 00:00:58,236 Speaker 2: sort of recruit and convince people to do things that 13 00:00:58,276 --> 00:01:02,076 Speaker 2: they don't necessarily know that they're doing to support your cause. 14 00:01:02,356 --> 00:01:04,316 Speaker 1: So were you telling me you started studying sort of 15 00:01:04,636 --> 00:01:06,636 Speaker 1: World War two era spycraft. 16 00:01:07,276 --> 00:01:08,276 Speaker 3: Yes, that's correct. 17 00:01:08,396 --> 00:01:11,476 Speaker 1: What's something you learn from World War two era spycraft 18 00:01:11,556 --> 00:01:15,236 Speaker 1: that helped you weasel your way into a ransomware gang? 
19 00:01:15,596 --> 00:01:20,876 Speaker 2: Everything from their ego to understanding who their adversary is 20 00:01:21,556 --> 00:01:25,156 Speaker 2: and making them feel that being friends with you will 21 00:01:25,196 --> 00:01:29,036 Speaker 2: benefit them because you have a common enemy, or even 22 00:01:29,196 --> 00:01:33,996 Speaker 2: even being adversarial towards them and saying certain things just 23 00:01:34,036 --> 00:01:37,196 Speaker 2: to see what the reaction is to sometimes understand the truth. 24 00:01:37,676 --> 00:01:38,796 Speaker 3: There's also the sort. 25 00:01:38,596 --> 00:01:40,476 Speaker 2: Of the plan and prepare phase where you have to 26 00:01:40,476 --> 00:01:43,476 Speaker 2: go and sort of stalk them and understand who their 27 00:01:43,516 --> 00:01:46,476 Speaker 2: contacts are, who their friends are, who their enemies are, 28 00:01:46,876 --> 00:01:49,276 Speaker 2: where they hang out online, all of that stuff. 29 00:01:49,556 --> 00:01:54,996 Speaker 1: So you have this set of strategic ideas in your mind, 30 00:01:56,396 --> 00:01:57,356 Speaker 1: what do you actually do? 31 00:01:59,356 --> 00:01:59,996 Speaker 3: So what I did. 32 00:02:00,116 --> 00:02:01,836 Speaker 2: The first thing I did is I needed to figure 33 00:02:01,836 --> 00:02:05,756 Speaker 2: out sort of their digital fingerprint, so I profiled them. 34 00:02:05,916 --> 00:02:09,556 Speaker 2: I began looking across the dark web. Obviously started with 35 00:02:09,596 --> 00:02:12,396 Speaker 2: the easy One, their data leak site, their own infrastructure, 36 00:02:13,236 --> 00:02:15,516 Speaker 2: and I went from there and I eventually found the 37 00:02:15,556 --> 00:02:18,756 Speaker 2: forums that they live on. And there's some very prominent 38 00:02:18,876 --> 00:02:21,756 Speaker 2: Russian hacking forums that have been around for about twenty years, 39 00:02:21,876 --> 00:02:24,996 Speaker 2: so it made sense to start there. 
And sure enough, 40 00:02:25,076 --> 00:02:28,836 Speaker 2: they were very prevalent on that website. They were very 41 00:02:28,836 --> 00:02:32,716 Speaker 2: involved with conversations, They have friends, their enemies, and they 42 00:02:32,716 --> 00:02:35,396 Speaker 2: do their business. So they actually would go there just 43 00:02:35,436 --> 00:02:38,236 Speaker 2: to talk and sort of hang out with their buddies. 44 00:02:38,276 --> 00:02:40,676 Speaker 2: And the drama, it was like it was like a 45 00:02:40,716 --> 00:02:43,196 Speaker 2: soap opera. The drama these guys would getting these big 46 00:02:43,316 --> 00:02:47,196 Speaker 2: arguments are the stupidest things. I just started profiling and 47 00:02:47,316 --> 00:02:50,476 Speaker 2: visually mapping out who is who, who they were talking to, 48 00:02:50,636 --> 00:02:54,356 Speaker 2: what those other people's roles were. Again, then I would 49 00:02:54,356 --> 00:02:55,796 Speaker 2: find the ones who are their friends, and I would 50 00:02:55,836 --> 00:02:59,676 Speaker 2: try to approach them and the people who worked for them. 51 00:02:59,876 --> 00:03:01,396 Speaker 1: And did it work. 52 00:03:02,396 --> 00:03:04,396 Speaker 3: It did well, It sort of worked. 53 00:03:10,436 --> 00:03:13,276 Speaker 1: I'm Jacob Goldstein, and this is what's your problem. My 54 00:03:13,356 --> 00:03:17,196 Speaker 1: guest today is John DiMaggio. John is the chief security 55 00:03:17,236 --> 00:03:20,676 Speaker 1: strategist at a company called Analyst One, and I wanted 56 00:03:20,676 --> 00:03:24,676 Speaker 1: to talk with John about Lockbit, this ransomware gang that 57 00:03:24,836 --> 00:03:28,196 Speaker 1: was behind attacks that extorted over one hundred million dollars 58 00:03:28,236 --> 00:03:31,116 Speaker 1: from companies around the world. John wrote this sort of 59 00:03:31,516 --> 00:03:34,996 Speaker 1: book length series of online posts about Lockbit. 
It was 60 00:03:35,036 --> 00:03:38,876 Speaker 1: part of a thing John called the Ransomware Diaries. The 61 00:03:38,916 --> 00:03:42,756 Speaker 1: story of Lockbit is a great window into the ransomware industry, 62 00:03:43,236 --> 00:03:46,396 Speaker 1: and it is an industry with a lot of remarkable 63 00:03:46,396 --> 00:03:51,116 Speaker 1: similarities to ordinary non criminal industries. Lockbitch tried to brand itself, 64 00:03:51,156 --> 00:03:54,276 Speaker 1: It tried to attract talent and notch keywins, just like 65 00:03:54,476 --> 00:03:57,916 Speaker 1: any software company. But then there's also the part that 66 00:03:58,036 --> 00:04:01,756 Speaker 1: is not like any software company. There is the crime part, 67 00:04:02,196 --> 00:04:04,516 Speaker 1: and it was the crime part where Lockbit went too 68 00:04:04,636 --> 00:04:07,596 Speaker 1: far and wound up drawing the ire of international law 69 00:04:07,636 --> 00:04:10,916 Speaker 1: enforcement agencies that in fact have their own set of 70 00:04:10,956 --> 00:04:14,916 Speaker 1: innovative strategies. And John watched all this happen up close. 71 00:04:15,236 --> 00:04:17,356 Speaker 1: He told me his key contact on the inside had 72 00:04:17,356 --> 00:04:21,276 Speaker 1: the user name lock bits up, short for Lockbit Support. 73 00:04:21,796 --> 00:04:24,236 Speaker 2: I didn't know it at the time when I first 74 00:04:24,236 --> 00:04:26,636 Speaker 2: started talking to them, but what I found out as 75 00:04:26,636 --> 00:04:29,436 Speaker 2: I began to talk more is there were two personalities 76 00:04:29,476 --> 00:04:30,316 Speaker 2: behind the account. 77 00:04:30,596 --> 00:04:31,876 Speaker 3: One seemed to be much. 
78 00:04:31,756 --> 00:04:35,756 Speaker 2: Younger, friendlier, more in tune with sort of pop culture, 79 00:04:36,196 --> 00:04:39,876 Speaker 2: and the other one, who I gave a name mister 80 00:04:39,916 --> 00:04:43,836 Speaker 2: grumpy Pants, because he was all business, always serious, and 81 00:04:43,876 --> 00:04:45,356 Speaker 2: that was kind of how I differentiated. 82 00:04:45,596 --> 00:04:49,836 Speaker 1: Tell me about the sort of conversations you had with 83 00:04:49,916 --> 00:04:53,036 Speaker 1: lockbits up, like, what was the nature of those exchanges. 84 00:04:53,876 --> 00:04:55,076 Speaker 3: Well, so you have. 85 00:04:54,996 --> 00:04:57,356 Speaker 2: To understand that when I did the initial part that 86 00:04:57,436 --> 00:04:59,476 Speaker 2: was sort of cover pretending to be somebody else. I 87 00:04:59,476 --> 00:05:02,436 Speaker 2: only got so far with that, and after I wrote 88 00:05:02,436 --> 00:05:05,316 Speaker 2: The Ransomware Diaries Volume one, they knew who I was. 89 00:05:05,836 --> 00:05:08,196 Speaker 2: The farthest I got was talking to them is myself, 90 00:05:08,396 --> 00:05:11,636 Speaker 2: and they you know, it was just I started with with, Hey, 91 00:05:11,676 --> 00:05:13,636 Speaker 2: do you guys know who I am? I want to 92 00:05:13,636 --> 00:05:16,116 Speaker 2: have a conversation with you, And they were, you know, 93 00:05:16,196 --> 00:05:20,116 Speaker 2: said to me, yeah, your favorite researcher. We love you, okay, 94 00:05:20,356 --> 00:05:22,356 Speaker 2: And they were very willing to talk, which is why 95 00:05:22,396 --> 00:05:24,636 Speaker 2: I got so much farther talking to them as myself 96 00:05:24,796 --> 00:05:26,516 Speaker 2: as I did pretending to be a hacker. 97 00:05:26,596 --> 00:05:30,636 Speaker 1: Uh Huh. What's the thing you learned from lock bits up? 
98 00:05:30,756 --> 00:05:33,556 Speaker 1: What's a what's a What's one detail of your understanding 99 00:05:33,556 --> 00:05:35,356 Speaker 1: that was improved by that relationship? 100 00:05:36,596 --> 00:05:38,676 Speaker 2: Well, there were a lot of things, but one of 101 00:05:38,716 --> 00:05:41,916 Speaker 2: the key things I had learned was information about uh. 102 00:05:42,636 --> 00:05:46,236 Speaker 2: They prob internal problems that they had with affiliates. For example, 103 00:05:46,596 --> 00:05:49,516 Speaker 2: they complained that they've got really good hackers, but some 104 00:05:49,556 --> 00:05:52,676 Speaker 2: of these hackers are younger kids, and they're good at hacking, 105 00:05:52,716 --> 00:05:56,036 Speaker 2: but they're really bad at negotiating, uh, And he was. 106 00:05:56,116 --> 00:05:58,676 Speaker 2: They were unhappy about the amount of money coming in, 107 00:05:59,636 --> 00:06:01,716 Speaker 2: so they talked about that and coming up with a 108 00:06:01,876 --> 00:06:04,356 Speaker 2: with a model of how much they would accept, and 109 00:06:04,436 --> 00:06:07,476 Speaker 2: they created sort of a formula per company, and so 110 00:06:07,836 --> 00:06:10,556 Speaker 2: just things like that, things around tech resources. They asked 111 00:06:10,596 --> 00:06:13,036 Speaker 2: me one time if I would buy them. They couldn't 112 00:06:13,076 --> 00:06:15,556 Speaker 2: get a they they couldn't get a Domain tools account, 113 00:06:15,596 --> 00:06:17,276 Speaker 2: and they wanted to know because they couldn't pay for 114 00:06:17,276 --> 00:06:18,676 Speaker 2: it with crypto, they want to know if I would 115 00:06:18,676 --> 00:06:20,956 Speaker 2: buy it for them, which, of course they're playing with me, 116 00:06:21,196 --> 00:06:23,036 Speaker 2: you know. And it was sort of a cat and 117 00:06:23,076 --> 00:06:26,316 Speaker 2: mouse fun relationship for a while of going back and forth. 
118 00:06:26,396 --> 00:06:31,196 Speaker 2: So it was friendly for most of our relationship until 119 00:06:31,196 --> 00:06:31,676 Speaker 2: it wasn't. 120 00:06:31,836 --> 00:06:34,076 Speaker 1: So okay, So you're in this world and I just 121 00:06:34,116 --> 00:06:37,876 Speaker 1: want to step back for a minute to talk about 122 00:06:37,876 --> 00:06:39,756 Speaker 1: what's going on in a big way. Right, there's this 123 00:06:39,916 --> 00:06:43,436 Speaker 1: phrase that's sort of central here, which is ransomware as 124 00:06:43,476 --> 00:06:48,556 Speaker 1: a service. Ransomware is like straightforwards something a lot of 125 00:06:48,556 --> 00:06:52,756 Speaker 1: people are familiar with. It's basically, some bad actor, some hacker, 126 00:06:53,116 --> 00:06:56,876 Speaker 1: hacks into some companies' computers, locks them up and says 127 00:06:57,236 --> 00:06:59,836 Speaker 1: we're not going to unlock them unless you pay us 128 00:06:59,916 --> 00:07:02,036 Speaker 1: a ransom. That's ransomware. 129 00:07:02,476 --> 00:07:02,996 Speaker 3: Exactly. 130 00:07:03,436 --> 00:07:06,116 Speaker 1: What is ransomware as a service? What is I mean? 131 00:07:06,116 --> 00:07:08,556 Speaker 1: We know about software as a service, right, it's basically 132 00:07:08,756 --> 00:07:10,516 Speaker 1: you pay whatever amount of a month and you get to 133 00:07:10,596 --> 00:07:12,396 Speaker 1: use software. What's ransomware as a service. 134 00:07:12,876 --> 00:07:17,476 Speaker 2: So ransomware is a service. There's more than just ransomware. 135 00:07:17,556 --> 00:07:20,356 Speaker 2: So you have this two part model where you have 136 00:07:20,676 --> 00:07:25,396 Speaker 2: a service provider. That service provider provides the actual ransomware code. 137 00:07:25,956 --> 00:07:30,116 Speaker 2: They also provide infrastructure. 
So the provider provides these services, 138 00:07:30,476 --> 00:07:33,236 Speaker 2: the hacker goes and does the dirty work of actual hacking, 139 00:07:33,636 --> 00:07:37,276 Speaker 2: and together when a victim pays the extortion, they share 140 00:07:37,316 --> 00:07:40,436 Speaker 2: the profit from it. The benefit from using this model 141 00:07:40,636 --> 00:07:43,036 Speaker 2: is you can have a lot higher volume than if 142 00:07:43,076 --> 00:07:46,036 Speaker 2: it was just five guys in a group doing it themselves. 143 00:07:46,356 --> 00:07:49,436 Speaker 2: By using this model, you can have many people doing 144 00:07:49,916 --> 00:07:53,476 Speaker 2: attacks on your behalf. Much higher volume of attacks, much 145 00:07:53,516 --> 00:07:54,596 Speaker 2: higher revenue. 146 00:07:54,836 --> 00:08:00,876 Speaker 1: So Lockbit is basically just a software company. They're like 147 00:08:00,916 --> 00:08:03,996 Speaker 1: an enterprise software company. They write software and provide various 148 00:08:04,036 --> 00:08:08,316 Speaker 1: tools for users. But in this case the users are criminals, 149 00:08:08,396 --> 00:08:11,636 Speaker 1: are people who want to hack into various computer systems 150 00:08:11,796 --> 00:08:13,596 Speaker 1: and steal data and extort money. 151 00:08:14,396 --> 00:08:15,076 Speaker 3: That's correct. 152 00:08:15,596 --> 00:08:18,996 Speaker 2: But the other piece to it is the service provider aspect. 
153 00:08:19,156 --> 00:08:21,156 Speaker 2: They're the ones that are sort of in charge, that 154 00:08:21,236 --> 00:08:24,876 Speaker 2: run the show, that give direction, that step in whenever 155 00:08:24,916 --> 00:08:28,436 Speaker 2: there's an issue, if there's a victim not paying, sometimes 156 00:08:28,436 --> 00:08:30,676 Speaker 2: they'll come in and help with the negotiation or take 157 00:08:30,716 --> 00:08:33,476 Speaker 2: over or give direction on how much you can you 158 00:08:33,516 --> 00:08:36,956 Speaker 2: can accept as a payment, or even say this is 159 00:08:36,956 --> 00:08:40,516 Speaker 2: what you can or cannot hack this company. So they're 160 00:08:40,876 --> 00:08:42,476 Speaker 2: definitely in the leadership chair. 161 00:08:42,716 --> 00:08:44,876 Speaker 1: So I want to talk about how lockbit sort of 162 00:08:44,996 --> 00:08:47,676 Speaker 1: grows and makes a name for itself. And one of 163 00:08:47,676 --> 00:08:51,836 Speaker 1: the things that's really interesting is kind of how uninteresting 164 00:08:51,836 --> 00:08:54,396 Speaker 1: it is. It's like, oh, it's this international criminal gang 165 00:08:54,836 --> 00:08:57,876 Speaker 1: and they're acting like a boring software company, and it 166 00:08:57,996 --> 00:09:01,676 Speaker 1: seems like a key early moment for them as they're 167 00:09:01,676 --> 00:09:05,556 Speaker 1: trying to grow and differentiate themselves in the market. Is 168 00:09:05,596 --> 00:09:11,076 Speaker 1: this summer paper contest in to tell me about that? 169 00:09:12,196 --> 00:09:13,796 Speaker 3: Yeah, it's it's pretty crazy. 170 00:09:13,876 --> 00:09:17,196 Speaker 2: So on this long running forum that I mentioned earlier, 171 00:09:17,276 --> 00:09:20,996 Speaker 2: this Russian hacking forum, lockbit really wanted to to get 172 00:09:21,036 --> 00:09:24,476 Speaker 2: their brand out there. 
So what they did is they 173 00:09:24,756 --> 00:09:31,636 Speaker 2: sponsored this hacking paper contest, meaning hackers would submit these 174 00:09:31,676 --> 00:09:35,076 Speaker 2: papers on different ways to hack and lockbit they would 175 00:09:35,156 --> 00:09:37,956 Speaker 2: they would take part in this and they would help review. 176 00:09:38,276 --> 00:09:40,836 Speaker 2: And there was five winners and the I think I 177 00:09:40,876 --> 00:09:43,156 Speaker 2: don't remember what the what the what the I think 178 00:09:43,236 --> 00:09:45,236 Speaker 2: was five thousand dollars maybe. 179 00:09:45,076 --> 00:09:50,076 Speaker 1: Uh, you put a screenshot in your report. And what's 180 00:09:50,156 --> 00:09:54,636 Speaker 1: amazing is how banal. It looks it looks totally like 181 00:09:54,716 --> 00:09:59,756 Speaker 1: some college software contest or just some boring enterprise software company. 182 00:09:59,796 --> 00:10:02,236 Speaker 1: Like there's this little kind of clip art of just 183 00:10:02,316 --> 00:10:04,956 Speaker 1: like a dude at a laptop with a little plant 184 00:10:04,996 --> 00:10:06,796 Speaker 1: next to him, although there is also a skull and 185 00:10:06,836 --> 00:10:09,756 Speaker 1: crossbones next to him. It's like, we're just coders, but we're bad. 186 00:10:10,996 --> 00:10:13,196 Speaker 1: And as you said, first place is five thousand dollars, 187 00:10:13,236 --> 00:10:16,396 Speaker 1: which seems like not that much. Right, they're exploiting that. 188 00:10:16,556 --> 00:10:19,636 Speaker 1: They're stealing tens of millions of dollars at this point, right. 
189 00:10:19,796 --> 00:10:22,836 Speaker 1: And then it says like accepted article topics, just like 190 00:10:22,876 --> 00:10:26,596 Speaker 1: it would in a college contest, but under accepted article topics, 191 00:10:26,596 --> 00:10:32,556 Speaker 1: it says hacks any methods for pouring shells, fixing, elevating rights, 192 00:10:32,676 --> 00:10:36,476 Speaker 1: your story is and tricks interesting hack stories. It's such 193 00:10:36,516 --> 00:10:41,556 Speaker 1: a fantastic combination of well banality and evil. 194 00:10:42,156 --> 00:10:42,956 Speaker 3: It is. 195 00:10:42,996 --> 00:10:45,156 Speaker 2: But here's what you have to think about. There's two 196 00:10:45,236 --> 00:10:48,076 Speaker 2: benefits for this. One what I mentioned, sort of getting 197 00:10:48,076 --> 00:10:50,836 Speaker 2: their name out and getting known with hackers. But two, 198 00:10:51,236 --> 00:10:54,476 Speaker 2: they're looking for those upcoming rising stars, if you. 199 00:10:54,556 --> 00:10:59,116 Speaker 1: Will, recruitment. It's talents, right, and yeah. 200 00:10:58,556 --> 00:11:01,276 Speaker 2: That's right, and that's why Lackbit was different than most 201 00:11:01,316 --> 00:11:03,636 Speaker 2: of these are the ransomware groups, because they approached it 202 00:11:03,436 --> 00:11:05,756 Speaker 2: is a business and they thought out of the box 203 00:11:06,276 --> 00:11:08,476 Speaker 2: and that's kind of what would set them ahead in 204 00:11:08,556 --> 00:11:11,076 Speaker 2: a part at the time from other ransomware groups. 205 00:11:11,196 --> 00:11:15,556 Speaker 1: So does it work this strategy? 206 00:11:16,036 --> 00:11:17,316 Speaker 3: It absolutely worked. 
207 00:11:17,756 --> 00:11:20,396 Speaker 2: I mean, there's a reason that people know their name 208 00:11:20,436 --> 00:11:22,116 Speaker 2: and know who they are, and there's a reason that 209 00:11:22,196 --> 00:11:24,996 Speaker 2: they have so many people that at the time in 210 00:11:24,996 --> 00:11:27,556 Speaker 2: a way really wanted to work for them over other groups. 211 00:11:28,756 --> 00:11:31,116 Speaker 2: It was propaganda and it worked. 212 00:11:31,876 --> 00:11:34,876 Speaker 1: And so it seems like by around twenty twenty one 213 00:11:36,116 --> 00:11:39,796 Speaker 1: they've hit the big time. And there's this one hack 214 00:11:39,836 --> 00:11:42,636 Speaker 1: in particular that you write about in the summer of 215 00:11:42,676 --> 00:11:47,316 Speaker 1: twenty one of Accenture, the big international consulting company. Tell 216 00:11:47,356 --> 00:11:48,596 Speaker 1: me about the Accenture hack. 217 00:11:49,836 --> 00:11:54,036 Speaker 2: So in the Accenture hack, you know, the affiliate had 218 00:11:54,076 --> 00:11:57,796 Speaker 2: gone in compromised them, they locked down their data, and 219 00:11:58,236 --> 00:12:01,476 Speaker 2: lock Bit, you know, put on their site that you 220 00:12:01,516 --> 00:12:04,196 Speaker 2: know they were a victim. Reporter started to report about it, 221 00:12:04,236 --> 00:12:06,716 Speaker 2: and you got a lot of buzz in the media. Now, 222 00:12:06,836 --> 00:12:11,156 Speaker 2: the problem with the Accenture hack is that Accenture denied 223 00:12:11,276 --> 00:12:15,396 Speaker 2: that the hack took place. Initially saying that it wasn't 224 00:12:15,436 --> 00:12:18,716 Speaker 2: real and it didn't happen. The issue with that is 225 00:12:18,916 --> 00:12:22,956 Speaker 2: their customer's data was on their website and you could 226 00:12:23,036 --> 00:12:25,276 Speaker 2: you could go see it and validate it and download 227 00:12:25,276 --> 00:12:26,036 Speaker 2: samples of it. 
228 00:12:26,276 --> 00:12:29,116 Speaker 1: The customer's data was on the lockbit website. 229 00:12:29,156 --> 00:12:29,796 Speaker 3: That's correct. 230 00:12:30,156 --> 00:12:32,556 Speaker 2: That's correct, and it was just a sampling, but you 231 00:12:32,596 --> 00:12:36,316 Speaker 2: could see this information and it looked quite authentic. 232 00:12:37,116 --> 00:12:42,196 Speaker 1: So so does this accenture hack sort of put Lockbit 233 00:12:42,316 --> 00:12:43,836 Speaker 1: on the map in a bigger way? 234 00:12:44,796 --> 00:12:50,196 Speaker 3: Oh? I mean the media surrounding that was was was 235 00:12:50,396 --> 00:12:50,836 Speaker 3: very loud. 236 00:12:50,836 --> 00:12:54,676 Speaker 2: I mean it was across many organizations. Lots of of 237 00:12:54,876 --> 00:13:00,236 Speaker 2: of well known journalists and organizations reported on it. All 238 00:13:00,316 --> 00:13:03,156 Speaker 2: this feeds into the propaganda. Now the journalist shouldn't report 239 00:13:03,196 --> 00:13:05,476 Speaker 2: on it. I'm just saying, you know, lockbit plays that 240 00:13:05,556 --> 00:13:07,636 Speaker 2: to benefit him as them as well. 241 00:13:07,716 --> 00:13:10,876 Speaker 1: Yeah, So basically the press coverage is good for lockbit 242 00:13:10,996 --> 00:13:14,196 Speaker 1: because hackers see it and go to lockbit and say, hey, 243 00:13:14,276 --> 00:13:16,076 Speaker 1: I want to be an affiliate and do some hacking. 244 00:13:16,236 --> 00:13:18,876 Speaker 2: Essentially, that's right, and to be fair, the same thing 245 00:13:18,916 --> 00:13:21,716 Speaker 2: from me from writing these reports. Yes, it helps researchers 246 00:13:21,796 --> 00:13:24,436 Speaker 2: law enforcement, but it also helps them that that's the 247 00:13:24,436 --> 00:13:26,316 Speaker 2: reason that they were friendly to me is because they 248 00:13:26,316 --> 00:13:28,836 Speaker 2: were fans of a lot. 
I have probably just as 249 00:13:28,836 --> 00:13:31,596 Speaker 2: many criminal hackers that are fans of the ransomware diaries 250 00:13:31,636 --> 00:13:35,676 Speaker 2: as there are researchers and you know, right, regular people 251 00:13:35,716 --> 00:13:36,476 Speaker 2: that are not criminals. 252 00:13:36,556 --> 00:13:42,356 Speaker 1: Well, I mean there's an ecosystem here, right, like the 253 00:13:42,356 --> 00:13:44,956 Speaker 1: the job. There's a universe of people whose job is 254 00:13:44,996 --> 00:13:48,516 Speaker 1: fighting criminals and a universe of people who are criminals 255 00:13:48,556 --> 00:13:51,676 Speaker 1: who are trying to evade being caught. Right, And that's right, 256 00:13:52,076 --> 00:13:54,836 Speaker 1: the kind of intellectual universe has got to be almost 257 00:13:54,996 --> 00:13:57,876 Speaker 1: entirely overlapping. Everybody's trying to figure out what everybody else 258 00:13:57,956 --> 00:14:00,756 Speaker 1: is doing. Everybody's sort of using the same tricks on 259 00:14:00,796 --> 00:14:04,596 Speaker 1: each other. It makes sense that the bad guys and 260 00:14:04,676 --> 00:14:06,316 Speaker 1: the good guys would be reading the same. 261 00:14:06,116 --> 00:14:08,156 Speaker 3: Stuff it does. 262 00:14:08,356 --> 00:14:11,156 Speaker 2: And you know that's really where that uh that that 263 00:14:11,156 --> 00:14:15,036 Speaker 2: that that human framework came in because his ego was 264 00:14:15,036 --> 00:14:17,476 Speaker 2: was the main thing I was able to play on 265 00:14:18,196 --> 00:14:21,236 Speaker 2: in order to get information. 
And even when there were 266 00:14:21,276 --> 00:14:23,236 Speaker 2: lies in that information, you know, I talked to the 267 00:14:23,236 --> 00:14:25,076 Speaker 2: people who work for them, So I would take those 268 00:14:25,156 --> 00:14:27,156 Speaker 2: lies and I would present them in a different way 269 00:14:27,316 --> 00:14:30,316 Speaker 2: to those people to get a response, and that would 270 00:14:30,356 --> 00:14:32,316 Speaker 2: help me to validate what's real and what's not. 271 00:14:32,596 --> 00:14:35,276 Speaker 1: Is there some specific example of playing on his ego, 272 00:14:35,436 --> 00:14:37,916 Speaker 1: something you said to flatter him or something. 273 00:14:38,756 --> 00:14:40,876 Speaker 2: Uh well, yeah, you know one of the one of 274 00:14:40,876 --> 00:14:43,796 Speaker 2: the things that that was big for him was, you know, 275 00:14:43,876 --> 00:14:46,516 Speaker 2: he wanted to be sort of the Darth Vader of 276 00:14:46,596 --> 00:14:49,716 Speaker 2: ransomware of my words, not his, but you know, he 277 00:14:49,716 --> 00:14:52,556 Speaker 2: he wanted to be this this top person. So you 278 00:14:52,556 --> 00:14:54,796 Speaker 2: know when you would talk about him changing the game 279 00:14:54,836 --> 00:14:58,756 Speaker 2: of ransomware and telling him, you know, you guys are 280 00:14:58,476 --> 00:15:00,756 Speaker 2: are are on top? You know, how did you get there? 281 00:15:00,796 --> 00:15:03,716 Speaker 2: How did you how did you get ahead of other 282 00:15:03,756 --> 00:15:08,756 Speaker 2: groups like like REvil and uh in in time, Black Matter, 283 00:15:09,276 --> 00:15:11,876 Speaker 2: in groups like that, And you know he loved that. 
284 00:15:11,956 --> 00:15:14,036 Speaker 2: You know, it would just that was a thing that 285 00:15:14,036 --> 00:15:17,436 Speaker 2: would get mister grumpy pants talking was sort of playing 286 00:15:17,436 --> 00:15:20,076 Speaker 2: on his ego, you know, asking questions about how he 287 00:15:20,156 --> 00:15:23,636 Speaker 2: got to be the top brand in ransomware and how 288 00:15:23,676 --> 00:15:25,036 Speaker 2: he's better than all the other ones. 289 00:15:25,236 --> 00:15:26,756 Speaker 3: And he fed right into that. 290 00:15:30,836 --> 00:15:33,716 Speaker 1: Coming up after the break, what happens when lockbit is 291 00:15:33,796 --> 00:15:48,236 Speaker 1: used to hack a hospital for children with cancer, So 292 00:15:48,436 --> 00:15:53,116 Speaker 1: kind of early twenty twenties Lockbit is king of the 293 00:15:53,196 --> 00:15:56,676 Speaker 1: ransomware world. And then it seems like in about twenty 294 00:15:56,756 --> 00:15:59,916 Speaker 1: twenty three they sort of start going too far or 295 00:15:59,956 --> 00:16:03,956 Speaker 1: their affiliates start going too far right, they start to 296 00:16:03,996 --> 00:16:09,476 Speaker 1: get into trouble, and it seems like the back of 297 00:16:10,236 --> 00:16:13,876 Speaker 1: hospital that is actually called Thick Kids, which is yeh, 298 00:16:14,316 --> 00:16:19,156 Speaker 1: a children's cancer hospital in Canada, is kind of a 299 00:16:19,196 --> 00:16:25,716 Speaker 1: turning point. And like I do wonder, like you could 300 00:16:25,756 --> 00:16:30,756 Speaker 1: hack anybody, why would you hack a cancer hospital for children? Like, 301 00:16:30,796 --> 00:16:33,596 Speaker 1: is it because you want to be as evil as possible? 
302 00:16:34,796 --> 00:16:37,836 Speaker 2: Yeah, it's because they see them as a as an 303 00:16:37,876 --> 00:16:41,116 Speaker 2: easy target because a hospital has to be available and 304 00:16:41,156 --> 00:16:48,516 Speaker 2: make their resources easily accessible by their patients, clients, medical organizations, 305 00:16:49,036 --> 00:16:52,796 Speaker 2: and inherently the more accessible something is less secure it is. 306 00:16:53,116 --> 00:16:55,156 Speaker 2: So it makes them an easy target. They have a 307 00:16:55,276 --> 00:16:59,196 Speaker 2: lot of money, and they're more likely to pay because 308 00:16:59,236 --> 00:17:01,836 Speaker 2: the data is so sensitive and the systems that are 309 00:17:01,916 --> 00:17:04,916 Speaker 2: encrypted are so critical that it makes them a ripe 310 00:17:04,956 --> 00:17:08,516 Speaker 2: target and that's the reason that they'll go after them. Initially, 311 00:17:09,996 --> 00:17:14,196 Speaker 2: the hospital was hacked, the systems were encrypted, data was stolen, 312 00:17:14,436 --> 00:17:16,996 Speaker 2: and they didn't they weren't going to let them out 313 00:17:17,036 --> 00:17:19,956 Speaker 2: of this. They were going to force them to pay 314 00:17:20,236 --> 00:17:22,156 Speaker 2: or they weren't going to give them the key to 315 00:17:22,196 --> 00:17:24,876 Speaker 2: decryptor systems, and didn't seem to care that these kids 316 00:17:24,876 --> 00:17:27,436 Speaker 2: couldn't get the care that they needed and the treatments 317 00:17:27,476 --> 00:17:30,996 Speaker 2: that they needed. 
The only reason so what ended up 318 00:17:30,996 --> 00:17:33,956 Speaker 2: happening was with all the media around it, it was 319 00:17:33,996 --> 00:17:37,276 Speaker 2: such a bad look for Lockbit that the leadership of 320 00:17:37,316 --> 00:17:41,396 Speaker 2: the group decided, after you know, about two weeks, they decided, Okay, 321 00:17:41,636 --> 00:17:43,356 Speaker 2: we're going to go ahead and we're going to give 322 00:17:43,396 --> 00:17:46,316 Speaker 2: them the cryption key, just because this was getting to 323 00:17:46,356 --> 00:17:49,196 Speaker 2: be too hot. And if you remember, like the whole 324 00:17:49,196 --> 00:17:52,556 Speaker 2: Colonial Pipeline thing with the Dark Side ransomware group, you 325 00:17:52,556 --> 00:17:55,396 Speaker 2: know that got that got so much attention that you know, 326 00:17:55,476 --> 00:17:58,156 Speaker 2: government agencies got involved and went after them, and when 327 00:17:58,156 --> 00:18:01,636 Speaker 2: that happens, it's very bad for ransomware groups. So they 328 00:18:02,116 --> 00:18:05,676 Speaker 2: essentially saw things could possibly go that direction with the 329 00:18:05,676 --> 00:18:08,356 Speaker 2: amount of bad publicity they were getting, and decided it 330 00:18:08,396 --> 00:18:10,596 Speaker 2: wasn't worth it the payment they were going to get, 331 00:18:10,676 --> 00:18:13,356 Speaker 2: and they went ahead and provided the hospital with the 332 00:18:14,036 --> 00:18:17,236 Speaker 2: decryption key so they could get those systems back online. 333 00:18:18,276 --> 00:18:22,516 Speaker 1: And and in fact, their concern about a backlash was justified. Right, 334 00:18:22,556 --> 00:18:27,116 Speaker 1: it seems like international governments, kind of led by the UK, 335 00:18:27,796 --> 00:18:32,436 Speaker 1: do start to go after Lockbit around this point. 
Right,
336 00:18:32,916 --> 00:18:35,316 Speaker 1: what do you do if you're a government and you
337 00:18:35,396 --> 00:18:37,956 Speaker 1: want to go after a Russian hacking gang?
338 00:18:39,556 --> 00:18:43,436 Speaker 2: Well, it's not easy. The things that you have to
339 00:18:43,476 --> 00:18:45,756 Speaker 2: do is you have to use resources that people like
340 00:18:45,836 --> 00:18:49,396 Speaker 2: me don't have available to try to figure out their
341 00:18:49,436 --> 00:18:53,876 Speaker 2: infrastructure, their hosting infrastructure, where their
342 00:18:53,916 --> 00:18:57,436 Speaker 2: servers live, and that is very difficult when
343 00:18:57,436 --> 00:18:59,636 Speaker 2: they're on the dark web.
344 00:18:59,636 --> 00:19:00,636 Speaker 3: It's hard to figure
345 00:19:00,356 --> 00:19:02,476 Speaker 1: that out because this is the cat and mouse thing.
346 00:19:02,516 --> 00:19:06,516 Speaker 1: They're like complicated, smart systems these people use to hide
347 00:19:06,996 --> 00:19:08,436 Speaker 1: their location, essentially.
348 00:19:08,756 --> 00:19:12,756 Speaker 2: That's right, and so that's one aspect, is trying
349 00:19:12,796 --> 00:19:14,556 Speaker 2: to figure out that infrastructure.
350 00:19:15,156 --> 00:19:16,236 Speaker 3: In some cases you
351 00:19:16,196 --> 00:19:18,116 Speaker 2: can use legal means to take it down, but with
352 00:19:18,196 --> 00:19:22,036 Speaker 2: groups like Lockbit, often they will use service providers that
353 00:19:22,076 --> 00:19:25,676 Speaker 2: are in countries that cater to criminal activity and won't
354 00:19:25,676 --> 00:19:29,156 Speaker 2: respond to subpoenas.
The other thing, though, that these
355 00:19:29,196 --> 00:19:32,316 Speaker 2: governments and law enforcement try to get into is the
356 00:19:32,316 --> 00:19:37,076 Speaker 2: infrastructure that is public, the panel that the bad guys
357 00:19:37,316 --> 00:19:41,396 Speaker 2: use to log into with the graphical interface to control
358 00:19:41,556 --> 00:19:44,556 Speaker 2: these attacks, and there's technical ways to do that, and
359 00:19:44,596 --> 00:19:47,036 Speaker 2: then there's also the ways of infiltrating the people who
360 00:19:47,076 --> 00:19:50,796 Speaker 2: work for the group to get their credentials and access.
361 00:19:50,516 --> 00:19:53,676 Speaker 1: So they're basically hacking the hackers. So
362 00:19:54,156 --> 00:20:00,516 Speaker 1: in February of twenty twenty four, this international coalition of
363 00:20:00,556 --> 00:20:05,276 Speaker 1: law enforcement agencies actually takes over Lockbit's sort of publicly
364 00:20:05,316 --> 00:20:08,996 Speaker 1: facing site, right, Lockbit's dark website. Tell me about that.
365 00:20:09,876 --> 00:20:12,636 Speaker 2: Yeah. So it was great. When you went to the
366 00:20:12,636 --> 00:20:16,356 Speaker 2: website that day, it was no longer Lockbit's data
367 00:20:16,436 --> 00:20:21,076 Speaker 2: leak site. Instead it was a mock site, so it
368 00:20:21,156 --> 00:20:26,196 Speaker 2: looked just like it, except instead of having real victims
369 00:20:26,236 --> 00:20:30,876 Speaker 2: within the site, the NCA put the criminals as the victims,
370 00:20:31,036 --> 00:20:34,516 Speaker 2: and they named affiliates as the victims, and they had
371 00:20:34,516 --> 00:20:37,476 Speaker 2: a countdown timer for LockbitSupp saying they
372 00:20:37,476 --> 00:20:39,156 Speaker 2: were going to release his identity.
373 00:20:39,556 --> 00:20:41,556 Speaker 1: And the countdown timer is the kind of thing that
374 00:20:41,556 --> 00:20:43,876 Speaker 1: the bad guys use when they hack a company,
375 00:20:43,916 --> 00:20:45,076 Speaker 1: saying we're gonna.
376 00:20:44,836 --> 00:20:47,516 Speaker 3: That's right, yeah, uh huh, yeah, that's what they do.
377 00:20:47,556 --> 00:20:50,716 Speaker 2: A countdown timer for traditional victims is how long
378 00:20:50,756 --> 00:20:53,196 Speaker 2: they have to pay before the data's leaked.
379 00:20:53,076 --> 00:20:58,036 Speaker 1: So in the same way that Lockbit was essentially marketing itself, now
380 00:20:58,076 --> 00:21:01,076 Speaker 1: the cops, now the law enforcement officials, are
381 00:21:01,236 --> 00:21:05,036 Speaker 1: doing that same kind of marketing. They're sort of
382 00:21:05,076 --> 00:21:09,116 Speaker 1: doing this kind of propagandistic thing to attract attention, presumably
383 00:21:09,436 --> 00:21:11,876 Speaker 1: to scare off all the affiliates. Like, why
384 00:21:11,916 --> 00:21:13,916 Speaker 1: would they be doing it in this showy way? Just
385 00:21:13,956 --> 00:21:15,356 Speaker 1: for attention, to get good press?
386 00:21:15,476 --> 00:21:18,956 Speaker 2: No, it was a psychological operation. So prior
387 00:21:18,996 --> 00:21:21,596 Speaker 2: to this, they never did this. The
388 00:21:21,916 --> 00:21:23,636 Speaker 2: way they took sites down was just to take it
389 00:21:23,636 --> 00:21:25,916 Speaker 2: down and put a message up saying law enforcement took
390 00:21:25,916 --> 00:21:29,756 Speaker 2: this down. This was psychological.
It was meant to put
391 00:21:29,796 --> 00:21:33,716 Speaker 2: stress on the people who worked for the organization and
392 00:21:33,796 --> 00:21:37,356 Speaker 2: make them concerned that they no longer had anonymity and that
393 00:21:37,436 --> 00:21:41,596 Speaker 2: their names and information were now being reviewed and revealed
394 00:21:41,596 --> 00:21:45,316 Speaker 2: by law enforcement. And the whole goal of this
395 00:21:45,316 --> 00:21:48,516 Speaker 2: was to affect the Lockbit brand and to make people
396 00:21:48,716 --> 00:21:50,196 Speaker 2: not trust Lockbit
397 00:21:49,956 --> 00:21:51,716 Speaker 3: or want to work for the organization.
398 00:21:52,476 --> 00:21:55,236 Speaker 2: So it was very planned, thought out, and methodical.
399 00:21:55,436 --> 00:21:58,476 Speaker 2: It wasn't just, you know, to get attention. It was
400 00:21:58,556 --> 00:22:02,636 Speaker 2: specifically to hurt that brand and make affiliates afraid to
401 00:22:02,716 --> 00:22:05,836 Speaker 2: work for them. And in addition to that mock website,
402 00:22:05,916 --> 00:22:08,156 Speaker 2: on the back end, that panel that I was mentioning,
403 00:22:08,156 --> 00:22:11,236 Speaker 2: that admin panel that they would use, now when that
404 00:22:11,316 --> 00:22:14,156 Speaker 2: took place, when the takedown took place, when the affiliates
405 00:22:14,156 --> 00:22:17,276 Speaker 2: logged into that panel, they had tailored messages with their
406 00:22:17,396 --> 00:22:21,476 Speaker 2: username by law enforcement saying, hey, you're logging into the panel.
407 00:22:21,636 --> 00:22:22,516 Speaker 3: We know who you are.
408 00:22:22,676 --> 00:22:25,556 Speaker 2: We've been monitoring the activity you've been doing. We've got
409 00:22:25,596 --> 00:22:27,636 Speaker 2: your wallets. We're going to be coming to talk to
410 00:22:27,716 --> 00:22:32,756 Speaker 2: you soon. So it was very detrimental to criminals.
411 00:22:33,076 --> 00:22:35,516 Speaker 2: That was a brilliant operation, in my opinion.
412 00:22:35,876 --> 00:22:38,236 Speaker 1: And you mentioned that they had a countdown timer for
413 00:22:38,356 --> 00:22:41,396 Speaker 1: when they were going to reveal the name of LockbitSupp,
414 00:22:41,516 --> 00:22:44,716 Speaker 1: the person. Oh, that you said, there's people, but
415 00:22:44,716 --> 00:22:48,156 Speaker 1: at least one of the people behind this, behind Lockbit,
416 00:22:48,236 --> 00:22:50,156 Speaker 1: one of the key Lockbit players. Did they in fact
417 00:22:50,236 --> 00:22:51,516 Speaker 1: reveal the name of that person?
418 00:22:52,676 --> 00:22:55,156 Speaker 2: They didn't when the countdown timer expired. When
419 00:22:55,516 --> 00:22:57,636 Speaker 2: they did that, at that time they didn't, but there's
420 00:22:57,636 --> 00:22:59,596 Speaker 2: a reason that they didn't. But they did not do
421 00:22:59,716 --> 00:23:03,276 Speaker 2: that in February. The reason that they didn't is because
422 00:23:03,516 --> 00:23:06,916 Speaker 2: Lockbit agreed to tell them information about some of his
423 00:23:07,116 --> 00:23:09,836 Speaker 2: adversarial groups. There was a group called Black who he
424 00:23:09,876 --> 00:23:11,836 Speaker 2: didn't like, and he agreed to try and
425 00:23:11,836 --> 00:23:12,756 Speaker 2: give them information.
426 00:23:13,076 --> 00:23:15,276 Speaker 1: So they used the threat of naming him as
427 00:23:15,356 --> 00:23:22,476 Speaker 1: leverage to get him to flip, basically. That's correct. Do
428 00:23:22,556 --> 00:23:24,956 Speaker 1: we know who he is now? Was he ever named?
429 00:23:25,996 --> 00:23:26,676 Speaker 3: Yeah, it was.
430 00:23:27,356 --> 00:23:30,476 Speaker 2: It was several months later. The site came back online,
431 00:23:31,716 --> 00:23:34,716 Speaker 2: meaning the law enforcement version of the site came back online.
432 00:23:34,916 --> 00:23:37,876 Speaker 2: There was a new timer, and once again they said
433 00:23:37,876 --> 00:23:41,316 Speaker 2: they were going to reveal Lockbit's name, and the timer
434 00:23:41,356 --> 00:23:44,636 Speaker 2: began again, and on May seventh, when that timer expired,
435 00:23:44,756 --> 00:23:48,916 Speaker 2: they did. They released his name and his picture, Dmitry Khoroshev.
436 00:23:50,116 --> 00:23:53,556 Speaker 2: They put that out there, indicted him, wanted posters, the
437 00:23:53,556 --> 00:23:54,396 Speaker 2: whole nine yards.
438 00:23:54,916 --> 00:23:55,956 Speaker 1: Is that grumpy pants?
439 00:23:56,636 --> 00:23:59,436 Speaker 3: That's, well, my opinion.
440 00:23:59,996 --> 00:24:03,676 Speaker 2: My opinion is that that was the younger person and
441 00:24:03,796 --> 00:24:05,996 Speaker 2: the other guy's still out there, but I think law
442 00:24:06,036 --> 00:24:08,716 Speaker 2: enforcement might tell you otherwise, though they do agree with
443 00:24:08,756 --> 00:24:09,676 Speaker 2: me that there's two people.
444 00:24:09,916 --> 00:24:13,036 Speaker 1: So he's been indicted but not arrested. Is that what
445 00:24:13,076 --> 00:24:13,556 Speaker 1: you're saying?
446 00:24:13,756 --> 00:24:17,276 Speaker 2: That's correct, because he's in Russia and there's protections there.
447 00:24:17,956 --> 00:24:21,396 Speaker 2: Law enforcement just can't get their hands on him. Unfortunately,
448 00:24:21,436 --> 00:24:25,076 Speaker 2: the criminals are protected when they're in Russia.
449 00:24:24,756 --> 00:24:27,436 Speaker 1: So is that the end of Lockbit?
450 00:24:28,676 --> 00:24:32,036 Speaker 2: It's not. You would think it is, but almost
451 00:24:32,116 --> 00:24:34,796 Speaker 2: every other group that this has happened to, that's the
452 00:24:34,876 --> 00:24:37,196 Speaker 2: end of the story, or at least it causes them
453 00:24:37,196 --> 00:24:39,876 Speaker 2: to take that operation down and they have to start
454 00:24:39,916 --> 00:24:43,236 Speaker 2: from scratch somewhere else with a new operation, with a
455 00:24:43,276 --> 00:24:46,276 Speaker 2: new name and a new brand. But Lockbit worked so
456 00:24:46,356 --> 00:24:49,676 Speaker 2: hard on that brand. I don't think he'll ever take
457 00:24:49,716 --> 00:24:53,676 Speaker 2: it away until they actually arrest everybody. But no,
458 00:24:53,916 --> 00:24:58,716 Speaker 2: they continued, but they continued at a much lower level.
459 00:24:58,796 --> 00:25:01,956 Speaker 2: They didn't have the quality of hackers still working for them.
460 00:25:02,596 --> 00:25:05,916 Speaker 2: They started having to lie about attacks to try and
461 00:25:05,956 --> 00:25:08,156 Speaker 2: stack the numbers and things of that nature.
462 00:25:08,516 --> 00:25:10,876 Speaker 1: Do you think the law enforcement officials' campaign, the whole thing
463 00:25:10,916 --> 00:25:13,236 Speaker 1: of like naming the people and doing all the stunts
464 00:25:13,276 --> 00:25:15,196 Speaker 1: on the website, you think that worked? You think it
465 00:25:15,236 --> 00:25:17,716 Speaker 1: was sort of like Lockbit rose on marketing and in
466 00:25:17,716 --> 00:25:20,316 Speaker 1: a way fell on the marketing of the governments?
467 00:25:20,436 --> 00:25:23,676 Speaker 2: Yeah, well, was it one hundred percent effective? No, but
468 00:25:23,876 --> 00:25:26,516 Speaker 2: it was about eighty percent effective.
And prior to this,
469 00:25:26,716 --> 00:25:28,716 Speaker 2: I would say that most of those operations were like
470 00:25:28,796 --> 00:25:31,676 Speaker 2: forty percent effective. And what I mean by that is
471 00:25:32,196 --> 00:25:37,356 Speaker 2: this actually affected the brand, where people, the quality hackers,
472 00:25:37,396 --> 00:25:40,756 Speaker 2: the quality affiliates, why would they work for this organization
473 00:25:40,876 --> 00:25:43,196 Speaker 2: with all this heat, where they can't trust that they're
474 00:25:43,196 --> 00:25:45,476 Speaker 2: going to be protected, when they can go work for
475 00:25:45,516 --> 00:25:46,916 Speaker 2: some other premier organization?
476 00:25:46,716 --> 00:25:50,036 Speaker 1: Like any software company, their biggest problem is finding and
477 00:25:50,116 --> 00:25:50,996 Speaker 1: keeping good people.
478 00:25:51,716 --> 00:25:53,476 Speaker 3: That's right. That's exactly right.
479 00:25:54,316 --> 00:25:56,076 Speaker 1: And by good people, I guess in this case, it
480 00:25:56,116 --> 00:26:00,236 Speaker 1: means bad people, right. So okay, so this is a
481 00:26:00,316 --> 00:26:03,276 Speaker 1: year ago, basically. This is early twenty twenty four. Lockbit
482 00:26:03,316 --> 00:26:07,716 Speaker 1: gets mostly taken down, not knocked out, but at least knocked down.
483 00:26:09,116 --> 00:26:11,156 Speaker 1: Where are we today? Like, what is the state of
484 00:26:11,196 --> 00:26:12,396 Speaker 1: the ransomware industry?
485 00:26:12,876 --> 00:26:16,956 Speaker 2: So it's changed a bit. I would say you have
486 00:26:16,996 --> 00:26:20,116 Speaker 2: more groups, but you don't have sort of these, you
487 00:26:20,156 --> 00:26:25,636 Speaker 2: don't have as many big organizations that sort of hold
488 00:26:25,996 --> 00:26:30,676 Speaker 2: the majority of attacks.
You have smaller to medium
489 00:26:30,716 --> 00:26:34,116 Speaker 2: sized groups that work more under the radar, meaning they're
490 00:26:34,156 --> 00:26:37,036 Speaker 2: not doing the same volume of attacks. They're also not
491 00:26:37,156 --> 00:26:41,036 Speaker 2: getting the same amount of money in ransom extortions as
492 00:26:41,076 --> 00:26:45,596 Speaker 2: they did before. But they're still out there. They're just
493 00:26:45,756 --> 00:26:47,956 Speaker 2: doing it; the model just changed a little bit.
494 00:26:48,036 --> 00:26:51,396 Speaker 1: And so is part of the idea that, oh, maybe
495 00:26:51,436 --> 00:26:53,716 Speaker 1: trying to have a big name and be like a
496 00:26:53,756 --> 00:26:57,836 Speaker 1: famous criminal gang is not a good long term strategy?
497 00:26:58,116 --> 00:26:59,676 Speaker 3: That's exactly correct.
498 00:26:59,996 --> 00:27:02,316 Speaker 2: I think that this is what really made them realize
499 00:27:02,316 --> 00:27:05,556 Speaker 2: that people are sort of lower on the radar, just
500 00:27:05,596 --> 00:27:08,516 Speaker 2: trying to get money and extort, but not necessarily have
501 00:27:08,596 --> 00:27:10,276 Speaker 2: this voice that's heard across the world.
502 00:27:10,796 --> 00:27:14,116 Speaker 1: What's, like, what's the big lesson to you from the
503 00:27:14,116 --> 00:27:14,956 Speaker 1: Lockbit story?
504 00:27:16,476 --> 00:27:21,436 Speaker 2: The big lesson there is being boisterous, having this ego,
505 00:27:21,756 --> 00:27:27,276 Speaker 2: is actually a downfall. Being loud, getting publicity, getting your
506 00:27:27,356 --> 00:27:29,876 Speaker 2: name out there, well, that might help attract people to
507 00:27:29,876 --> 00:27:32,836 Speaker 2: come work for you.
There's the opposite side of that,
508 00:27:32,876 --> 00:27:35,716 Speaker 2: where it also attracts a lot of attention from law enforcement,
509 00:27:35,796 --> 00:27:38,276 Speaker 2: and if you're a criminal group, that's not a good thing.
510 00:27:38,436 --> 00:27:41,916 Speaker 2: And I think bad guys have figured that out,
511 00:27:42,436 --> 00:27:45,756 Speaker 2: mainly from twenty twenty four with both the BlackCat
512 00:27:45,836 --> 00:27:49,076 Speaker 2: ransomware group and with Lockbit. Those were your prominent players,
513 00:27:49,556 --> 00:27:52,756 Speaker 2: and those guys both got decimated by law enforcement, and
514 00:27:52,796 --> 00:27:55,636 Speaker 2: that happened because of the attention that they drew to themselves.
515 00:27:55,756 --> 00:27:59,436 Speaker 2: So I think that's the lesson that adversaries have learned,
516 00:27:59,556 --> 00:28:02,316 Speaker 2: is you have to be quieter about what you do.
517 00:28:05,356 --> 00:28:16,956 Speaker 1: Lively. Back in a minute with the lightning round. Let's
518 00:28:17,116 --> 00:28:19,876 Speaker 1: finish with the lightning round. It's gonna be a little
519 00:28:19,916 --> 00:28:24,796 Speaker 1: more random and a little more about you. Okay, what's
520 00:28:24,836 --> 00:28:26,996 Speaker 1: one thing you learned when you hacked into the Pentagon
521 00:28:27,116 --> 00:28:30,236 Speaker 1: as a fifteen year old boy?
522 00:28:31,316 --> 00:28:34,156 Speaker 2: Oh man. That's the reason that when I talk to
523 00:28:34,196 --> 00:28:36,676 Speaker 2: these criminals, I sometimes have empathy, to want to
524 00:28:36,676 --> 00:28:39,836 Speaker 2: help them change what they're doing, because I got
525 00:28:39,876 --> 00:28:43,116 Speaker 2: a second chance, and I remember that fear, and I
526 00:28:43,236 --> 00:28:45,676 Speaker 2: want to try to help some of these young kids
527 00:28:45,716 --> 00:28:48,516 Speaker 2: to change what they're doing and not continue down this road.
528 00:28:48,596 --> 00:28:51,156 Speaker 1: What actually happened there? What was it that happened?
529 00:28:51,276 --> 00:28:55,076 Speaker 2: Yeah. So my stepfather worked for Colin Powell during the
530 00:28:55,356 --> 00:28:57,836 Speaker 2: Iraq War. He was at the Pentagon and he had
531 00:28:57,836 --> 00:29:00,876 Speaker 2: a classified system in our basement, and I had a
532 00:29:00,876 --> 00:29:04,036 Speaker 2: friend over and I was really into computers and hacking,
533 00:29:04,116 --> 00:29:06,876 Speaker 2: figuring things out. And I didn't do anything elaborate. I
534 00:29:06,916 --> 00:29:08,836 Speaker 2: just figured out his credentials and I logged in and
535 00:29:08,876 --> 00:29:12,756 Speaker 2: was just looking around. Nothing elaborate, but enough that it
536 00:29:12,876 --> 00:29:17,236 Speaker 2: got attention and bad things happened, and the FBI showed
537 00:29:16,996 --> 00:29:17,356 Speaker 3: up and things.
538 00:29:17,476 --> 00:29:18,996 Speaker 1: The FBI showed up at your house.
539 00:29:19,716 --> 00:29:21,596 Speaker 3: Yeah, they did. It was not a good
540 00:29:21,636 --> 00:29:22,076 Speaker 3: day for me.
541 00:29:24,276 --> 00:29:26,956 Speaker 1: I'm glad it worked out in the end. It did.
542 00:29:27,156 --> 00:29:27,516 Speaker 3: It did.
543 00:29:28,236 --> 00:29:30,316 Speaker 2: It only worked out, though, because of who he worked for,
544 00:29:30,396 --> 00:29:32,436 Speaker 2: my stepfather, and the connections that he had, and the
545 00:29:32,436 --> 00:29:35,156 Speaker 2: fact that I had no prior record. That's the reason
546 00:29:35,196 --> 00:29:36,956 Speaker 2: that it worked. And I had a summer where I
547 00:29:36,996 --> 00:29:39,636 Speaker 2: had to go work at Fort Belvoir doing community service,
548 00:29:39,836 --> 00:29:41,516 Speaker 2: but I just did such a good job they wanted
549 00:29:41,516 --> 00:29:44,676 Speaker 2: to hire me to work there. So it was definitely
550 00:29:44,716 --> 00:29:46,876 Speaker 2: a life changing experience. And then I joined the Army
551 00:29:46,916 --> 00:29:50,876 Speaker 2: and became a military police officer. So that was my story.
552 00:29:50,956 --> 00:29:51,996 Speaker 2: But it worked out well for him.
553 00:29:52,036 --> 00:29:56,276 Speaker 1: So I understand that when you were a military police officer,
554 00:29:56,676 --> 00:30:00,556 Speaker 1: you did undercover drug buys. I did. What's something you
555 00:30:00,636 --> 00:30:04,356 Speaker 1: learned doing undercover drug buys as a military police officer?
556 00:30:04,956 --> 00:30:07,116 Speaker 2: What I learned is it's not black and white. It's
557 00:30:07,156 --> 00:30:09,116 Speaker 2: not just you're a bad guy or a good guy.
558 00:30:09,476 --> 00:30:11,876 Speaker 2: They're still human beings.
559 00:30:12,436 --> 00:30:15,156 Speaker 1: What's one thing you learned pushing carts at Home Depot?
560 00:30:17,476 --> 00:30:19,236 Speaker 2: That you should never have an ego, because I did
561 00:30:19,276 --> 00:30:21,236 Speaker 2: all that crazy work and I got out and I
562 00:30:21,276 --> 00:30:23,996 Speaker 2: could not get a job in law enforcement because of
563 00:30:24,036 --> 00:30:27,996 Speaker 2: my tattoos.
At the time, you couldn't have visible tattoos,
564 00:30:28,036 --> 00:30:30,836 Speaker 2: at least in Virginia. Tried to join the FBI, but because
565 00:30:30,836 --> 00:30:32,916 Speaker 2: I smoked weed in high school, at the time they
566 00:30:32,916 --> 00:30:33,716 Speaker 2: had a zero tolerance.
567 00:30:33,716 --> 00:30:36,116 Speaker 3: I couldn't get into that. I couldn't get
568 00:30:36,036 --> 00:30:38,356 Speaker 2: a job, and I had to start at the very bottom.
569 00:30:38,956 --> 00:30:40,916 Speaker 2: I'm working retail. I'm not even in the store.
570 00:30:40,956 --> 00:30:44,156 Speaker 2: I'm in the parking lot, you know. I
571 00:30:44,236 --> 00:30:45,916 Speaker 2: was living out of my truck for a couple of weeks,
572 00:30:45,916 --> 00:30:48,236 Speaker 2: and then I rented a room at a house. That house,
573 00:30:48,316 --> 00:30:49,036 Speaker 2: they were selling
574 00:30:48,876 --> 00:30:49,716 Speaker 3: drugs out of the house.
575 00:30:49,796 --> 00:30:52,356 Speaker 2: The cops raided it, arrested everybody but me, but I
576 00:30:52,356 --> 00:30:54,316 Speaker 2: couldn't even get in the house to get my stuff.
577 00:30:54,396 --> 00:30:56,116 Speaker 3: I mean, it was a tough time in my life.
578 00:30:58,076 --> 00:31:00,316 Speaker 1: I'm going to change gears to talk about something much
579 00:31:00,356 --> 00:31:05,516 Speaker 1: more pedestrian. Now, what's your favorite depiction of hacking in
580 00:31:05,556 --> 00:31:09,116 Speaker 1: a work of fiction?
581 00:31:09,556 --> 00:31:15,516 Speaker 2: Cory, uh, there's an author, Cory Doctorow, brilliant guy. He's
582 00:31:15,516 --> 00:31:19,916 Speaker 2: one of my favorite authors, and he does hacker fiction,
583 00:31:20,036 --> 00:31:24,156 Speaker 2: if you will, and he's got probably twenty books now,
584 00:31:24,316 --> 00:31:28,076 Speaker 2: but they're phenomenal, especially the Homeland series.
That's one
585 00:31:28,076 --> 00:31:28,556 Speaker 2: of my favorites.
586 00:31:28,556 --> 00:31:32,796 Speaker 1: Okay, Homeland series. Who's your favorite cyber criminal in real life?
587 00:31:36,676 --> 00:31:39,756 Speaker 2: I would probably say the hacker known as
588 00:31:39,876 --> 00:31:43,276 Speaker 2: USDoD. He is a hacker who's
589 00:31:43,316 --> 00:31:46,716 Speaker 2: not Russian. Uh, he lives in Brazil. I became very
590 00:31:46,716 --> 00:31:51,156 Speaker 2: good friends with him. I've never written about him. He
591 00:31:51,276 --> 00:31:54,396 Speaker 2: wasn't a target of mine. He helped me, actually, when
592 00:31:54,476 --> 00:31:57,796 Speaker 2: I was going after RansomedVC, and he gave me
593 00:31:57,836 --> 00:31:59,956 Speaker 2: a lot of good inside information, and we just became
594 00:32:00,036 --> 00:32:03,836 Speaker 2: friends for a long time and we talked, and he
595 00:32:03,916 --> 00:32:06,116 Speaker 2: was somebody who I really had wanted to help. He's
596 00:32:06,156 --> 00:32:07,916 Speaker 2: in jail now, so you can figure out if I
597 00:32:07,956 --> 00:32:08,916 Speaker 2: was able to help him or not.
598 00:32:10,316 --> 00:32:13,716 Speaker 1: Why? Why him? What was that relationship?
599 00:32:15,756 --> 00:32:20,036 Speaker 2: You know, he had issues like everybody, but, you know,
600 00:32:20,236 --> 00:32:22,636 Speaker 2: he had a good side to him.
601 00:32:22,956 --> 00:32:24,516 Speaker 2: There was a side to him. He was a decent
602 00:32:24,556 --> 00:32:29,916 Speaker 2: person, and I really thought, if he hadn't become a criminal,
603 00:32:29,996 --> 00:32:32,276 Speaker 2: he's somebody that would have been in the cybersecurity field.
604 00:32:33,316 --> 00:32:37,436 Speaker 2: He did have empathy for people.
He hated law enforcement
605 00:32:37,516 --> 00:32:39,836 Speaker 2: and the government, but he did have empathy for people,
606 00:32:40,516 --> 00:32:42,276 Speaker 2: and he was somebody who I could talk to and
607 00:32:42,596 --> 00:32:44,996 Speaker 2: actually feel like I could make a
608 00:32:44,996 --> 00:32:46,836 Speaker 2: difference with the conversations that we had.
609 00:32:53,156 --> 00:32:56,796 Speaker 1: John DiMaggio is the chief security strategist at Analyst1.
610 00:32:57,636 --> 00:33:00,676 Speaker 1: Today's show was produced by Gabriel Hunter Chang. It was
611 00:33:00,876 --> 00:33:03,676 Speaker 1: edited by Lydia Jean Kott and engineered
612 00:33:03,156 --> 00:33:03,996 Speaker 3: by Sarah Bruguiere.
613 00:33:04,596 --> 00:33:07,156 Speaker 1: I'm Jacob Goldstein and we'll be back later this week
614 00:33:07,196 --> 00:33:15,436 Speaker 1: with another episode of What's Your Problem.