WEBVTT - Infiltrating an International Ransomware Gang 0:00:15.356 --> 0:00:22.596 Pushkin. Just a quick note, this is a bonus episode 0:00:22.596 --> 0:00:26.476 of What's Your Problem, and it's sponsored by Microsoft. John 0:00:26.516 --> 0:00:30.756 Demaggio studies cybercrime for a living. It's his job. But 0:00:30.956 --> 0:00:34.636 when he wanted to understand an international cybercrime gang called 0:00:34.676 --> 0:00:38.036 lock Bit, he realized he couldn't learn everything he wanted 0:00:38.036 --> 0:00:40.516 to know from the outside, so he started trying to 0:00:40.516 --> 0:00:42.796 figure out how to get people on the inside to 0:00:42.876 --> 0:00:44.036 tell him what he needed to know. 0:00:44.236 --> 0:00:46.796 So I spent a lot of time studying going back 0:00:46.836 --> 0:00:50.956 to World War Two when they started having all these 0:00:50.996 --> 0:00:54.316 documents about how to use the human trade craft to 0:00:55.156 --> 0:00:58.236 sort of recruit and convince people to do things that 0:00:58.276 --> 0:01:02.076 they don't necessarily know that they're doing to support your cause. 0:01:02.356 --> 0:01:04.316 So were you telling me you started studying sort of 0:01:04.636 --> 0:01:06.636 World War two era spycraft. 0:01:07.276 --> 0:01:08.276 Yes, that's correct. 0:01:08.396 --> 0:01:11.476 What's something you learn from World War two era spycraft 0:01:11.556 --> 0:01:15.236 that helped you weasel your way into a ransomware gang? 0:01:15.596 --> 0:01:20.876 Everything from their ego to understanding who their adversary is 0:01:21.556 --> 0:01:25.156 and making them feel that being friends with you will 0:01:25.196 --> 0:01:29.036 benefit them because you have a common enemy, or even 0:01:29.196 --> 0:01:33.996 even being adversarial towards them and saying certain things just 0:01:34.036 --> 0:01:37.196 to see what the reaction is to sometimes understand the truth. 0:01:37.676 --> 0:01:38.796 There's also the sort. 0:01:38.596 --> 0:01:40.476 Of the plan and prepare phase where you have to 0:01:40.476 --> 0:01:43.476 go and sort of stalk them and understand who their 0:01:43.516 --> 0:01:46.476 contacts are, who their friends are, who their enemies are, 0:01:46.876 --> 0:01:49.276 where they hang out online, all of that stuff. 0:01:49.556 --> 0:01:54.996 So you have this set of strategic ideas in your mind, 0:01:56.396 --> 0:01:57.356 what do you actually do? 0:01:59.356 --> 0:01:59.996 So what I did. 0:02:00.116 --> 0:02:01.836 The first thing I did is I needed to figure 0:02:01.836 --> 0:02:05.756 out sort of their digital fingerprint, so I profiled them. 0:02:05.916 --> 0:02:09.556 I began looking across the dark web. Obviously started with 0:02:09.596 --> 0:02:12.396 the easy One, their data leak site, their own infrastructure, 0:02:13.236 --> 0:02:15.516 and I went from there and I eventually found the 0:02:15.556 --> 0:02:18.756 forums that they live on. And there's some very prominent 0:02:18.876 --> 0:02:21.756 Russian hacking forums that have been around for about twenty years, 0:02:21.876 --> 0:02:24.996 so it made sense to start there. And sure enough, 0:02:25.076 --> 0:02:28.836 they were very prevalent on that website. They were very 0:02:28.836 --> 0:02:32.716 involved with conversations, They have friends, their enemies, and they 0:02:32.716 --> 0:02:35.396 do their business. So they actually would go there just 0:02:35.436 --> 0:02:38.236 to talk and sort of hang out with their buddies. 0:02:38.276 --> 0:02:40.676 And the drama, it was like it was like a 0:02:40.716 --> 0:02:43.196 soap opera. The drama these guys would getting these big 0:02:43.316 --> 0:02:47.196 arguments are the stupidest things. I just started profiling and 0:02:47.316 --> 0:02:50.476 visually mapping out who is who, who they were talking to, 0:02:50.636 --> 0:02:54.356 what those other people's roles were. Again, then I would 0:02:54.356 --> 0:02:55.796 find the ones who are their friends, and I would 0:02:55.836 --> 0:02:59.676 try to approach them and the people who worked for them. 0:02:59.876 --> 0:03:01.396 And did it work. 0:03:02.396 --> 0:03:04.396 It did well, It sort of worked. 0:03:10.436 --> 0:03:13.276 I'm Jacob Goldstein, and this is what's your problem. My 0:03:13.356 --> 0:03:17.196 guest today is John DiMaggio. John is the chief security 0:03:17.236 --> 0:03:20.676 strategist at a company called Analyst One, and I wanted 0:03:20.676 --> 0:03:24.676 to talk with John about Lockbit, this ransomware gang that 0:03:24.836 --> 0:03:28.196 was behind attacks that extorted over one hundred million dollars 0:03:28.236 --> 0:03:31.116 from companies around the world. John wrote this sort of 0:03:31.516 --> 0:03:34.996 book length series of online posts about Lockbit. It was 0:03:35.036 --> 0:03:38.876 part of a thing John called the Ransomware Diaries. The 0:03:38.916 --> 0:03:42.756 story of Lockbit is a great window into the ransomware industry, 0:03:43.236 --> 0:03:46.396 and it is an industry with a lot of remarkable 0:03:46.396 --> 0:03:51.116 similarities to ordinary non criminal industries. Lockbitch tried to brand itself, 0:03:51.156 --> 0:03:54.276 It tried to attract talent and notch keywins, just like 0:03:54.476 --> 0:03:57.916 any software company. But then there's also the part that 0:03:58.036 --> 0:04:01.756 is not like any software company. There is the crime part, 0:04:02.196 --> 0:04:04.516 and it was the crime part where Lockbit went too 0:04:04.636 --> 0:04:07.596 far and wound up drawing the ire of international law 0:04:07.636 --> 0:04:10.916 enforcement agencies that in fact have their own set of 0:04:10.956 --> 0:04:14.916 innovative strategies. And John watched all this happen up close. 0:04:15.236 --> 0:04:17.356 He told me his key contact on the inside had 0:04:17.356 --> 0:04:21.276 the user name lock bits up, short for Lockbit Support. 0:04:21.796 --> 0:04:24.236 I didn't know it at the time when I first 0:04:24.236 --> 0:04:26.636 started talking to them, but what I found out as 0:04:26.636 --> 0:04:29.436 I began to talk more is there were two personalities 0:04:29.476 --> 0:04:30.316 behind the account. 0:04:30.596 --> 0:04:31.876 One seemed to be much. 0:04:31.756 --> 0:04:35.756 Younger, friendlier, more in tune with sort of pop culture, 0:04:36.196 --> 0:04:39.876 and the other one, who I gave a name mister 0:04:39.916 --> 0:04:43.836 grumpy Pants, because he was all business, always serious, and 0:04:43.876 --> 0:04:45.356 that was kind of how I differentiated. 0:04:45.596 --> 0:04:49.836 Tell me about the sort of conversations you had with 0:04:49.916 --> 0:04:53.036 lockbits up, like, what was the nature of those exchanges. 0:04:53.876 --> 0:04:55.076 Well, so you have. 0:04:54.996 --> 0:04:57.356 To understand that when I did the initial part that 0:04:57.436 --> 0:04:59.476 was sort of cover pretending to be somebody else. I 0:04:59.476 --> 0:05:02.436 only got so far with that, and after I wrote 0:05:02.436 --> 0:05:05.316 The Ransomware Diaries Volume one, they knew who I was. 0:05:05.836 --> 0:05:08.196 The farthest I got was talking to them is myself, 0:05:08.396 --> 0:05:11.636 and they you know, it was just I started with with, Hey, 0:05:11.676 --> 0:05:13.636 do you guys know who I am? I want to 0:05:13.636 --> 0:05:16.116 have a conversation with you, And they were, you know, 0:05:16.196 --> 0:05:20.116 said to me, yeah, your favorite researcher. We love you, okay, 0:05:20.356 --> 0:05:22.356 And they were very willing to talk, which is why 0:05:22.396 --> 0:05:24.636 I got so much farther talking to them as myself 0:05:24.796 --> 0:05:26.516 as I did pretending to be a hacker. 0:05:26.596 --> 0:05:30.636 Uh Huh. What's the thing you learned from lock bits up? 0:05:30.756 --> 0:05:33.556 What's a what's a What's one detail of your understanding 0:05:33.556 --> 0:05:35.356 that was improved by that relationship? 0:05:36.596 --> 0:05:38.676 Well, there were a lot of things, but one of 0:05:38.716 --> 0:05:41.916 the key things I had learned was information about uh. 0:05:42.636 --> 0:05:46.236 They prob internal problems that they had with affiliates. For example, 0:05:46.596 --> 0:05:49.516 they complained that they've got really good hackers, but some 0:05:49.556 --> 0:05:52.676 of these hackers are younger kids, and they're good at hacking, 0:05:52.716 --> 0:05:56.036 but they're really bad at negotiating, uh, And he was. 0:05:56.116 --> 0:05:58.676 They were unhappy about the amount of money coming in, 0:05:59.636 --> 0:06:01.716 so they talked about that and coming up with a 0:06:01.876 --> 0:06:04.356 with a model of how much they would accept, and 0:06:04.436 --> 0:06:07.476 they created sort of a formula per company, and so 0:06:07.836 --> 0:06:10.556 just things like that, things around tech resources. They asked 0:06:10.596 --> 0:06:13.036 me one time if I would buy them. They couldn't 0:06:13.076 --> 0:06:15.556 get a they they couldn't get a Domain tools account, 0:06:15.596 --> 0:06:17.276 and they wanted to know because they couldn't pay for 0:06:17.276 --> 0:06:18.676 it with crypto, they want to know if I would 0:06:18.676 --> 0:06:20.956 buy it for them, which, of course they're playing with me, 0:06:21.196 --> 0:06:23.036 you know. And it was sort of a cat and 0:06:23.076 --> 0:06:26.316 mouse fun relationship for a while of going back and forth. 0:06:26.396 --> 0:06:31.196 So it was friendly for most of our relationship until 0:06:31.196 --> 0:06:31.676 it wasn't. 0:06:31.836 --> 0:06:34.076 So okay, So you're in this world and I just 0:06:34.116 --> 0:06:37.876 want to step back for a minute to talk about 0:06:37.876 --> 0:06:39.756 what's going on in a big way. Right, there's this 0:06:39.916 --> 0:06:43.436 phrase that's sort of central here, which is ransomware as 0:06:43.476 --> 0:06:48.556 a service. Ransomware is like straightforwards something a lot of 0:06:48.556 --> 0:06:52.756 people are familiar with. It's basically, some bad actor, some hacker, 0:06:53.116 --> 0:06:56.876 hacks into some companies' computers, locks them up and says 0:06:57.236 --> 0:06:59.836 we're not going to unlock them unless you pay us 0:06:59.916 --> 0:07:02.036 a ransom. That's ransomware. 0:07:02.476 --> 0:07:02.996 Exactly. 0:07:03.436 --> 0:07:06.116 What is ransomware as a service? What is I mean? 0:07:06.116 --> 0:07:08.556 We know about software as a service, right, it's basically 0:07:08.756 --> 0:07:10.516 you pay whatever amount of a month and you get to 0:07:10.596 --> 0:07:12.396 use software. What's ransomware as a service. 0:07:12.876 --> 0:07:17.476 So ransomware is a service. There's more than just ransomware. 0:07:17.556 --> 0:07:20.356 So you have this two part model where you have 0:07:20.676 --> 0:07:25.396 a service provider. That service provider provides the actual ransomware code. 0:07:25.956 --> 0:07:30.116 They also provide infrastructure. So the provider provides these services, 0:07:30.476 --> 0:07:33.236 the hacker goes and does the dirty work of actual hacking, 0:07:33.636 --> 0:07:37.276 and together when a victim pays the extortion, they share 0:07:37.316 --> 0:07:40.436 the profit from it. The benefit from using this model 0:07:40.636 --> 0:07:43.036 is you can have a lot higher volume than if 0:07:43.076 --> 0:07:46.036 it was just five guys in a group doing it themselves. 0:07:46.356 --> 0:07:49.436 By using this model, you can have many people doing 0:07:49.916 --> 0:07:53.476 attacks on your behalf. Much higher volume of attacks, much 0:07:53.516 --> 0:07:54.596 higher revenue. 0:07:54.836 --> 0:08:00.876 So Lockbit is basically just a software company. They're like 0:08:00.916 --> 0:08:03.996 an enterprise software company. They write software and provide various 0:08:04.036 --> 0:08:08.316 tools for users. But in this case the users are criminals, 0:08:08.396 --> 0:08:11.636 are people who want to hack into various computer systems 0:08:11.796 --> 0:08:13.596 and steal data and extort money. 0:08:14.396 --> 0:08:15.076 That's correct. 0:08:15.596 --> 0:08:18.996 But the other piece to it is the service provider aspect. 0:08:19.156 --> 0:08:21.156 They're the ones that are sort of in charge, that 0:08:21.236 --> 0:08:24.876 run the show, that give direction, that step in whenever 0:08:24.916 --> 0:08:28.436 there's an issue, if there's a victim not paying, sometimes 0:08:28.436 --> 0:08:30.676 they'll come in and help with the negotiation or take 0:08:30.716 --> 0:08:33.476 over or give direction on how much you can you 0:08:33.516 --> 0:08:36.956 can accept as a payment, or even say this is 0:08:36.956 --> 0:08:40.516 what you can or cannot hack this company. So they're 0:08:40.876 --> 0:08:42.476 definitely in the leadership chair. 0:08:42.716 --> 0:08:44.876 So I want to talk about how lockbit sort of 0:08:44.996 --> 0:08:47.676 grows and makes a name for itself. And one of 0:08:47.676 --> 0:08:51.836 the things that's really interesting is kind of how uninteresting 0:08:51.836 --> 0:08:54.396 it is. It's like, oh, it's this international criminal gang 0:08:54.836 --> 0:08:57.876 and they're acting like a boring software company, and it 0:08:57.996 --> 0:09:01.676 seems like a key early moment for them as they're 0:09:01.676 --> 0:09:05.556 trying to grow and differentiate themselves in the market. Is 0:09:05.596 --> 0:09:11.076 this summer paper contest in to tell me about that? 0:09:12.196 --> 0:09:13.796 Yeah, it's it's pretty crazy. 0:09:13.876 --> 0:09:17.196 So on this long running forum that I mentioned earlier, 0:09:17.276 --> 0:09:20.996 this Russian hacking forum, lockbit really wanted to to get 0:09:21.036 --> 0:09:24.476 their brand out there. So what they did is they 0:09:24.756 --> 0:09:31.636 sponsored this hacking paper contest, meaning hackers would submit these 0:09:31.676 --> 0:09:35.076 papers on different ways to hack and lockbit they would 0:09:35.156 --> 0:09:37.956 they would take part in this and they would help review. 0:09:38.276 --> 0:09:40.836 And there was five winners and the I think I 0:09:40.876 --> 0:09:43.156 don't remember what the what the what the I think 0:09:43.236 --> 0:09:45.236 was five thousand dollars maybe. 0:09:45.076 --> 0:09:50.076 Uh, you put a screenshot in your report. And what's 0:09:50.156 --> 0:09:54.636 amazing is how banal. It looks it looks totally like 0:09:54.716 --> 0:09:59.756 some college software contest or just some boring enterprise software company. 0:09:59.796 --> 0:10:02.236 Like there's this little kind of clip art of just 0:10:02.316 --> 0:10:04.956 like a dude at a laptop with a little plant 0:10:04.996 --> 0:10:06.796 next to him, although there is also a skull and 0:10:06.836 --> 0:10:09.756 crossbones next to him. It's like, we're just coders, but we're bad. 0:10:10.996 --> 0:10:13.196 And as you said, first place is five thousand dollars, 0:10:13.236 --> 0:10:16.396 which seems like not that much. Right, they're exploiting that. 0:10:16.556 --> 0:10:19.636 They're stealing tens of millions of dollars at this point, right. 0:10:19.796 --> 0:10:22.836 And then it says like accepted article topics, just like 0:10:22.876 --> 0:10:26.596 it would in a college contest, but under accepted article topics, 0:10:26.596 --> 0:10:32.556 it says hacks any methods for pouring shells, fixing, elevating rights, 0:10:32.676 --> 0:10:36.476 your story is and tricks interesting hack stories. It's such 0:10:36.516 --> 0:10:41.556 a fantastic combination of well banality and evil. 0:10:42.156 --> 0:10:42.956 It is. 0:10:42.996 --> 0:10:45.156 But here's what you have to think about. There's two 0:10:45.236 --> 0:10:48.076 benefits for this. One what I mentioned, sort of getting 0:10:48.076 --> 0:10:50.836 their name out and getting known with hackers. But two, 0:10:51.236 --> 0:10:54.476 they're looking for those upcoming rising stars, if you. 0:10:54.556 --> 0:10:59.116 Will, recruitment. It's talents, right, and yeah. 0:10:58.556 --> 0:11:01.276 That's right, and that's why Lackbit was different than most 0:11:01.316 --> 0:11:03.636 of these are the ransomware groups, because they approached it 0:11:03.436 --> 0:11:05.756 is a business and they thought out of the box 0:11:06.276 --> 0:11:08.476 and that's kind of what would set them ahead in 0:11:08.556 --> 0:11:11.076 a part at the time from other ransomware groups. 0:11:11.196 --> 0:11:15.556 So does it work this strategy? 0:11:16.036 --> 0:11:17.316 It absolutely worked. 0:11:17.756 --> 0:11:20.396 I mean, there's a reason that people know their name 0:11:20.436 --> 0:11:22.116 and know who they are, and there's a reason that 0:11:22.196 --> 0:11:24.996 they have so many people that at the time in 0:11:24.996 --> 0:11:27.556 a way really wanted to work for them over other groups. 0:11:28.756 --> 0:11:31.116 It was propaganda and it worked. 0:11:31.876 --> 0:11:34.876 And so it seems like by around twenty twenty one 0:11:36.116 --> 0:11:39.796 they've hit the big time. And there's this one hack 0:11:39.836 --> 0:11:42.636 in particular that you write about in the summer of 0:11:42.676 --> 0:11:47.316 twenty one of Accenture, the big international consulting company. Tell 0:11:47.356 --> 0:11:48.596 me about the Accenture hack. 0:11:49.836 --> 0:11:54.036 So in the Accenture hack, you know, the affiliate had 0:11:54.076 --> 0:11:57.796 gone in compromised them, they locked down their data, and 0:11:58.236 --> 0:12:01.476 lock Bit, you know, put on their site that you 0:12:01.516 --> 0:12:04.196 know they were a victim. Reporter started to report about it, 0:12:04.236 --> 0:12:06.716 and you got a lot of buzz in the media. Now, 0:12:06.836 --> 0:12:11.156 the problem with the Accenture hack is that Accenture denied 0:12:11.276 --> 0:12:15.396 that the hack took place. Initially saying that it wasn't 0:12:15.436 --> 0:12:18.716 real and it didn't happen. The issue with that is 0:12:18.916 --> 0:12:22.956 their customer's data was on their website and you could 0:12:23.036 --> 0:12:25.276 you could go see it and validate it and download 0:12:25.276 --> 0:12:26.036 samples of it. 0:12:26.276 --> 0:12:29.116 The customer's data was on the lockbit website. 0:12:29.156 --> 0:12:29.796 That's correct. 0:12:30.156 --> 0:12:32.556 That's correct, and it was just a sampling, but you 0:12:32.596 --> 0:12:36.316 could see this information and it looked quite authentic. 0:12:37.116 --> 0:12:42.196 So so does this accenture hack sort of put Lockbit 0:12:42.316 --> 0:12:43.836 on the map in a bigger way? 0:12:44.796 --> 0:12:50.196 Oh? I mean the media surrounding that was was was 0:12:50.396 --> 0:12:50.836 very loud. 0:12:50.836 --> 0:12:54.676 I mean it was across many organizations. Lots of of 0:12:54.876 --> 0:13:00.236 of well known journalists and organizations reported on it. All 0:13:00.316 --> 0:13:03.156 this feeds into the propaganda. Now the journalist shouldn't report 0:13:03.196 --> 0:13:05.476 on it. I'm just saying, you know, lockbit plays that 0:13:05.556 --> 0:13:07.636 to benefit him as them as well. 0:13:07.716 --> 0:13:10.876 Yeah, So basically the press coverage is good for lockbit 0:13:10.996 --> 0:13:14.196 because hackers see it and go to lockbit and say, hey, 0:13:14.276 --> 0:13:16.076 I want to be an affiliate and do some hacking. 0:13:16.236 --> 0:13:18.876 Essentially, that's right, and to be fair, the same thing 0:13:18.916 --> 0:13:21.716 from me from writing these reports. Yes, it helps researchers 0:13:21.796 --> 0:13:24.436 law enforcement, but it also helps them that that's the 0:13:24.436 --> 0:13:26.316 reason that they were friendly to me is because they 0:13:26.316 --> 0:13:28.836 were fans of a lot. I have probably just as 0:13:28.836 --> 0:13:31.596 many criminal hackers that are fans of the ransomware diaries 0:13:31.636 --> 0:13:35.676 as there are researchers and you know, right, regular people 0:13:35.716 --> 0:13:36.476 that are not criminals. 0:13:36.556 --> 0:13:42.356 Well, I mean there's an ecosystem here, right, like the 0:13:42.356 --> 0:13:44.956 the job. There's a universe of people whose job is 0:13:44.996 --> 0:13:48.516 fighting criminals and a universe of people who are criminals 0:13:48.556 --> 0:13:51.676 who are trying to evade being caught. Right, And that's right, 0:13:52.076 --> 0:13:54.836 the kind of intellectual universe has got to be almost 0:13:54.996 --> 0:13:57.876 entirely overlapping. Everybody's trying to figure out what everybody else 0:13:57.956 --> 0:14:00.756 is doing. Everybody's sort of using the same tricks on 0:14:00.796 --> 0:14:04.596 each other. It makes sense that the bad guys and 0:14:04.676 --> 0:14:06.316 the good guys would be reading the same. 0:14:06.116 --> 0:14:08.156 Stuff it does. 0:14:08.356 --> 0:14:11.156 And you know that's really where that uh that that 0:14:11.156 --> 0:14:15.036 that that human framework came in because his ego was 0:14:15.036 --> 0:14:17.476 was the main thing I was able to play on 0:14:18.196 --> 0:14:21.236 in order to get information. And even when there were 0:14:21.276 --> 0:14:23.236 lies in that information, you know, I talked to the 0:14:23.236 --> 0:14:25.076 people who work for them, So I would take those 0:14:25.156 --> 0:14:27.156 lies and I would present them in a different way 0:14:27.316 --> 0:14:30.316 to those people to get a response, and that would 0:14:30.356 --> 0:14:32.316 help me to validate what's real and what's not. 0:14:32.596 --> 0:14:35.276 Is there some specific example of playing on his ego, 0:14:35.436 --> 0:14:37.916 something you said to flatter him or something. 0:14:38.756 --> 0:14:40.876 Uh well, yeah, you know one of the one of 0:14:40.876 --> 0:14:43.796 the things that that was big for him was, you know, 0:14:43.876 --> 0:14:46.516 he wanted to be sort of the Darth Vader of 0:14:46.596 --> 0:14:49.716 ransomware of my words, not his, but you know, he 0:14:49.716 --> 0:14:52.556 he wanted to be this this top person. So you 0:14:52.556 --> 0:14:54.796 know when you would talk about him changing the game 0:14:54.836 --> 0:14:58.756 of ransomware and telling him, you know, you guys are 0:14:58.476 --> 0:15:00.756 are are on top? You know, how did you get there? 0:15:00.796 --> 0:15:03.716 How did you how did you get ahead of other 0:15:03.756 --> 0:15:08.756 groups like like REvil and uh in in time, Black Matter, 0:15:09.276 --> 0:15:11.876 in groups like that, And you know he loved that. 0:15:11.956 --> 0:15:14.036 You know, it would just that was a thing that 0:15:14.036 --> 0:15:17.436 would get mister grumpy pants talking was sort of playing 0:15:17.436 --> 0:15:20.076 on his ego, you know, asking questions about how he 0:15:20.156 --> 0:15:23.636 got to be the top brand in ransomware and how 0:15:23.676 --> 0:15:25.036 he's better than all the other ones. 0:15:25.236 --> 0:15:26.756 And he fed right into that. 0:15:30.836 --> 0:15:33.716 Coming up after the break, what happens when lockbit is 0:15:33.796 --> 0:15:48.236 used to hack a hospital for children with cancer, So 0:15:48.436 --> 0:15:53.116 kind of early twenty twenties Lockbit is king of the 0:15:53.196 --> 0:15:56.676 ransomware world. And then it seems like in about twenty 0:15:56.756 --> 0:15:59.916 twenty three they sort of start going too far or 0:15:59.956 --> 0:16:03.956 their affiliates start going too far right, they start to 0:16:03.996 --> 0:16:09.476 get into trouble, and it seems like the back of 0:16:10.236 --> 0:16:13.876 hospital that is actually called Thick Kids, which is yeh, 0:16:14.316 --> 0:16:19.156 a children's cancer hospital in Canada, is kind of a 0:16:19.196 --> 0:16:25.716 turning point. And like I do wonder, like you could 0:16:25.756 --> 0:16:30.756 hack anybody, why would you hack a cancer hospital for children? Like, 0:16:30.796 --> 0:16:33.596 is it because you want to be as evil as possible? 0:16:34.796 --> 0:16:37.836 Yeah, it's because they see them as a as an 0:16:37.876 --> 0:16:41.116 easy target because a hospital has to be available and 0:16:41.156 --> 0:16:48.516 make their resources easily accessible by their patients, clients, medical organizations, 0:16:49.036 --> 0:16:52.796 and inherently the more accessible something is less secure it is. 0:16:53.116 --> 0:16:55.156 So it makes them an easy target. They have a 0:16:55.276 --> 0:16:59.196 lot of money, and they're more likely to pay because 0:16:59.236 --> 0:17:01.836 the data is so sensitive and the systems that are 0:17:01.916 --> 0:17:04.916 encrypted are so critical that it makes them a ripe 0:17:04.956 --> 0:17:08.516 target and that's the reason that they'll go after them. Initially, 0:17:09.996 --> 0:17:14.196 the hospital was hacked, the systems were encrypted, data was stolen, 0:17:14.436 --> 0:17:16.996 and they didn't they weren't going to let them out 0:17:17.036 --> 0:17:19.956 of this. They were going to force them to pay 0:17:20.236 --> 0:17:22.156 or they weren't going to give them the key to 0:17:22.196 --> 0:17:24.876 decryptor systems, and didn't seem to care that these kids 0:17:24.876 --> 0:17:27.436 couldn't get the care that they needed and the treatments 0:17:27.476 --> 0:17:30.996 that they needed. The only reason so what ended up 0:17:30.996 --> 0:17:33.956 happening was with all the media around it, it was 0:17:33.996 --> 0:17:37.276 such a bad look for Lockbit that the leadership of 0:17:37.316 --> 0:17:41.396 the group decided, after you know, about two weeks, they decided, Okay, 0:17:41.636 --> 0:17:43.356 we're going to go ahead and we're going to give 0:17:43.396 --> 0:17:46.316 them the cryption key, just because this was getting to 0:17:46.356 --> 0:17:49.196 be too hot. And if you remember, like the whole 0:17:49.196 --> 0:17:52.556 Colonial Pipeline thing with the Dark Side ransomware group, you 0:17:52.556 --> 0:17:55.396 know that got that got so much attention that you know, 0:17:55.476 --> 0:17:58.156 government agencies got involved and went after them, and when 0:17:58.156 --> 0:18:01.636 that happens, it's very bad for ransomware groups. So they 0:18:02.116 --> 0:18:05.676 essentially saw things could possibly go that direction with the 0:18:05.676 --> 0:18:08.356 amount of bad publicity they were getting, and decided it 0:18:08.396 --> 0:18:10.596 wasn't worth it the payment they were going to get, 0:18:10.676 --> 0:18:13.356 and they went ahead and provided the hospital with the 0:18:14.036 --> 0:18:17.236 decryption key so they could get those systems back online. 0:18:18.276 --> 0:18:22.516 And and in fact, their concern about a backlash was justified. Right, 0:18:22.556 --> 0:18:27.116 it seems like international governments, kind of led by the UK, 0:18:27.796 --> 0:18:32.436 do start to go after Lockbit around this point. Right, 0:18:32.916 --> 0:18:35.316 What do you do if you're a government and you 0:18:35.396 --> 0:18:37.956 want to go after a Russian hecking gang? 0:18:39.556 --> 0:18:43.436 Well, it's not easy. The things that you have to 0:18:43.476 --> 0:18:45.756 do is you have to use resources that people like 0:18:45.836 --> 0:18:49.396 me don't have available to try to figure out their 0:18:49.436 --> 0:18:53.876 their infrastructure, their hosting infrastructure, what what what where their 0:18:53.916 --> 0:18:57.436 servers live? Uh, and then which is very difficult when 0:18:57.436 --> 0:18:59.636 they're there the dark web. 0:18:59.636 --> 0:19:00.636 It's hard to figure. 0:19:00.356 --> 0:19:02.476 That out because there's this is the cat and mouse thing. 0:19:02.516 --> 0:19:06.516 They're like complicated smart systems. These people used to hide 0:19:06.996 --> 0:19:08.436 their location essentially. 0:19:08.756 --> 0:19:12.756 That's that's right, and so that's one aspect is trying 0:19:12.796 --> 0:19:14.556 to figure out that infrastructure. 0:19:15.156 --> 0:19:16.236 In some cases you. 0:19:16.196 --> 0:19:18.116 Can use legal means to take it down, but with 0:19:18.196 --> 0:19:22.036 groups like Lockbit, often they will use service providers that 0:19:22.076 --> 0:19:25.676 are in countries that cater to criminal activity and won't 0:19:25.676 --> 0:19:29.156 respond subpoenas. The other thing, though, that lawn that these 0:19:29.196 --> 0:19:32.316 governments and law enforcements try to get into is the 0:19:32.316 --> 0:19:37.076 infrastructure that is public, the panel that the bad guys 0:19:37.316 --> 0:19:41.396 use to log into with the graphical interface to control 0:19:41.556 --> 0:19:44.556 these attacks, and there's technical ways to do that, and 0:19:44.596 --> 0:19:47.036 then there's also the ways of infiltrating the people who 0:19:47.076 --> 0:19:50.796 work for the group to get their credentials access. 0:19:50.516 --> 0:19:53.676 So they're basically hacking. They're basically hacking the hackers. So 0:19:54.156 --> 0:20:00.516 in February of twenty twenty four, this international coalition of 0:20:00.556 --> 0:20:05.276 law enforcement agencies actually takes over lockbit sort of publicly 0:20:05.316 --> 0:20:08.996 facing site, right Lockbit's dark websites tell me about that. 0:20:09.876 --> 0:20:12.636 Yeah, So it was great when you went to the 0:20:12.636 --> 0:20:16.356 website that that day, it was no longer Lockbit's data 0:20:16.436 --> 0:20:21.076 leak site. Instead it was a mock site, so it 0:20:21.156 --> 0:20:26.196 looks just like it, except instead of having real victims 0:20:26.236 --> 0:20:30.876 within the site, the NCAA put the criminals as the victims, 0:20:31.036 --> 0:20:34.516 and they named affiliates with the victims, and they had 0:20:34.516 --> 0:20:37.476 a countdown timer for for lock bits up saying they 0:20:37.476 --> 0:20:39.156 were going to release his identity ha. 0:20:39.556 --> 0:20:41.556 And the countdown timer is the kind of thing that 0:20:41.556 --> 0:20:43.876 the that the bad guys use when they hack a company, 0:20:43.916 --> 0:20:45.076 saying we're gonna. 0:20:44.836 --> 0:20:47.516 That's rite yeah, uh huh, yeah, that's what they do. 0:20:47.556 --> 0:20:50.716 A count down timer for traditional victims is how long 0:20:50.756 --> 0:20:53.196 they have to pay to the data's lead so in. 0:20:53.076 --> 0:20:58.036 The same way that Lockbit was essentially marketing itself. Now 0:20:58.076 --> 0:21:01.076 the now the cops, now the law enforcement officials, are 0:21:01.236 --> 0:21:05.036 are doing that same kind of marketing. They're sort of 0:21:05.076 --> 0:21:09.116 doing this kind of propagandistic thing to attract attention, presumer 0:21:09.436 --> 0:21:11.876 what to scare off all the affiliates, like why why 0:21:11.916 --> 0:21:13.916 would they be doing it in this showy way just 0:21:13.956 --> 0:21:15.356 for attention to get good press. 0:21:15.476 --> 0:21:18.956 No, it was it was a psychological operation. So prior 0:21:18.996 --> 0:21:21.596 to this, they didn't they never did this there. The 0:21:21.916 --> 0:21:23.636 way they took sites down were just to take it 0:21:23.636 --> 0:21:25.916 down and put a message up saying law enforcement took 0:21:25.916 --> 0:21:29.756 this down. This was psychological. It was meant to put 0:21:29.796 --> 0:21:33.716 stress on the people who worked for the organization and 0:21:33.796 --> 0:21:37.356 being concerned that they no longer had anonymity and that 0:21:37.436 --> 0:21:41.596 their names and information was now being reviewed and revealed 0:21:41.596 --> 0:21:45.316 by law enforcement. And the whole goal of this was 0:21:45.316 --> 0:21:48.516 was to affect the lockbit brand and to make people 0:21:48.716 --> 0:21:50.196 not trust Lockbit. 0:21:49.956 --> 0:21:51.716 Or want to work for the organization. 0:21:52.476 --> 0:21:55.236 So it was very planned in, thought out and methodical. 0:21:55.436 --> 0:21:58.476 It wasn't just, you know, to get attention. It was 0:21:58.556 --> 0:22:02.636 specifically to hurt that brand and make affiliates afraid to 0:22:02.716 --> 0:22:05.836