CyberWire Daily - International effort dismantles LockBit. [Research Saturday]
Episode Date: May 25, 2024

Jon DiMaggio, Chief Security Strategist at Analyst1, is sharing his work on "Ransomware Diaries Volume 5: Unmasking LockBit." On February 19, 2024, the National Crime Agency (NCA), a UK sovereign law enforcement agency, in collaboration with the FBI, Europol, and nine other countries under "Operation Cronos," disrupted the LockBit ransomware gang's data leak site used for shaming, extorting, and leaking victim data. The NCA greeted visitors to LockBit's dark web leak site with a seizure banner, revealing they had been controlling LockBit's infrastructure for some time, collecting information, acquiring victim decryption keys, and even compromising the new ransomware payload intended for LockBit 4.0. The research can be found here: Ransomware Diaries Volume 5: Unmasking LockBit
Transcript
You're listening to the CyberWire Network, powered by N2K.

Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities, solving some of the hard problems,
and protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
So about two years ago, before LockBit was really known for who they are today, I started researching them after I got done with REvil. And, you know, I somehow just got on the inside.
That's Jon DiMaggio, Chief Security Strategist at Analyst1. Today, we're discussing his research, Ransomware Diaries, Volume 5, Unmasking LockBit.
After I published the Ransomware Diaries Volume 1,
they knew who I was, began using my face as their avatar on the dark web.
So I started talking to them from there as myself,
developed a relationship, which led to a lot of the findings in my volumes of The Ransomware Diaries after the first one.
And at times, we were friendly. I mean, you can't talk to somebody that much and not grow a relationship. But I've always been out to get them. I've always been honest about what my, you know, what my intent was.
So fast forward sort of to where we are now, you know, I wasn't planning to publish research,
but, you know, we got to a point where, you know, I always do deconfliction before I publish.
And with this one, when I did deconfliction, they were like, do not publish.
And I said, OK, well, let me know when I can.
Law enforcement, that is.
But basically, a day before, the site that law enforcement had seized was resurrected with this countdown timer saying that they were going to release an identity.
So long story short, I had to write in like three days and put everything I had in. I really wasn't ready, but I did what I had to do.
And the day of, I held my breath and was like, please be the same person.
And if it was going to be the same person, I was going to move forward and publish.
And if it wasn't, then obviously we wouldn't be talking right now because I never would have come up with a report.
But yeah, so I published about 45 minutes after the indictment came out.
And, you know, it was clearly obvious to everyone that I had been working on this for a while.
But yeah, so it's been a big splash and a lot of attention because of that.
Before we dig in here, there's something a little unusual about this particular publication from you.
You start out here with a warning about engaging with ransomware criminals.
Can you unpack that for us?
Yeah, so that actually started out, I did it in one of my volumes. It was sort of a joke, you know, my kids like to watch wrestling and they have some sort of similar warning at the beginning. So it started out as a joke. And then my editors and handlers at Analyst1 liked it. And obviously, there's not any legal aspect to it, but they thought it was a good way to let people know, don't read this and decide to go out and try and talk to ransomware criminals or any type of cyber criminal on the dark web.
Because I mean, I can certainly tell you there's a lot of negative things that can happen from
that and it can certainly be dangerous and getting threatened by, you know, organized
ransomware criminals is never fun.
So it's sort of a lighthearted way to let people know, you know, don't do this unless you know what you're doing.
Yeah, it's interesting because, you know, I often hear people say how much fun it would be to lead scammers along, you know, when you're talking about social engineering and things like that.
But it is a tricky game.
It is. And there's a big difference between having fun with scammers and talking to long-running cyber criminals that, like last year alone, made $100 million on the dark web.
The resources they have are infinite. And I live in all the same spaces as they do. And I see all
the bad things you can buy with money if you wanted to do something to someone. So you're
always putting yourself at risk when you get out there.
And it's very different
than having some fun with scammers.
The repercussions can be significant.
And so, yeah, people just need to be careful
if they decide to try to do something like this
and only do it if they have legal blessing
as well as they're skilled
and comfortable with what they're doing.
Well, let's walk through this together. I mean, this is a fascinating tale of your own journey
here and your own sort of unmasking of the person behind LockBit. Where should we begin?
Yeah. Why don't we begin with, we can go earlier than this, but three days before the announcement of who I was, that's sort of the trigger that put all of this into fast forward to where we are today. Is that early enough or would you like to go farther back?
Yeah, let's begin there. That sounds good.
Okay. Well, let me take one step back further. About, I don't know, a month ago, three weeks ago, I had received a tip. I often get tips from people, criminals, researchers, and things of that nature.
Sometimes they are people I know.
Sometimes they're from accounts that were just created.
In this case, it was from an account that was just created.
So I wasn't sure how much validity I should put into it.
But it gave me some information on an email address and told me it was related to an account that was controlled by the person behind LockBitSupp.
That email address is in my report.
It's sitedev5 at yandex.ru.
So as I began to look at that,
I figured I might as well do what bad guys do
and look through stolen leaked data that's out there
and see what I can find on this account.
And I found quite a bit of information. There were legitimate businesses and then sort of IOCs related to it. And then there were what I'll call secondary IOCs, which were not affiliated with this person's legitimate life, but were clearly more suspicious. And as I dug on those, they started to lead back to some of these Russian forums where a lot of ransomware criminals talk. So I didn't know if it was LockBitSupp.
And honestly, if the indictment hadn't come out, I would not have published this until I had
something more concrete. But so I just began to collect and look at this person. And they had this very strong, legitimate presence. And they had this much smaller footprint that was suspicious and had linkage to some of the places where these criminals live.
So having said that, I sort of built all this out, both in technical, like with using a tool called Maltego, where I could visually see all the links and everything.
And then also through probing and asking questions of LockBitSupp without giving away what I was doing, just trying to sort of find something I could link him to. Now we're at three days prior to the release of the indictment and this person's name. I mentioned I do deconfliction. So I did that. I said, hey, this is what I'm working on. I don't know if I'm going to publish, but before I put too much time into it, I want to know if this is going to cause any issues. And so I was asked to not publish, which with that alone gave me all the information I didn't know, which is that I needed to keep digging on this person. And I just said, okay, well, I do want to publish, so don't catch me off guard and release something. And I have no time. I was like, you know, I'm through you guys' phone, you know, with not publishing, please let me know.
So I think it was a Friday. You know, law enforcement was like, yeah, we can't give you any details, but just keep an eye out on, you know, LockBit, all things LockBit this weekend.
To me, it made the most sense that their mechanism to release information the last time was through the LockBit infrastructure that they seized.
So I have different tools and resources to monitor those. And every hour, I was checking those resources. And I began writing my research with the assumption that I was going to have something that would be similar and would pair to what they were going to release. And so Sunday, yeah, Sunday at 3 p.m., I saw the light on my little status thing for that, for some of the old, three of the old LockBit websites turned green.
So I immediately went to it.
I saw that it was a new site also from the NCA,
which is the National Crime Agency,
made up of some different law enforcement and
government-related entities. And in it, they had victim posts, just like you'd see on the real
LockBit page, except all the posts were for criminals. The most relevant one being a countdown timer that they had for LockBitSupp to reveal his identity. So then I literally went three days without sleep, just working through the nights. I had to put off my kids' sports and have somebody else take them. I couldn't be there. But there's certain times in your career where you just have to go. And this was definitely go time. So I wrote 22 pages over the next three days. I had to travel to RSA, so I had to fly out there. And of course, the plane was filled with security people, so I couldn't work on it on the plane in case somebody saw me. So I finished at 1:47, I guess, in the morning of the release in San Francisco, where I was with the time zone. It was 7 a.m. when they were going to actually release the information. So I just remember getting those four hours of sleep
and waking up and being like, oh, I just don't even want to get out of bed. But I did. And sure enough, the release came out,
and it was Dimitri, the same exact person I had profiled. And what I really was happy about is I
had way more information than was what was originally released in that indictment that
morning. So I felt really good about releasing this information. Having been a former, you know, I worked for a government intelligence
agency. I was a signals intelligence analyst for a long time. I've got a lot of background on things
I can't talk about, but I know a lot of the tools and resources that go into validating these people.
So while the general public is like, hey, there's no evidence for this. I also understand if you go
and look back, there's no ransomware indictment that we've had where there's evidence in the indictments.
That stuff is held closely for the day if it ever comes where we actually arrest someone,
law enforcement can't show their hands. So that made it difficult for me because I didn't have
evidence besides the coincidence that we were both looking at the same person. And I had this tip
that led me there. But I felt strongly that if they're doing not just an indictment but sanctions against this person, there is evidence out there.
It's just somewhere either I'm never going to find because of the resources they used to get it or two.
It's information that's really well hidden that I have not found.
Since then, there's been a lot of talk about, oh, there's no evidence. This isn't LockBit. And he's even gone and done interviews now, LockBitSupp, saying, oh no, this isn't me. There's no evidence of it being me. And that kind of, you know, that bothers me from one aspect because we're, you know, giving
him a platform. I mean, I've taken part in some of these platforms where he gets in the interview,
so I can try and put in my piece that, hey, you know, just because he says it's not him,
let's not everybody believe a criminal here. But he is correct. There is not public evidence, and I'm working very hard to try and find some.
I don't know if I'm going to get it. If I do, I'm going to update what I put out. But I do feel
strongly that the government would not put out sanctions and an indictment against an individual
unless they did have a solid attribution. It's just that at the end of the day, what the public thinks isn't as important as what a judge will think if that day ever comes where he is facing those charges.
We'll be right back.
Do you know the status of your compliance controls right now?
Like, right now.
We know that real-time visibility is critical for security,
but when it comes to our GRC programs, we rely on point-in-time checks.
But get this.
More than 8,000 companies like Atlassian and Quora
have continuous visibility into their controls with Vanta.
Here's the gist.
Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
They also centralize key workflows like policies, access reviews, and reporting,
and help you get security questionnaires done five times faster with AI.
Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com/cyber. That's vanta.com/cyber for $1,000 off.
So, in terms of evidence, would you have, let's say the indictment didn't come from the government, from NCA, were you on the path to the same conclusion in terms of it being the same person?
I honestly was still at an unknown. The links to the Russian forums, I thought were really interesting. And Brian Krebs put something out today where he found some, I hadn't really gotten to dig into the forums yet. And he did find some content in the forums that, again, aren't a hard link, but do make it a little bit stronger than what I had found in my reporting. But still, there is not a smoking gun for this individual. And that brings me back to my point. With him saying it's not him, everybody saying, oh, there's no evidence it's him. And then people are saying, well, his operational security was so poor, meaning this person, Dimitri, was so poor at it, there's no way this is LockBit. But here's the thing. These are all
people that are going to look for him after knowing this person's name. And his personal
life might not have had the best OPSEC, but clearly he did have strong OPSEC because myself
and some of the best researchers in the world have not yet linked him.
So he did have good OPSEC.
It's just that he separated his criminal life from his personal life,
which is why we're not finding that link.
And the OPSEC in his personal life being poor does not mean that his OPSEC is poor.
It just means he was smart enough to make a diversion
and put enough out there that he would look like a regular person.
So he could have an argument that it's not him.
Right. Kind of hiding in plain sight.
Exactly. Exactly.
No, that's an interesting insight. Can you talk some about the relationship that you had with this person? I should mention also that we're using the phrase LockBitSupp. That's the handle that this person used online. And this is the presumed leader of the LockBit organization.
That's right.
He used it on multiple Russian underground criminal forums that are primarily based in
the dark web.
And he also used that name to communicate with myself as well as the other criminals
in his program.
So when there were issues, they wanted to discuss an attack, or even if he had
to talk to a victim, that's the moniker that this person used. And there was a time where
I do believe that there was someone else that also helped out with this moniker. And that makes sense
because think about it, if it's support for a criminal program, you can't have one person
monitor it 24-7. But at some point in time, you know, LockBitSupp decided that I couldn't talk to the other people anymore because it went from getting almost immediate responses to sometimes taking hours to a day. And the obvious reason why is whatever they told me, I would then use to dig and find more and then report publicly. And I think he wanted to control that.
I see. Can you give us some insights into that relationship? I mean, it strikes me as it must be a little bit odd. The two of you know that you are at odds with each other. There's a tension between the two of you, and yet you stay in touch.
Yeah, it's the strangest relationship that I think I've ever had with a threat actor.
And it's certainly not the only relationship,
but it's the longest running
and it's the most unique
because we both sort of had this
common respect for one another,
but we had this cat and mouse game.
And because of that, yeah,
up front, I expressed my intent and then time and time again,
I doubled down on that by putting out information
where I did not hold back or let off on the guy,
but he always came back to talk to me.
Now, there were times he would definitely be upset
and talk less, but overall, he got it
that it wasn't personal and I think he enjoyed
that I was spending all my time
chasing him and almost got a thrill out of trying to evade me. He would say often, like, you and the
FBI are too dumb to find me, you know, things like that. And, you know, it was just this sort of
unique love-hate relationship that we had. But it was never down to, it was never, there was never
name-calling. There was never crazy unprofessional things said. You know, it was always, like I said,
a level of respect between us, you know, that we had. And that's what made this so great is that,
you know, it just lasted. And it was this back and forth, me chasing and him evading and him,
you know, doing these different crazy things. But it was never threatening or anything like that.
Now, that could change after what I just put out,
but historically, that's how it's been.
Yeah.
It's interesting to me, too, the amount of swagger that we're seeing here
from the NCA, the FBI, the partners involved with this.
You know, like the FBI is using the, I think the email address is like FBI sup.
They're not holding back in puffing up their chests
and letting the bad guys know,
I guess, who's boss here.
Yeah, well, this particular takedown operation, Operation Cronos, is the most successful. And that is because they started using different tactics, very out-of-the-box tactics, if you compare them to many of the other takedowns. And what I mean by that is they started using psychological tactics in addition to just, you know, traditional cyber, you know, tactics that are used to take down infrastructure. So that's the reason why normally you just see a takedown and then an indictment the same day and that's it. Whereas this one, they did the first
takedown on February 19th. And when affiliates went to log in, they each had a personalized
note to them saying, we have your information, your logs, your communication, we'll be seeing
you soon type of a thing. And then they made the victim posts
for members of LockBit and put a countdown timer for LockBitSupp himself. And a few days later,
when that timer ended, we were all disappointed that they didn't name who it was. But now the
indictment is out. We know the reason why is because, and this is crazy to me, LockBitSupp
offered to give up names of some of his competitors and who they were in exchange for his anonymity.
And, you know, that's just one of those unspoken sins you don't do.
So I was surprised to see that.
But it makes sense if he was going to give information, you know, that he's a solid source for that.
So I think that it was worth delaying this. And clearly that relationship soured because here we are again just a couple months later and they essentially began the operation again with a countdown timer. But making him wait and have it in his safe using his platform and their anonymity is protected.
And it literally made the bad guys feel like the victims.
And no one should take that away from law enforcement because this has been the most
successful operation against ransomware that I've seen.
Well, and you can imagine that that could be motivation for him to also say, hey, this
isn't me, because I would imagine a lot of his colleagues in the
cybercrime underground world, he may have a target on his back. If he was willing to give them up
to save his own skin, his local reputation is probably not so great right now.
That's true. But he has such a strong ego. He may not be able to see that. That vision might
be a little bit blurred,
or he may see it and think he's untouchable and not care. I'm not sure, but he at least publicly is acting like it doesn't bother him. But the public version of LockBitSupp is completely
different than the person I know. That public version is like Tony Montana from Scarface,
this very loud, arrogant gangster. And the person that I have got to know is a much more minimalistic, down-to-earth, doesn't get upset, is always the same sort of tone type of person.
And I don't believe that he's out there – well, I know he's not now, but out there with, when he said it before, Lamborghinis, yachts, and women in bikinis and partying.
That's not the guy I got to know. And that's not the guy who could evade law enforcement for four
years. So he's very different from his public perception that we see with all these media
engagements and things versus the actual person that's Dimitri who's sitting behind it.
Can you try to give us some perspective here of what this takedown means for the larger ecosystem here? How do you suppose things are going to look going forward?
that with, you know, with this, we just see these small improvements, but this one was a massive improvement. And when this first happened, you know, the media jumped on and said, okay, well, the takedown was February 19th, February 25th, LockBit stood up new infrastructure. Clearly, it was ineffective. And, you know, I just explained to you why it was so effective.
But what this means going forward is it's sort of a new day when it comes to how law enforcement
looks at
this. They're no longer just doing these traditional, oh, this is how we take down malicious
websites. This is how we try to take down an actor. I think they know that indictments aren't
going to have a person arrested, but indictments and sanctions have a massive impact on ransomware
groups because now, at least in the U.S., you can no longer pay a LockBit ransom payment. That is essentially going to shut this organization down whether LockBit wants it or not. And what I think we'll see in the future are similar tactics. I hope
that they'll continue to progress, but we made a huge step or they made a huge step in this
particular takedown with all this new out-of-the-box thinking
and doing things that we just never saw before from law enforcement. And the proof is in the
pudding. Clearly, this was effective.
How about your own feelings personally here? I mean, is this a sigh of relief? Are you going to miss having this one to chase down?
It sounds crazy, but I am going to miss it.
It's impossible to not feel a certain way when you've talked to somebody for so long.
It never stops me from doing my job. The person does horrible things, but that doesn't mean there's not still a person and a personality behind it. And I think my days of talking to LockBit are probably done. Outside of if I find some evidence to publish, I don't think there'll be a lot more that I do with LockBit.
So, yeah, after two years of this consuming my life, you know, this is the first time where I'm sitting here and I'm like, I don't know what I'm going to do next.
And I'll be honest, it's also a huge sigh of relief because that's so much pressure constantly.
I can't even go on vacation and not have to respond and talk to bad guys involved with this because it's your life. You can't just turn it off while you go.
And it's a lot of weight off my shoulders to know that I have a clear canvas in front of me
and I can do whatever I want with it. And the first thing I'm going to do is take a nice break
this summer and do some lower key stuff. But I'll definitely be back. I just don't know what it's going to be next.
Our thanks to Jon DiMaggio from Analyst1 for joining us.
The research is titled Ransomware Diaries Volume 5, Unmasking LockBit.
You can find a link and additional resources in the show notes.
And now a message from Black Cloak.
Did you know the easiest way for cyber criminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak. Learn more at blackcloak.io.
And that's Research Saturday, brought to you by N2K CyberWire.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter.
Learn how at n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman
and Trey Hester. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf.
Simone Petrella is our president.
Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next time.