
We go behind the scenes with Jon DiMaggio of Ransomware Diaries. As the chief security strategist at Analyst1, Jon has conducted in-depth investigations of ransomware groups, including the famed LockBit gang. He tells us the open-source tactics he uses and how cyber threats can take a mental toll.

Key takeaways

  • Tracking the LockBit story
  • Where OSINT meets ransomware investigations
  • The human element in threat detection

About Jon DiMaggio

Jon DiMaggio is the chief security strategist at Analyst1 and has over 15 years of experience hunting, researching, and writing about advanced cyber threats. As a specialist in enterprise ransomware attacks and nation-state intrusions, including the world’s first ransomware cartel and the infamous Black Vine cyberespionage group, he has exposed the criminal organizations behind major ransomware attacks, aided law enforcement agencies in federal indictments of nation-state attacks, and discussed his work with The New York Times, Bloomberg, Fox, CNN, Reuters, and Wired. You can find Jon speaking about his research at conferences such as RSA and Black Hat.


[00:00:01.690] - Jon DiMaggio
I just began a vacation. I was two days into it, and Operation Cronos took place. They took down LockBit's infrastructure, and they began this sort of psychological operation that lasted for about a week, where they released different pieces of information and sort of toyed with the threat actors. And because of that takedown, I had to cancel my vacation and come back to work.

[00:00:38.490] - Jeff Phillips
Welcome to Needlestack. I'm your host, Jeff Phillips.

[00:00:41.540] - Shannon Reagan
And I'm Shannon Reagan. Today we're going to be discussing the ins and outs of ransomware and the groups behind it with Jon DiMaggio.

[00:00:49.790] - Jeff Phillips
Yeah, this is going to be a really fun conversation. Jon is the chief security strategist at Analyst1. Analyst1's a threat intelligence provider and platform. He's also, though, the author of Ransomware Diaries. It's a blog series. It actually reads like a mystery novel, so I definitely suggest you check it out. Jon, welcome to the show.

[00:01:13.880] - Jon DiMaggio
Thank you for having me. I'm excited to be here.

[00:01:16.580] - Shannon Reagan
Well, can you start us off by telling us a little bit about what Ransomware Diaries is and how you got started with it?

[00:01:23.610] - Jon DiMaggio
Yeah. So the Ransomware Diaries is a series, essentially. I've been doing research and writing for years, and I really wanted to have a way to sort of gel the concept together and have a story that sort of threads and intertwines from one piece to the next. And over the years of research, I've really found that a lot of the ransomware attackers that I interact with are connected, and it's a much smaller world than most people realize. So I thought this might be a good opportunity to sort of highlight that and sort of provide research as well as tell a really good story. I've spent a lot of my career, I worked for the government for years, doing intelligence reports, and I've written from that aspect as well as publicly. When I came to Symantec, when I left the government where I was doing a lot of nation-state work, that was all straight CTI-based type of work, cyber threat intelligence type of work. So when I came to Analyst1, I had a lot more creative freedom, and I really wanted to expand on that. That's sort of what the Ransomware Diaries is: my creative outlet to still provide intelligence and try to sort of fight the fight with ransomware, if you will, and to shed light on stories that otherwise wouldn't be known by adding the human element on top of that CTI piece and to really give an in-depth view of what we're facing when we're chasing these guys in the zeros and ones.

[00:03:01.050] - Jon DiMaggio
I wanted people to understand that there's more to it than that. And that's what the Ransomware Diaries is, and I continue to write it. There have been four volumes so far. They're each about 60 or 70 pages, and they take anywhere from three to six months for me to put together.

[00:03:19.150] - Jeff Phillips
Well, they are super interesting and they do read well. The human element comes through. What's been so different to me from a ransomware perspective is hearing about these individuals, which means you get to communicate with some of them. But for our CTI researchers out there, you talk about having to build up credibility. I believe you're lurking in places and in forums, dark and surface web. And so you talk about building up credibility. Could you tell me a little bit about that? Was it difficult? How are you doing that? Do you have different personas? So how are you going about hanging out in these ransomware places?

[00:04:02.580] - Jon DiMaggio
Yeah, so there's two varying ways that I go about that. But the first way is the way that 99% of the rest of researchers in this space would do it, which is developing fake personas. Now, developing fake personas is not something where you just go create an account and use it. It requires planning, it requires developing a backstory for this character. It's almost like developing the character in a book. You have to be a writer. Yeah, literally, you need to create this person if you want them to be believable. And then once you've sort of created this and detailed what you want this person to be, you need to go give them an online presence. And so I'll go and register accounts, even ones you're not going to use, just so that, if it's a real person, they're going to have these things. So you create other accounts, social media accounts. You try to get on some of the lower-hanging-fruit forums, meaning some of the ones that don't necessarily require a validation from another hacker or things of that nature, just to get your name out there. And then you have to start actually talking to people and making posts and commenting on things.

[00:05:15.650] - Jon DiMaggio
And of course, when you're developing that, you want it to be within the topic of what you're going to eventually research, but you don't want it to be where you're going to stand out and people are going to know you. So there's just a lot of development that goes into it over time. Once you've created a nice footprint and this character, if you will, appears to be believable, there's people that you've interacted with, there's people that you've made friends with, if you will, that will talk about you and say, yeah, I've had conversations with that person. Then you can start thinking about using it to get closer to wherever your target is. And that requires other work, too, using different open-source techniques and OSINT techniques in order to fingerprint your target and identify where they live, the accounts that they use, who they talk to, what those roles are. You want to do all of that before you ever engage with someone, because you don't want to end up not having an answer for a question, or at least a question that you should be able to answer, or looking like you just started doing this yesterday.

[00:06:15.810] - Jon DiMaggio
So it takes a lot of work and a lot of time, and while you're developing one to use actively, you have to have other accounts. So I'll have accounts that are just what I call my news reader accounts, where it's almost like the opposite of being an initial access broker. Initial access brokers gain access to networks and then sell it to other criminals to compromise. What I do is I'll gain access to criminal forums and then I will just stay there. I won't do anything with that account and just use it to sort of monitor. That's why I call it my news account. And then there's other accounts where I actually touch things, talk to people and engage. But while you're doing this, you have to have a third account that's farther down the development road than your news reader account, because you need a backup account. For whatever reason, eventually your accounts get burned, and you don't want to start this whole process over and be down for three to six months. So it's an evolving cycle where you have to constantly feed into it. The more you feed into it, the better output you're going to get from it.

[00:07:16.910] - Shannon Reagan
Wow, sounds like a Dickens novel. It's very complex.

[00:07:20.590] - Jon DiMaggio
It is complex. There's an art to it, for sure. And then language barriers are a whole other thing. Every engagement and every piece of research I do requires different things. And a lot of times, especially ransomware, they're Russian-speaking. I just did an engagement over the past six months, a lot with RansomedVC, which is who the Ransomware Diaries volume four was about. And they were very fluent in English, and so were sort of their top affiliates. So that required a different approach, but it also made the communication much easier, and the conversations would be much longer at the same time. Those people are going to get to know you much more. And that brings me to the second piece of what you asked me. I told you there were two different approaches. I told you the approach that 99% of CTI researchers and analysts or human intelligence analysts would do, and that's creating fake personas. I'm in a unique position because of sort of the popularity the Ransomware Diaries has gained with hackers in addition to CTI researchers. That's allowed me to use my real-life identity and persona to also talk and create these relationships, and I get different output when I do that.

[00:08:40.630] - Jon DiMaggio
But after my name was out there and my face was on the first Ransomware Diaries, and LockBit started using my face as their avatar on one of the dark web forums, there was no point in hiding. I might as well benefit from it then. I mean, I'm not hiding at that point. They know who you are. Clearly, they're sending you a message. They know who you are. So I might as well go with it and use it to benefit my research, and that's what I did. But most people aren't going to do that, and they shouldn't do that, because it's not for a weak stomach, that's for sure.

[00:09:09.140] - Jeff Phillips
That seems stressful, for sure.

[00:09:11.970] - Shannon Reagan
Well, you mentioned the L word. Should we talk LockBit?

[00:09:17.090] - Jon DiMaggio
Why not?

[00:09:17.650] - Shannon Reagan
Have you talked LockBit enough? You have been on the press junket for your investigation into this group, your interaction with Bassterlord, and all of the great information that you've written about it and that you've shared.

[00:09:34.650] - Jon DiMaggio
Yeah, I've been on the LockBit tour lately. Actually, I just began a vacation. I was two days into it, and Operation Cronos took place. They took down LockBit's infrastructure, and they began this sort of psychological operation that lasted for about a week, where they released different pieces of information and sort of toyed with the threat actors. Because of that takedown, I had to cancel my vacation and come back to work. Since then, yeah, I've been talking to law enforcement agencies, government agencies, lots of media organizations. A lot of people want to talk about the topic right now. And because I just happened to be in a place where I'm very close to the people behind LockBit and have been doing the CTI research on LockBit now for a year and a half, two years, I've just been sort of the subject matter expert. So, yes, I've been talking about it. Yeah, you know, you go with the flow with what's happening in the world right now. So I thought I was actually going to be working on my next project, which would not be LockBit. And the way things are going, I have a feeling I won't be able to get away just quite yet, but we'll see.

[00:10:52.600] - Jon DiMaggio
But, yeah, LockBit is definitely a hot topic right now.

[00:10:55.910] - Shannon Reagan
Could you talk a bit about your investigation? It's sprawling, like the CTI element. There's an open-source investigation, an OSINT element to it as well. But you're engaging directly with the threat actors. You're also reaching out to victims as well, like the human aspect of it as well. Can you talk about how you tied those threads together?

[00:11:17.160] - Jon DiMaggio
Yeah. So the CTI aspect, I think most people are going to understand what that is. That's sort of looking at the zeros and ones, looking at the indicators of compromise, understanding the attack chain of each step of what the attacker does in order to complete that overall objective of extorting and ransoming victims. But there's another aspect to it, and it's something before I changed, meaning for most of my career I just did the CTI part. And before I really changed my tactics, it was one day I just kind of thought about it and I was like, ransomware victims have to talk to their attacker 100% of the time, or I should say communicate. Not necessarily talk, but they have to communicate with their attacker 100% of the time. So it made me really think about it. That is something where we know very little information about these people, yet we're having to deal with them and to talk to them. And they're human, so they're going to have things that influence what they do. They're going to have aspects of who they are and their character and their personality traits that, if you understand that better, you can use that to your advantage when you're doing these negotiations.

[00:12:28.230] - Jon DiMaggio
So that was kind of what got me on the thread of, hey, we need to start looking at the humans behind it. But it's not just that, because for years, more on the government side, there's been a human intelligence aspect where people have an expertise in that. And then you've had more of the CTI piece, but no one, at least at a public level, is really putting that together. And so that's what I wanted to do. I wanted to better understand the people who are conducting the attacks. I wanted to better understand how it's affecting the victims behind it, how they're handling these things when it's taking place. And obviously, I already understood the CTI piece, but I wanted to put that all together. And at the same time, I wanted to tell a really interesting story, because I write 60, 70 pages of research for each one of these volumes. If it is not sort of, quote unquote, fun and exciting, people wouldn't read it. So my goal in doing this is to share information and to make it read like a Tom Clancy novel. But I don't want it to deviate too far away to where it's not hitting the mark of being solid analytical research.

[00:13:38.020] - Jon DiMaggio
And one of the things I pride myself on is how to conduct attribution. I wrote a whole book on how to do practical CTI type of work, so I have a thorough understanding of that. But I don't focus on that part as much. But I always want to show my findings, provide the evidence. Kind of like my math teacher used to tell me, show your work. So if a human person tells me something, I'm going to include that. But if I'm going to value that as high confidence, then I need to have technical data to support that. And if I don't, I'm still going to share it, but I'm going to assess it at a lower confidence rating. And I think it's important that you put all this together so that your reader, one, gets the information, gets the technical piece, gets the human piece, likes it because it's a good story. More importantly, they have a feel for how valuable or invaluable this information is, so they can use it and make judgments moving forward on their own attribution as they work through attacks that are affecting their organization.

[00:14:35.770] - Jeff Phillips
I do think the diaries do a great mix of pulling that all together. As someone that's not as technical, I can still get the gist of the humans behind it, but I can see where you're also helping the threat intel analysts. But I do want to go into some of that human element. You've talked personally with a number of the members of LockBit, of this group, and hearing their backgrounds and personalities is super interesting. Can you tell us a little bit about one of them in particular? Bassterlord is a super interesting character. I know he's real, but great name. Tell us a little about him, and then the overall group dynamics within this ransomware gang.

[00:15:25.650] - Jon DiMaggio
Yeah, so Bassterlord really surprised me. He was much different than what I sort of perceived before I went into this to talk to him. But I've spoken with him a lot over the past year. And if I didn't know he was a criminal, my answer would be, I like the guy. I think he's a good guy. He is a likable person. Out of everyone I talked to, there's a short list of ones that I've actually established relationships with, that I actually care about what happens to now. For everybody that's going to beat me up for saying that, that doesn't mean I don't think that you should be held accountable for your crimes. It just means there's a difference between someone who is reckless or mentally ill or wants to harm people physically, who are just really bad people at the core, versus people who've taken the wrong path in life, and now they're so far in that that's all they know. And that would be more Bassterlord. I think in a different scenario, he would have had a much different life, but that doesn't matter, because that's not the scenario he had.

[00:16:34.130] - Jon DiMaggio
But yeah, I learned how to understand people and not judge them. And it is something you have to learn, because you don't even know that you have preconceived things in your head sometimes before you talk to somebody. But what I really learned about Bassterlord was he really isn't that different than a lot of CTI analysts, outside of the aspect that he commits really bad crimes. So when I talk to him, I never condone what he does. And I'm direct with my intent. When I begin these engagements with people, I tell them. I don't lie to them, especially when it's being done as myself. I'm very straightforward. I say, I'm researching you. I'm not going to make you look good in my writing. I'm going to be professional, and I'll always be professional when I talk to you. But the end result is going to be me trying to find information that's going to help take you down. And if they still want to talk to me, then we continue. But I don't want to lie to them. Again, it's different with a fake persona. But if I'm doing this as myself, I feel like I need to be straightforward.

[00:17:39.960] - Jon DiMaggio
And if they still want to talk to me, great. And if they don't, they don't. But with Bassterlord, there was something more appealing about his personality, because he was able to show empathy. There was a time where he found some other, I'm not going to get too far into details with this, but some of the ransomware guys he knew were going to attack a hospital. He convinced them not to, and he provided me with the information so that I could contact them to get them to fix the vulnerability. So that's my point. He is different than most of the ransomware actors that are out there. We would talk about things that are farther outside of the realm than just what our job is. We'd actually talk about music that we like, different types of sports that we watch and like, life stories, those types of things. So it's a unique relationship, but I think it really has gotten me to be able to not only just understand him, but it's really helped me to understand how to approach other threat actors. Most of them don't fall in sort of the cast that Bassterlord does that I just explained; most of them are a little bit different.

[00:18:51.260] - Jon DiMaggio
And some of them are very dangerous and threatening and do bad things and want to harm people, just to harm. So you have to understand those people so that you can then tailor how you're going to interact with them in order to keep yourself safe.

[00:19:06.910] - Shannon Reagan
Well, speaking of maybe the not-so-nice or the not-so-complex, how do you deal with the balance of contacting them, engaging in conversations with people that might be doing terrible things or saying terrible things while they do?

[00:19:24.630] - Jon DiMaggio
Yeah, it's not easy. And I am a trained CTI analyst. I am a trained intelligence analyst. I am not a trained human intelligence analyst. I've just had to learn on my own and kind of see what happens, type of thing, which is not a great way to approach this, but I wanted to explore this, and that was the only way to do it. So that balance is difficult, because here's the difference. As a CTI analyst, the only thing that's dictating when I have to work is my employer. With what I do now, there's a human aspect to it, a human intelligence aspect to it. What dictates it is real-world people and events. So when I'm trying to build a relationship, just because I'm on vacation or just because it's a Saturday, that doesn't mean I can just say, hey, I'm off hours, I can't talk. I could do that, but I'm not going to develop a relationship with this person, because if I tell you this is only a working relationship, it's not going to go anywhere near as far as if I build a relationship where you get to know me and I get to know you personally.

[00:20:35.130] - Jon DiMaggio
And that takes a lot of time and effort. Now, on top of that, I've talked to some pretty scary people over the years now. And with that, you also can't just blow people off if they're a crazy psychopath criminal that wants to be the world's most evil villain, which some of these guys have mental illnesses, and that is how they perceive themselves. So it's a very delicate balance. There's always a risk and a threat. It's something that doesn't just affect the person doing it, but you also have to consider how that's going to affect your family, friends, the people around you. And then you have to kind of tailor your whole life to it. Just as an example, doing this, you can't have social media for your personal life, and you can't have people that are meaningful to you connected to them. You have to constantly be worried. I don't know if worried is the right word, but you have to be aware of everything around you and know that there are crazy people that could do crazy things. Have a rock or a brick thrown through your window, have you swatted, worst-case scenario, use violence-as-a-service against you, all of those things.

[00:21:42.190] - Jon DiMaggio
It's a very delicate balance, and you have to go into that, again, I keep repeating this, but with intent and a well-thought-out approach before you ever engage with these guys, and understand that it could go south any time, and you've got to know when to get out.

[00:21:58.070] - Jeff Phillips
Can we go into that just a little deeper, the OPSEC side of this? Well, you're already using your real name, but can we talk about it? When you're on the dark web, for general CTI analysts, how do you investigate these groups? How do you protect yourselves during those investigations?

[00:22:15.650] - Jon DiMaggio
Yeah, so for years, what I would actually have to do is create virtual machines and have, I still have a separate network for when I do my research, but have separate networks constantly. Make sure you have separate physical devices that are separated from personal, work, and then what I call research, where we're actually reaching out and doing this stuff. And it's very cumbersome, especially when you're dealing with virtual machines and having multiple running at once and all these different resources. It can be difficult. So one of the tools that I use is Authentic8 Silo, and that is actually a tool. I'm not one that ever champions a vendor, but it's made my job so much easier. And it's one of the very few resources where I actually got more than what I was promised at the point of the sale. What Silo does and enables me to do is, basically, I still have virtual machines that I use for specific things, but for 90% of what I do now, I'm able to use Silo. Silo, the best way I could describe it, is there's a data server somewhere that I send my queries to, whether it's to the dark web or to whatever site I want to research. I can pick where I'm coming from, anywhere in the world, and it'll run sort of in that data center, but it almost mirrors it back to my screen.

[00:23:46.360] - Jon DiMaggio
Well, the reason that's so important is because if I'm visiting a Russian forum, and if I don't speak Russian and I have to go in there speaking with English and then translate everything, all of that is things that can be detected in their logs as you're doing it. It literally even has a translation service that's done after the fact. I don't actually see that; it operates the same as it would if I was using the traditional translator, but it doesn't leave any traces on their logs or their systems. I can pop out, visit a Russian dark web forum, and it'll appear as though, again, from a data entry logging aspect, that I actually am speaking the language, based off of those settings on my browser and everything else. So those are things that I have to think about and do manually when I use virtual machines. So I've even used it on my, I don't do this often, but I've been in a situation where I've even had to use it on my phone before.

[00:24:43.770] - Jeff Phillips
You're right, because you're 24x7 in this.

[00:24:46.880] - Jon DiMaggio
Yes. But anywhere that I have a web browser. I use a lot of different systems and operating systems with different tools for different things. But anything that has a web browser, I can access Silo through. And most importantly, at least in my opinion, compared to most of the tools that I've had to buy, it's much more cost-effective than the other tools I buy, and I use it more than any of them. So, I mean, there's lots of tools that I use, but that's probably the tool that surprised me the most over the years here.

[00:25:18.410] - Shannon Reagan
We love to hear you.

[00:25:20.500] - Jeff Phillips
We do. We do, Jon. And our listeners know we don't often go down the path of touting the product here.

[00:25:27.770] - Jon DiMaggio
Yeah, no one's asked me to do this. I just am a cheerleader because I have been surprised so infrequently by vendor tools and resources. And it makes my life easier and safer, which is the only reason. Even in my writing, very rarely do you ever see me even mention Analyst1 or any of the software they make. And that's not because I don't use it or like it, but this was so unique and so helpful for my work that I don't care if I sound like a commercial for it, because people need to know about it. And it's going to make analysts' jobs just that much easier to do. And even if I was a private researcher and I didn't work for a company, it's something that I could afford on my own if I wanted to. So I think it's something that people need to understand, because it's going to keep them safer when they're doing this type of work. And I really appreciate the product.

[00:26:20.430] - Jeff Phillips
Well, thank you. And look, we appreciate it. Again, to our listeners, check out Jon DiMaggio. Check out Ransomware Diaries. Follow him and the company. It is super interesting, all the elements from technical to the human side of ransomware. They're great reads. So we hope you continue with that work, and thank you for joining us today. It's very much appreciated that you spent this much time with us.

[00:26:50.210] - Jon DiMaggio
Of course, thank you for having me. I appreciate it.

[00:26:52.760] - Jeff Phillips
Yeah, we'll have all of Jon's information, social media, et cetera, in the show notes. Thank you all for again spending time with us on Needlestack. You can view transcripts and other episode info on our website, Authentic8.com/needlestack. That's Authentic with the number eight, slash needlestack. And be sure to let us know your thoughts on X, formerly Twitter, or Bluesky. We're there on Bluesky at Needlestack pod. And be sure to like and subscribe wherever you're listening today. We'll see you next time on Needlestack.
