
Ep. 50: LockBit Diaries: A year undercover with the world’s most dangerous ransomware gang

DINA TEMPLE-RASTON: Back in June 2020 an unusual announcement popped up in a bunch of Dark Web forums. Normally the Dark Web is filled with ads for stolen credit card numbers or personally identifiable information.

But back then, there was this call for papers — you know, like the call for research papers
academic conferences always have.

JON DIMAGGIO: I’m reading from the ad right now… non-standard methods of extracting
material, admin shells… roots bases…

TEMPLE-RASTON: This is Jon DiMaggio. He’s a researcher at Analyst1, a threat intelligence company based in Virginia. He remembers seeing the ad when it came out and thinking how odd it was for someone to ask a bunch of people on the Dark Web for research papers on hacking.

DIMAGGIO: You as a submitter are looking to find a new creative way to hack something or
to program or code something that conducts a hacking function. It could be theory…

TEMPLE-RASTON: It was a weirdly highbrow way to get the attention of what was essentially
an audience of cyber criminals.

DIMAGGIO: They're calling it like, in the name of education and the criminal community
helping out the, the young, the young guys and gals coming up.

TEMPLE-RASTON: Cyber criminals who were, apparently, happy to spend some time writing
thoughtful academic papers. The Summer Paper Contest, as they called it, generated a
huge amount of interest. There were literally dozens and dozens of entries with titles like:
How we wrote the first ransomware for Android…

Some of the papers touched on cryptography. Others provided tips on how to stay
anonymous. The contest was sponsored, as it turns out, by a group that was pretty good at
dreaming up novel approaches to get themselves noticed. In fact, word of mouth helped put
this new Russian ransomware gang on the map.

They called themselves LockBit. And just a few months after that contest, they took the
world by storm.

[MONTAGE]

[MUSIC]

TEMPLE-RASTON: And we’re talking to Jon DiMaggio about all this because he managed to
do a remarkable thing. He spent more than a year inside LockBit’s operation undercover,
watching as LockBit grew from a rag-tag gang of cyber criminals into the most prolific
ransomware syndicate the world has ever seen.

[THEME MUSIC]

TEMPLE-RASTON: I’m Dina Temple-Raston and this is Click Here, a podcast about all things
cyber and intelligence.

Today, a journey into LockBit. For more than a year, Jon DiMaggio infiltrated the group using
an online persona, and he discovered not only how the LockBit ransomware syndicate
operates but also how it’s building its future too.

And his secret weapon?

DIMAGGIO: This LockBit, it's been, it's been like such a gift because they just won't shut up.

TEMPLE-RASTON: Stay with us.

[BREAK]

TEMPLE-RASTON: To place LockBit in the pantheon of ransomware gangs, you just need to
look at the numbers. Last year they were responsible for about 44 percent of the total
ransomware campaigns launched – 44 percent. None of its competitors come close to that.
And some of their attacks, they’ve been epic.

LA NEWS: Well, hackers have carried out a cyber attack against the city of LA’s housing
authority.

YOUTUBER: The Canadian city of St. Mary’s, Ontario, has been hit with a ransomware
attack.

NEWS: SickKids hospital is recovering from a second cybersecurity incident in recent weeks.

NEWS: Ransomware from a gang called LockBit has infected Royal Mail computers used to
print customs labels.

TEMPLE-RASTON: But a few years ago, back when that intelligence analyst Jon DiMaggio
first started following LockBit, it was just another cyber criminal gang. Just another group of
guys trying to make a name for themselves, struggling to recruit talented people who could
help them launch ransomware attacks. Subcontractors, if you will.

And back in 2020, when a LockBit job posting came up, Jon DiMaggio, and probably lots of
researchers like him, just went ahead and applied. Eighty percent of success is showing up,
right?

DIMAGGIO: I approach them as when they have open, when they open their doors for
affiliates, when they're, when they're recruiting and once you apply, you get in.

TEMPLE-RASTON: Well, maybe not in, but you get a virtual interview. And then they give you
an assessment test to gauge if you really have the skills they need or you’re just a script
kiddie who talks big and can’t code.

DIMAGGIO: The assessment test that they gave me, um, I wasn't, I was not qualified enough,
which, which was okay, I didn't expect to get through. Um, but they let me remain in the
TOX channel.

TEMPLE-RASTON: Remain in the TOX channel. TOX is a peer-to-peer instant messaging service that cyber criminals just love. In fact, a lot of today’s ransomware negotiations happen in TOX. So if you’re in the TOX channel for LockBit, well, you’re kind of a fly on the wall, watching cyber criminals at work, in the wild.

But Jon wanted to be more than a fly on the wall, he wanted to engage. So, he baited the
person who’s thought to be the leader of the group, a guy who goes by the name
LockBitSupp.

First, he offered LockBitSupp a chance to do what hackers can’t resist: trash talk other
hackers. He asked the guy what he thought of a rival hacking group and whether it had
been infiltrated by a snitch. LockBitSupp took the bait, even invited Jon into a separate
channel to chat in private. That’s gold for a researcher!

The only problem, for Jon, was that LockBit is a Russian ransomware gang. And he doesn’t
speak Russian. So he had an idea…

DIMAGGIO: So I started off the conversation with German, and of course then he says, I
don't speak German, but here's the thing. All of them speak a little bit of English because
those are the primary victims.

TEMPLE-RASTON: So I guess you speak German? Is that the idea?

DIMAGGIO: Oh, I, I don't, I just knew that LockBit didn't, so that is.

[LAUGHS]

DIMAGGIO: Yeah, yeah, so I start speaking in broken English. I'm like, do you speak English?
Type of thing? And, and they'll be like, yes. And I'll say, okay, well why don't we try to
communicate like, like this? And then I just have to remember to make sure my English isn't
too good as I communicate, but it works. And, and that's exactly what I did with LockBit.

TEMPLE-RASTON: And what he found was a guy who not only exaggerated his
accomplishments and trash talked other groups, but also a man who fundamentally
understood in a way few people did that in order for the ransomware industry to get “next
level” it needed to be run more like a traditional business.

So he decided to do just that. And his first step was to turn LockBit into more than just a
ragtag bunch of hackers. He decided to make it a brand.

[MUSIC]

DIMAGGIO: They constantly did things to get their name out there, and then they capitalized
on opportunity.

TEMPLE-RASTON: He started with a logo. Red, white and black, a little retro looking. They put it on everything they touched. It was on their website, on email signatures, on the letterhead of their ransom messages and then, a little twist, a different kind of IRL branding.

DIMAGGIO: They at one point paid people to tattoo it on their bodies. And it was for between
500 and a thousand dollars. And I just, when I heard that, I’m like, there is no way anyone is
going to tattoo the name of a ransomware brand and their logo on their bodies.

[MUSIC]

DIMAGGIO: And there’s a few people who did it.

TEMPLE-RASTON: Wow.

DIMAGGIO: That's just crazy to me.

[MUSIC]

TEMPLE-RASTON: But this went well beyond just getting the word out. LockBit’s leader was
thinking strategically. He began studying the inefficiencies and bottlenecks in the
ransomware business model. What was preventing the average hacker from launching
successful attacks? And his solution was something he called LockBit Red. He branded it
publicly as LockBit 2.0. Think of it as ransomware made easy.

Not a great coder, but want to make some ransomware money? Not a problem, LockBit
makes it point and click. It created an administrator’s panel to help conduct and control
attacks. It was like a dashboard to help hackers keep track of all the ransomware they had
released into the world. LockBit improved the encrypter so attackers could steal data faster.
There were even push notifications that would tell attackers when a victim responded to a
ransom demand.

So now, a budding ransomware operator could look at their phones and see a notification
that their mom had called or someone had retweeted their tweet. And oh! My ransomware
victim just replied!

[MUSIC]

DIMAGGIO: He took what used to require, you know, weeks of being on a network and
manually entering commands and writing scripts and stuff, and he automated it with a
graphical interface for everybody.

TEMPLE-RASTON: Now to be fair, LockBitSupp wasn’t the first person to try this. But, he was
the first to do it that well.

LockBit’s central management console incorporated all the disparate elements of a ransomware attack and put it in one place.

DIMAGGIO: They made a process that was convoluted, slow, and putting data outside of
their own control. And they made it fast, efficient, uh, and going into their own
infrastructure to use.

TEMPLE-RASTON: Constantly improving and upgrading LockBit was a lot of work and
LockBitSupp said as much. In fact he was talking about it in one exchange Jon captured.
And he said: “What doesn’t kill you makes you stronger.”

He said LockBit would keep updating its infrastructure until stealing a victim’s data became
something anyone could do.

And then, to top it all off, he did something big. Something that no one had dared to do: He
upended the ransomware payment model.

[CASH REGISTER SOUND]

TEMPLE-RASTON: Now, this may not sound like a revolutionary concept. But actually LockBit
was tackling one of the biggest problems in the cyber criminal world: paying people. It’s not
just about getting a victim to pay a ransom, that was relatively easy. The issue was paying
all the people who worked on the attack — the backroom people.

Traditionally, ransomware gangs use subcontractors, they call them affiliates. Think of them
as specialists. People who might be particularly good at searching for vulnerabilities or
cracking into networks. Each hacker would do the specific thing they’re good at and then
collect that percentage of the ransom. At least they were supposed to. A lot of the time, like
subcontractors more generally, they just didn’t get paid.

DIMAGGIO: And that was a fear and it was a concern that was talked about a lot and still is
talked about a lot on these criminal forums.

TEMPLE-RASTON: LockBit’s solution? To flip the script. Put the affiliates in charge.

DIMAGGIO: You as the affiliate, you do the negotiation and collect that money yourself and
then you pay us our percentage. And that inherently, gives them trust and removes that
fear of getting ripped off.

TEMPLE-RASTON: Once he did that, affiliates were banging down the doors to work with
them and LockBit suddenly had more ransomware work than it knew what to do with.

Which explains why LockBit has become what it is today, responsible for, remember, 44% of
all ransomware attacks last year. As they tell you in business school, delegate and partner
with the right people and you’ll be unstoppable.

[MUSIC]

TEMPLE-RASTON: When we come back we hear from someone on the receiving end of
LockBit’s product development efforts.

AL STRATHDEE: These folks are doing nothing but spending time developing software, how
to shut us down and how to penetrate systems. How do you compete against that?

TEMPLE-RASTON: And learn more about the man who made LockBit what it is today.

Stay with us.

[BREAK]

TEMPLE-RASTON: Last summer Jon DiMaggio was in the chatrooms when LockBit started
crowing about its latest victim: it was a small Canadian town called St. Mary’s.

DIMAGGIO: The conversation on that though was almost like high fives and laughing at, at
the victim themselves. You know, uh, poking fun and how easy it was to compromise and
things of that nature.

TEMPLE-RASTON: Think of it as the hacker version of locker room talk. The attackers went
into these hackers forums and began talking about what they just stole.

DIMAGGIO: They like to go through the data to find the sort of the most embarrassing, um,
aspects of it and share stuff. And it's, it's usually, it's very much like an online bully. It's very
much, you know, picking on the victim, talking trash about the victim, and trying to expose
their most vulnerable aspects as though it's some big joke.

TEMPLE-RASTON: But it doesn’t feel like some big joke on the other end.

STRATHDEE: You feel like the world's gonna end as you get into it more and more and you
think, you know what has happened. It's like being robbed, it's like we were invaded and
robbed and it was a smash and grab.

TEMPLE-RASTON: This guy was on the other end of that LockBit attack Jon watched them crow about in their forums.

STRATHDEE: My name is Al Strathdee. I'm the mayor of the town of St. Mary's, which is a
town of around 7,700 in southwestern Ontario.

TEMPLE-RASTON: St. Mary’s IT department discovered hackers in the city’s network in July
2022.

STRATHDEE: They were doing some routine maintenance on our systems and they
discovered some irregularities.

TEMPLE-RASTON: That’s cyber attack speak for ‘there appears to be someone in the servers
who isn’t supposed to be there.’

STRATHDEE: They immediately isolated the system and unplugged the servers.

TEMPLE-RASTON: And remember those push notifications? The thing that LockBit launched
so ransomware attackers could track their victims. Well, that may have happened to Al.

STRATHDEE: Our initial thought is they didn't even know they hit us when they, when they
had, you know, and whether they have systems that went back and, and discovered that we
had discovered or something went, an alarm went off.

TEMPLE-RASTON: He’s still waiting for the final report to tell him that.

STRATHDEE: And I’m not privy to that information yet.

TEMPLE-RASTON: So when people said, hey, this is LockBit, were you stunned because
they’re kind of a big deal ransomware organization?

STRATHDEE: I was stunned actually and the more I learned about LockBit and one of the
interesting things, I was told during one of the things that there has been incidence where
you can actually rent this software from LockBit and you maybe heard about this and, and
they take a cut, which means it could have been anyone.

TEMPLE-RASTON: In other words, it may not have been LockBit itself that hacked them, but
one of those affiliates LockBit had learned how to attract.

He said the attack made clear to him that everyone is pretty vulnerable, and everyone has
to prepare for a ransomware attack now.

STRATHDEE: You talk a lot about roads and sewers and, and, and different things like
sidewalks and things as being infrastructure. IT is becoming infrastructure as well, and we
have to start thinking of it more. And we need to spend more money, a lot more money,
than we ever expected.

[MUSIC]

TEMPLE-RASTON: So who does this kind of thing? Who thinks a hospital or a small city or
school is a legitimate target?

That’s what the analyst Jon DiMaggio really wanted to understand.

The humans behind all these attacks.

[MUSIC]

TEMPLE-RASTON: Jon used to do this kind of analysis for government intelligence agencies.

And, after spending more than a year lurking in chat rooms, lobbing questions, watching
the interaction, what he thinks he pieced together is this:

LockBitSupp is a white male living in Russia or Eastern Europe…

He’s in his mid to late thirties…

He grew up poor…

DIMAGGIO: He says that he was picked on for not having money and not having a lot of
friends. So because of that this builds in these insecurities and when you get a lot of
success, that breeds a very strong ego that is insecure.

TEMPLE-RASTON: LockBit sees himself as a prince of darkness, like a Batman villain of ransomware bent on sowing destruction.

One of his latest things is to make ransomware more destructive. He says LockBit is going
to start broadening its repertoire. It is now going to start including DDOS or denial of service
attacks in LockBit operations.

They want to crash servers.

LOCKBITSUPP: I am looking for DDoSers

TEMPLE-RASTON: We ran one of his chat messages through an AI voice.

LOCKBITSUPP: We’ll now attack targets and provide triple extortion: encryption, data leaks and DDoS attacks.

TEMPLE-RASTON: Why the change? Because, he says, DDOS attacks invigorate him and, in
his words, make life more interesting.

Just a little glimpse into this weird kind of Batman Super Villain persona he’s assembling.

THE PENGUIN (BATMAN): You gotta admit, I played this stinking city like a harp from hell.

TEMPLE-RASTON: But here’s the thing about so-called Super Villains like the Penguin or
LockBitSupp, deep down, they have issues. For all their bravado, they’re a little insecure.

And in LockBit’s case, maybe less surprisingly, he’s super paranoid. He’s really worried he’s
going to get caught.

DIMAGGIO: His paranoia prevents him from ever being able to enjoy all this money that he has and all the things, um, that he actually wants to do. He can't travel to places he can't, you know, go on vacation or, or, or leave certain areas of the world, you know? And because of all of this, um, he, he doesn't seem happy.

TEMPLE-RASTON: So Jon took all this stuff he gleaned from inside LockBit’s TOX channel
and he’s put it all into a 69-page report. He’s called it Ransomware Diaries, Volume 1. We
have a link on our webpage.

He gave us an early look, which is what we used to put together this episode. Jon assumes
once the report goes public any personas he used to get all that information will be burned.

But he maintains that the whole exercise was an important one because people are so
focused on the technical aspects of ransomware they forget the people behind these
attacks are only human.

Remembering that, he says, provides a roadmap on how to topple groups like LockBit.

How would he do it?

Play on its leader’s paranoia, use information campaigns against him. Make him nervous.
Um… more nervous.

Which could explain why, when I asked Jon what he’d say to LockBitSupp now, he said…

DIMAGGIO: Watch your back, you know. There’s researchers, there’s analysts, there’s law
enforcement agencies and entire governments that are coming for you.

So when you have to sit there every day and look over your shoulder. And when it’s hard to
sleep at night, that makes me smile.

[MUSIC]

TEMPLE-RASTON: This is Click Here.

[HEADLINES MUSIC]

TEMPLE-RASTON: Here are some of the big cyber and intelligence stories of the past week.

France’s data protection regulator – the Commission Nationale de l’Informatique et des Libertés – leveled a $5.4 million fine against TikTok for allegedly making it difficult for users to opt out of their tracking.

According to CNIL, the fine isn’t related to the ongoing debate over TikTok’s privacy
settings. Instead this had to do with TikTok.com’s cookie banner. There is a single-click
option for users to accept all the cookies that might track them, but no correspondingly
simple option to refuse them.

Under the European Union’s data protection law websites are required to withhold all
marketing cookies and trackers from users’ browsers until they have received explicit
permission from those users to use them.

Researchers at SentinelOne have identified a group of pro-Russian hackers – known as
NoName057 – as using Telegram and GitHub to launch DDOS or distributed
denial-of-service attacks against Ukraine and several NATO countries.

The group has been targeting candidate websites in the Czech presidential elections as well as assorted businesses and organizations in Poland and Lithuania. SentinelOne says the group is also responsible for a recent disruption of services in Denmark’s financial sector.

SentinelOne told The Record that the group may be paying people to launch the DDoS attacks. While other pro-Russian hacking groups like Killnet have made international news, NoName057 has been flying under the radar.

And finally, NSA Director Gen. Paul Nakasone made a pitch for keeping a targeted internet surveillance program known as Section 702. It allows U.S. intelligence and law enforcement to track the communications of non-U.S. citizens.

Nakasone said 702 has played an “irreplaceable” role in helping the agency fend off
ransomware attacks and prevent weapons components from reaching adversaries…

He didn’t provide much detail about those operations aside from saying without 702 it would have been hard to interdict them. Section 702 of the Foreign Intelligence Surveillance Act, or FISA, is set to sunset at the end of the year… Its renewal is expected to be contentious. Critics argue that collecting information on the communications of non-Americans overseas cannot help but sweep up innocent Americans in the process.

[THEME MUSIC]

TEMPLE-RASTON: Click Here is a production of Recorded Future News. I’m Dina Temple-Raston, your host, writer and executive producer.

Sean Powers is our senior producer and marketing director, and Will Jarvis is our producer
and helps with writing.

Karen Duffin and Lu Olkowski are our editors. Darren Ankrom is our fact checker, and Ben
Levingston composes our theme. We use other music from Blue Dot Sessions.

Gabriella Glueck is our intern.

And we want to hear from you. Please leave us a review and rating wherever you get your
podcasts, and connect with us by email: Click Here [at] Recorded Future [dot] com or on our
website at ClickHereshow [dot] com. I’m Dina Temple-Raston. We’ll be back on Tuesday.
