AI transcript
0:00:37 Pushkin.
0:00:44 Just a quick note, this is a bonus episode of What’s Your Problem?
0:00:46 and it’s sponsored by Microsoft.
0:00:50 John DiMaggio studies cybercrime for a living.
0:00:51 It’s his job.
0:00:56 But when he wanted to understand an international cybercrime gang called Lockbit,
0:01:00 he realized he couldn’t learn everything he wanted to know from the outside.
0:01:03 So he started trying to figure out how to get people on the inside
0:01:05 to tell him what he needed to know.
0:01:10 So I spent a lot of time studying, going back to, you know, World War II
0:01:15 when they started having all these documents about how to use the human trade craft
0:01:21 to sort of recruit and convince people to do things that they don’t necessarily know
0:01:23 that they’re doing to support your cause.
0:01:28 So were you telling me you started studying sort of World War II era spycraft?
0:01:29 Yes, that’s correct.
0:01:35 What’s something you learned from World War II era spycraft that helped you weasel your way
0:01:36 into a ransomware gang?
0:01:42 Everything from their ego to understanding who their adversary is
0:01:47 and making them feel that being friends with you will benefit them
0:01:48 because you have a common enemy.
0:01:55 Or even being adversarial towards them and saying certain things
0:01:58 just to see what their reaction is to sometimes understand the truth.
0:02:01 There’s also sort of the plan and prepare phase
0:02:03 where you have to go and sort of stalk them
0:02:05 and understand who their contacts are,
0:02:06 who their friends are,
0:02:07 who their enemies are,
0:02:09 where they hang out online,
0:02:10 all of that stuff.
0:02:16 So you have this set of strategic ideas in your mind.
0:02:18 What do you actually do?
0:02:23 So what I did, the first thing I did is I needed to figure out
0:02:25 sort of their digital fingerprint.
0:02:26 So I profiled them.
0:02:29 I began looking across the dark web.
0:02:31 I obviously started with the easy one,
0:02:32 their data leak site,
0:02:33 their own infrastructure.
0:02:35 And I went from there
0:02:38 and I eventually found the forums that they live on.
0:02:41 And there’s some very prominent Russian hacking forums
0:02:43 that have been around for about 20 years.
0:02:44 So it made sense to start there.
0:02:46 And sure enough,
0:02:48 they were very prevalent on that website.
0:02:51 They were very involved with conversations.
0:02:53 They have friends there, enemies,
0:02:54 and they do their business.
0:02:57 So they actually would go there just to talk
0:02:59 and sort of hang out with their buddies.
0:03:00 And the drama,
0:03:02 it was like a soap opera,
0:03:03 the drama.
0:03:05 These guys would get in these big arguments
0:03:06 over the stupidest things.
0:03:08 I just started profiling
0:03:09 and visually mapping out
0:03:10 who was who,
0:03:12 who they were talking to,
0:03:14 what those other people’s roles were.
0:03:15 Again,
0:03:16 then I would find the ones
0:03:16 who are their friends
0:03:18 and I would try to approach them
0:03:21 and the people who worked for them.
0:03:22 And did it work?
0:03:24 It did.
0:03:24 Well,
0:03:25 it sort of worked.
0:03:32 I’m Jacob Goldstein,
0:03:34 and this is What’s Your Problem?
0:03:36 My guest today is John DiMaggio.
0:03:39 John is the chief security strategist
0:03:41 at a company called Analyst One.
0:03:44 And I wanted to talk with John about Lockbit,
0:03:45 this ransomware gang
0:03:47 that was behind attacks
0:03:49 that extorted over $100 million
0:03:50 from companies around the world.
0:03:52 John wrote this sort of
0:03:55 book-length series of online posts
0:03:56 about Lockbit.
0:03:57 It was part of a thing
0:03:59 John called the ransomware diaries.
0:04:01 The story of Lockbit
0:04:02 is a great window
0:04:04 into the ransomware industry.
0:04:05 And it is an industry
0:04:08 with a lot of remarkable similarities
0:04:10 to ordinary non-criminal industries.
0:04:12 Lockbit tried to brand itself.
0:04:13 It tried to attract talent
0:04:15 and notch key wins
0:04:17 just like any software company.
0:04:18 But then there’s also
0:04:20 the part that is not like
0:04:21 any software company.
0:04:23 There is the crime part.
0:04:24 And it was the crime part
0:04:26 where Lockbit went too far
0:04:28 and wound up drawing the ire
0:04:30 of international law enforcement agencies
0:04:31 that, in fact,
0:04:32 have their own set
0:04:33 of innovative strategies.
0:04:34 And John watched
0:04:36 all this happen up close.
0:04:37 He told me his key contact
0:04:38 on the inside
0:04:40 had the username LockbitSup,
0:04:42 short for Lockbit Support.
0:04:45 I didn’t know it at the time
0:04:46 when I first started talking to them.
0:04:47 But what I found out
0:04:49 as I began to talk more
0:04:50 is there were two personalities
0:04:51 behind the account.
0:04:52 One seemed to be
0:04:54 much younger, friendlier,
0:04:56 more in tune
0:04:57 with sort of pop culture.
0:04:58 And the other one
0:05:00 who I gave a name,
0:05:02 Mr. Grumpy Pants,
0:05:03 because he was all business,
0:05:04 always serious.
0:05:05 And that was kind of
0:05:06 how I differentiated.
0:05:08 Tell me about the sort of
0:05:11 conversations you had
0:05:11 with LockbitSup.
0:05:13 Like, what was the nature
0:05:14 of those exchanges?
0:05:16 Well, so you have to understand
0:05:18 that when I did the initial part
0:05:19 that was sort of covert
0:05:20 pretending to be somebody else,
0:05:22 I only got so far with that.
0:05:23 And after I wrote
0:05:25 The Ransomware Diaries Volume 1,
0:05:26 they knew who I was.
0:05:28 The farthest I got
0:05:29 is talking to them as myself.
0:05:31 And they, you know,
0:05:31 it was just,
0:05:32 I started with,
0:05:33 with, hey,
0:05:34 do you guys know who I am?
0:05:35 I want to have a conversation
0:05:36 with you.
0:05:37 And they were, you know,
0:05:38 said to me, yeah,
0:05:39 you’re our favorite researcher.
0:05:40 We love you.
0:05:41 Okay.
0:05:42 And they were very willing
0:05:43 to talk,
0:05:44 which is why I got so much
0:05:45 farther talking to them
0:05:46 as myself as I did
0:05:47 pretending to be a hacker.
0:05:48 Uh-huh.
0:05:50 What’s a thing you learned
0:05:52 from LockbitSup?
0:05:52 What’s a, what’s a,
0:05:54 what’s one detail
0:05:54 of your understanding
0:05:55 that was improved
0:05:56 by that relationship?
0:05:59 Well, there were a lot of things,
0:06:00 but one of the key things
0:06:02 I’d learned was information
0:06:04 about they probably,
0:06:05 internal problems
0:06:06 that they had
0:06:06 with affiliates.
0:06:07 For example,
0:06:09 they complained that
0:06:10 they’ve got really good hackers,
0:06:11 but some of these hackers
0:06:12 are younger kids
0:06:14 and they’re good at hacking,
0:06:15 but they’re really bad
0:06:16 at negotiating.
0:06:17 Uh, and he was,
0:06:18 they were unhappy
0:06:19 about the amount
0:06:20 of money coming in.
0:06:21 Uh, so they talked
0:06:22 about that
0:06:22 and coming up
0:06:23 with a, with a model
0:06:24 of how much
0:06:25 they would accept
0:06:26 and they created
0:06:27 sort of a formula
0:06:28 per company.
0:06:29 And so it’s just
0:06:30 things like that,
0:06:31 things around attack resources.
0:06:32 They asked me one time
0:06:33 if I would buy them a,
0:06:34 they couldn’t get a,
0:06:35 they couldn’t get
0:06:37 a DomainTools account
0:06:37 and they wanted to know
0:06:38 because they couldn’t
0:06:39 pay for it with crypto.
0:06:39 They want to know
0:06:40 if I would buy it for them,
0:06:41 which of course
0:06:42 they’re playing with me,
0:06:42 you know,
0:06:44 and it was sort of
0:06:44 a cat and mouse
0:06:45 fun relationship
0:06:46 for a while
0:06:47 of going back and forth.
0:06:49 So it was, it was friendly
0:06:51 for most of our relationship
0:06:53 until it wasn’t.
0:06:53 So, okay, so you’re
0:06:54 in this world
0:06:55 and I just want to
0:06:57 step back for a minute
0:06:59 to, to, to talk about
0:06:59 what’s going on
0:07:00 in a big way, right?
0:07:01 There’s this phrase
0:07:02 that’s sort of central here,
0:07:04 which is ransomware
0:07:05 as a service.
0:07:07 Ransomware is like
0:07:08 straightforward,
0:07:10 something a lot of people
0:07:10 are familiar with.
0:07:11 It’s basically
0:07:13 some bad actor,
0:07:14 some hacker,
0:07:15 hacks into some company’s
0:07:17 computers, locks them up
0:07:18 and says,
0:07:20 we’re not going to unlock them
0:07:21 unless you pay us a ransom.
0:07:23 That’s ransomware.
0:07:24 Exactly.
0:07:25 What is ransomware
0:07:26 as a service?
0:07:27 What is, I mean,
0:07:28 we know about software
0:07:29 as a service, right?
0:07:29 It’s basically
0:07:31 you pay whatever amount
0:07:31 a month and you get
0:07:32 to use software.
0:07:33 What’s ransomware
0:07:33 as a service?
0:07:35 So ransomware
0:07:35 as a service,
0:07:37 there’s more than,
0:07:38 than just ransomware.
0:07:39 So you have
0:07:41 this two-part model
0:07:41 where you have
0:07:43 a service provider.
0:07:44 That service provider
0:07:45 provides the actual
0:07:46 ransomware code.
0:07:48 They also provide
0:07:49 infrastructure.
0:07:50 So the provider
0:07:51 provides these services.
0:07:52 The hacker goes
0:07:53 and does the dirty work
0:07:54 of the actual hacking.
0:07:55 And together,
0:07:56 when a victim
0:07:57 pays the extortion,
0:07:59 they share the profit
0:07:59 from it.
0:08:00 The benefit
0:08:01 from using this model
0:08:02 is you can have
0:08:04 a lot higher volume
0:08:05 than if it was just
0:08:06 five guys in a group
0:08:07 doing it themselves.
0:08:08 By using this model,
0:08:09 you can have
0:08:10 many people
0:08:11 doing attacks
0:08:12 on your behalf,
0:08:13 much higher volume
0:08:14 of attacks,
0:08:15 much higher revenue.
0:08:17 So Lockbit
0:08:18 is basically
0:08:20 just a software company.
0:08:20 They’re like,
0:08:22 they’re like
0:08:23 an enterprise software company.
0:08:24 They write software
0:08:25 and provide various
0:08:26 tools for users.
0:08:27 But in this case,
0:08:28 the users
0:08:29 are criminals,
0:08:30 are people
0:08:31 who want to hack
0:08:32 into various
0:08:33 computer systems
0:08:34 and steal data
0:08:34 and extort money.
0:08:36 That’s correct.
0:08:37 But the other piece
0:08:38 to it
0:08:39 is the service
0:08:40 provider aspect.
0:08:41 They’re the ones
0:08:41 that are sort of
0:08:42 in charge,
0:08:43 that run the show,
0:08:44 that give direction,
0:08:45 that step in
0:08:46 whenever there’s
0:08:47 an issue.
0:08:48 If there’s a victim
0:08:49 not paying,
0:08:50 sometimes they’ll come in
0:08:51 and help with the negotiation
0:08:52 or take over
0:08:53 or give direction
0:08:54 on how much
0:08:55 you can accept
0:08:56 as a payment
0:08:57 or even say,
0:08:58 this is,
0:08:59 you can or cannot
0:09:00 hack this company.
0:09:02 So they’re definitely
0:09:03 in the leadership chair.
0:09:05 So I want to talk
0:09:05 about how LockBit
0:09:06 sort of grows
0:09:08 and makes a name
0:09:08 for itself.
0:09:09 And one of the things
0:09:10 that’s really interesting
0:09:12 is kind of how
0:09:13 uninteresting it is.
0:09:13 It’s like,
0:09:14 oh, it’s this
0:09:15 international criminal gang
0:09:16 and they’re acting
0:09:17 like a boring
0:09:18 software company.
0:09:20 And it seems like
0:09:22 a key early moment
0:09:22 for them
0:09:23 as they’re trying
0:09:23 to grow
0:09:25 and differentiate
0:09:26 themselves in the market
0:09:27 is this
0:09:29 summer paper contest
0:09:31 in 2020.
0:09:32 Tell me about that.
0:09:35 Yeah, it’s pretty crazy.
0:09:36 So on this
0:09:37 long-running forum
0:09:38 that I mentioned earlier,
0:09:39 this Russian hacking forum,
0:09:41 LockBit really wanted
0:09:43 to get their brand
0:09:43 out there.
0:09:45 So what they did
0:09:46 is they sponsored
0:09:48 this hacking paper
0:09:50 contest,
0:09:52 meaning hackers
0:09:52 would submit
0:09:53 these papers
0:09:54 on different ways
0:09:54 to hack
0:09:55 and LockBit,
0:09:57 they would take part
0:09:57 in this
0:09:58 and they would
0:09:59 help review.
0:10:00 And there was
0:10:01 five winners
0:10:02 and I think,
0:10:02 I don’t remember
0:10:03 what the,
0:10:04 I think it was
0:10:06 $5,000 maybe.
0:10:08 You put a screenshot
0:10:09 in your report
0:10:12 and what’s amazing
0:10:13 is how banal
0:10:14 it looks.
0:10:15 It looks totally
0:10:17 like some college
0:10:18 software contest
0:10:19 or just some boring
0:10:21 enterprise software company.
0:10:21 Like there’s this
0:10:22 little kind of
0:10:23 clip art
0:10:23 of just like
0:10:24 a dude
0:10:25 at a laptop
0:10:26 with a little
0:10:26 plant next to him.
0:10:27 Although there is
0:10:28 also a skull
0:10:28 and crossbones
0:10:29 next to him.
0:10:29 It’s like,
0:10:30 we’re just coders,
0:10:31 but we’re bad.
0:10:33 And as you said,
0:10:34 first place is $5,000,
0:10:35 which seems like
0:10:36 not that much,
0:10:36 right?
0:10:37 They’re exploiting,
0:10:39 they’re stealing
0:10:40 tens of millions
0:10:40 of dollars
0:10:40 at this point,
0:10:40 right?
0:10:41 And then it says
0:10:43 like accepted
0:10:43 article topics,
0:10:44 just like it would
0:10:45 in a college contest.
0:10:46 But under accepted
0:10:48 article topics,
0:10:48 it says,
0:10:50 hacks,
0:10:50 any,
0:10:52 methods for pouring
0:10:52 shells,
0:10:53 fixing,
0:10:53 elevating rights,
0:10:55 your stories and tricks,
0:10:56 interesting hack stories.
0:10:58 It’s such a fantastic
0:11:00 combination of,
0:11:01 well,
0:11:03 banality and evil.
0:11:04 It is,
0:11:05 but here’s what
0:11:05 you have to think about.
0:11:07 There’s two benefits
0:11:07 for this.
0:11:07 One,
0:11:08 what I mentioned,
0:11:09 sort of getting their name
0:11:10 out and getting known
0:11:11 with hackers,
0:11:12 but two,
0:11:14 they’re looking for those
0:11:15 upcoming rising stars,
0:11:16 if you will.
0:11:17 It’s recruitment,
0:11:19 it’s talent pipeline,
0:11:19 yeah.
0:11:20 That’s right.
0:11:21 And that’s why
0:11:22 Lockbit was different
0:11:22 than most of these
0:11:23 other ransomware groups
0:11:24 because they approached
0:11:25 it as a business
0:11:26 and they thought
0:11:27 out of the box
0:11:28 and that’s kind of
0:11:29 what set them ahead
0:11:31 and apart at the time
0:11:32 from other ransomware groups.
0:11:33 So,
0:11:34 so does it work,
0:11:35 this strategy?
0:11:38 It absolutely works.
0:11:39 I mean,
0:11:40 there’s a reason
0:11:41 that people know
0:11:41 their name
0:11:42 and know who they are
0:11:43 and there’s a reason
0:11:44 that they have
0:11:44 so many people
0:11:46 that at the time
0:11:46 in a way
0:11:47 I really wanted
0:11:47 to work for them
0:11:49 over other groups.
0:11:51 It was propaganda
0:11:52 and it worked.
0:11:53 And so,
0:11:54 it seems like
0:11:56 by around 2021
0:11:58 they’ve hit the big time
0:12:01 and there’s this one hack
0:12:01 in particular
0:12:03 that you write about
0:12:04 in the summer of 21
0:12:06 of Accenture,
0:12:06 the big
0:12:08 international consulting company.
0:12:09 Tell me about
0:12:10 the Accenture hack.
0:12:11 So,
0:12:12 in the Accenture hack,
0:12:13 you know,
0:12:15 the affiliate
0:12:16 had gone in,
0:12:17 compromised them,
0:12:18 they locked down
0:12:18 their data
0:12:20 and Lockbit,
0:12:21 you know,
0:12:22 put it on their site
0:12:22 that,
0:12:23 you know,
0:12:23 they were a victim,
0:12:24 reporters started
0:12:25 to report about it
0:12:26 and you got a lot
0:12:27 of buzz in the media.
0:12:28 Now,
0:12:28 the problem
0:12:30 with the Accenture hack
0:12:31 is that Accenture
0:12:33 denied that the hack
0:12:33 took place
0:12:34 initially
0:12:36 saying that
0:12:37 it wasn’t real
0:12:38 and it didn’t happen.
0:12:39 The issue with that
0:12:41 is their customer’s data
0:12:43 was on their website
0:12:44 and you could
0:12:45 go see it
0:12:46 and validate it
0:12:47 and download samples of it.
0:12:48 The customer’s data
0:12:50 was on the Lockbit website.
0:12:51 That’s correct.
0:12:52 That’s correct.
0:12:53 And it was just a sampling
0:12:54 but you could see
0:12:55 this information
0:12:56 and it looked
0:12:57 quite authentic.
0:12:58 So,
0:13:00 so does this
0:13:01 Accenture hack
0:13:02 sort of
0:13:03 put Lockbit
0:13:04 on the map
0:13:05 in a bigger way?
0:13:06 Oh,
0:13:07 100%.
0:13:07 I mean,
0:13:08 the media
0:13:09 surrounding that
0:13:12 was very loud.
0:13:12 I mean,
0:13:13 it was across
0:13:14 many organizations.
0:13:16 Lots of
0:13:17 well-known
0:13:18 journalists
0:13:19 and organizations
0:13:20 reported on it.
0:13:22 All this feeds
0:13:23 into the propaganda.
0:13:23 Not that journalists
0:13:24 shouldn’t report on it.
0:13:25 I’m just saying,
0:13:25 you know,
0:13:26 Lockbit plays that
0:13:27 to benefit him
0:13:29 as them as well.
0:13:29 So,
0:13:30 so basically
0:13:31 the press coverage
0:13:32 is good for Lockbit
0:13:32 because
0:13:34 hackers see it
0:13:35 and go to Lockbit
0:13:35 and say,
0:13:35 hey,
0:13:36 I want to be
0:13:36 an affiliate
0:13:37 and do some
0:13:37 hacking,
0:13:38 essentially.
0:13:38 That’s right.
0:13:39 And to be fair,
0:13:40 the same thing
0:13:40 for me
0:13:41 from writing
0:13:41 these reports.
0:13:42 Yes,
0:13:42 it helps
0:13:43 researchers,
0:13:43 law enforcement,
0:13:44 but it also
0:13:45 helps them.
0:13:46 That’s the reason
0:13:46 that they were
0:13:47 friendly to me
0:13:47 is because
0:13:48 they were fans
0:13:49 of a lot.
0:13:49 I have probably
0:13:50 just as many
0:13:51 criminal hackers
0:13:52 that are fans
0:13:52 of the ransomware
0:13:53 diaries
0:13:53 as there are
0:13:54 researchers
0:13:54 and,
0:13:55 you know,
0:13:57 regular people
0:13:57 that are not criminals.
0:13:58 Well,
0:13:58 I mean,
0:13:58 there’s an
0:14:00 ecosystem here,
0:14:00 right?
0:14:00 Like,
0:14:04 the job,
0:14:05 there’s a universe
0:14:05 of people
0:14:06 whose job
0:14:06 is fighting
0:14:07 criminals
0:14:09 and a universe
0:14:09 of people
0:14:09 who are criminals
0:14:10 who are trying
0:14:10 to evade
0:14:11 being caught,
0:14:11 right?
0:14:13 That’s right.
0:14:14 The kind of
0:14:15 intellectual universe
0:14:15 has got to be
0:14:16 almost entirely
0:14:17 overlapping.
0:14:18 Everybody’s trying
0:14:18 to figure out
0:14:19 what everybody
0:14:19 else is doing.
0:14:20 Everybody’s
0:14:21 sort of using
0:14:22 the same tricks
0:14:22 on each other.
0:14:23 It makes sense
0:14:26 that the bad guys
0:14:26 and the good guys
0:14:27 would be reading
0:14:27 the same stuff.
0:14:29 It does.
0:14:30 And,
0:14:30 you know,
0:14:31 that’s really
0:14:33 where that human
0:14:34 framework came in
0:14:35 because his ego
0:14:37 was the main thing
0:14:37 I was able
0:14:39 to play on
0:14:40 in order
0:14:41 to get information.
0:14:42 And even when
0:14:43 there were lies
0:14:43 in that information,
0:14:44 you know,
0:14:44 I talked to the people
0:14:45 who work for them.
0:14:46 So I would take
0:14:46 those lies
0:14:47 and I would present
0:14:48 them in a different
0:14:49 way to those people
0:14:50 to get a response
0:14:52 and that would help
0:14:52 me to validate
0:14:53 what’s real
0:14:53 and what’s not.
0:14:54 Is there some
0:14:55 specific example
0:14:56 of playing on his ego?
0:14:57 Something you said
0:14:58 to flatter him
0:14:58 or something?
0:15:00 Well,
0:15:01 yeah,
0:15:01 you know,
0:15:02 one of the things
0:15:03 that was big
0:15:04 for him was,
0:15:05 you know,
0:15:06 he wanted to be
0:15:06 sort of the
0:15:08 Darth Vader of ransomware,
0:15:09 my words,
0:15:09 not his.
0:15:10 But,
0:15:10 you know,
0:15:12 he wanted to be
0:15:13 this top person.
0:15:13 So,
0:15:14 you know,
0:15:14 when you would talk
0:15:15 about him changing
0:15:17 the game of ransomware
0:15:18 and telling him,
0:15:18 you know,
0:15:21 you guys are on top,
0:15:21 you know,
0:15:22 how did you get there?
0:15:24 How did you get ahead
0:15:25 of other groups
0:15:26 like REvil
0:15:27 and,
0:15:29 at the time,
0:15:30 BlackMatter
0:15:31 and groups like that?
0:15:31 And,
0:15:32 you know,
0:15:33 he loved that.
0:15:33 You know,
0:15:34 it would just,
0:15:35 that was a thing
0:15:35 that would get
0:15:37 Mr. Grumpy Pants talking
0:15:38 was sort of playing
0:15:39 on his ego,
0:15:40 you know,
0:15:40 asking him questions
0:15:41 about how he got
0:15:43 to be the top brand
0:15:44 in ransomware
0:15:45 and how he’s better
0:15:46 than all the other ones.
0:15:47 And he fed right
0:15:48 into that.
0:15:52 Coming up
0:15:53 after the break,
0:15:54 what happens
0:15:55 when LockBit
0:15:55 is used
0:15:55 to hack
0:15:56 a hospital
0:15:57 for children
0:15:58 with cancer?
0:17:30 early 2020s,
0:17:31 Lockbit is
0:17:34 king of the ransomware world.
0:17:35 And then it seems like
0:17:37 in about 2023,
0:17:39 they sort of start
0:17:39 going too far,
0:17:40 or their affiliates
0:17:41 start going too far,
0:17:42 right?
0:17:43 They start to
0:17:45 get into trouble.
0:17:48 And it seems like
0:17:49 the hack of
0:17:50 a hospital
0:17:51 that is actually
0:17:52 called Sick Kids,
0:17:53 which is
0:17:55 a children’s
0:17:56 cancer hospital
0:17:57 in Canada
0:17:59 is kind of
0:17:59 a turning point.
0:18:00 And, like,
0:18:03 I do wonder,
0:18:04 like,
0:18:05 you could hack
0:18:06 anybody.
0:18:08 Why would you
0:18:08 hack a
0:18:10 cancer hospital
0:18:10 for children?
0:18:10 Like,
0:18:11 is it because
0:18:12 you want to be
0:18:13 as evil as possible?
0:18:15 Yeah,
0:18:16 it’s because
0:18:16 they see them
0:18:18 as an easy target
0:18:19 because a hospital
0:18:20 has to be available
0:18:21 and make their
0:18:22 resources
0:18:23 easily
0:18:25 accessible
0:18:26 by their
0:18:26 patients,
0:18:27 clients,
0:18:28 medical organizations.
0:18:29 And inherently,
0:18:31 the more accessible
0:18:31 something is,
0:18:32 the less secure
0:18:32 it is.
0:18:33 So it makes
0:18:34 them an easy
0:18:34 target.
0:18:35 They have a lot
0:18:36 of money
0:18:37 and they’re
0:18:38 more likely
0:18:38 to pay
0:18:39 because the
0:18:40 data is so
0:18:40 sensitive
0:18:41 and the systems
0:18:42 that are encrypted
0:18:43 are so critical
0:18:44 that it makes
0:18:45 them a ripe target.
0:18:46 And that’s the
0:18:46 reason that
0:18:47 they’ll go after
0:18:47 them.
0:18:48 Initially,
0:18:51 the hospital
0:18:51 was hacked,
0:18:52 the systems
0:18:53 were encrypted,
0:18:54 data was stolen,
0:18:55 and they
0:18:56 weren’t going
0:18:56 to let them
0:18:57 out of this.
0:18:58 They were going
0:18:59 to force
0:19:00 them to pay
0:19:01 or they weren’t
0:19:01 going to give
0:19:02 them the key
0:19:02 to decrypt
0:19:03 their systems
0:19:03 and didn’t
0:19:04 seem to care
0:19:04 that these
0:19:05 kids couldn’t
0:19:06 get the care
0:19:06 that they needed
0:19:07 and the treatments
0:19:08 that they needed.
0:19:09 The only reason,
0:19:10 so what ended
0:19:11 up happening
0:19:12 was with all
0:19:12 the media
0:19:13 around it,
0:19:14 it was such
0:19:15 a bad look
0:19:16 for Lockbit
0:19:17 that the leadership
0:19:17 of the group
0:19:19 decided after,
0:19:19 you know,
0:19:20 about two weeks
0:19:20 they decided,
0:19:21 okay,
0:19:22 we’re going
0:19:22 to go ahead
0:19:23 and we’re going
0:19:23 to give them
0:19:24 the encryption key
0:19:25 just because this
0:19:26 was getting
0:19:27 to be too hot.
0:19:28 And if you
0:19:28 remember like
0:19:29 the whole
0:19:30 Colonial Pipeline
0:19:30 thing with
0:19:31 the Darkside
0:19:31 ransomware
0:19:32 group,
0:19:33 that got so
0:19:34 much attention
0:19:35 that government
0:19:36 agencies got
0:19:37 involved and went
0:19:37 after them
0:19:38 and when that
0:19:38 happens,
0:19:40 it’s very bad
0:19:40 for ransomware
0:19:41 groups.
0:19:41 So they
0:19:43 essentially saw
0:19:43 things could
0:19:44 possibly go that
0:19:45 direction with
0:19:46 the amount of
0:19:46 bad publicity
0:19:47 they were getting
0:19:48 and decided it
0:19:49 wasn’t worth the
0:19:50 payment they were
0:19:50 going to get
0:19:51 and they went
0:19:52 ahead and provided
0:19:53 the hospital with
0:19:55 the encryption key
0:19:55 so they could get
0:19:56 those systems
0:19:57 back online.
0:19:59 And in fact,
0:20:00 their concern
0:20:01 about a backlash
0:20:02 was justified,
0:20:02 right?
0:20:03 It seems like
0:20:05 international governments
0:20:06 kind of led by
0:20:08 the UK do start
0:20:10 to go after
0:20:11 Lockbit around
0:20:12 this point,
0:20:12 right?
0:20:14 What do you do
0:20:14 if you’re a
0:20:15 government and you
0:20:16 want to go after
0:20:17 a Russian hacking
0:20:17 gang?
0:20:20 Well, it’s not
0:20:20 easy.
0:20:22 The things that
0:20:23 you have to do
0:20:24 is you have to
0:20:25 use resources
0:20:25 that people like
0:20:26 me don’t have
0:20:28 available to try
0:20:29 to figure out
0:20:30 their infrastructure,
0:20:31 their hosting
0:20:32 infrastructure,
0:20:33 where their
0:20:34 servers live,
0:20:36 which is very
0:20:37 difficult when
0:20:38 they’re on the
0:20:39 dark web.
0:20:40 It’s hard to
0:20:40 figure that out.
0:20:41 Because this is
0:20:42 the cat and
0:20:42 mouse thing.
0:20:42 They’re like
0:20:43 complicated,
0:20:45 smart systems
0:20:45 these people use
0:20:47 to hide their
0:20:47 location,
0:20:48 essentially.
0:20:49 That’s right.
0:20:51 And so that’s
0:20:52 one aspect is
0:20:53 trying to figure
0:20:53 out that
0:20:54 infrastructure.
0:20:55 In some cases,
0:20:56 you can use
0:20:57 legal means to
0:20:57 take it down,
0:20:58 but with groups
0:21:00 like Lockbit,
0:21:00 often they will
0:21:01 use service
0:21:02 providers that
0:21:02 are in
0:21:03 countries that
0:21:04 cater to
0:21:05 criminal activity
0:21:05 and won’t
0:21:06 respond to
0:21:06 subpoenas.
0:21:07 The other thing
0:21:08 though that
0:21:09 these governments
0:21:10 and law
0:21:10 enforcements try
0:21:11 to get into
0:21:12 is the
0:21:13 infrastructure that
0:21:13 is public,
0:21:15 the panel that
0:21:17 the bad guys
0:21:18 use to log
0:21:18 into,
0:21:19 with the
0:21:19 graphical
0:21:20 interface to
0:21:21 control these
0:21:22 attacks.
0:21:23 And there’s
0:21:23 technical ways
0:21:24 to do that,
0:21:25 and then there’s
0:21:25 also the ways
0:21:26 of infiltrating
0:21:27 the people who
0:21:27 work for the
0:21:28 group to get
0:21:29 their credentials
0:21:30 to gain access.
0:21:30 So they’re
0:21:31 basically hacking
0:21:33 the hackers.
0:21:34 So in February
0:21:37 of 2024,
0:21:39 this international
0:21:40 coalition of law
0:21:41 enforcement agencies
0:21:42 actually takes
0:21:44 over Lockbit’s
0:21:45 sort of publicly
0:21:46 facing site,
0:21:46 right?
0:21:47 Lockbit’s dark
0:21:47 website.
0:21:48 Tell me about
0:21:49 that.
0:21:50 Yeah, so it
0:21:51 was great.
0:21:52 When you went
0:21:53 to the website
0:21:53 that day,
0:21:55 it was no longer
0:21:56 Lockbit’s data
0:21:56 leak site.
0:21:57 Instead,
0:21:59 it was a
0:22:00 mock site,
0:22:01 so it looks
0:22:02 just like it,
0:22:03 except instead
0:22:04 of having
0:22:06 real victims
0:22:06 within the
0:22:07 site,
0:22:08 the NCA
0:22:09 put the
0:22:09 criminals
0:22:10 as the
0:22:10 victims,
0:22:11 and they named
0:22:12 affiliates as
0:22:13 the victims,
0:22:14 they had a
0:22:15 countdown timer
0:22:16 for LockbitSup
0:22:17 saying they
0:22:17 were going to
0:22:18 release his
0:22:18 identity.
0:22:19 And the
0:22:20 countdown timer
0:22:21 is the kind
0:22:21 of thing that
0:22:22 the bad guys
0:22:23 use when they
0:22:23 hack a company
0:22:24 saying we’re
0:22:24 going to…
0:22:25 That’s right.
0:22:27 Yeah, that’s
0:22:27 what they do.
0:22:27 The countdown
0:22:28 timer for
0:22:29 traditional victims
0:22:30 is how long
0:22:31 they have to
0:22:31 pay until the
0:22:32 data is leaked.
0:22:33 So in the
0:22:34 same way that
0:22:35 Lockbit was
0:22:36 essentially
0:22:37 marketing itself,
0:22:39 now the cops,
0:22:40 now the law
0:22:40 enforcement officials
0:22:41 are doing that
0:22:42 same kind of
0:22:44 marketing.
0:22:45 They’re sort of
0:22:45 doing this kind
0:22:46 of propagandistic
0:22:47 thing to attract
0:22:48 attention,
0:22:49 presumably what,
0:22:50 to scare off
0:22:51 all the affiliates?
0:22:52 Like why would
0:22:52 they be doing it
0:22:53 in this showy way?
0:22:54 Just for attention,
0:22:55 to get good press?
0:22:55 No.
0:22:56 It was a
0:22:57 psychological
0:22:58 operation.
0:22:59 So prior to this,
0:23:00 they never did
0:23:01 this.
0:23:02 The way they
0:23:03 took sites down
0:23:03 were just to
0:23:03 take it down
0:23:04 and put a
0:23:04 message up
0:23:05 saying law
0:23:05 enforcement
0:23:06 took this
0:23:06 down.
0:23:07 This was
0:23:07 psychological.
0:23:08 It was meant
0:23:10 to put stress
0:23:11 on the people
0:23:12 who worked for
0:23:13 the organization
0:23:14 and being
0:23:14 concerned that
0:23:15 they no longer
0:23:16 had anonymity
0:23:17 and that their
0:23:18 names and
0:23:19 information was
0:23:20 now being
0:23:20 reviewed and
0:23:21 revealed by
0:23:22 law enforcement.
0:23:23 And the whole
0:23:24 goal of this
0:23:26 was to affect
0:23:26 the Lockbit
0:23:28 brand and to
0:23:28 make people
0:23:29 not trust
0:23:30 Lockbit or
0:23:30 want to work
0:23:31 for the
0:23:31 organization.
0:23:32 So it was
0:23:33 very planned
0:23:34 and thought
0:23:34 out and
0:23:35 methodical.
0:23:36 It wasn’t
0:23:37 just to get
0:23:37 attention.
0:23:38 It was
0:23:39 specifically to
0:23:40 hurt that
0:23:41 brand and make
0:23:42 affiliates
0:23:42 afraid to
0:23:43 work for
0:23:43 them.
0:23:44 And in
0:23:44 addition to
0:23:45 that mock
0:23:46 website on
0:23:46 the back
0:23:47 end, that
0:23:47 panel that
0:23:47 I was
0:23:48 mentioning, that
0:23:49 admin panel
0:23:49 that they
0:23:49 would use,
0:23:50 now when
0:23:51 that took
0:23:52 place, when
0:23:52 the takedown
0:23:53 took place,
0:23:53 when the
0:23:54 affiliates
0:23:54 logged into
0:23:55 that panel,
0:23:55 they had
0:23:56 tailored messages
0:23:57 with their
0:23:58 username by
0:23:59 law enforcement
0:23:59 saying,
0:24:00 hey, you’re
0:24:01 logging into the
0:24:01 panel, we
0:24:02 know who you
0:24:02 are, we’ve
0:24:03 been monitoring
0:24:04 the activity
0:24:04 you’ve been
0:24:05 doing, we’ve
0:24:05 got your
0:24:06 wallets, we’re
0:24:07 going to be
0:24:07 coming to talk
0:24:08 to you soon.
0:24:09 So it
0:24:10 was very
0:24:12 detrimental to
0:24:13 criminals, that
0:24:14 was a brilliant
0:24:15 operation in my
0:24:15 opinion.
0:24:16 And you
0:24:16 mentioned that
0:24:17 they had a
0:24:18 countdown timer
0:24:18 for when they
0:24:19 were going to
0:24:20 reveal the name
0:24:21 of LockBitSupp,
0:24:22 the
0:24:23 person, although
0:24:24 you said there’s
0:24:24 people, but at
0:24:25 least one of the
0:24:26 people behind
0:24:27 this, behind
0:24:28 Lockbit, one of
0:24:29 the key Lockbit
0:24:29 players, did they
0:24:30 in fact reveal the
0:24:31 name of that
0:24:31 person?
0:24:33 They didn’t.
0:24:33 When the
0:24:34 countdown timer
0:24:34 they did not.
0:24:36 At that time
0:24:37 they didn’t, but
0:24:37 there’s a reason
0:24:38 that they didn’t,
0:24:39 but they did not
0:24:40 do that in
0:24:40 February.
0:24:42 The reason that
0:24:42 they didn’t is
0:24:44 because Lockbit
0:24:45 agreed to tell
0:24:46 them information
0:24:46 about some of
0:24:47 his adversarial
0:24:48 group.
0:24:48 There was a
0:24:48 group called
0:24:49 Black Cat who
0:24:50 he didn’t like,
0:24:51 and he agreed to
0:24:51 try and give
0:24:52 them information.
0:24:53 So they used
0:24:54 the threat of
0:24:55 naming him as
0:24:56 leverage and
0:24:57 getting him to
0:24:58 flip, basically.
0:24:59 That’s correct.
0:25:02 Do we know
0:25:03 who he is now?
0:25:04 Was he ever
0:25:04 named?
0:25:06 Yeah, it was
0:25:08 several months
0:25:08 later.
0:25:09 The site came
0:25:10 back online,
0:25:12 meaning the
0:25:12 law enforcement
0:25:13 version of the
0:25:14 site came back
0:25:14 online.
0:25:15 There was a
0:25:16 new timer, and
0:25:17 once again, they
0:25:18 said they were
0:25:18 going to reveal
0:25:19 Lockbit’s name,
0:25:21 and the timer
0:25:22 began again.
0:25:22 And on May
0:25:23 7th, when that
0:25:24 timer expired,
0:25:25 they did.
0:25:25 They released
0:25:26 his name and
0:25:26 his picture,
0:25:28 Dmitry
0:25:28 Khoroshev.
0:25:31 They put that
0:25:31 out there,
0:25:32 indicted him,
0:25:33 wanted posters,
0:25:34 the whole nine
0:25:34 yards.
0:25:35 Is that
0:25:35 grumpy pants?
0:25:37 That’s, well,
0:25:40 my opinion, my
0:25:41 opinion is that
0:25:42 that was the
0:25:43 younger person,
0:25:44 and the other
0:25:44 guy’s still out
0:25:45 there, but I
0:25:46 think law
0:25:46 enforcement might
0:25:47 tell you
0:25:47 otherwise, though
0:25:48 they do agree
0:25:49 with me that
0:25:49 there’s two
0:25:49 people.
0:25:50 So he’s been
0:25:51 indicted but not
0:25:52 arrested?
0:25:53 Is that what
0:25:53 you’re saying?
0:25:54 That’s correct,
0:25:55 because he’s in
0:25:56 Russia, and
0:25:56 there’s protections
0:25:57 there.
0:25:58 The law
0:25:59 enforcement just
0:26:00 can’t get their
0:26:00 hands on him,
0:26:01 unfortunately.
0:26:02 The criminals are
0:26:03 protected when
0:26:03 they’re in
0:26:03 Russia.
0:26:06 So is that the
0:26:07 end of LockBit?
0:26:09 It’s not.
0:26:09 You would think
0:26:10 it is, but
0:26:12 almost every other
0:26:13 group that this
0:26:14 has happened to,
0:26:15 that’s the end of
0:26:16 the story, or at
0:26:16 least it causes
0:26:18 them to take that
0:26:19 operation down, and
0:26:19 they have to start
0:26:20 from scratch
0:26:21 somewhere else with
0:26:22 a new operation,
0:26:23 with a new name,
0:26:24 and a new
0:26:24 brand.
0:26:25 But LockBit
0:26:26 worked so hard
0:26:27 on that brand, I
0:26:28 don’t think he’ll
0:26:30 ever take it away
0:26:31 until they actually
0:26:32 arrest everybody.
0:26:34 But no, they
0:26:35 continued, but they
0:26:37 continued at a
0:26:38 much lower level.
0:26:39 They didn’t have
0:26:40 the quality of
0:26:41 hackers still working
0:26:42 for them.
0:26:43 They started having
0:26:45 to lie about
0:26:45 attacks to try and
0:26:46 stack the numbers
0:26:47 and things of that
0:26:48 nature.
0:26:49 Do you think the
0:26:49 law enforcement
0:26:50 officials’ campaign,
0:26:51 the whole thing of
0:26:52 naming the people
0:26:53 and doing all the
0:26:53 stunts on the
0:26:53 website, you know,
0:26:54 you think that
0:26:54 worked?
0:26:55 You think it was
0:26:56 sort of like
0:26:57 LockBit rose on
0:26:57 marketing and in
0:26:58 a way fell on the
0:26:59 marketing of the
0:27:00 government?
0:27:02 Yeah, well, was it
0:27:03 100% effective?
0:27:04 No, but it was
0:27:05 about 80% effective.
0:27:06 And prior to this,
0:27:07 I would say that
0:27:07 most of those
0:27:08 operations were like
0:27:09 40% effective.
0:27:11 And what I mean by
0:27:12 that is this
0:27:13 actually affected
0:27:14 the brand where
0:27:15 people, the
0:27:16 quality hackers,
0:27:17 the quality
0:27:19 affiliates, why
0:27:19 would they work
0:27:20 for this
0:27:21 organization with
0:27:21 all this heat
0:27:22 where they can’t
0:27:23 trust that they’re
0:27:23 going to be
0:27:24 protected when
0:27:25 they can go
0:27:25 work for some
0:27:26 other criminal
0:27:26 organization?
0:27:27 Yeah, like any
0:27:27 software company,
0:27:28 their biggest
0:27:29 problem is finding
0:27:30 and keeping good
0:27:31 people.
0:27:32 That’s right.
0:27:33 That’s exactly
0:27:33 right.
0:27:34 And by good
0:27:35 people, I guess,
0:27:36 in this case, it
0:27:37 means bad people.
0:27:38 Right.
0:27:39 So, okay, so this
0:27:40 is a year ago,
0:27:41 basically.
0:27:42 This is early
0:27:42 2024.
0:27:43 Lockbit gets
0:27:44 mostly taken
0:27:45 down, not
0:27:46 knocked out,
0:27:47 at least knocked
0:27:47 down.
0:27:49 Where are we
0:27:49 today?
0:27:50 Like, what is the
0:27:51 state of the
0:27:52 ransomware industry?
0:27:53 So, it’s
0:27:54 changed a bit.
0:27:56 You have, I
0:27:56 would say you
0:27:57 have more
0:27:58 groups, but you
0:27:59 don’t have sort
0:28:00 of these, you
0:28:00 don’t have as
0:28:02 many big
0:28:04 organizations that
0:28:05 sort of hold
0:28:07 the majority of
0:28:07 attacks.
0:28:10 You have smaller
0:28:10 to medium-sized
0:28:12 groups that work
0:28:12 more under the
0:28:13 radar, meaning
0:28:14 they’re not doing
0:28:15 the same volume
0:28:16 of attacks.
0:28:17 They’re also not
0:28:17 getting the same
0:28:19 amount of money
0:28:20 and ransom
0:28:21 extortions as they
0:28:23 did before, but
0:28:24 they’re still out
0:28:24 there.
0:28:25 They’re just
0:28:26 doing it.
0:28:27 The model just
0:28:27 changed a little
0:28:28 bit.
0:28:28 And so, is
0:28:29 part of the
0:28:30 idea that, oh,
0:28:31 maybe trying to
0:28:32 have a big name
0:28:33 and be, like, a
0:28:34 famous criminal
0:28:36 gang is not a
0:28:36 good long-term
0:28:37 strategy?
0:28:39 That’s exactly
0:28:39 correct.
0:28:40 I think that this
0:28:41 is what really
0:28:42 made them realize
0:28:43 that people are
0:28:44 sort of lower on
0:28:45 the radar, just
0:28:46 trying to get
0:28:46 money and
0:28:47 extort, but not
0:28:48 necessarily have
0:28:49 this voice that’s
0:28:50 heard across the
0:28:50 world.
0:28:53 What’s the big
0:28:54 lesson to you from
0:28:54 the LockBit story?
0:28:57 The big lesson
0:28:59 there is being
0:29:00 boisterous, having
0:29:01 this ego, is
0:29:02 actually a
0:29:03 downfall.
0:29:04 Being loud,
0:29:05 getting publicity,
0:29:07 getting your name
0:29:08 out there, while
0:29:09 that might help
0:29:09 attract people to
0:29:10 come work for
0:29:11 you, there’s the
0:29:12 opposite side of
0:29:13 that, where it
0:29:14 also attracts a
0:29:14 lot of attention
0:29:15 from law
0:29:15 enforcement.
0:29:16 And if you’re a
0:29:16 criminal group,
0:29:18 that’s not a good
0:29:18 thing, and I
0:29:19 think bad guys
0:29:21 have figured that
0:29:22 out between, mainly
0:29:24 from 2024, with
0:29:25 both the Black
0:29:26 Cat ransomware
0:29:27 group and with
0:29:27 LockBit, those
0:29:28 were your prominent
0:29:30 players, and those
0:29:30 guys both got
0:29:31 decimated by law
0:29:32 enforcement, and
0:29:33 that happened
0:29:33 because of the
0:29:34 attention that they
0:29:35 drew to themselves.
0:29:37 So I think that’s
0:29:37 the lesson that
0:29:38 adversaries have
0:29:39 learned, is you
0:29:41 have to be quieter
0:29:41 about what you
0:29:42 do.
0:29:45 We’ll be back
0:29:46 in a minute
0:29:46 with the
0:29:47 lightning round.
0:31:16 Let’s finish
0:31:17 with the lightning
0:31:17 round.
0:31:18 It’s going to be a
0:31:18 little more random
0:31:19 and a little more
0:31:20 about you.
0:31:21 Okay.
0:31:23 What’s one thing you
0:31:24 learned when you
0:31:25 hacked into the
0:31:26 Pentagon as a
0:31:27 15-year-old boy?
0:31:30 Oh, man.
0:31:31 That’s the reason
0:31:32 that I talk to
0:31:33 these criminals and
0:31:34 I sometimes have
0:31:35 empathy to want to
0:31:36 help them change
0:31:37 what they’re doing
0:31:38 is because I got a
0:31:39 second chance and I
0:31:40 remember that fear.
0:31:42 And I want to
0:31:43 try to help some
0:31:43 of these young
0:31:44 kids to change
0:31:45 what they’re doing
0:31:46 and not continue
0:31:47 down this road.
0:31:48 What actually
0:31:48 happened there?
0:31:49 What was it that
0:31:49 happened?
0:31:50 Yeah, so my
0:31:52 stepfather worked
0:31:53 for Colin Powell
0:31:54 during the Iraq
0:31:54 War.
0:31:55 He was at the
0:31:56 Pentagon and he
0:31:56 had a classified
0:31:57 system in our
0:31:59 basement and I
0:32:00 had a friend over
0:32:01 and I was really
0:32:02 into computers and
0:32:02 hacking and
0:32:03 figuring things out
0:32:04 and I didn’t do
0:32:05 anything elaborate.
0:32:06 I just figured out
0:32:06 his credentials and
0:32:07 I logged in and
0:32:08 was poking around.
0:32:09 Nothing elaborate,
0:32:11 enough that it
0:32:12 got attention and
0:32:13 bad things happened
0:32:15 and the FBI showed
0:32:16 up and things.
0:32:16 The FBI showed up
0:32:17 at your house.
0:32:19 Yeah, they did.
0:32:20 It was not a good
0:32:20 day for me.
0:32:23 I’m glad it worked
0:32:24 out in the end.
0:32:25 It did.
0:32:26 It did.
0:32:27 It only worked out
0:32:28 though because of who
0:32:29 he worked for, my
0:32:29 stepfather and the
0:32:30 connections that he
0:32:31 had and the fact that
0:32:32 I had no prior
0:32:32 record.
0:32:33 That’s the reason
0:32:34 that it worked and
0:32:35 I had a summer where
0:32:36 I had to go work at
0:32:37 Fort Belvoir doing
0:32:38 community service but
0:32:39 I just did such a
0:32:40 good job they wanted
0:32:40 to hire me to work
0:32:41 there.
0:32:43 So it was definitely
0:32:44 a life-changing
0:32:44 experience and then I
0:32:45 joined the army and
0:32:46 became a military
0:32:47 police officer.
0:32:49 So that was my story
0:32:50 but it worked out
0:32:50 well for me.
0:32:52 So I understand that
0:32:53 when you were a
0:32:54 military police officer
0:32:56 you did undercover
0:32:57 drug buys.
0:32:58 I did.
0:32:59 What’s something you
0:33:00 learned doing
0:33:01 undercover drug buys
0:33:02 as a military police
0:33:02 officer?
0:33:04 What I learned is
0:33:05 it’s not black and
0:33:05 white.
0:33:06 It’s not just you’re
0:33:07 a bad guy or a good
0:33:07 guy.
0:33:09 They’re still human
0:33:10 beings.
0:33:11 What’s one thing you
0:33:12 learned pushing carts at
0:33:13 Home Depot?
0:33:16 That you should never
0:33:17 have an ego because I
0:33:18 did all that crazy work
0:33:19 and I got out and I
0:33:21 could not get a job in
0:33:22 law enforcement because
0:33:23 of my tattoos.
0:33:25 At the time you
0:33:26 couldn’t have visible
0:33:27 tattoos at least in
0:33:27 Virginia.
0:33:28 I tried to join the
0:33:29 FBI because I smoked
0:33:30 weed in high school.
0:33:31 At the time they had a
0:33:32 zero tolerance.
0:33:32 I couldn’t get into
0:33:33 that.
0:33:34 I couldn’t get a
0:33:35 job and I had to
0:33:36 start at the very
0:33:36 bottom.
0:33:38 I’ve been working
0:33:38 retail.
0:33:39 I’m not even in the
0:33:39 store.
0:33:40 I’m in the parking
0:33:40 lot.
0:33:43 I was living out of
0:33:44 my truck for a couple
0:33:44 weeks and then I
0:33:45 rented a room at a
0:33:46 house.
0:33:47 They were selling
0:33:48 drugs out of the
0:33:48 house.
0:33:49 The cops raided it,
0:33:50 arrested everybody
0:33:51 but me but I
0:33:51 couldn’t even get in
0:33:52 the house to get my
0:33:52 stuff.
0:33:54 It was a tough time
0:33:54 in my life.
0:33:57 I’m going to change
0:33:58 gears to talk about
0:33:59 something much more
0:34:00 pedestrian now.
0:34:02 What’s your
0:34:03 favorite depiction
0:34:04 of hacking in a
0:34:04 work of fiction?
0:34:09 Cory, there’s
0:34:10 an author, Cory
0:34:13 Doctorow, brilliant
0:34:13 guy.
0:34:14 He’s one of my
0:34:16 favorite authors and
0:34:18 he does hacker
0:34:19 fiction if you will
0:34:21 and he’s got
0:34:22 probably 20 books
0:34:24 now but they’re
0:34:25 phenomenal, especially
0:34:25 the Homeland
0:34:26 series.
0:34:26 That’s one of my
0:34:27 favorites.
0:34:27 Okay, Homeland
0:34:28 series.
0:34:29 Who’s your favorite
0:34:31 cyber criminal in real
0:34:32 life?
0:34:35 Um, I would
0:34:37 probably say the
0:34:37 hacker known as
0:34:38 USDOD.
0:34:41 He is a, he is a
0:34:42 hacker who’s not
0:34:42 Russian.
0:34:43 He lives in
0:34:43 Brazil.
0:34:45 I became very good
0:34:46 friends with him.
0:34:47 I’ve never written
0:34:47 about him.
0:34:50 He wasn’t a target
0:34:51 of mine.
0:34:52 He helped me
0:34:53 actually when I was
0:35:54 going after
0:35:56 RansomedVC and he gave me a
0:34:57 lot of good inside
0:34:58 information and we
0:34:59 just became friends
0:35:00 for a long time
0:35:02 and we talked
0:35:02 and he was
0:35:03 somebody who I
0:35:03 really had wanted
0:35:04 to help.
0:35:05 He’s in jail now
0:35:06 so you can figure
0:35:06 out if I was able
0:35:07 to help him or
0:35:07 not.
0:35:09 Why?
0:35:10 Why him?
0:35:11 What was, what
0:35:12 was that relationship?
0:35:14 Um, you know, he
0:35:16 had issues like
0:35:18 everybody but, you
0:35:19 know, he was a, he
0:35:21 had a good side to
0:35:21 him.
0:35:21 He, there was a
0:35:22 side to him.
0:35:23 He was a decent
0:35:26 person and I really
0:35:27 thought if he hadn’t
0:35:28 become a criminal, he’s
0:35:29 somebody that would
0:35:29 have been in the
0:35:30 cybersecurity field.
0:35:32 Um, he, he, he did
0:35:33 have empathy for
0:35:34 people.
0:35:35 He hated law
0:35:36 enforcement and the
0:35:37 government but he did
0:35:38 have empathy for
0:35:39 people, um, and he was
0:35:40 somebody who I could
0:35:41 talk to and, and, and
0:35:42 actually feel like I
0:35:43 could, I could make a
0:35:44 difference with the
0:35:45 conversations that we
0:35:45 had.
0:35:52 Jon DiMaggio is the
0:35:53 chief security
0:35:54 strategist at
0:35:55 Analyst One.
0:35:57 Today’s show was
0:35:58 produced by Gabriel
0:35:58 Hunter Chang.
0:35:59 It was edited by
0:36:01 Lydia Jean Kott and
0:36:02 engineered by Sarah
0:36:02 Bruguiere.
0:36:04 I’m Jacob Goldstein
0:36:04 and we’ll be back
0:36:06 later this week with
0:36:06 another episode of
0:36:07 What’s Your Problem?
A few years ago, a ransomware gang called LockBit rose from obscurity to extort over $100 million from organizations around the world. A security strategist named Jon DiMaggio wanted to understand how the organization worked. So he used the techniques of World War II-era spycraft to make contact with the hackers.
On today’s show, Jon tells the story of LockBit – from the way it borrowed techniques from mainstream companies to market itself and attract talent, to the response from international governments that used the gang’s own tactics against it. And he talks about how he got the hackers to talk to him.
Jon described the rise and fall of the company in a series of posts he called the Ransomware Diaries. You can read those here: https://analyst1.com/ransomware-diaries-volume-1/
Note: This bonus episode of What’s Your Problem? is sponsored by Microsoft.