mnemonic security podcast

Episode 100*!


In this special, celebratory 100th episode of the mnemonic security podcast, Robby speaks with author and industry legend - Jon DiMaggio.

Jon is the Chief Security Strategist at Analyst1 and has over 15 years of experience hunting, researching, and writing about advanced cyber threats. As a specialist in enterprise ransomware attacks and nation-state intrusions, Jon has authored several investigative reports, including Robby's favourite, "The Ransomware Diaries", and also wrote the award-winning book "The Art of Cyberwarfare."

Jon has gone as far as developing relationships with some of the world's most notorious ransomware gangs, for example LockBit, and has exposed the inner workings of the cartels behind major ransomware attacks. Their conversation explores the operational models of ransomware groups, which often function through a web of partnerships, specialised roles, and profit-sharing structures. DiMaggio offers his unique perspective on building relationships with cybercriminals to gather intelligence while navigating the ethical dilemmas and personal risks involved.

Most importantly, he answers Robby's burning question: "What's your opinion of the bad guys?"

Speaker 2:

Welcome to the Mnemonic Security Podcast. Sales guy from Mnemonic here. Whether you've been following the show for a while now or it's your first time tuning in, thank you for listening. It's a great honor to be in your ear right now, as gross as that may sound. I've learned a great deal over the past 100 episodes, and I hope you have too.

Speaker 2:

Drones, bots, darknets, the intricate inner workings of cryptocurrency exchanges and ransomware groups, all the cool cyber stuff you can tell your friends and family about. One thing I haven't done, though, is to interview a bad guy or a bad girl, and given that I'm not a journalist or Jack Rhysider from Darknet Diaries, that's not likely to change. That being said, from a network defender's perspective, it would of course be beneficial to know what they're up to and how they operate. "Know thy enemy" is part of the quote, at least, right? Then one day I'm introduced to something called The Ransomware Diaries and end up shaking hands with someone with real-life connections to these infamous cybercriminals, who has spent years of his life studying them, defending networks from them and, more importantly, developing personal relationships with them. Perfect for the 100th episode, I thought, as I've always wanted to know what things are like on their side of the fence.

Speaker 2:

Anyways, thanks again for tuning in to the Mnemonic Security Podcast. It warms an old man's heart to know that someone like yourself chooses to tune into these conversations. So, without further ado, I bring to you the 100th episode with an industry legend, the man behind The Ransomware Diaries series and author of The Art of Cyberwarfare, Mr. Jon DiMaggio. Welcome to the podcast.

Speaker 1:

Thank you for having me. Let me get my dumb question out of the way. No relation to Joe DiMaggio. It's a big family debate. Growing up, my grandfather had a picture of him and Joe together, and my grandfather's from New Jersey and he used to say they were cousins. My grandmother used to say he was full of it. So I honestly have never done the work to track it down, because it doesn't really matter. But yeah, that's the family argument.

Speaker 2:

All right. Well, you're more famous in my circles and much more relevant to my life than Joe DiMaggio anyway, so I'm glad to have you here for the hundredth episode.

Speaker 1:

Thanks, man, I'm excited to be here.

Speaker 2:

I had the privilege of shaking your hand physically in San Francisco, which turned out, by the way, to be by far the best thing I did at RSA, and I cannot understate it. The group of people that you had there, it was like the people you see on stage here and read about on LinkedIn. I learned that you're never supposed to name-drop or talk about the people there, so I won't do that, but really cool people were a part of that event.

Speaker 1:

I saw you got some signed books as well, and you traded your own book. Yeah, it was. Those are the times where you get like a pulse check on whether you're doing good with your work, whether you're hitting the bar and stuff. So I was pretty humbled that you and a bunch of other folks actually came in person. That was a lot of fun, yeah, that was awesome.

Speaker 2:

Before I move on, I just want to give a shout-out. Thank you for the awesome book, by the way. I'll plug that; I was supposed to bring it here with me from home. The Art of Cyberwarfare. It's literally the first book that I've actually held in my hand and read. It helped that I was on an airplane for 12 hours. But lots of fun facts about, you know, attacks that we've all heard about but never really understood, like the context too. Where'd you get all those fun facts from? Did you literally just have to deep-dive into old articles, or how'd you get that?

Speaker 1:

I worked most of those personally, but because of the nature of the work I did, I wasn't allowed to talk about my perspective. So I knew about them, and if I could find information publicly I could talk about it, but I wasn't allowed to talk about them from my actual experiences. So that's why it's written that way, and that was really hard and challenging because I knew so much. So I had to go and make sure that there was nothing in there that shouldn't be. And then, of course, you have to get it reviewed before you have anything put out. And you want to make sure, on top of that, that you're not biased, because I worked for a US intelligence agency back then. So you want to make sure that you're also giving the US as much shit as you are everybody else, because you're not writing a book for you.

Speaker 1:

You're writing a book that's going to be sold in different languages around the world, so that was a really interesting experience. I'm dying to write another one. I have no time, but I have a lot of great stories now that I can tell from my perspective that are even more interesting than what I have in that book, in my opinion. But I'll get there eventually. I just don't have the time right now, but I would love to, because I've got some really cool stories to tell.

Speaker 2:

You can just say no to podcasts after this one, right? But anyway, Jon, this is our hundredth episode, and I've invited you here for a few reasons. Obviously because I love your research and The Ransomware Diaries and now your book. I'm giving kind of a gift to all the listeners, if they have not heard about The Ransomware Diaries or your book: those are two really good things that, if you're into cybersecurity, you'll really enjoy. And, last but not least, you are probably the most connected and respected security researcher that I can think of who has contact with that side, the other team.

Speaker 1:

Yeah, exactly the team.

Speaker 2:

The other team. Obviously it would be really cool, if you're a podcaster, from a journalistic perspective, to have those discussions with people. But you know I represent Mnemonic and I'm not an analyst like you are, so I have no real good reason to be talking to the other side. And you have had those conversations, and I've always wondered, what is it like from their perspective?

Speaker 1:

Yeah, well, you know. First thing I just wanted to say for other people listening: you know, I try to make a very serious, my job's extremely serious, but I try to make it an exciting story when I write things. Often when I talk about them, I try to make it funny, but at the end of the day the stuff that I do can literally go south quick and be scary. So, for some people that don't need to talk to bad guys, you probably don't want to unless you're really careful or really have a good reason, because some of the people I talk to are literally mentally ill. Other ones are on all sorts of drugs, not all. And then there are other ones that are just like you and me, that I'm like, how are you, but are you? But point being, yeah, it can go south really quick. So when I do talk to these guys, it's not just a conversation, at least not at first.

Speaker 1:

I always have a ton of planning that I do in advance. You always go in with the goal and objective, the information that you want. You even think about stuff like where you're going to talk to them, your security aspect of it. I'll just give you an example. You, or at least I, always prefer not to talk to them through their own platform. Like, for example, LockBit does negotiations on their site. They've never asked me to talk to them through the negotiation chat portal, but if they were smart they would have, because they control all the logs and everything else. Not that I'm going to talk to them outside of a VPN, but you get the idea.

Speaker 1:

So even those little things you always want to think about: the who, what, when, where and why, what you want to get and what you're going to get out of it. Now, what makes it interesting is when you have these long-term relationships, where you actually, even if you don't want to, start to become, you know, friends, because you grow this relationship. And then, at the end of the day, you've got to remember, okay, these are bad people. And then you still have to do your job, and you basically drop a bomb in the middle of that relationship, and now it's personal, because they actually know you and you've talked to them. So now you've got to do damage control, because you've got some really bad criminal out there who has access to resources to do bad things, and you want to make sure that doesn't happen. So there's a lot of stress that goes into it. But having said that, I frigging love talking to bad guys.

Speaker 2:

Right, I totally get that, and I want to say I'm glad you have, because the stuff you produce is just awesome. Just quickly for the listeners: I mean, I could introduce you in the same manner that 60 Minutes did, but I picked up on the fact that you didn't like that. So who is Jon DiMaggio, for people that live under a rock and haven't heard of you? And how'd you end up on my screen?

Speaker 1:

Yeah, so I started out a long time ago. I was in high school. I was a horrible student, came from a screwed-up home, lots of problems. I went straight into the Army, became military police, worked with the Criminal Investigation Division, did some stuff. There were things going on with Iraq back then, so I did my thing and got out. I've got tattoos all over me. I did that from the age of 18.

Speaker 1:

I just started going nuts, and when I got out I wanted to get a job being a cop. That's what I did in the Army, and I found the first two police departments I applied to said they had a no-visible-tattoo policy. The FBI at the time didn't allow anybody in if you'd smoked weed in your life, and I had in high school. So I couldn't do that. Same with DHS. So I started pushing carts at Home Depot. Talk about being humbled, going from doing undercover drug buys, running a room in a house where people are selling drugs, to pushing carts in. So anyway, I'm getting off track here. I said I wouldn't do that. So I became really motivated, went in.

Speaker 1:

The tech bubble had just popped, and I went and bought a bunch of routers and servers and switches and firewalls for pennies on the dollar, bought books, and I just started teaching myself everything humanly possible about Cisco networks. I did network security for about three years and started writing blogs, doing similar to what I do now but at a much different level. And eventually I got recruited to go work for a government intelligence agency, where I became a signals intelligence analyst. I never looked back. While I was at that intelligence agency I learned lots of cool stuff. I learned how to write intelligence, learned how to do a lot of research with those secret-squirrel tools. But when I left 14 years later and went to the private sector to work for Symantec, I learned quickly that I was going to have to start over again, because without those tools I found out I was a lot less of an analyst than I thought I was. And I still wanted to do nation-state work, which takes being really good at finding things in data that 99% of people can't find. But I was fortunate. I was on a great team, the attack investigation team, and I had a lot of people who wanted to teach me things. I learned. I stayed there for seven years. There was a bunch of their public nation-state content that was released.

Speaker 1:

And in 2020 I came to Analyst1, where, once again, I found myself in a new situation. Now I went from having tons of data and telemetry at Symantec, and lots of tools and resources and support, to this small company where I had no data, and I had to sort of reinvent myself again. And that's when I discovered that bad guys on the dark web will actually talk to you, and I started researching ransomware, and I kind of never looked back, and the rest is history. I thought it might have been this thing that wasn't gonna work and might've been a horrible mistake for my career, and it ended up being the best thing I ever did. So when people say you gotta bet on yourself, I gotta agree with that.

Speaker 2:

Damn, Jon. Self-made. Awesome. Such a cool story.

Speaker 1:

Thank you, man yeah.

Speaker 2:

I wanna get back to Analyst1, where you work now, and like, well, why would they let you do everything you're doing? But we'll get back to that later. Sure. What I want to dive into now is, I really binge-read slash listened to your voice when The Ransomware Diaries came out. So for those that have not heard of it, I know it's kind of really hard to sum up The Ransomware Diaries in five minutes or whatever. But if you had to sum up The Ransomware Diaries, what are they?

Speaker 1:

So essentially they are a combination of CTI, so cyber threat intelligence, plus human intelligence, combined into one. So I was already an expert at the CTI aspect, and I really wanted to add in the missing pieces. So that human aspect is really what made the difference in this. And then just great storytelling, every time. So The Ransomware Diaries is different than other work that I do.

Speaker 1:

If I write a Ransomware Diaries, I want it to read like part CTI, part Tom Clancy novel. I want it to be exciting, I want it entertaining, I want it to have good, colorful artwork. I want to be creative, I want people to take something away from it, so that it isn't just that they read a CTI; I actually want them to want to turn to the next page. I mean, most of these are 60, 70 pages long, and there have been five of them. And The Ransomware Diaries won this year the same award that my book had won. So it's just been, like I said, the only way I know things are doing good is people, and then if it wins awards, and I've just been really lucky to have both.

Speaker 2:

What I learned a lot about through those is the operations, right. They have an HR team, they have developers. I think it was you who said that they were the most important. Do you have a quick overview of how these ransomware groups are operating, their operational models?

Speaker 1:

Yeah, so they're all a little bit different, but the one that you're referring to, that a lot of people hear about, where they have this big support team and HR and all these different roles, that was mainly a group called Conti, and they were literally run like a corporation. They were a little more organized than LockBit was, but essentially, regardless, there are certain key things these guys have. They all need people to help support their program, support their infrastructure, develop new malware and ransomware and resources, and people to help with answering requests and issues and dealing with problems from day to day. Literally, the ones that do it well run it like a business.

Speaker 1:

So these ransomware groups are like a service provider, and the people who do the hacks are their partner clients. They call them affiliates, and that's sort of the ransomware-as-a-service model: they share profit. One of them handles all the tools, resources, infrastructure, and the other one handles using it to go conduct attacks, and together they make money by extorting innocent victims, and somehow they think that's okay.

Speaker 2:

Yeah, or pen testing their victims, right. Post-pen testers, yep, just for a small fee. They're just security researchers. How do they get people?

Speaker 1:

Well, you know, I always tell people who have only really spent time in the United States: if you haven't really been in the military or some other job that takes you to places you would never want to visit for a vacation and see how other people live, you start to realize, when you see that, that there are people who really do have a different perspective on life. You hear it, but you don't understand it till you see it. They literally don't have the same opportunities that we do, and when you don't have that your entire life, it doesn't exist. Just the way you think and operate is different, and so a lot of these guys.

Speaker 1:

It's even worse now with the war. A lot of these guys don't have the opportunity. They'd make great cybersecurity researchers, but they either can't get jobs because they don't exist or they don't get paid well enough to support their families. And so they start looking at cybercrime, and ransomware is certainly the most profitable out of any cybercrime that you could do today as a whole. I'm sure there are one or two exceptions here or there, but for the most part, for the ease of work versus payout, it's very appealing. So that's why we have such growth and so many bad guys are interested in doing it.

Speaker 2:

Right. When it comes to, like you said before, a lot of their money comes from, well, they have different levels. They have somebody paying a ransom. I guess it's all paying a ransom, right, whether it's normal extortion, double extortion, triple extortion, whatever, somebody's paying a ransom, that's right.

Speaker 2:

And you know, we do incident response. We don't deal with it, we just say don't pay. But there's obviously a huge market of people that are going to pay, and then they have to have an analyst or somebody to help them negotiate. Do you have any insights, or what do you have to say about the negotiation strategies?

Speaker 1:

Yeah, so I work with negotiators fairly regularly, and I think that anytime you're hit by a big-name ransomware group and you're talking about a large sum of money, you have to, one, you need a negotiator. But the biggest mistake that I see companies make is not trusting their negotiator. There are so many of them. They bring this person in who has this expertise in talking with these guys, and then they micromanage them because they're worried about the money. Those are the ones that fail. The ones that sort of walk away and let that negotiator do their thing are the ones who win.

Speaker 1:

And sometimes it's hard to stomach, because it literally looks like it's all gonna fall apart and they're gonna release all your data and you just ticked them off by lowballing them. But what people have to remember is these negotiators, and me, this is why I'm brought in, because I know a lot of these guys. These negotiators talk to these people over and over again, and a lot of times they work with the same bad guy they're talking to, and you know what works, you know what doesn't.

Speaker 1:

But when you're sitting there and it's your money, to stomach it can be hard, but you have to. But yeah, a good negotiator is a necessity if you want to make it out of this thing in the best possible scenario. If you're going to pay. If you're not going to pay, then you can go tell them whatever you want. But if you are going to pay, you want to make sure you get the best deal you can, because it's not cheap spending many, many millions of dollars of your company's profit on paying these criminals, and then you're still going to have to pay money. Even if they give you the decryption key, you're still going to have to spend a ton of money on time lost, repairing systems, bringing things up, restoring data, all of that.

Speaker 2:

Is there anything that makes the ransomware groups you've spoken with especially angry? Because I'm thinking of this one tweet that my friend sent me a screenshot of. He works for a company, I don't know if I want to say their name, but anyway, the threat actor went out and said anybody using this company for incident response and negotiation, we're going to leak your data. And I didn't ask the specifics. But what happened there? What made him so angry?

Speaker 1:

I don't know that specific case, but it's a thing where a lot of ransomware groups don't want a negotiator there, and they will say things like that. Here's what it comes down to at the end of the day: they want to get paid. They spent time, maybe a few days, maybe a few weeks, getting into this network. They want to get paid. They don't get to choose who they talk to. At the end of the day, that's mostly talk. But I've seen negotiators just play with these guys. I saw a negotiator who pretended that he was just a guy who worked in the IT department of this multi-billion-dollar company, as if they'd just grab a guy from the IT department to handle the negotiation. Yeah, that sounds right, but that's what he told the bad guys. And then they were talking going into the weekend. It was Friday, it was like four o'clock, and he's like, all right, well, it's Friday, it's beer time, I'm going to go enjoy my weekend, I'll give you guys a shout on Monday.

Speaker 1:

And they were pissed, and he literally did it. He left them on hold until Monday. I'm sure they were not happy about that, but it probably ended up being okay.

Speaker 2:

And also, that's a good tactic sometimes because you stall them.

Speaker 1:

Yes and no, but again that's where it comes down to a good negotiator who knows who he's talking to, has dealt with them before, knows how eager they are or how much leeway he has with them, how much they need the money or want the money. So all of those things play into it, just having rapport with someone as well. But all these guys say, yeah, no negotiators, but again you have nothing to lose. They've already taken your data and locked down your systems. They don't get to make that decision.

Speaker 2:

Yeah, who's usually the negotiator on their side? Is that like a dedicated person, or?

Speaker 1:

Well, different ransomware groups do it different ways, but often it's the affiliate, the one who's the partner, not the service provider. And then there were bigger-name ones where, at least with LockBit, LockBitSupp, the leader of the group, would get involved with some of those negotiations, or often he would give feedback and direction. But it's usually the affiliate, and that was one of the big problems LockBit used to complain to me about. Once June 2022 came, that's when they really updated their software and the panel that they used and added a lot of point-and-click stuff, and they had this massive volume increase of criminals coming into their program, and because of that they had a lot of very smart young hackers working for them.

Speaker 1:

They were great from a technical hacking aspect, but they sucked at communication, and they started getting lower ransom amounts even though they had a higher volume of attacks. So that was something they used to complain about and had to deal with. But yeah, so amazing: you can be super technical but an introvert, and then you don't do well with negotiations. Who would have thought it, right?

Speaker 2:

It's not like you can use ChatGPT for the English part, and you can't exactly send them to Harvard to learn how to negotiate.

Speaker 1:

Right, right, it makes it a little difficult.

Speaker 2:

I think you mentioned it, like the biggest challenge is their operations, like them storing data. They pop a company, they're leaking their data. I've heard that they usually would store it in some sort of, I'll just use Dropbox, I'm not sure if it's Dropbox, but they need to store the data somewhere, and that's a struggle for them, because if it's an American vendor they could just shut that off. What are some of the most prevalent challenges for ransomware organizations in their operations?

Speaker 1:

Well, you know, just to touch on what you just said. First of all, that was one of the benefits that LockBit introduced, something that at the time most of his criminal competitors did not do, which was actually creating a mechanism to steal the data and house it on attacker-owned infrastructure. Up to that point, most bad guys were using legitimate data transfer tools to move that data, and while those are good at moving data, they're not necessarily good at doing it quietly. So he came up with the idea to build a panel with a tool built in that would grab the data and bring it to his servers, because before, when they were using things like Dropbox or Mega uploads or any of the publicly available file storage resources, what would happen is either law enforcement would take it down or the provider would take it down, and then you've lost access, as a criminal, to the data that you stole. So LockBit was basically making money for himself by offering that as part of the service.

Speaker 1:

And then that's what I talked about in Ransomware Diaries 3. That was one of LockBit's, what I call, dirty little secrets that he didn't want people to know: that was failing at a mass level, and for like six months he hadn't actually leaked people's data like he said he was. Because it's hard to do, if you think about it. You've got this massive amount of data, you've got to put it somewhere, and now you throw in the latency of the dark web on top of that. It's not an easy solution, and this guy can't just call in a consultant to help fix it when things don't work. So it was a big issue for them, but it still happens. So as a backup they would still use those file servers. But that's something that those guys do have issues with as part of their operation: the data, where are we going to put it? So places like LockBit, when things are working the way they're supposed to work, are definitely a benefit for bad guys.

Speaker 2:

Are there any other challenges? I want to get back to money laundering afterwards, but besides the storage of data, what else is there?

Speaker 1:

So the data, leaking it, moving it. Obviously we touched on negotiation; that is a big one. I think the other problem you have is all these bad guys do their attacks a little bit differently. I referenced the whole Conti ransomware operation earlier; they're one of the few that sort of had a manual that would guide them in how they did their attacks, and the benefit of that, for them anyway, was that you had consistency, where all the attacks looked the same. With other bad guys, once you start to get to know different affiliates and their preferred techniques, you can build out the attack chain and almost make a digital fingerprint of what they did and use that to assist in attribution. And if you know who did it, you probably know who you're going to talk to. So there are lots of benefits from going that way.

Speaker 2:

Then it comes to the money, right. I'm thinking, like, ransomware groups and organized crime, they have a lot of overlapping needs. What can you say about the convergence of those? I guess ransomware groups are organized crime, but I'm thinking about ransomware groups starting to talk to the Sinaloa cartel, for some reason.

Speaker 1:

Yeah, there's your organized crime that relies on violence and drugs or gambling, the human organized crime, and you have cyber organized crime, and there is a pretty big difference. But, yes, they both are organized and they conduct criminal operations. I don't have a direct example, but I guess what I would say is, with the money laundering aspects, if there is a bridge between organized human crime and organized cybercrime, that bridge is really what it is, because the human side of it has much larger mechanisms to move and clean money. So most of the relationships that I've heard rumor of, anyway, have been from that aspect of actually cleaning money, and then they take a piece of that. But again, that's not something I have hard evidence of, but I'm sure it does happen.

Speaker 2:

I've also heard other rumors going around that ransomware is getting more, not only say more violent, but they're much more in your face. They're threatening you a lot more, and I guess if that is a trend and they have some new friends, then they can potentially combine the two, and that would not be a very good situation for us to be in.

Speaker 1:

Well, I also think things change once you start going there. Right now, there's no violence in these crimes. Once you start making them crimes of violence, the whole way it's approached by law enforcement and governments also changes. So I think it's also to their benefit to keep making their money, and you'll have a lot fewer problems if you're not invoking violence on top of it. That's a whole new ballgame once you start introducing violence into things. So right now these are not crimes of violence, and my hope, obviously, is that it stays that way.

Speaker 1:

The funniest thing: the biggest examples of violence that we've seen are not by the classic Russian cybercriminal that we see behind ransomware. It's by the Americans that have taken part in it, who are far more violent than the Russians. And I look at the Russian culture behind ransomware like what the Italian mafia used to be. There were rules and there was control. They still were cold-hearted and they still did their thing. But for the most part there were things like, you wouldn't go do something to someone's kids or mother. And then that changed over the years. Street gangs became the predominant force, and they'll kill and do things to anyone. That's kind of how I look at it with the American versus the Russian. The Russians are much more organized, there's more of a neighborhood culture amongst them, and it's all about business and money. And in America we've just got kids that apparently their mommies and daddies didn't hug them enough, and they'll just do crazy things.

Speaker 2:

That's one thing I got from The Ransomware Diaries: there is like a code, an ethics code, even though it's like, yeah, "there's an ethics code," but there actually is, you know, like no doxing people, they stay away from a lot of things. What about the Americans? Because you're the first person that ever brings up American threat actors. I've been asking the industry, like, why the hell are we not mentioning Americans?

Speaker 1:

to Scattered Spider, who helped BlackCat in that whole MGM incident. You know, that was just a small part of that group. But those guys, they are very good at social engineering, which is why ransomware groups rely on them for that part of the attack, because they speak the language, they know the culture, they can do the research, they're here, close to the target. You know, the problem is that they're young kids that sort of watched too many gangster movies and rap songs and they drive around shooting up houses, things of that nature, and they're already here in the US, which makes it a lot easier for them to reach people. And then they go post it on Telegram and things like that. You know, it's just the Russian guys, they're much more calm. And again, there's like a neighborhood culture within the Russian ransomware community.

Speaker 1:

And I know it sounds strange, but for somebody who spends a lot of time with bad guys, I have learned to appreciate that aspect of it. It makes my job easier, it makes it easier to talk to people and we all kind of know what we're getting when we have these engagements as work. You know, I don't even bother to look into the American side, just because it's so scattered (probably why they call them Scattered Spider), but it's so scattered it doesn't have that sort of central relationship amongst people and, like I said, it just goes south and gets violent too quick for my tastes, so I leave that up for somebody else to deal with.

Speaker 2:

Your perspective on the bad guys. I mean, I think it was Bassterlord that you were talking about. He was there in the early days of Russia invading Ukraine. His mom was sick. His situation was kind of like, it's hard to not like, you don't have to like the guy, but if you have any sort of empathy yourself, you're kind of like, I get it, right. Yeah, I'm just wondering what your perspective is, because I'm not necessarily mad at any of them or, you know, like, how should we be feeling? What's like an empathetic, healthy way to look at that?

Speaker 1:

Well, it's different for me because, again, I get to know some of the actual people, but it's one of those situations where Bassterlord specifically, he was a lot different than many of the criminals that I talked to, and when he started out, you know, he was in a part of Ukraine that had been invaded by Russia in 2014. He considers himself Russian, he's very pro-Russian, which is important to the story. But you know, there were literally jets flying over, bombs dropping, and this guy was trying to figure out a way to get his mom to the hospital and things kind of went from there. But it came down to his family, their health, his lack of opportunity, that sort of drove him to the forums where a lot of the Russian ransomware guys grew from, and that's where he started getting work, which eventually went to pay for things they needed: moving them out of that area, helping get the medical attention, stuff that his family needed, which, all of that's relatable, like I get it. Like if I was in a situation where there were jets dropping bombs in my neighborhood and everything had gone to hell, like I really wouldn't care what the laws were, I would just do what I had to do. But it's different now and he has continued to do it over the years because he likes the money.

Speaker 1:

So it may have started out in a way that, you know, I could understand a little bit more. It didn't stay that way. He does it now because he's greedy and he wanted money and it hasn't worked out great for him. I mean, he's not in jail, but he's indicted. You know, and he's young, so for the rest of his life, if in 20 years the political climate changes in Russia, he's screwed. You know, he'll end up spending the rest of his life in a jail, you know. So he made those decisions, though, that's the bet he made and he's going to have to lie in it. And while right now he's got that protection, again, he's in his 20s, man. He's got a long life to have to worry every day that the political climate's going to change and when it does, he's going to find himself in a small concrete world.

Speaker 2:

Yeah, somebody always has something on him, I guess, from here on out. Yes, and that's a nice segue to the topic of ego, right, because that's one thing that all of them have in common, I guess, is ego. If they didn't have an ego, they'd probably... Having an ego, it's like my dad said to me: get rid of your fucking ego, Robby, because if you don't, you're going to pay for it at some point in your life.

Speaker 1:

That's definitely true. One of the many pieces of good advice he's given me, which is hard to listen to.

Speaker 2:

But I mean, going to ego and the US, you just wrote a paper about this, published it this week, I believe, about the way the US government is handling ego, like posting. Can you just run through what that paper was about so everybody else can understand what I'm trying to describe? I'm doing a horrible job.

Speaker 1:

Oh, Tim's paper. Yeah, yeah, yeah. So I hired a former FBI profiler, so he did like behavior profiling of criminals. He was just sort of comparing how criminals act and how the mindsets that they have have sort of changed over time.

Speaker 1:

Extremist groups in the Middle East, it doesn't really matter who it is, you can apply it. There's always sort of this reason and, in effect, something that happened to someone that caused them to do a certain thing, influences in their life. They continue to enable that, and then long-term effects from conducting that and that becoming sort of who you are and what you do. But yeah, I think you can see a lot of that also plays out on the law enforcement side, you know, with the whole takedown with LockBit and the NCA. You know, this was the first time we've seen them use psychological operations as part of their tactics and it was massively successful. So I think you see it on both sides.

Speaker 1:

You know, bad guys do things like threaten to expose sensitive pictures. There was an incident with BlackCat and one of the execs was a female and, whether it was true or not, you know, they claim they got access to photos of that. The mind game aspect is a big part of the ransomware thing. It's, your reputation is going to be hurt, we're going to tell everyone. That's not something that's necessarily tangible, that's something that we're making you feel so that you pay us. So I just felt like having somebody who's an expert on the whole profiling would really sort of bring light to an area that doesn't get talked about a lot today with cybercrime.

Speaker 2:

Do you think there'll be more of that psyops coming from our side towards their side moving forward?

Speaker 1:

I do. It would be crazy if there wasn't, right. Like, this was clearly, hands down, the most successful takedown operation that law enforcement has conducted. So it would be crazy if they don't. I got to meet some of those guys in person last week and, you know, I asked them, you know, so what happens? Like, is it like here in the US where they move you guys around every few years as soon as you can do your job? And the guy was like, yeah, I'm probably going to have to move on soon. So I really hope that tradecraft doesn't go with the personnel, because I think it's very important to our success in fighting ransomware to continue using that tactic.

Speaker 2:

Oh well, shit, we got to use theirs. If it's working against us, we should use it back there, I guess. Yeah, yeah, yeah, well, it's effective getting in their head.

Speaker 1:

I'm not going to say which piece it is, but I literally intentionally wrote something. Out of the many things I've written, there was one thing I wrote over the past couple of years that was public and it looked like I wrote it for the public, but I wrote it 100% just to get in this adversary's head, and I wanted to kind of measure that cause and effect and see where I could sort of push that line and what would happen. And so I do think that it's important to leverage that, because these guys, again, not only are they human, most of them have had a lot of screwed up, bad things happen to them and they have a lot of anxieties and stresses. And we can push those buttons if you know how to do it well. You screw it up, you end up in a really bad situation where you might be getting targeted, but if you do it right, then they'll never see it coming and you can have a good effect with it.

Speaker 2:

Yeah, in terms of, like, advice for network defenders. What else can they actually get in terms of value for their organizations by immersing themselves into this world that you're a part of?

Speaker 1:

Well, I guess the first thing I'm going to say is it's not for everybody to do, just somebody needs to do it. So I think it's important that more organizations are open to doing it. But the thing is, you don't need to have 20 voices. You need to have one or two strong voices that have a network, who you can talk to in the criminal world when you need to get information that you can apply to the information you already have to create actionable intelligence, and I used to be one of those guys.

Speaker 1:

I remember at Symantec, an endpoint protection company, I'd see ransomware guys live on networks and we'd be chasing them in real time, and I just remember those days where everything sort of becomes zeros and ones and you forget that not only are these guys human, but every single victim is going to have to talk to their attacker.

Speaker 1:

So, for that reason alone, I just felt like we needed to change our approach to what we're doing.

Speaker 1:

I wrote a paper called ransomware centric threat profiling, and the reason I did that is, you know, threat profiling has been something that's been done in CTI for years, but ransomware is just so different and unique and you have the ability to reach out and touch these people.

Speaker 1:

You have the ability to go and figure out who they are without even engaging with them, often by things that they post on these forums and things of that nature. So I basically was like, okay, well, we need to profile these guys differently and collect data on them differently. And I think that, when it comes to your question with network defenders, I think that, you know, they need to be able to leverage a source that knows some of the human information, knows some of the storyline, knows some of the negotiation characteristics, all of those things about these people. It's only gonna help you in what you're doing, and the mindset of "oh no, talking to bad guys, you never do that" just needs to change, because the bad guys don't care whether you think it's safe to talk to them or not, the victim's going to have to. So because of that, the more we know about them, the more effective we can be in making the victim come out as unscathed as possible.

Speaker 2:

Wouldn't it be a dumb idea to start sending the Ransomware Diaries to, like, you know, C-level people? They like to read and that reads like a novel. It's really interesting. Maybe they'll actually understand half of what we're doing if we send them that.

Speaker 1:

Right, right, right. Well, again, that's also part of it. I wanted to take a topic that many people think would be too technical, or some people might even think it's boring, and I wanted to make it something that's easily digestible and that you'd want to read and hear. Even on that note, I keep talking about the human part, from the aspect of you're going to have to negotiate with them.

Speaker 1:

But I've also had bad guys tell me how they get into networks. They'll show me screenshots. I've even had bad guys talk about targets before they're actually victims, that they've gotten inside, but they're telling me like, oh man, these guys, their passwords suck. They literally have default credentials on some of their domain servers, you know, and things like that. And you know, it's like, this is great information. I'm able to, and I did, I was able to stop the attack before they could complete it, and of course, like, then they get mad. I'd say, what did you expect, man? Like, you know who I am, and you're telling me this. Like, yes, we might be friendly but, at the end of the day, just like you're going to do your job, I'm going to do mine, and that's kind of how I approach it. But again, if I didn't talk to them and build those relationships, I never would have got that information. So there's lots of good reasons to talk to bad guys, but if everybody's trying to do it, then it doesn't work.

Speaker 2:

Oh, you're my guy for that, at least, Jon. Two more questions, like, in which direction do you see this going? Ransomware in particular, obviously. And then the last one is, like, Analyst1. Like, every time you guys post something, I have that on my list, I'm going to read it and it's really interesting. I love the work you're doing. So those are the two things: how can Analyst1, what should people listening know about it and how can you help? And which way do you see ransomware or digital crime moving?

Speaker 1:

Yeah, so let me do the easy one first. So Analyst1, the meat of the company is their threat intelligence platform. Essentially, it takes a lot of data and it makes it easily consumable for human researchers. Cool. But putting that aside, yeah, ransomware, where it's going? That's a really easy question to answer.

Speaker 1:

We're going to see a lot. We're going to continue to see more data theft. Data theft is where it's at. I'm not saying ransom, you know, encryption of data being used for extortion, is going to go away, but at the end of the day, what makes victims pay is data theft. That is far more damaging than just having your systems encrypted, and bad guys know it, and some have already changed their model where they're just doing that. So I think we'll probably see more of that.

Speaker 1:

Clearly, as we started this conversation, there's lots of issues with infrastructure, like VPNs and things of that nature. So I think that I've been seeing more and more over the past couple of years where they've gotten away from phishing being their primary tactic and now they're leveraging all these vulnerabilities in public facing infrastructure and software. So I think we're gonna keep seeing more of that as well, but we just did this ban with LockBit. I think that's gonna be a really interesting use case. Companies can't pay on that ransom anymore. They're one of the highest volume ransomware attackers. What happens now? On paper, with no one being able to pay, people won't want to work for LockBit and they'll go do something else and he'll die off, whether he wants to or not. That's on paper. It's going to be interesting to see how this actually plays out.

Speaker 2:

But that's just LockBit right.

Speaker 1:

They didn't put a blanket ban on ransomware, they banned the groups that are doing the most damage with that. You still don't have to do a ban across the board, but now it's the government. They may not do it well, I admit, but if they do it well, they get to decide who pays and who doesn't. And it's not that I want the government to be in control of it, but I'm tired of seeing insurance companies be the ones that are dictating whether a victim pays, and they often will make the decision based on what's cheaper, the ransom or what it's going to cost to rebuild. And I get it when a company needs to do it because it's the livelihood of their employees and their customers.

Speaker 1:

You know, private data, why they pay, I have no problem with that. But when it comes down to some third party who holds the influence of where the check comes from, I don't think they should. So I do think there needs to be a little bit more government control on that side. But yeah, I think that the banning of individual groups for payment works, at least for this time, a lot more effectively than a total ban, because we'd bleed out for a while. It would probably work, but a lot of companies would probably go under in the meantime.

Speaker 2:

Yeah, interesting. I still have four more minutes. I have to ask you about the bad guys' use of AI. I know you're talking to that side a lot. Are they? Is that just marketing from our side, like the bad guys are using AI, or how real is that? Yeah, from your point of view.

Speaker 1:

I honestly have not had a single conversation where a bad guy has bragged to me about something that he did with AI. Certainly it's talked about from the aspect of how to get through, you know, like whether it's creating some of the things that they need to get on exchanges, like when you have to take a picture or do video stuff. You know, there's things like that that they try and do, and I'm sure that it's used to build... I mean, I've read about where it's been used to create tools and scripts and other things, but again, I've never had a bad guy come to me bragging about how great AI did something for them. I'm sure it has happened, but as far as being like a predominant thing, it's just not there.

Speaker 2:

From what I've seen with ransomware anyway, you're pretty comfortable that you would probably have heard that by now, right, if that was actually a big thing?

Speaker 1:

Well, where it is used, though, is for phishing emails, and that's where it really helps, is the language barriers. We used to be able to very easily identify: this is clearly someone whose first language is not English, and I don't usually talk to people from this area, it's probably a phishing email. Whereas now, it's perfect writing, so that's where it's mostly used.

Speaker 1:

Certainly, again, there are criminals that are using AI. I mean, I use it to make my job and my life easier. So I definitely do see it, probably the same for bad guys. I'm sure there's ways that they're going to want to use it to make their life easier. So it's definitely coming, but it shouldn't be something we're scared of. The people who want to advance and move forward need to be open to that technology and leverage it. You can't fight it. You got to go with it. Don't be a boomer (not a thing wrong with being a boomer), but you got to have the right mentality. You got to go in open-minded. I mean, I'm 47 years old, and if I can hang with all this, the young bucks can too.

Speaker 2:

Well, I'm actually more worried about what the good guys are going to do with their hair than the bad guys. That's a whole other discussion, right? That is.

Speaker 1:

You got to talk to somebody who didn't work for an intelligence agency for that conversation.

Speaker 2:

Mr DiMaggio, thank you so much for being a part of this, and first of all, for everything you do for the community. Thank you. I know there's thousands of me out there that really appreciate it and, based on all the podcasts, you know, this is interesting. It's fun. Thank you for bringing fun into a gloomy part of the world. That's the goal. Thank you for being a part of our 100th episode.

Speaker 1:

Absolutely, rob. I appreciate you having me man. This has been good and I hope I'm on for episode 200.

Speaker 2:

That'd be awesome. I'm going to take that as a sign up for now.

Speaker 1:

All right, thank you, Jon.

Speaker 2:

You take care of yourself, don't work too much, and we'll talk to you soon.

Speaker 1:

All right, man. Sounds good.

Speaker 2:

Ciao. Well, that's all for today, folks. Thank you for tuning in to the Mnemonic Security Podcast. If you have any concepts or ideas that you'd like us to discuss on future episodes, please feel free to.
