Infiltrating ransomware gangs on the dark web
This week on 60 Minutes, correspondent Bill Whitaker reported on ransomware attacks. In the last year, hackers from around the world have teamed up to attack tech companies, hotels, casinos, and hospitals in the United States, taking their data hostage by encrypting it and demanding ransom for the keys to unlock it.
Jon DiMaggio, a former analyst who worked for the National Security Agency, now investigates ransomware as chief security strategist for the cybersecurity firm Analyst1.
"We're just getting destroyed," he told Whitaker in an interview. "The amount of money that's going out of our economy, going into the hands of criminals, is astronomical."
DiMaggio said he has spent years developing relationships with ransomware hackers on the dark web and worked his way up to the leadership of the ransomware gang LockBit.
"I realized these guys are touchable…I can pretend to be someone else and go out and actually talk to them and extract information," he told 60 Minutes.
DiMaggio said he develops fake online personas by creating social media and email accounts, and then posts and communicates with people online to create a "wide footprint that only a real person would have."
He then communicates with individuals that are "on the scene," and works his way up from lower-level hackers to the leadership of ransomware gangs.
"Sometimes it can take months. Right now, I've got a relationship with a threat actor that's going on over a year and a half," he said.
"What I realized is there are real people just like you and I that are behind this. Many of them have stories…that backstory helps you understand that criminal and understand what drives them."
DiMaggio said he will sometimes communicate with hackers as himself— taking a more "honest" approach that can give the hacker a chance to "open up."
He makes his reports and findings publicly available online in a series he calls, "The Ransomware Diaries."
One of the world's most notorious ransomware gangs is LockBit. They've been behind the ransomware hacks of over 2,000 victims and extorted more than $120 million from victims around the world since they first began operating.
Last fall, LockBit was responsible for the ransomware attack on the Industrial and Commercial Bank of China, affecting the settlement of over $9 billion worth of assets. They also went after American aerospace giant Boeing, stealing its data and later publishing it on LockBit's leak site.
LockBit is what DiMaggio calls a "ransomware-as-service" gang. They offer their services—like the malware used in attacks, ransom negotiation support, infrastructure, and ways to store and leak data—to affiliate hacking groups, who conduct the actual attacks. If a victim pays a ransom, the affiliate gang and LockBit split the funds.
In February, the Department of Justice, in partnership with the United Kingdom and other international law enforcement agencies, seized control of LockBit's servers and several of its websites.
The DOJ also unsealed an indictment charging two Russian nationals, Artur Sungatov and Ivan Kondratyev, with deploying LockBit ransomware against numerous victims throughout the United States, as well as victims around the world.
DiMaggio said he was close with one of them, Kondratyev, also known as Bassterlord, and knew his backstory.
He said Kondratyev grew up in a region of the Ukraine that was taken over by Russia in 2014. His mother was ill at the time, and he needed a way to support his family and pay the bills.
"So, he used what was available to him, and that is what led to him being a cybercriminal. He needed to help his family," DiMaggio explained.
DiMaggio said he was also able to communicate with the leader of the LockBit gang, one of several people who uses the alias "LockBitSupp," which is shorthand for "LockBit Support."
In January, LockBit claimed responsibility for an attack on Saint Anthony Hospital, a nonprofit, community hospital in Chicago. LockBit copied the hospital's patient and administrative data and threatened to publish it if they were not paid a ransom.
DiMaggio said LockBit affiliates encrypted the entire network of the hospital, which is used to treat patients, and he worried that could hurt people who needed treatment.
He reached out to "LockBitSupp" and tried to convince him to give up the decryption key so the hospital could get their systems back online.
"I believed that I could get him to do the right thing and give the decryption key back…unfortunately, I was wrong," DiMaggio explained.
Saint Anthony Hospital acknowledged a "data security event" had occurred, and that files containing patient information had been copied, but said they were able to "continue providing patient care without disruption." They also said they reported the attack to the FBI, and regulators like the U.S. Department of Health and Human Services.
DiMaggio told 60 Minutes that while the successful seizure of LockBit's servers and takedown of their websites was an important step in the right direction, there are ways the U.S. can "do better" in addressing the scourge of ransomware.
"If we were to use the authorities that the NSA, for example, has, where you don't need a judge to sign off on it and you can do things that law enforcement can't do in some of these operations, we'd be much more effective," he said.
"We're under-manned. We're under-powered. We're under-resourced, compared to what we're up against."
The video above was produced by Will Croxton. Georgia Rosenberg was the broadcast associate. It was edited by Sarah Shafer Prediger.
