A security researcher reveals how he became acquainted with the administrator of the ransomware group LockBit and extracted details of the cyber attack



A person who was able to extract detailed information about the cyber attack while independently communicating with the administrator of the ransomware group 'LockBit,' which has been involved in numerous cybercrimes, talks about how he became close with the administrator.

How a cybersecurity researcher befriended, then doxed, the leader of LockBit ransomware gang | TechCrunch

https://techcrunch.com/2024/08/09/how-a-cybersecurity-researcher-befriended-then-doxed-the-leader-of-lockbit-ransomware-gang/



In February 2024, the operator of the ransomware group 'LockBit,' known for forcing the container terminal at Nagoya Port to suspend operations and launching cyber attacks against aerospace equipment developer Boeing, was arrested by international law enforcement forces from the United States, the United Kingdom, Japan, and other countries. Prior to this, the LockBit website had been seized by international law enforcement forces.

International law enforcement forces arrest two LockBit operators suspected of attacking Nagoya Port and create a tool to recover encrypted files for free - GIGAZINE



On May 6, 2024, international law enforcement agencies announced that they would update the website they had seized from LockBit to reveal the identity of LockBit's administrators. The former LockBit website included statements such as 'Who is LockBitSupp (LockBit's administrator)?', 'What have we learned?', 'Further exposure of LockBit hackers', and 'What have we been up to?'.



John DiMaggio, a researcher at the cybersecurity firm Analyst1, saw the post and wondered, 'Is this person they're identifying the same person I know?'

DiMaggio had presented himself not as a security researcher but as an 'up-and-coming cybercriminal interested in joining LockBit,' and through long-running contact with LockBitSupp under that persona he was able to independently identify the group's administrator.

In a speech at Def Con in August 2024, DiMaggio talked about how he gained the trust of LockBitSupp and how he managed to obtain details of LockBit's operations. Lorenzo Franceschi-Bicchierai of the news site TechCrunch reported on the speech.



DiMaggio first built the spoof accounts by communicating with people he believed to have direct ties to LockBitSupp. His goal at this stage was to create spoof accounts of cybercriminals with some history around LockBit. He thought that if he could establish such personas, he would be more likely to be trusted when contacting LockBit and its administrator directly.



'The key to creating these accounts was to monitor seemingly unrelated conversations, when they were letting their guard down and chatting with other hackers,' DiMaggio said. 'By listening to their chatter, I could learn about their likes and dislikes, their political views, and so on. I needed to understand the context before I got involved with them. Because if I just jumped in and started asking questions about the attacks and their activities, I would quickly give away that I'm a researcher.'

DiMaggio also revealed that he was rejected when he first tried to join LockBit, but as he continued to talk to LockBitSupp and built a direct friendship with them, he felt comfortable asking questions about what types of cyber attacks LockBit uses, how it communicates with its victims, and how it sets ransoms for victim companies.

In January 2023, DiMaggio published a report summarizing the information he obtained during his undercover investigation. DiMaggio thought that this publication would mark the end of the relationship between the impersonation account he had created and LockBitSupp. However, LockBitSupp did not cut ties with the impersonation account. DiMaggio said of LockBitSupp, 'The person I knew was certainly motivated by money, but he was not a flashy person, and I don't think he was obsessed with material things.' 'So I felt that there was a big difference between the attitude and personality he showed on the hacking forum and the person I actually spoke to in person.'

LockBitSupp then began using the photos DiMaggio had uploaded to LinkedIn on hacking forums to poke fun at him. DiMaggio said, 'It was a game of cat and mouse with LockBitSupp. To be honest, LockBit loved to play with me, and I loved to play with them.'

In August 2023, DiMaggio posted on X (formerly Twitter) that 'If you don't want the details of my investigation into LockBit's hidden secrets to be made public, pay me $10 million (approximately 1.47 billion yen) by August 15th.' DiMaggio wrote that this was a joke.




Regarding the threats, DiMaggio said, 'Some cybercriminals believed my threats and were worried about being exposed.' 'LockBitSupp seemed shaken up, but we never lost contact with him.'

After that, DiMaggio put all his efforts into identifying LockBitSupp, gathering information together with other researchers. He managed to obtain, from an anonymous source, a Yandex email address that LockBitSupp was using. From this, DiMaggio identified LockBitSupp as a person named Dmitry Khoroshev. However, DiMaggio was not sure whether this was correct.

At this time, international law enforcement agencies updated the website they had seized from LockBit and announced that they would reveal the identity of LockBit's administrator. DiMaggio reported to the FBI that he had identified Khoroshev as the administrator of LockBit. He also asked the FBI whether he should hold off on releasing information about Khoroshev, and the FBI told him to wait.

The US Department of Justice subsequently indicted Dmitry Khoroshev as the mastermind and administrator of LockBit, after which DiMaggio released the information he had collected about Khoroshev in the form of a report.

Regarding his activities, DiMaggio said, 'I wanted to show how security researchers can find information about cybercriminals by infiltrating their groups, not just by collecting data from hacks and infiltrating forums.' However, there are rumors that Khoroshev is planning retaliation against DiMaggio, so he said, 'I want researchers to understand that there is a possibility that they will be repaid in some way.'

in Security, Posted by logu_ii