
Infiltrating ransomware gangs on the dark web

This week on 60 Minutes, correspondent Bill Whitaker reported on ransomware attacks. Last year, hackers from around the world teamed up to attack tech companies, hotels, casinos and hospitals in the United States, holding their data hostage by encrypting it and demanding a ransom for the keys to unlock it.

Jon DiMaggio, a former analyst who worked for the National Security Agency, now investigates ransomware as chief security strategist for cybersecurity firm Analyst1.

“We are being destroyed,” he told Whitaker in an interview. “The amount of money flowing out of our economy and into the hands of criminals is astronomical.”

DiMaggio said he spent years developing relationships with ransomware hackers on the dark web and worked his way up to the people running the LockBit ransomware gang.

“I realized these guys are touchable… I can pretend to be someone else and go out and talk to them and extract information,” he told 60 Minutes.

DiMaggio said he developed fake online personas by creating social media and email accounts, then posting and communicating with people online to create “a large footprint that only a real person would have.”

He then communicates with the individuals who are “on site” and works his way up from lower-level hackers to those running the ransomware gangs.

“Sometimes it can take months. Right now I have a relationship with a threat actor that has lasted for over a year and a half,” he said.

“What I realized is that there are real people like you and me who are behind this. A lot of them have stories… this story helps you understand this criminal and what motivates him.”

DiMaggio said he sometimes communicates with hackers as himself, taking a more “honest” approach that can give the hacker a chance to “open up.”

He makes his reports and findings publicly available online in a series he calls “The Ransomware Diaries.”

One of the most notorious ransomware gangs in the world is LockBit. They have been behind ransomware hacks against over 2,000 victims and have extorted over $120 million from victims around the world since beginning their operations.

Last fall, LockBit was responsible for the ransomware attack on the Industrial and Commercial Bank of China, affecting the settlement of more than $9 billion in assets. They also went after US aerospace giant Boeing, stealing its data and later publishing it on the LockBit leak site.

LockBit is what DiMaggio calls a “ransomware-as-service” gang. They offer their services, such as the malware used in the attacks, assistance with ransom negotiations, infrastructure and means of storing and disclosing data, to affiliated hacking groups, who carry out the attacks themselves. If a victim pays a ransom, the affiliated gang and LockBit split the funds.

In February, the Department of Justice, in partnership with the United Kingdom and other international law enforcement agencies, took control of LockBit’s servers and several of its websites.

The DOJ also unsealed an indictment charging two Russian nationals, Artur Sungatov and Ivan Kondratyev, with deploying LockBit ransomware against numerous victims across the United States, as well as victims around the world.

DiMaggio said he was close to one of them, Kondratyev, also known as Bassterlord, and knew his story.

He said Kondratyev grew up in a region of Ukraine taken over by Russia in 2014. His mother was ill at the time and he needed a way to support his family and pay bills.

“So he used what was available to him, and that’s what led him to become a cybercriminal. He needed to help his family,” DiMaggio said.

DiMaggio said he was also able to communicate with the leader of the LockBit gang, one of several people who use the alias “LockBitSupp,” which is shorthand for “LockBit Support.”

In January, LockBit claimed responsibility for an attack on Saint Anthony Hospital, a nonprofit community hospital in Chicago. LockBit copied the data of patients and hospital administrators and threatened to publish it if a ransom was not paid.

DiMaggio said LockBit affiliates had encrypted the hospital’s entire network, which is used to treat patients, and he was concerned it could harm people in need of treatment.

He contacted “LockBitSupp” and tried to convince them to give up the decryption key so the hospital could bring its systems back online.

“I thought I could get him to do the right thing and hand over the decryption key…unfortunately, I was wrong,” DiMaggio explained.

Saint Anthony Hospital acknowledged that a “data security event” had occurred and that files containing patient information had been copied, but said it was able to “continue to provide uninterrupted patient care.” They also said they reported the attack to the FBI and regulators like the U.S. Department of Health and Human Services.

DiMaggio told 60 Minutes that while the successful seizure of LockBit’s servers and takedown of their websites was an important step in the right direction, there are ways the United States can “do better” to combat the scourge of ransomware.

“If we were to use the powers that the NSA has, for example, that you don’t need a judge to sign off on all of this and you can do things that law enforcement can’t do in some of these operations, we would be much more efficient,” he said.

“We’re undermanned. We’re underpowered. We’re underresourced for what we’re facing.”

The video above was directed by Will Croxton. Georgia Rosenberg was the broadcast associate. It was edited by Sarah Shafer Prediger.
