WEBVTT 1 00:00:01.200 --> 00:00:03.060 Mathew Schwartz: Hi, I'm Mathew Schwartz, with Information 2 00:00:03.060 --> 00:00:06.900 Security Media Group, and it's my pleasure to welcome to the 3 00:00:06.900 --> 00:00:11.730 ISMG studios, Jon DiMaggio, chief security strategist at 4 00:00:11.760 --> 00:00:16.140 Analyst1, to talk ransomware. Jon, thank you so much for being 5 00:00:16.140 --> 00:00:16.890 here today. 6 00:00:17.310 --> 00:00:20.550 Jon DiMaggio: Hi, Mat. Thanks for having me. I'm always 7 00:00:20.580 --> 00:00:23.760 excited to come talk to you about chasing bad guys. 8 00:00:23.000 --> 00:00:23.750 Mathew Schwartz: It's really interesting to hear your 9 00:00:24.500 --> 00:00:28.940 insights on the bad guys. And I know that we're going to be 10 00:00:29.060 --> 00:00:33.950 talking about one of the most notorious ransomware groups that 11 00:00:33.950 --> 00:00:39.530 continues to be in existence, LockBit, and LockBit in the past 12 00:00:39.530 --> 00:00:44.150 has attempted to recruit affiliates, business partners, 13 00:00:44.150 --> 00:00:47.930 bring them into its orbit, by trumpeting the speed and the 14 00:00:47.930 --> 00:00:52.940 technical savvy of its crypto locking malware. But Jon, I know 15 00:00:52.940 --> 00:00:56.780 you've had a look under the hood, and from what you've seen, 16 00:00:57.080 --> 00:01:02.840 it sounds like there's less than meets the eye. Victims not 17 00:01:02.840 --> 00:01:06.740 getting listed on the data leak site, for example; the code 18 00:01:07.160 --> 00:01:11.300 you've written in your new report has problems. What's 19 00:01:11.300 --> 00:01:12.140 going on with LockBit? 20 00:01:13.260 --> 00:01:17.970 Jon DiMaggio: Yeah, it's really amazing. You know, there's a lot 21 00:01:17.970 --> 00:01:21.930 of issues under the hood, and, you know, the most amazing part 22 00:01:21.930 --> 00:01:25.860 is that no one's really noticed. And that just goes to show how 23 00:01:25.860 --> 00:01:30.090 strong the propaganda is that LockBit puts out there, both to 24 00:01:30.090 --> 00:01:33.480 the general public media and in the criminal community, because 25 00:01:33.480 --> 00:01:37.410 for the most part, nobody's noticed this. And you know, it's 26 00:01:37.410 --> 00:01:39.330 not that they don't list victims, it's that they can't 27 00:01:39.330 --> 00:01:42.270 publish their data. They'll threaten victims, and they post 28 00:01:42.300 --> 00:01:44.760 this information, and then it says, all your data is 29 00:01:44.760 --> 00:01:48.690 published. But what I found is about 60% of the time, it 30 00:01:48.690 --> 00:01:52.200 wasn't, and that was pretty amazing. I was shocked at that. 31 00:01:52.000 --> 00:01:55.630 Mathew Schwartz: So definitely, if you've fallen victim to 32 00:01:55.630 --> 00:01:59.950 LockBit, previously or in the future, there's a real 33 00:01:59.950 --> 00:02:04.030 cautionary note here. As you said, this doesn't seem like 34 00:02:04.690 --> 00:02:08.710 common knowledge. I know from looking at various ransomware 35 00:02:08.710 --> 00:02:12.190 groups, Tor-based data leak sites, it can be very difficult to 36 00:02:12.190 --> 00:02:17.290 figure out what's going on with any given victim. If information 37 00:02:17.290 --> 00:02:21.310 is being leaked, even if it is supposedly leaked, it's 38 00:02:21.310 --> 00:02:24.940 difficult to even know if it's real or not. I mean, they've 39 00:02:24.940 --> 00:02:27.310 been found in the past to be making stuff up, right? 40 00:02:27.690 --> 00:02:30.330 Jon DiMaggio: Well, so LockBit, for the most part, 41 00:02:30.330 --> 00:02:32.160 traditionally, they've always been good on the board. And 42 00:02:32.160 --> 00:02:34.500 they've always leaked data and things like that. That's why I 43 00:02:34.500 --> 00:02:37.050 know it's a technical issue that they're having, and if you think 44 00:02:37.050 --> 00:02:41.130 about it, it's got to be hard to host all this data over Tor. And 45 00:02:41.130 --> 00:02:43.380 if you think about it, they really blew up when they came 46 00:02:43.380 --> 00:02:48.930 out with LockBit 3.0 last year in June of 2022. And, you know, 47 00:02:48.930 --> 00:02:52.320 they've grown so fast and so quick, just like a legitimate 48 00:02:52.320 --> 00:02:54.390 company. If you grow too fast and too quick, and you don't 49 00:02:54.390 --> 00:02:56.940 have the infrastructure to support it, you have problems. 50 00:02:57.060 --> 00:03:00.300 And, you know, that's just one of several key issues that I 51 00:03:00.300 --> 00:03:03.120 found that that's the most impactful. And, you know, 52 00:03:03.120 --> 00:03:05.760 they're posting these victims, they're going to post data, 53 00:03:05.880 --> 00:03:09.750 either the data isn't there, or at all, or you're seeing it 54 00:03:09.750 --> 00:03:12.750 showing up on third-party sites, and there are also these 55 00:03:12.750 --> 00:03:17.610 affiliates, their "partners" are paying them, you know, 20% of 56 00:03:17.610 --> 00:03:21.270 their profit. And, you know, part of that is that the data is 57 00:03:21.270 --> 00:03:23.970 hosted, so they don't have to worry about using a legitimate 58 00:03:23.970 --> 00:03:28.410 file data sharing provider who could just take it down, and 59 00:03:28.410 --> 00:03:32.610 you've lost access. So, you know, both affiliates, and like 60 00:03:32.610 --> 00:03:36.180 I said, the public didn't know about this. And I talked to 61 00:03:36.180 --> 00:03:39.090 affiliates directly during this. I talked to LockBit directly 62 00:03:39.090 --> 00:03:42.900 during this. LockBit didn't like my questions on what affiliates 63 00:03:42.900 --> 00:03:47.430 did, you know. And I talked to several who actually left the 64 00:03:47.430 --> 00:03:50.820 program and gone to competitors because of this. So I know, it's 65 00:03:50.820 --> 00:03:53.880 not something that I just got wrong, because the guys inside 66 00:03:53.880 --> 00:03:56.040 are confirming it for me, but it was pretty amazing. 67 00:03:56.660 --> 00:03:59.330 Mathew Schwartz: So when you say LockBit's been growing? Do you 68 00:03:59.330 --> 00:04:02.900 mean in terms of the number of affiliates that they've managed 69 00:04:02.900 --> 00:04:06.470 to successfully recruit? Lke you say, ransomware-as-a service 70 00:04:06.470 --> 00:04:09.950 program, they've recruited them in exchange for sharing the 71 00:04:09.950 --> 00:04:12.740 profits, and by sharing the profits, the affiliates are 72 00:04:12.740 --> 00:04:16.670 meant to be getting some services, like this victim data, 73 00:04:17.210 --> 00:04:19.460 possibly getting automatically - I don't know if I have that 74 00:04:19.460 --> 00:04:22.100 right - automatically listed if the ransom isn't paid within a 75 00:04:22.100 --> 00:04:22.970 certain timeframe? 76 00:04:23.380 --> 00:04:26.020 Jon DiMaggio: Yeah, so the way it works is there's the backend 77 00:04:26.020 --> 00:04:30.580 interface that basically the hacker affiliate uses, and in 78 00:04:30.580 --> 00:04:33.700 that they set a timer essentially, and the victim's 79 00:04:33.700 --> 00:04:36.160 information is pulled from their website automatically and it's 80 00:04:36.160 --> 00:04:40.090 posted on LockBit's leak site, and when that timer expires, if 81 00:04:40.090 --> 00:04:43.270 they have not paid the ransom, all their data is supposed to be 82 00:04:43.300 --> 00:04:47.230 made public and leaked. And that's the threat but what I 83 00:04:47.230 --> 00:04:50.950 found like I said, it's often been an empty threat lately and 84 00:04:50.950 --> 00:04:54.940 just no one has actually noticed. There are many, many 85 00:04:55.360 --> 00:04:57.970 interesting posts where it says that data is leaked but it's 86 00:04:58.000 --> 00:05:00.940 not. And LockBit tried to quietly address this. It did an 87 00:05:00.940 --> 00:05:03.640 infrastructure update that you only know if you're, you know, 88 00:05:03.670 --> 00:05:06.610 really monitoring that on the inside with them. But he did 89 00:05:06.610 --> 00:05:09.310 that to address this specific problem. And he talked, you 90 00:05:09.310 --> 00:05:11.800 know, about this specific problem. However, he really 91 00:05:11.800 --> 00:05:14.200 didn't fix it, he made it a little bit better. And he did 92 00:05:14.200 --> 00:05:18.160 some marketing around it to try to hide the fact that the real 93 00:05:18.160 --> 00:05:21.610 data wasn't there, but he didn't fix it. And then there's other 94 00:05:21.610 --> 00:05:25.210 problems behind the scenes in the system that he uses to 95 00:05:25.210 --> 00:05:28.360 communicate with his affiliate partners. There's just too many 96 00:05:28.360 --> 00:05:30.880 of them. They've grown; there's over 100 affiliates, you know, 97 00:05:30.880 --> 00:05:33.430 in the admin panel, now, at any given time, which, you know, 98 00:05:33.430 --> 00:05:37.960 last year at this time, it was around 50. So he's just growing 99 00:05:37.960 --> 00:05:41.170 so fast, and his ransomware makes it so easy for them to 100 00:05:41.170 --> 00:05:44.410 conduct attacks, that it is really, you know, made the 101 00:05:44.410 --> 00:05:47.650 volume - how many attacks, how many people are working it - all 102 00:05:47.650 --> 00:05:50.380 of it together has just been the perfect storm. And, you know, 103 00:05:50.410 --> 00:05:53.710 the gang itself is struggling to, you know, support that 104 00:05:53.710 --> 00:05:55.420 infrastructure and those services. 105 00:05:56.110 --> 00:05:57.730 Mathew Schwartz: One of the other things you mentioned, is 106 00:05:57.730 --> 00:06:01.360 not just trying to keep affiliates happy. But victims 107 00:06:01.390 --> 00:06:04.990 have also reported that when they are trying to make contact, 108 00:06:04.990 --> 00:06:09.070 perhaps to negotiate, they're not able to get through. I mean, 109 00:06:09.100 --> 00:06:11.770 it's the virtual equivalent of the phone ringing and nobody 110 00:06:11.980 --> 00:06:12.670 picking up. 111 00:06:14.100 --> 00:06:18.300 Jon DiMaggio: So victims are able to communicate with the 112 00:06:18.330 --> 00:06:21.600 affiliate, that's ransoming them for LockBit. But what they're 113 00:06:21.600 --> 00:06:27.270 not able to do is affiliates and researchers and even media, if 114 00:06:27.300 --> 00:06:30.630 they're trying to communicate or talk, most of the time, the 115 00:06:30.630 --> 00:06:34.830 victims will have, you know, an easier time communicating with 116 00:06:34.830 --> 00:06:37.980 them, as they have a different system that hosts that 117 00:06:38.010 --> 00:06:41.670 communication. And that actually pushes alerts, just like you get 118 00:06:41.670 --> 00:06:43.710 to your cell phone when a victim is there to let you know they're 119 00:06:43.710 --> 00:06:47.760 ready. So that part isn't falling apart. It's other 120 00:06:47.760 --> 00:06:50.910 aspects of it. But where they are losing is in the 121 00:06:50.910 --> 00:06:53.790 communication. It's almost like - if you think about it, if you 122 00:06:53.790 --> 00:06:56.850 were service provider and all of your customers needed to talk to 123 00:06:56.850 --> 00:06:59.220 you and you had too many customers and not enough people 124 00:06:59.220 --> 00:07:03.060 to answer the tickets, you would have a lot of unhappy customers. 125 00:07:03.060 --> 00:07:05.760 Well, affiliates are basically the customer. And when they have 126 00:07:05.760 --> 00:07:08.400 problems, they're trying to communicate that to LockBit or 127 00:07:08.460 --> 00:07:10.710 they need help with an extortion or there's a problem with a key 128 00:07:10.710 --> 00:07:14.040 or whatever it is, and LockBit takes over a week to get by, to 129 00:07:14.040 --> 00:07:17.940 get back to them, well, that timer on the ransom is ticking 130 00:07:17.940 --> 00:07:21.990 down. And now they're not able to facilitate, you know, the 131 00:07:22.020 --> 00:07:26.010 full ransom in the transaction. So it's costing them money. And 132 00:07:26.040 --> 00:07:28.200 you know, like I said, it's a big problem. But more 133 00:07:28.200 --> 00:07:31.320 importantly, if you don't pay and they can't post it, I mean, 134 00:07:31.320 --> 00:07:35.250 you can roll the dice, but you've got a good chance of them 135 00:07:35.250 --> 00:07:38.640 not actually leaking your data. Now I get that they probably do 136 00:07:38.640 --> 00:07:41.880 have it. But if they can't post it, and they can't host it, and 137 00:07:41.880 --> 00:07:43.950 they have to use file sharing servers, and you have the 138 00:07:43.950 --> 00:07:46.830 ability to use law enforcement, other legitimate services to 139 00:07:46.830 --> 00:07:49.530 shut that down, that may change your mind if you really want to 140 00:07:49.530 --> 00:07:52.680 pay them or not. But no one has known about it. So that sort of 141 00:07:52.680 --> 00:07:56.100 is the biggest secret that I would call a secret because 142 00:07:56.130 --> 00:07:59.310 LockBit, like I said, has done a lot to cover this up. And they 143 00:07:59.310 --> 00:08:01.170 did things like instead of making the data available on 144 00:08:01.170 --> 00:08:05.460 some post, they'll say, 'Oh, you can buy it for $100,000.' Well, 145 00:08:05.580 --> 00:08:07.560 you know, there's a big difference from everybody in the 146 00:08:07.560 --> 00:08:10.290 world being able to see your data versus someone wanting to 147 00:08:10.290 --> 00:08:13.050 pay $100,000 for it. There's a good chance that it's going to 148 00:08:13.050 --> 00:08:16.260 sit there and not ever get exposed. 149 00:08:17.170 --> 00:08:20.260 Mathew Schwartz: So one of the other challenges that I found 150 00:08:20.290 --> 00:08:25.420 was fascinating from your report seems to be recruiting and 151 00:08:25.420 --> 00:08:30.490 keeping technical talent. It seems like LockBit had a real 152 00:08:30.490 --> 00:08:33.820 challenge getting the development expertise that it 153 00:08:33.820 --> 00:08:37.480 requires. Now this dovetails as well with another question, 154 00:08:37.480 --> 00:08:43.570 which is LockBit's different colors, which are versions. So 155 00:08:43.600 --> 00:08:49.240 could you talk me through where we are in the color coding, and 156 00:08:49.300 --> 00:08:52.090 what's been happening on the development front and why that 157 00:08:52.090 --> 00:08:53.980 has been problematic for LockBit? 158 00:08:55.010 --> 00:08:57.750 Jon DiMaggio: Yeah, absolutely. No, it's a great question. So 159 00:08:57.809 --> 00:09:01.191 you know, they use different colors for internal names. So 160 00:09:01.249 --> 00:09:04.631 publicly, they use numbers, internally they use colors. So 161 00:09:04.690 --> 00:09:08.305 LockBit Black was the original variant of LockBit that you saw 162 00:09:08.364 --> 00:09:12.096 that originated in 2020. Then we had LockBit Red, which was June 163 00:09:12.154 --> 00:09:15.653 of 2021. And that was known as LockBit 2.0 publicly and each 164 00:09:15.711 --> 00:09:19.269 one of these, they update the iteration of ransomware and new 165 00:09:19.327 --> 00:09:22.767 features. Sometimes it's even mostly new code. And then you 166 00:09:22.826 --> 00:09:26.325 had LockBit 3.0 which came out in June of 2022. Now that was 167 00:09:26.383 --> 00:09:29.824 their biggest update and that was the one where they really 168 00:09:29.882 --> 00:09:33.206 put them on the map because it made it so easy to conduct 169 00:09:33.264 --> 00:09:36.938 attacks. Well, we had something interesting happening. In March 170 00:09:36.996 --> 00:09:40.554 they introduced what they called LockBit Green, but it wasn't 171 00:09:40.612 --> 00:09:43.878 really the ransomware. They took a leaked builder from a 172 00:09:43.936 --> 00:09:47.318 competitor Conti and they basically just altered it to use 173 00:09:47.376 --> 00:09:51.050 their ransom note and they made a few small changes to the code 174 00:09:51.109 --> 00:09:54.724 but for the most part, it's just their leaked builder. I mean, 175 00:09:54.782 --> 00:09:58.515 I've had it on a virtual machine of mine. Since last February of 176 00:09:58.573 --> 00:10:02.247 2022. I mean, it's nothing new to get excited about if you're a 177 00:10:02.305 --> 00:10:05.746 criminal. You know, it's the same old thing that's been out 178 00:10:05.804 --> 00:10:09.070 there. So I was surprised to see them do that. And their 179 00:10:09.128 --> 00:10:12.744 developer had a falling out with the leader of LockBit back in 180 00:10:12.802 --> 00:10:16.417 September of 2022. So it makes sense that what we see in March 181 00:10:16.476 --> 00:10:20.150 of 2023, when they released this new variant, and it's simply a 182 00:10:20.208 --> 00:10:23.532 competitor's leaked ransomware, it sort of confirmed that 183 00:10:23.590 --> 00:10:26.914 they're having technical development issues. So now we're 184 00:10:26.972 --> 00:10:30.471 really seeing that transcend across their infrastructure and 185 00:10:30.530 --> 00:10:33.854 their other resources that they're using as services they 186 00:10:33.912 --> 00:10:37.702 provide in their program. But it all comes back to the same issue 187 00:10:37.761 --> 00:10:41.435 is lack of development, whether it's your ransomware developer, 188 00:10:41.493 --> 00:10:45.167 whether it's having the proper technical expertise to host your 189 00:10:45.225 --> 00:10:48.374 infrastructure over Tor and support all this data. And 190 00:10:48.432 --> 00:10:51.990 there's also been some issues with their admin panel. I mean, 191 00:10:52.048 --> 00:10:55.430 they've just had a lot of problems, like I said, that most 192 00:10:55.488 --> 00:10:57.530 of the public hasn't been aware of. 193 00:10:58.500 --> 00:11:01.710 Mathew Schwartz: So stepping back, it often seems to me like 194 00:11:01.740 --> 00:11:04.980 ransomware groups, the successful ones, are almost 195 00:11:04.980 --> 00:11:09.780 Harvard Business Review case studies, in how to criminally 196 00:11:09.960 --> 00:11:14.550 use technology to make lots and lots of money. Are you able to 197 00:11:14.550 --> 00:11:19.920 hazard a guess as to what the underlying problem might be? 198 00:11:20.070 --> 00:11:24.570 You've previously characterized the head of LockBit as being an 199 00:11:24.600 --> 00:11:29.820 ego-driven CEO, basically. Why is this technical talent so 200 00:11:29.820 --> 00:11:34.860 hard, do you think, for them to keep a hold of or recruit, given 201 00:11:34.920 --> 00:11:38.940 the potentially massive profits for everybody involved? 202 00:11:39.440 --> 00:11:41.840 Jon DiMaggio: Well, and that's just it. It all comes down to 203 00:11:41.840 --> 00:11:45.080 the money. The previous developers have had agreements 204 00:11:45.080 --> 00:11:48.380 with LockBit or LockBit hasn't come through and paid them or so 205 00:11:48.380 --> 00:11:52.400 they say, that's what they've said, have not not paid them as 206 00:11:52.400 --> 00:11:55.610 they were promised - percentage of the program, for example, 207 00:11:55.670 --> 00:11:58.430 releasing a new code for LockBit and saying, 'Okay, well, you 208 00:11:58.430 --> 00:12:00.860 need to remove your own code, and then I get 10% of the 209 00:12:00.860 --> 00:12:03.050 profit.' I'm using it as example. Well, if you keep the 210 00:12:03.050 --> 00:12:05.300 old code up there, and people are still using that, that's 211 00:12:05.300 --> 00:12:08.780 taking money out of your pocket. There's been several things, but 212 00:12:08.780 --> 00:12:12.440 the point is that they lost their developer and they missed. 213 00:12:12.470 --> 00:12:15.710 So if you notice the dates when I was talking earlier, they were 214 00:12:15.710 --> 00:12:18.830 in except for LockBit Green, which isn't their ransomware, 215 00:12:18.890 --> 00:12:21.320 they've always come out in June for their updates. And this is 216 00:12:21.320 --> 00:12:24.650 the first year that they didn't do that out of the past several 217 00:12:24.650 --> 00:12:29.870 years. So you know, again, missing the refresh date, having 218 00:12:29.870 --> 00:12:33.560 the issues hosting in leaking data, having issues 219 00:12:33.560 --> 00:12:37.970 communicating with their hacker partner affiliates, you know, 220 00:12:38.180 --> 00:12:41.750 when you put this all together, LockBit's in trouble. 221 00:12:43.610 --> 00:12:47.060 Mathew Schwartz: That's great news, and so I'm wondering, is 222 00:12:47.060 --> 00:12:50.450 there anything that network defenders, people such as 223 00:12:50.450 --> 00:12:53.600 yourself who are working to combat ransomware can do with 224 00:12:53.600 --> 00:12:57.110 this? I mean, obviously, we can luxuriate in the karma of it 225 00:12:57.110 --> 00:13:00.020 all, knowing full well, that probably somebody else will 226 00:13:00.020 --> 00:13:03.080 attempt to step forward and take LockBit's place should they 227 00:13:03.080 --> 00:13:06.620 fall, but anybody in this sphere, who's infecting 228 00:13:06.620 --> 00:13:10.940 networks, infecting systems, hacking into networks, this is 229 00:13:10.940 --> 00:13:13.430 great, right? What do we do with this, if anything? 230 00:13:13.000 --> 00:14:41.440 Mathew Schwartz: So where there's smoke, there's fire, we 231 00:13:13.020 --> 00:13:15.546 Jon DiMaggio: Yeah, well, you know, so the bad part is the 232 00:13:15.603 --> 00:13:19.163 guys that are actually doing the compromises and the breaches, 233 00:13:19.221 --> 00:13:22.493 you know, that game is still going well for them, because 234 00:13:22.551 --> 00:13:25.938 that's not using the LockBit services, necessarily. So that 235 00:13:25.996 --> 00:13:28.867 part's still going well for them. But we do make a 236 00:13:28.924 --> 00:13:32.369 difference, though, is, you know, when you are a victim, and 237 00:13:32.427 --> 00:13:36.101 you're looking at 50 million, or like Royal Mail for 80 million, 238 00:13:36.159 --> 00:13:39.719 something crazy like that, you know, you at least now have the 239 00:13:39.776 --> 00:13:43.049 opportunity to say, you know, am I going to be one of the 240 00:13:43.106 --> 00:13:46.781 percentage that they can't post my data. And you know, depending 241 00:13:46.838 --> 00:13:50.398 on what that is, I think that will make ... even if it makes a 242 00:13:50.456 --> 00:13:53.614 difference and 30% of the companies that pay, you know, 243 00:13:53.671 --> 00:13:57.346 you're talking of anywhere from hundreds to hundreds of millions 244 00:13:57.403 --> 00:14:01.135 of dollars over a year that they could lose based off of that. So 245 00:14:01.193 --> 00:14:04.466 it will affect their program, affiliates will continue to 246 00:14:04.523 --> 00:14:07.738 leave. And while it's not something specific that oh, we 247 00:14:07.796 --> 00:14:10.896 can defend against x, information is power. And we can 248 00:14:10.954 --> 00:14:14.399 use that against this group - spreading that word continuing 249 00:14:14.456 --> 00:14:18.016 to watch and see these programs and where they're failing. And 250 00:14:18.074 --> 00:14:21.519 hopefully, I hope that 2023 is going to be the last year for 251 00:14:21.576 --> 00:14:25.193 LockBit. They're in trouble and they're either going to turn it 252 00:14:25.251 --> 00:14:28.639 around or they're going to go down but based off of some of 253 00:14:28.696 --> 00:14:32.256 the things affiliates have said to me, I think there's more to 254 00:14:32.313 --> 00:14:35.012 this than I was able to necessarily prove in my 255 00:14:35.069 --> 00:14:38.400 reporting, but I think things are going south for LockBit. 256 00:14:41.440 --> 00:14:45.220 see a brand in difficulty and because that brand happens to be 257 00:14:45.220 --> 00:14:48.850 ransomware, we can all take away a little bit of joy from that. 258 00:14:48.850 --> 00:14:52.540 Well, Jon, thank you for your efforts to investigate all this 259 00:14:52.570 --> 00:14:56.290 and to share what you've learned for combating not just LockBit 260 00:14:56.290 --> 00:14:57.940 but ransomware in general. 261 00:14:57.000 --> 00:15:00.750 Jon DiMaggio: Yeah. Well, thank you, Mat, for having me on the 262 00:15:00.750 --> 00:15:03.660 show. I love talking about this stuff. So appreciate it. 263 00:15:04.290 --> 00:15:06.030 Mathew Schwartz: Maybe when we have you back next, we'll be 264 00:15:06.030 --> 00:15:09.000 talking about the death of LockBit. We can cross our 265 00:15:09.000 --> 00:15:09.660 fingers. 266 00:15:10.260 --> 00:15:13.260 Jon DiMaggio: We can always hope. It's definitely not going 267 00:15:13.260 --> 00:15:15.780 to be good news for them moving forward unless there's big 268 00:15:15.780 --> 00:15:16.560 changes. 269 00:15:18.030 --> 00:15:20.310 Mathew Schwartz: Excellent. Well, Jon again, I am speaking 270 00:15:20.310 --> 00:15:24.480 with Jon DiMaggio of Analyst1, about ransomware, in particular 271 00:15:24.510 --> 00:15:28.410 LockBit. I'm Mathew Schwartz with ISMG. Thank you for joining 272 00:15:28.410 --> 00:15:28.890 us.