Infiltrating Ransomware Gangs on the Dark Web


This week on 60 Minutes, correspondent Bill Whitaker reported on ransomware attacks. Over the past year, hackers from around the world have teamed up to attack technology companies, hotels, casinos and hospitals in the United States, holding their data hostage by encrypting it and demanding ransom for the keys to unlock it.

Jon DiMaggio, a former analyst who worked for the National Security Agency, now investigates ransomware as chief security strategist for cybersecurity firm Analyst1.

“We’re being destroyed,” he told Whitaker in an interview. “The amount of money that’s going out of our economy and into the hands of criminals is astronomical.”

DiMaggio said he spent years developing relationships with ransomware hackers on the dark web and worked his way up the ranks until he was talking with the leader of the LockBit ransomware gang.

“I realized these guys were touchable… I can pretend to be somebody else, go out and talk to them and get information out of them,” he told 60 Minutes.

DiMaggio said he develops fake online personas by creating social media and email accounts, then posts and communicates with people online to create a “large footprint that only a real person would have.”

He then communicates with people active in those underground communities, working his way up from low-level hackers to ransomware gang leaders.

“Sometimes it can take months. Right now, I have a relationship with a bad actor that has been going on for over a year and a half,” he said.

“I realized that there are real people like you and me behind this. Many of them have a story… that story helps you understand this criminal and understand what motivates him.”

DiMaggio said he sometimes communicates with hackers by pretending to be himself, taking a more “honest” approach that can give the hacker a chance to “open up.”

He makes his reports and findings publicly available online in a series he calls “The Ransomware Diaries.”

LockBit is one of the most notorious ransomware groups in the world. Since the start of their activities, they have hacked over 2,000 victims and extorted over $120 million from victims around the world.

Last fall, LockBit was behind the ransomware attack on the Industrial and Commercial Bank of China, which affected the settlement of over $9 billion in assets. They also attacked American aerospace giant Boeing, stealing its data and later publishing it on LockBit’s leak site.

LockBit is what DiMaggio calls a “ransomware-as-a-service” gang. They offer their services—like the malware used in the attacks, ransom negotiation assistance, infrastructure, and ways to store and leak data—to affiliated hacker groups, who carry out the attacks themselves. If a victim pays a ransom, the affiliated gang and LockBit split the funds.

In February, the Justice Department, in partnership with the United Kingdom and other international law enforcement agencies, took control of LockBit’s servers and several of its websites.

The Justice Department also unsealed an indictment charging two Russian nationals, Artur Sungatov and Ivan Kondratyev, with deploying the LockBit ransomware against numerous victims across the United States, as well as victims around the world.

DiMaggio said he was close to one of them, Kondratyev, also known as Bassterlord, and knew his story.

He said Kondratyev grew up in a region of Ukraine that was taken over by Russia in 2014. His mother was ill at the time and he needed a way to support his family and pay the bills.

“So he used what he had at his disposal, and that’s what led him to become a cybercriminal. He needed to help his family,” DiMaggio said.

DiMaggio said he was also able to communicate with the leader of the LockBit gang, one of several people who use the alias “LockBitSupp,” which is short for “LockBit Support.”

In May, the Justice Department indicted a Russian national who allegedly used the pseudonym “LockBitSupp,” Dmitry Yuryevich Khoroshev, accusing him of being the creator, developer, and administrator of LockBit. DiMaggio believes he is the man he spoke to during an attack on a U.S. hospital.

In January, LockBit claimed responsibility for an attack on Saint Anthony Hospital, a nonprofit community hospital in Chicago. LockBit copied the hospital’s administrative and patient data and threatened to publish it unless it paid a ransom.

DiMaggio said LockBit's affiliates had encrypted the hospital's entire network used to treat patients, and he feared that could harm people who needed treatment.

He contacted “LockBitSupp” and tried to convince him to give the decryption key so the hospital could get its systems back online.

“I thought I could get him to do the right thing and give me the decryption key… unfortunately, I was wrong,” DiMaggio explained.

Saint Anthony Hospital acknowledged that a “data security incident” had occurred and that files containing patient information had been copied, but said it was able to “continue to provide patient care without interruption.” It also said it had reported the attack to the FBI and regulators such as the U.S. Department of Health and Human Services.

DiMaggio told 60 Minutes that while the successful seizure of LockBit’s servers and takedown of their websites was an important step in the right direction, the United States can “do better” in combating the ransomware scourge.

“If we were to use the powers that the NSA has, for example, where it doesn’t require a judge to approve and we can do things that law enforcement can’t do in some of these operations, we would be much more effective,” he said.

“We are undermanned, underpowered and under-resourced compared to what we are facing.”

The video above was originally released on April 14, 2024. It was produced by Will Croxton and edited by Sarah Shafer Prediger. Georgia Rosenberg was the broadcast associate.