Episode Nine - FBISupp

FBI Assistant Director Bryan Vorndran: Welcome back to Ahead of the Threat. Bryan Vorndran here with the FBI Cyber program, as well as Jamil Farshchi, the chief technology officer of Equifax. Jamil, welcome back.

FBI Strategic Engagement Advisor Jamil Farshchi: Thank you very much. Looking forward to the conversation today.

Vorndran: All right. Well, we have a special guest ahead in a prerecorded episode. But first we're going to do our Top Three, as always. And first we're going to talk about the expiration of CISA 2015 on September 30th of this year and the reauthorization and the value of that reauthorization. Second, we're going to talk about Oracle. And last, we're going to talk about information stealers, credential theft. That is a continuous topic on this podcast.

So, CISA 2015, what is it? CISA 2015 is the Cybersecurity Information Sharing Act of 2015 and it includes very valuable protections for industry to share with the U.S. Government—cyber threat intelligence, cyber threat indicators, as well as defensive measures. But it expires this September, and there's a reauthorization effort underway and we wanted to raise it here to our audience because we think it's immensely valuable for all of you in terms of what it provides you in terms of protections. And I'll go through some of that.

So, it does provide antitrust liability exemption. It does provide exemption from federal and state disclosure laws, including FOIA, exemption from certain state and federal regulatory uses. As well as treatment as commercial, financial and proprietary information. I'm not going to go into tremendous detail here about the definitions of cyber threat indicators that are provided in the legislation, nor the defensive measure, but it would be aligned with your interpretation, your natural and logical interpretation of what those terms mean.

So, this is a public service announcement to all of you out there that there is expiring legislation, and we would encourage you to contact your local elected representatives, to encourage them to reauthorize this, because it provides protection to all of you.

Jamil, any thoughts?

Farshchi: It's actually a question for you. Have there been any examples in the past where not having this protection has actually led to any meaningful litigation or risk, or otherwise other types of risk, as a result of it? It feels like a feel-good kind of thing. But I’m, off-the-top, I'm not aware of any actual issues that have arisen as a result of not…this not being in place prior to it.

Vorndran: Yeah. I get this question a lot about what is the FBI's relationship with regulators, both state and local? And we have examples, you know, I'm not going to name the regulators here, where they have said in orders, hey, listen, anything that you've provided to the FBI, will trigger a regulatory requirement that you have to share that in parallel with the regulator, whether that's a state regulator or a federal regulator. That's usually problematic for us.

Because, as you know, we invest a lot of time in people and building the right relationships. And we don't want those relationships and the trust that exists between us and in this case, a victim or someone who's targeted as an organization to be impacted by a parallel sharing requirement. And CISA 2015, shores that up a little bit and this is an issue that all of the attorneys in this space look at very, very closely in conversations that those attorneys are having routinely, with their clients.

Farshchi: Yeah, I think it is. And it's certainly beneficial. There's no question about that, because it sort of, it eliminates any of the potential risks that one might have. And you guys do build strong relationships with the private sector. And we do trust and hope to trust that those discussions and relationships remain confidential, certainly, given the topics that we oftentimes communicate about with respect to this. So hopefully it'll get renewed.

But I think either way, the trust and sort of veracity of the confidentiality of that information, I mean, it's got to remain at the utmost level of sensitivity given the types of things that we that we typically work on.

Vorndran: Yeah. And so, for our audience, we'll drop a link to the existing legislation in the comments section of the YouTube feed, and we'll keep everybody updated. Alright, Jamil, over to you for Oracle.

Farshchi: Yeah. So, the…there, you know, news recently is that Oracle…of an Oracle breach. Oracle came out thereafter and said we were not breached. And then there were some researchers who did some analysis and, are claiming that, you know, there's up to 6 million records that have been compromised. Typical single sign-on credentials and things like that. So, it's caused a dust-up within the security community and CISOs like myself, you know, are having a lot of discussions around what to what to do about it.

But my angle on this one isn't really that. It's not the incident itself. To me, it's the way you respond to incidents as an organization.

You know, there's multiple ways to sort of approach this thing, but there seems to be amongst some organizations as of late, this approach of ‘it's not me,’ you know, ‘look elsewhere’ kind-of-thing. And it's really frustrating to see that kind of approach from organizations where they try to get out of it, via some sort of technicality. We saw it last year with Snowflake. We saw it in years prior, I think it was LastPass, that password manager one, where the companies just deny the fact that they were involved in this situation at all. And at some level, there may not be culpability directly because maybe there is some other nuance there that's involved.

But to just come out right and say it's not us and you know and try to wall off everything and kill any type of, sort of analysis that anyone would try to do is frustrating. And I think…it erodes the credibility, I think, of these organizations, but it also makes it so much more difficult for all of us to be more secure and more prepared, because if one were to take these statements at face value, then you just eliminate the investigation. “Okay? Nothing to see here. So, we'll just move on with our business.” Meanwhile, there could be like in this potential case, there might be actual residual risk that's still hanging out there that potentially impacts your organization, your customers, access to your environment, and things like that. And so, I just think we need to do better as a community.

And I would just plead to the organizations out there that would maybe find themselves in this situation today or in the future to just be more transparent. It pays off in the end and the erosion of that credibility, it’s not good. And I can tell you firsthand, I talk to security, to CISOs, in a huge peer group and…across a variety of different industries.

And this one in particular, just like Snowflake last year and just like LastPass and several others, there is a ton of discussion going on that where trust is not there. I do not, there’s people saying, “I do not trust this vendor anymore.” You know, “I don't believe what they're saying. They're not being transparent, giving us the information.” And it just puts us all on our heels.

So, my advice is, be as open and honest as you possibly can and help your customers, help us all get a better handle on what exactly happened. Instead of leaning on some technicality to suggest that, hey, you're clean as a whistle and, you know, nothing-to-see-here kind of approach.

Vorndran: Got it. Just to double down real quickly on the transparency piece. My experience in my job over the past four years has been that those companies that are transparent fare the best. Right. I'll just leave it at that.

Farshchi: Yeah.

Vorndran: All right. Well, one of the benefits of this podcast is that every time we do Top Three, we seem to talk about stolen credentials. So, there's a great article on Flashpoint from earlier this month, and I just have some data here that I'm going to read to my right. So, “info stealers were used to steal 2.1 billion credentials last year, accounting for nearly two thirds of 3.2 billion credentials stolen from all organizations.” And just in the first two months of 2025, there's been 200 million additional credential thefts from info stealers. And the most prolific ones are a group of info stealers called RedLine, RisePro, SteaC—S-T-E-A-C—a Lumma stealer. And so, this becomes just a routine conversation for us on this podcast about static credentials that lead to intrusions, right?

And one of the best cases we've done here in the last couple of years is Genesis Marketplace, which is the same thing—theft of essentially stored history in a cache, on a URL cache, and leading to stolen credentials because they're stored there. And that led to massive, massive, losses across industry—various parts of industry.

So, Jamil, I'm not sure what to do. Maybe a public service announcement to go passwordless. But this conversation continues to come up over and over and over again. And the Flashpoint article highlights it yet again.

Farshchi: I mean, you said it and we've talked about it countless times. A lot of the security controls within the space, EDR…you know, endpoint detection and response being number one, have matured massively. Organizations have implemented them ubiquitously in most cases. And as a result, what do the attackers do? What they always do, which is to try to move on to the next weakest link within the chain. And that weakest link today, and has been for, you know, at least a few years now has been credentials. Identity.

And this is just yet another case—it actually ties back to the one I was just talking about before with Oracle—I mean, that was the same situation there. Credentials are everywhere. It's a super easy path for bad actors, and for the most part, most organizations will continue to be reliant on them in some shape or form.

So, my recommendation is the same one that you just gave. We went passwordless for the user space at Equifax last year. It is a huge difference maker, not just from security, but also from a usability standpoint. But until and unless we start taking this seriously on a more broad basis, then we're going to continue to see more and more incidents like this.

It's just not going to go away. It's too easy.

Vorndran: Okay. Well, that completes our Top Three for today. CISA 2015, Oracle, and a call to arms to go passwordless. So, we are going to a previously recorded episode. We have a tremendously unique guest today, so I'll let the episode speak for itself.

________


Vorndran: Welcome back to Ahead of the Threat. As always, I'm Bryan Vorndran, assistant director of the FBI's Cyber Division. And joining me is Jamil Farshchi of Equifax as the chief technology officer. Today we're talking about LockBit. Since 2020 and then continuing all the way through its disruption in February of 2024, LockBit was the most prolific ransomware variant used across the world. They have hundreds of affiliates to their ransomware-as-a-service model, and they targeted entities and organizations both for-profit and not-for-profit throughout the world to include even in China, which we'll talk about here in a little bit.

Joining us today, is a person we're referring to as “FBISupp.” One of the primary case agents for the FBI investigating LockBit, and an individual who has had direct communications for an extended period of time with the administrator for LockBit. Based on that individual's current role we are obfuscating his image and his voice to protect his identity and for his safety. So, let's get into it. So, FBISupp, talk to us about LockBit and how you first became involved in the investigation.

FBI Cybersecurity Special Agent “FBISupp”: Thanks, Bryan. Hello, Jamil. Thank you, guys, for having me. LockBit originated right around the beginning of 2020. And most of our investigations, just like LockBit, start with one victim. And that's what happened in, I believe in, January or February of 2020. There was one victim in New Jersey that had several servers that were encrypted with the first variant of LockBit, came to our attention. One of my colleagues actually opened a case on it. Started investigating. And that's how our case really began.

Vorndran: Okay. So those early days, right, you're trying to get your hands around everything—talk to us about what those early days look like for the FBI. Who are you working with? What are you trying to figure out? What are your priorities?

FBISupp: So, we're trying to figure out everything. We're starting with just this grain of sand, and we have to explore the rest of the beach. So, we gather as much information as we can from that initial victim and put the pieces together and start, you know, piecing this entire puzzle together. And you start getting what we refer to as IOCs, or indicators of compromise. And that starts leading us down a path to our adversaries.

Now there's several different adversaries that I refer to within LockBit. There are the ‘affiliates,’ which are the actors that actually deploy the malware, deploy the lockers, deploy the ransomware on the computer systems. And then there's the administrators and the developers, who are more of a lead role in this ransomware-as-a-service variant. So, what we're doing first is tracking or following the breadcrumbs to that first affiliate to see who is responsible for actually pushing the button to deploy this malware on the system.

Vorndran: Got it. So, I'm going to jump in here with a little bit of background on ransomware as a service. And I know Jamil was chomping at the bit to have some entertaining conversation here. But you know, for our audience, ransomware as a service, we live in this world day in and day out. But at its core, you have your most sophisticated malware developers, all of whom have safe-haven status in Russia, almost entirely.

And then you have an affiliate model, right? And those affiliates are trusted partners of the malware developers. Again, those developers have safe-haven status. Some of the affiliates are in Russia, but some of them are not. And it's those affiliates who essentially create the initial access to a victim's environment. And then really try to extort the victim after an encryption event. We have seen right—this is very well known in industry—we have seen a movement to double extortion with data exfiltration first as an extortion lever and then an encryption event after for a second lever. And we are also starting to see, you know, very, very aggressive calls from…to CEOs, to other executives of organizations, to essentially provide a third extortion lever because nobody wants to live in that world.

It's an extremely, extremely mature business environment for the ransomware actors and one we, contend with and contest every day.

Farshchi: All right, I’m going to... I want to go back a little bit here. So, first, FBI… first, for anyone who's listening, our guest here is all obscured and has the name FBISupp. So, FBISupp: Can you give us some background on what's the origin of this name?

FBISupp: It's a great question because it's an interesting name, right? FBISupp, it's short for FBI Support. Not for my colleagues, but really just for the administrator of LockBit. And the reason why I chose FBISupp is because the administrator of LockBit goes by LockBitSupp. So essentially, I'm mocking him. And there's some other things too, such as his start date, how he puts it in his Tox channel, we began at this time, and I did the same thing when the FBI began. So, it's just mocking the name, and it's become a bit of a brand. We have tip lines that, you know, go into an FBISupp. We have email accounts for FBISupp, and it is a reporting mechanism and a brand for the FBI to, you know, combat the adversary who is LockBit.

Farshchi: I think Bryan and I should get coffee mugs made with that. All kinds of gear would be fantastic. But, so, okay, so when you first got this case and this is just a total layman's question, do you—are you working multiple of these at the same time? Did this one just drop down and it was, you know, hey, this is hair on fire, your primary focus. How does that work?

FBISupp: So, Jamil, I'll be honest, I tried to avoid ransomware cases with everything I had. I saw my colleagues working them, you know, pulling their hair out. I obviously had my own cases where I pulled all my hair out, and, you know, it was just...it got to the point where it was unavoidable. A colleague of mine opened the case and moved elsewhere, so I inherited the case shortly after it was opened. Several months, actually.

At that point in time, it was still LockBit 1.0 and a month after I took it over, I was planning on closing it down. It became very sparse with attacks. There wasn't a lot of activity. And like I said, 30 days after I opened it, LockBit 2.0 was born. And that escalated quickly.

And my life changed quickly because it was now life-consuming. It was all that I was doing. I was eating, sleeping, drinking, LockBit. And there were many attacks. There were up to 10 attacks a day that we were managing and responding to and assisting with. And it just kept going from there. So, I thought I was closing the case. I ended up just moving all my other cases forward to either completion or handing them over. Because this was the primary case, it became a very high priority for not only my squad, but the Bureau as a whole. And that's what I really started focusing on 100%.

Farshchi: What—why is it, you said at the top that you try to avoid ransomware cases at all costs? What is it about them, that makes them…that you want to avoid them?

FBISupp: With ransomware, it's a lot of rinse and repeat, because you see the same thing happening over and over again. You see an attack, you gather the data, and you see where it leads you. Nothing wrong with that. It's just, I had other interesting cases that were very different. Maybe I just like to be different. And I saw everybody else working on ransomware. But, I just didn't want to dip my foot in that pond just yet.

But it was unavoidable, like I said. And it actually ended up being, I hate to use the term fun, but, you know, that's what I do for a living is I solve cases, I solve problems. And this was a big case and a big problem.

Farshchi: So, it sounds like you stepped in at the exact right time, right? When 2.0 got released. Can you tell us about sort of the next step, the evolution of this thing? And, really getting into to tracking this guy and trying to, like, unravel this case.

FBISupp: Yeah. I think, Bryan described it very well before. It’s a business. It's a business in the criminal world. It's an enterprise. You know, they don't pay the taxes, but they run everything else just like a business. So that's what we're hunting. And we need to identify all the employees in this business.

It's run as a business also in the fact that or the sense that they expand, and they grow, especially LockBit. The head of LockBit is likely more of a businessman than a developer or anything like that, or a coder. The goal on the criminal side of this case was to grow this brand and offer as many tools as possible to the criminals that are within that world, and that's where 2.0 kind of really blew things up. They started offering more tools, more encrypters.

You know, like, LockBitSupp always said that he wants to defeat his enemies, and all of his enemies. He wants to crush it. He wants a million victims on his blog site. And that's his childish goals. And he started working towards that and he started offering these additional encrypters, these data-stealing tools to really make it a one-stop shop where you just sign up as an affiliate and hit a few buttons, and all of a sudden, you're in a negotiation for millions of dollars. So that was his ultimate goal.

Vorndran: So, FBISupp, those who know me best internally and externally, know how important it is to me that the FBI and our personnel engage so well with victims, right. That's just part of the FBI's DNA for 115 years is that we're victim-centered. Talk to us about what those engagements actually look like from your perspective as a case agent. What do you learn? What can the FBI share with the victim? And perhaps from my perspective, what is most important that we're asking the victim for, that's most impactful to our investigations?

FBISupp: Thanks, Bryan. Like you and I both, we both hold victims to…put them on a pedestal really because it's the most important part of our investigations. One, it's where they start. And two, that's really what drives these investigations forward. Without the information we get from them, it's like ground zero. We don't have any of that data. Then it's very difficult to move forward. So, it's very important to interact as soon as possible with victims.

And I say that to victims. I'm looking at you to come to us as soon as you possibly can. As soon as you understand that there's a problem, even if it's not a problem that's on the scale of, you know, an FBI investigation. We're more than happy to talk to you about it and point you in the right direction.

But the sooner we can get some of that initial data from the attack. One, it could be a new case. We'll open it up. We'll start investigating and hopefully get that justice for you. Two, it's likely a case that we already have opened. So, we're going to get the experts in front of you immediately. And we have case teams for every different variant of ransomware and every different type of cybercrime. So, you're going to get to talk directly to a cyber expert with the attack you've just experienced. And the data that you give us in the form of IOCs, or indicators of compromise, that is where we can start or compare to the rest of the data.

But it's typically where we start to track down our adversary, whether that's the affiliate or a developer or just the infrastructure in which they're operating from. That's all paramount information for us. That's very important, and it’s what drives our cases forward.

Vorndran: So, let's go back to even a little bit more basic. So, the question I get asked all the time is, ‘Hey, Bryan, we want to engage with the FBI post-intrusion. We're a victim. Are they going to show up in black Suburbans, raid jackets, and guns?’ What is the reality of that perspective from a field agent about how you actually engage with the victim once you learn they’re a victim?

FBISupp: You know, I joined the FBI to get that, you know, black Suburban and wear a suit every day and have that image like you see on the movies. But it's not like that at all.

You know, I encourage every company out there to engage their local field office and talk directly to or invite a cyber agent or cyber agents to either your organization or go visit them to have a personal phone number that you can call when something happens. That's the best way to engage with the FBI. You don't want to call the main number, because you might have to go through a few people to get to the right person. If you start that relationship early and cultivate it and stay in touch, it's going to pay off in dividends in the future. If there's ever a time that you need to call us for an issue.

And it’s polos and khakis. Not really suits all the time anymore, but it's very important to make that relationship solid.

Vorndran: But post-intrusion generally. And don't let me put words in your mouth but post-intrusion generally phone call, Teams call, Zoom call, some type of virtual engagement to make sure that the victim is comfortable with the terms in which we’re engaging, correct?

FBISupp: That's absolutely correct. And there's many different mechanisms to do it nowadays. Some more secure than others. It all depends on what's happening on their network and in their organization.

Vorndran: So let me just stay on this point for two more seconds. So, y’know, a PSA for our audience, right? You suffer an intrusion. We do recommend the sooner the better, you engage with the FBI. We would recommend that it not be on corporate infrastructure, because the chances of that infrastructure being compromised do exist. So, go to out-of-band communications, right, as quickly as possible.

The second thing is this and we can move off the victim engagement. When I get asked the question, ‘What does the FBI actually need from a victim?’ I give them two answers. Number one, we need logs as quickly as possible. And number two, if you plan to pay the ransom, we need virtual currency addresses as quickly as possible.

FBISupp, from your years of experience, do you agree with that? Please feel free to say no. But what is the most timely piece of intelligence you actually need?

FBISupp: That's absolutely correct. The logs are typically paramount. That gives us the information we really need to identify infrastructure. And then it all depends on the rest of the attack. Sometimes there's phone calls, emails. Obviously, those are very important tidbits for us. So, anything you really have that is of importance, anything that can be considered an identifier, pass it over. It may be a lot more important than you even consider.

Farshchi: Yeah, and I’ll attest. As being on the other side of that, when you do provide that information, the engagement from you all is fantastic. I mean, during our incident here at Equifax, I mean, the amount of engagement and insight that you guys were able to provide to myself as well as the entire executive leadership team with briefings and stuff, was second to none.

All right. So, I want to go back, FBISupp, I want to go back to the question…to the topic around the investigation that you're doing. So, you're in the heat of this thing, you must have some level of engagement with the ringleader here. I don't know what his name is. This LockBit dude. Tell me about your…the discussions you have with him or any interactions like what’s it like as you go through that process?

FBISupp: Right. So, LockBitSupp or Dmitry Khoroshev or any other actor that may decide to sit down at that computer and administer LockBit for however long. This was something kind of new. This isn't a typical way to go about investigating. We usually don't contact our adversaries until we're ready, you know, to put the silver bracelets on.

But this…it was an interesting circumstance that required a unique approach. And we reached out directly to LockBitSupp and contacted him on his well-known Tox address, which is a secure communication platform, and started chatting. And after several iterations of proving that we actually are the FBI. Which is funny because that is the most difficult part of my job in most engagements. We started talking and developing, let's call it a business relationship.

So, we understood that this was a game of cat and mouse, yet we still were able to talk about our different positions. And, you know, he thought that this was a business relationship where he would be able to benefit from it. I knew this was a business relationship where I would be able to benefit from it.

Just from the first couple days of chatting, I had intel that I didn't have earlier, and I'm talking to the other person that is in charge of the most prolific ransomware variant in the world. And just by talking day-to-day and asking simple questions and talking about current attacks that his affiliates have been performing, I would extract pieces of intel that would go directly into our indictment against him, and that would relate directly to one of the victim attacks that could help them.

And in a few instances, I was able to negotiate with him. And I guess take advantage of the softer side of LockBitSupp to provide decrypters to specific victims. I think some of those are clear from the blog site that there was apologies and, he actually reversed some of the attacks.

Farshchi: So, wait a minute, wait a minute, wait a minute. So you convinced him to back off a little bit? Is that what you're saying?

FBISupp: Yeah, there were certain victims that, I convinced him it was not in his best interest to continue with that victim. Or you know, it's victims such as schools, hospitals, police departments, things like that, that would really negatively impact, you know, our country. And the reason why I went that route is because LockBitSupp would often say things like, ‘I do care about people, and I don't like when people get hurt or people die. This is all business.’ You know, he didn't support the war against Ukraine. He loves people. And that's what he claims. Now, most of the things he claims I take with a grain of salt or just don't believe. But there were certain instances where, you know, we did have a mutually beneficial relationship.

Vorndran: So, talk to us quickly about what you learned from him personally. We look at these individuals, even myself, as essentially very, very significant criminal leaders, right? And making tens, if not hundreds of millions of dollars in revenue or profit by doing this. What do you learn about personally? Got a family? Married? Where does he live?

FBISupp: So that's funny. This is, I compare him to an angry little child that has these hopes and dreams to take over the world. It's actually kind of comical the things that he would say about his plans with LockBit. You know, like I mentioned before, he wants a million victims on his blog site. He wants to crush all of his competition in the ransomware world. Like, these are just silly comments. But he keeps repeating them.

And as far as we know, he lives in China. He lives in the Netherlands, he's in New York City. He's given many interviews before, and these are all the places that he's claimed to live. I think the only one he has not claimed to live in is Russia. And we know exactly where Dmitry lives. And we know he's married. And there's been a lot of talk on the internet about him with the threat researchers and security researchers out there that got to look into his name a little bit.

But he's very childish. And that's who's leading the most prolific ransomware variant in the world and making all that money. But he stays in the shadows. He's protected by his country. And, you know, we're searching for ways around that.

Farshchi: How do…so, will you tell me more about the monetization aspect of this? So how does he generate the revenue? Does he go through some mechanism to be able to sort of clean the money, or is it does it matter given where he's at and some of the financial or lack of financial controls that are in place?

FBISupp: He thinks he's very good at cleaning his money, it's all crypto. The majority is bitcoin when it comes in from his victims. But he's actually pretty terrible at it. Which is most of the reason why we found out who he was, anyway, if that wasn't clear to him, that's exactly what I'm talking about.

He's not very good at it. He will intake, or actually not he, his affiliates. So, Bryan mentioned before, there's hundreds of affiliates for LockBit, and they're all using their own motives and tactics to infiltrate victims and deploy the malware. They will negotiate which LockBitSupp is often untrustworthy or untrusting of his affiliates and will monitor the conversations that they're having with the victims.

And he’ll a lot of times jump in and take over because he doesn't like the way the negotiation’s going, and he'll set a hard bottom line and let that attack go if he doesn't like, you know, the number it came to. But he'll often take over. He'll negotiate for a certain price, however many millions of dollars it is, or hundreds of thousands that will come into the affiliate, and then he will get 20% of every deal that's done, every attack that there is. And we're upwards of three, four, five thousand attacks since the inception of LockBit.

Farshchi: So, the money comes into the affiliate first and then it trickles back down to the ransomware provider at this point?

FBISupp: Basically, that's how it flows. There were some changes along the way where if it's over a certain amount of money, there would be two different transactions from the victim. But essentially the affiliate does the work, gets the payment and then gives the cut to the administrator.

Farshchi: Does it ever happen where the affiliate decides to just keep the money themselves? Like what's their obligation to pay it back to the other criminal arm?

FBISupp: No, I find that they are very, very ethical in this world. That was sarcasm. Yes, it happens all the time. There are no ethics, even though they claim that there are ethics. But, you know, it's trust amongst thieves, though. It happens quite often, and you'll read about it in forums. You'll see outbursts of administrators and affiliates about not getting their fair share. So yeah, absolutely. It happens.

Vorndran: So, kind of dig in a little bit deeper because I think it's really interesting. The negotiations with the victim, is that happening with visibility for both the affiliate and the malware developer through the infrastructure so that both understand what's being negotiated so they understand what payment they should likely receive?

FBISupp: That is exactly right. In the case of LockBit, but now LockBit, as I mentioned before, is a full-stop shop and everything is done through its infrastructure. Not every ransomware variant operates the same way. But that was a big marketing piece for LockBit. So yes, LockBitSupp, the administrator, can see all the chats going on, can monitor all the affiliates, and can monitor the access to the LockBit website. And he does, and he treats it like his baby and he watches it every day. And takes over when he feels that somebody is not doing their job.

Farshchi: You know, is…on the negotiation side. So, you're a victim, for example, and they throw out some random number that you're supposed to pay, that they want you to pay. Do you know—how much goes into what number they choose to throw out there as the ransom, as the extortion payment number, that they're seeking to achieve?

FBISupp: ZoomInfo, that's pretty much the shop that they go to determine what the initial ransom amount is going to be. They'll take a look at the revenue for the company that they've just attacked, and they'll typically take between 2% and 5% of that revenue and call that the ransom payment. I find that these criminals don't typically know the difference between revenue and profit, and they don't know what non-profits are, how they operate. So, their numbers are typically way off the mark when it comes to what companies can typically afford.

But there is a negotiation, and that has evolved as well. That started with the affiliates being able to negotiate whatever they wanted to, then a kind of strict guideline that they had to be within that 2 to 5% as an initial ask, and then they couldn't go down or depart more than 50%. And that was the standard for a while, and it constantly changes depending on, you know, what's going on with that variant.

Farshchi: And so, they're… at that point they'd be locked in, and they can't go lower than the whatever 2% or whatever that threshold is that you're suggesting?

FBISupp: That's correct. And there's an actual rulebook right on the site that anybody can really go take a look at. There are rules for affiliates to abide by. And if they don't, they could essentially be fired. They can be cut from access to the LockBit site. But, you know, if that means not getting that 20% for the next attack, you know, what's LockBitSupp going to do? Let them try again or really cut them off?

Vorndran: All right, so, I'm going to switch gears and talk geopolitics. All right. So, you already said that LockBitSupp was not supportive of the war in Ukraine, which I think is fascinating to learn. You know, when it comes to targeting, right? We've heard, and I believe—we truly believe, those of us in the FBI, that all Russian-based organizations are off limits for ransomware attacks or Russian-based organizations conducting ransomware attacks.

But I think with LockBit, when you look at the victimology, it's really, really interesting. So, FBISupp, take us through what you know about the victimology. Which countries were targeted the most, which countries surprised you that they were on the top five or top six list of organizations targeted by LockBit?

FBISupp: Sure, and you know, just to describe how this team was that was combating LockBit. It wasn't just, you know, me and my colleagues. This was an international effort. We had the NCA, we had Germany, we had France, we had many different organizations that would come together to combat this at the same time. And we have heat maps and we have, you know, statistics and metrics of the victim pool. The United States being the top, we were attacked the most and it's in, you know, over 3,000 or 4,000 just for the United States from LockBit alone.

And what was interesting is we saw that there were other countries that we did not expect to be on the victim list, such as China, Russia, which is…that is actually in the rulebook, is off limits. However, there were victims in Russia and their subsidiaries outside of Russia that were connected. Iran—there were countries there that we didn't expect and were very surprised to see. And also surprised to see that those affiliates were still operating, even though some of those were against the rules.

Vorndran: Those affiliates, and if you don't know, that's fine. But those affiliates that you saw conduct those attacks or lead those attacks against Iran-based organizations, China-based organizations, specifically Russia-based organizations; were most of these affiliates based in Russia or other countries?

FBISupp: Some of them were based in Russia, which, what… that's what made it most surprising. But it was kind of a mixed bag. There were affiliates that were in other countries also attacking China and Russia.

Vorndran: Okay.

Farshchi: So, take us to the finale here. Can you get us to the final moments of your investigation? As you're closing in on this guy?

FBISupp: Yeah, absolutely. We were working very closely with what is referred to as Operation Cronos or Op Cronos, and that is the collaboration of several different countries, especially the NCA from the United Kingdom. The National Crime Agency took a large part in the technical disruption back in February of this year, and there were many different elements to this disruption.

Now, we obviously didn't take them down in the general sense of, you know, when folks use the term takedown because they're still operating. That's no mystery. And it was a multifaceted approach to disrupt and create this distrust within this criminal organization. And it's ongoing, and it's going to continue. And we will continue just as long as the criminal organization continues.

But working with the other partners and taking different roles and dividing the responsibilities as far as infrastructure, crypto, you know, the adversary themselves, the psychological element; we put all of our powers together, created this army and started to attack, which led to February 20 of 2024, where we took over the LockBit leak site, made it our own.

The NCA did a fantastic job of putting that together and preparing for it. And it was then a law enforcement-controlled site. So, when the affiliates or the administrator went to their LockBit onion site on Tor on the dark web, they were led to our site, and it gave us the opportunity to build some anticipation for what was to come next and what we would leak.

So, the tables turned a bit, and we started putting identities on this site and some of the backend data that we've discovered. We were also able to obtain over 2,500 decryption keys for victims that were previously attacked and able to assist them, which is one of the highlights of this operation, being able to give that back to our victims.

And it was just a culmination of all those different elements that severely impacted the criminal organization, as we now see with the numbers, how they have drastically dropped. When I say numbers, the amount of attacks that LockBit is responsible for now, they're just not trusted anymore. It's not a significant brand anymore. And, you know, the team really came together and we're proud of those efforts.

Farshchi: So, you went on the offensive and you took 'em out. Kind of, so to speak, I guess. Did the…did all of the other affiliates and everyone just scatter like a bunch of rats on a ship? I mean, it must have been pure chaos, I would assume, if they were on the receiving end of that thing.

FBISupp: Yes, there was a lot of chaos. There were several accounts of us contacting some of those rats that you described. And they're shaken very easily. And honestly, they're scattered like rats all the time. You know, there's overlaps with different ransomware variants. It's the flavor of the day for them. You know, it's just a matter of what technology they're using to attack a different victim.

But they did scatter, and a lot of them go into hiding for some time after that. And then they come out of hiding once again and we do it all over again. So, it's something we're getting very good at, and it's an army that we're building every day, a larger army to combat this criminal enterprise. And, you know, we're getting much better at it.

Vorndran: So, FBISupp, so you mentioned 2,700, I think, decrypter keys. I just want to, again, a PSA here. You know, recently, we took the time to actually tally the approximate value of the decryption keys that we provided to victims since 2021. And the FBI director really sent a public statement in September, but that number is north of $600 million in relief that we've potentially provided to global victims. Just a really, really good measure of one piece of success and how we're trying to support victims. So go ahead, Jamil.

Farshchi: I was just going to say that's huge.

Vorndran: Yeah, it is.

Farshchi: So, the one question for me is the selfish one, which is: what have you learned throughout all these investigations and interactions that you have with all these folks that us on the corporate side could apply as a lesson learned for us to avoid getting ourselves in that situation?

FBISupp: Oh, that's kind of an easy one. Don't be the low-hanging fruit. Don't be the easy target. That's tough. The larger the organization, the harder it is to not be the low-hanging fruit. You need to patch things, and you need to patch it timely because these actors, I'm telling you, they use Shodan to their advantage. They scan the internet for known vulnerabilities and then just… they have their target list. They go down the list, start hitting them, and then they have a vulnerable target list and know where they can get into. And there's different structures such as data brokers and initial access brokers, where they'll just get into as many companies as they can and then start selling that access to the ransomware actors.

So don't be that, you know, Shodan return that is going to show that you have a vulnerable system, you know, accessible from the internet. Social engineering is another big one. So that type of training and awareness is paramount in your organization, so people can identify when something's a little off and it can be reported. So, it's things like that, which companies can take away and become so much more secure just by doing those little things.

Vorndran: Jamil, every one of our episodes comes back to this, right? And FBISupp, Jamil and I have moved away from language that says cybersecurity basics, cybersecurity fundamentals, because we've all agreed that, while these tried-and-true practices, right, MFA, password management, vulnerability and patch management, right, air-gapped encrypted backups, real-time backups are all vital, it's really, really hard to do them at scale across a large organization. I find it fascinating that every conversation we have with a guest, it comes back to these tried-and-true principles, but those tried-and-true principles are hard.

So, Jamil, I'll go over to you for any closing thoughts or closing comments?

Farshchi: I…This has been super interesting. One thing, I would love as we conclude here, FBISupp, can you give us some stats? Number of victims that LockBit was able to target? You mentioned the $600 million potentially saved, at least cost avoidance on that front. Any other meaningful stats that you have? Because the scale of this thing was monumental.

FBISupp: Yeah, you're absolutely right. I can give general stats from what I remember. I don't have the stats in front of me, but the attacks, the global attacks were well over 5,000 attacks. The money or the ransom payments, let's start with the 20% that went to the administrator…that was upwards of $100 million in itself. You extrapolate that out and multiply that by what the affiliates got as well, we're over, you know, a half a billion dollars.

And then you take into account the losses to the actual companies when it comes to incident response, mitigation, hours, you know, hours spent on this and the actual ransom payments, we're in the tens of billions of dollars at that point. And I think there are some studies out there that dive into that a little deeper. But those are some of the serious stats that, you know, the ransomware world yields, and it's scary and it's sad as well.

Vorndran: All right, FBISupp, well, we appreciate you joining us and allowing us and our audience to continue to try to get ahead of the threat. For the audience out there, again, primary takeaway for all of you is these tried-and-true cybersecurity practices really, really do matter. Doing them at scale across any organization is difficult, but they really, really do matter and probably are the number one way to lower risk.

So, Jamil, thank you. FBISupp, a huge thank you. We love the brand. We love the work you do. And, for everybody else out there, have a great day.