Under Cover. Exposing LOCKBIT Ransomware Gang.

Under Cover. Exposing LOCKBIT Ransomware Gang.


Jon is a master of telling stories. Especially true, mind-blowing ones that could be an A-List Action Film.

From a weathered-faced fisherman’s tale of the “one that got away” to legendary tales of mafia figures taken down from under covered wiretaps, we all benefit from storytelling. There is great importance in understanding the inner working of ransomware cyber crime gangs.

Understanding through storytelling how intelligence gathering is critical to security.

Stories are what makes cyber crime and cybersecurity relatable. Real. It’s why we socialize security. Translating the complex into understandable language.

How Intelligence Gathering Is Critical To Security

Intelligence gathering is critical to effective cybersecurity. It involves collecting and analyzing information about potential threats, including cyber crime gangs. This information can be used to identify vulnerabilities in an organization's systems and develop strategies to mitigate risk.

Intelligence gathering can take many forms, including monitoring social media, analyzing network traffic, and conducting penetration testing. It requires a deep understanding of the tactics and techniques used by cyber criminals, as well as access to the latest threat intelligence.

Why Security Research Is Important

Why? Because like all companies, all groups, they are, at the end of the day, people. The more we understand the people behind the mask, the safer we become.

Understanding the MO or modus operandi of a criminal organization lets us protect ourselves better than ignorance. Each cyber crime gang has certain nuances, idiosyncrasies and MO’s that show us how to deal with them and how to better protect ourselves from their TTPs (tactics, techniques and procedures).

Going Undercover: A Friend’s Journey Inside a Cyber Crime Gang

Going undercover inside a cyber crime gang was not an easy decision, but friend Jon DiMaggio felt it was necessary to gain a deeper understanding of their operations. He spent months carefully crafting his persona, creating a backstory that would allow him to infiltrate the group.

Wait. Is "Lockbit" the Code or the Gang? Well, the answer is both. For those unfamiliar, often cyber crime gangs also carry the monicker of the Code they deploy. LockBit 3.0, also known as “LockBit Black,” is more modular and evasive than its previous versions and shares similarities with Blackmatter and Blackcat ransomware. The gang operates under the same name(s) and the top leader is commonly known in the underground as Mr Lockbit.

What We Learned from Speaking with Security Researcher, Jon DiMaggio

Of all the people we have had the great fortune to speak with this year, one has incredible stories that border on the surreal. Legendary Security Researcher Jon Dimaggio, with Analyst 1, has shared incredible stories on research he uncovered with notorious crime gangs like REVIL. Once the most powerful cyber gangs in the world, taken town is an international cyber crime bust and massive take-down led by the Kremlin last winter. It made news across the globe as one of the first major widespread arrests by Moscow of a cyber crime syndicate.

But nothing compares to Jon’s recent blockbuster report from his year-long efforts undercover with today’s most notorious ransomware gangs, LOCKBIT 3.0/Lockbit Black ("Lockbit").

LOCKBIT is behind the biggest ransomware attacks worldwide in the last few years. They deploy the double extortion tactic made famous by REVIL.

They pressure victims to pay the ransomware ransom through extortion methods of threatening to publish the stolen data if they do not pay the ransom.

In the last few weeks they attacked the California port city of Oakland.

Lockbit is brutal. Aggressive. Highly well-funded. And seemingly...untouchable.

Jon got inside. He spoke to the very top leaders. All undercover.

Scouring the dark web site and applying to join the LOCKBIT cyber crime gang, Jon met resistance when challenged in the technical assessment the gang leaders put him through. It proved too much to overcome. But Jon was not done. He has a knack, and is a specialist, in one thing even more important. Understanding people.

Once Jon had gained their trust, he was able to observe their activities firsthand. He saw how they communicated with each other, how their egos were fragile, and they had even lashed out against other crime gang competitors.

He began to understand how they planned their attacks, and how they laundered their money. It was a fascinating and eye-opening experience. And also a dangerous one. Understanding the people behind ransomware groups is critical and his story paints quite a picture.

There were moments after he released his written findings and appeared on TV and publicly in many interviews that he even feared for his life and those of his loved ones.

Jon is not a hacker.

He does not speak Russian.

But his superpower is trust and likeability.

I argue that those two superpowers transcend cybersecurity into every field as two of the most powerful traits anyone could have.

Jon is a master of both.

How he did it and the technical ramifications of what he learned are laid out in an incredible report released recently to widespread acclaim and relied upon by investigative sources worldwide.

This is a summary of Jon’s incredible research. It’s merely to draw your attention to Jon and his remarkable work. And, to offer you the chance to check out his work and experience the story for yourself.

You can find Jon’s full report on his under cover investigation into cyber crime gang LOCKBIT here:

In Jon's work, you will find a treasure of insight and shocking information you could never imagine. The newest findings on ransomware cyber crime gangs like LOCKBIT are critical to protecting ourselves. Some of Jon’s key findings in his investigation worth mentioning:
    • It’s not just a lot of money they pay their affiliates, it’s “buy an island” type money
    • What makes LOCKBIT unique is that they allow the affiliates to handle the money and pay Lockbit their share, very rare in the RaaS criminal industry
    • There is 1 main leader at the very top who most call “Mr Lockbit” and one other trusted deputy who also controls the main account when the leader is unavailable.

    • The group leadership is bold, flamboyant and resemble the Jon Gotti-like approach to crime. They hold Lockbit Tattoo contests
    •  Lockbit has offered Bug bounty programs and even scholarships…leaders have boasted that they use Elon’s STARLINK to access online at times. Very Bold claims…


    “I have already said more than once that I use Starlink, because it increases the radius of my search.” — LockBitSupp 

    • Lockbit does not rely solely on spear phishing tactics to gain entry into targets, they purchase through IABs (Initial Access Brokers) and even launch through the Lockbit platform, identifying vulnerabilities in networks and attacking direct.
    • Like All RaaS gangs they post their trophies on their Leaked Site and draw victims to that site so they can watch their reputations get destroyed.


    • They have Mission statements and “values” (odd and hypocritical yes) where they claim they are not going to harm children or healthcare and that they are simply Money-driven. They famously returned the encryption key and publicly fired an affiliate who violated their “values” by locking down the Canadian Children hospital earlier this year. A good PR move though they have hit other healthcare targets…so….
    • Their platform/portal is state-of-the-art and very user-friendly to ran a massive criminal operation. It’s point-and-click from scanning/launching into targets, to exfiltration to ransom handling. This makes it very easy for criminals. And is by far the worst aspect for those in charge of cybersecurity.

    • They recruit massively and test their potential affiliates in technical skills to demonstrate they have the needed chops to handle it all. They also are loyal to Mother Russia and often ask questions on Russian folklore often known only to locals which weeds out foreigners and potential law enforcement.
    • While growing and desiring to be global crime leaders, they have expanded their recruiting efforts beyond the motherland and advertise worldwide, openly for affiliates. In their recruiting efforts they also throw rivals under the bus and disparage them.


    • Their ransomware tests the language of the target and if it is found to use Russian, Syrian and a few others the ransomware is designed to automatically NOT launch upon the target. Naturally, UK and American English are not one of the protected targets. So we are Prime Targets.

    Lockbit is notorious, as mentioned. So much so that the FBI recent issued a #STOPRANSOMWARE: LOCKBIT 3.0 alert on March 16, 2023


    The FBI advisory includes recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. The FBI, CISA, and the MS-ISAC recommend organizations implement several best practices they list in the recent formal advisory. Doing so will improve an organization’s cybersecurity posture on the basis of LockBit 3.0’s activity.

    • Their best practices with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs listed are to be considered a minimum baseline as practices that CISA and NIST recommend for everyone and all organizations..

    You can view the full report here: https://www.fbi.gov/

    Watch For Yourself

    Jon was featured recently, along with the LOCKBIT gang leader, on the hit TV show “Trafficked” streaming everywhere on the Nat Geo Channel:

    • S3E7Cyber Pirates

    TV-14 | 03.01.23 | 44:26 | CC

    Under Cover Investigation Ransomware. Meet Jon DiMaggio

    We sat down with Jon and got an inside look at what it was like to both be on the TV show as well as how he handled speaking directly with leaders on the Cyber Crime Gang LOCKBIT.


    We urge you to connect with Jon and follow his insight.


    Jon DiMaggio even has more shocking investigative reports coming soon…follow him and Analyst 1 to be notified when released.


    If you are interested in any Managed IT services or Cybersecurity services, reach out to me for an independent holistic perspective on your state of risk. We are here to help. Our team at All Covered-Konica Minolta is a Top-rated Cybersecurity Firm covering all of North America, located right here in the US.


    David Mauro

    Regional Manager US Central Region

    All Covered, Konica Minolta Business Solutions, US

    Contact David Mauro and the All Covered Team to learn more. @dmauro@allcovered.com

    To See more inetrviews with Security leaders across the globe check


    Please Share & Follow


    David Mauro

    Improving Client Security🛡Leading Konica/All Covered’s MSSP/MSP Growth🛡Content Hacker & Speaker🛡Voice of Security Awareness 💎Podcast/YouTube @CyberCrimeJunkiesPodcast

    Back to blog