
Stay Ahead of Ransomware: The Humans Behind Ransomware: Insights from a Threat Actor Researcher

Authored by Mari DeGrazia

In the June 2026 episode of the SANS Stay Ahead of Ransomware livestream, we explored an often-overlooked aspect of cybercrime: the human beings behind ransomware attacks. We were joined by special guest Jon DiMaggio, who is a threat intelligence researcher and author of "The Art of Cyber Warfare." We discussed his unique approach of directly engaging with ransomware actors and the invaluable insights this methodology has produced.

Jon DiMaggio’s Approach to Threat Actors

Jon brings a unique perspective to threat intelligence. With a background that includes military police work, government intelligence, and private sector security research, he developed what he calls a "human intelligence" approach to understanding cybercriminals. His Ransomware Diaries series, which began in January 2023, put him in the spotlight, sometimes drawing the attention of the same threat actors he researches.

When LockBit’s operators began using Jon's LinkedIn headshot as their profile picture on a Russian criminal hacking forum, Jon reached out to them directly and began building relationships with them.

Jon’s approach was to engage criminals by communicating as himself, which he emphasizes is a choice that carries significant risks. He has received multiple FBI notifications about death threats and attempts to hire "violence as a service" against him. However, he noted one key advantage: "There's no doxxing me and putting my stuff out there. It's all on the table."

This approach has built trust that has proven valuable, with threat actors sometimes providing information about planned attacks on hospitals and charitable organizations before they occur.

Through our conversation, we found out that some of these threat actors are surprisingly young, sometimes under 18. We also discussed several notable figures in the ransomware threat actor community and some of the disparities in sentencing, i.e., whether the punishments fit the crime. We suggest watching the episode in full to understand the nuanced opinions and thoughts on these topics offered by Jon, me, and Ryan.

Learn More About Jon

Jon announced the launch of his new venture, Arkem Cyber, focused on consulting, advisory services, and independent research. He plans to release guidance on conducting human intelligence operations against threat actors, sharing lessons he learned through trial and error.

For those interested in learning more, Jon's book, "The Art of Cyber Warfare," from No Starch Press, covers attribution methodology and threat intelligence, while his Ransomware Diaries series provides detailed accounts of his interactions with major ransomware operations.

Learning More and Looking Forward

To learn more, we recommend that you listen to our full conversation in the June 2026 episode of the SANS Stay Ahead of Ransomware livestream.

Join us next month on the first Tuesday at 1:00 PM Eastern for the next SANS Stay Ahead of Ransomware livestream.

Mark your calendars also for the upcoming SANS DFIR Summit in Arlington, VA this October, which now combines the Ransomware Summit, Threat Hunting Summit, and traditional DFIR content into one comprehensive event.

And remember to check out our upcoming SANS training events, including FOR528: Ransomware and Cyber Extortion, where we dive into the technical details of preventing, detecting, and responding to these types of attacks.