The news this week about our release of a decryptor for Darkside in January 2021 has sparked a conversation about whether researchers (including those who work for cybersecurity companies) should communicate the release of ransomware decryptors to the public. In the security industry, debate helps us all improve our defense, and we encourage and welcome this dialog.
As one of the industry’s largest and most active research teams involved in anti-ransomware activity (both from a decryptor/technology perspective and our work partnering with law enforcement investigations), we wanted to take the opportunity to discuss a few key points on this topic.
Publicly released decryptors provide widespread assistance – especially for organizations that don’t have dedicated security professionals (which are most companies). There’s an implicit assumption among those advocating for no public notice of a decryptor that every company has someone who is tightly plugged into threat research, who will know a decryptor is available and where to find one. It reflects an unrealistic bias toward large enterprises with substantial security team investments. But in the case of a victim that is a company with 100 employees and a part-time IT person who also “handles security”, how would they know such a decryptor was available? How would a cybersecurity company or researcher discreetly let them know there is a decryptor available?
Ransomware is widespread and, unfortunately, it’s the smaller companies who are most often hit. A recent survey found that the average organization that suffered a ransomware attack has just 234 employees. If you follow the “be discreet” path for decryptors, you will likely only reach the largest, most savvy security teams proactively, and then only those who publicly disclose a ransomware attack reactively.
Organizations are desperate for help. The inquiries we get from organizations who are under attack are growing. Their companies are losing money, phones are ringing, and jobs are at stake. The ability to help them – because they know who to call from our public disclosures – is why we do it.
Most organizations don’t disclose ransomware attacks – If the onus is on security companies and researchers who have decryptors to reach out privately to businesses that have been attacked, huge swaths of businesses and organizations won’t get help because they never publicly disclose that they have been attacked.
Benefits of public disclosure far outweigh the risks – Yes, there is a risk to “tipping off” the ransomware actor by publicly announcing a decryptor, but these groups regularly change their keys and other methods anyway because they know researchers are constantly going after them.
Our decryptors have saved organizations millions in ransoms, have helped rescue critical data and have kept organizations open for business. From the many “thank-yous” we have received from desperate business owners who didn’t know where to turn until they saw our public post, we know this work is worthwhile, and we plan to keep it up as long as there are still adversaries to fight. If we can help even one company avoid the consequences of ransomware with a decryptor, we strongly feel it is worth it.
If you are a victim of a ransomware attack, you can reach out to us at [email protected] or [email protected]. We do our best to help everyone if they need support with the decryptors – free of charge.