Bitdefender’s Position on Ransomware Attacks and Decryptors

This week Bitdefender was named in a press article regarding our decision to release a free decryptor in January 2021 to help those affected by Darkside ransomware. The authors of the article assert that publicly releasing a ransomware decryptor enables malicious actors to modify their methods to evade future decryption, thus increasing the risk of successful future attacks.

This assertion is flawed from a common-sense perspective and is contrary to the principles that the cybersecurity community operates under. From a common-sense point of view, the assertion is akin to saying that if someone releases a video with self-defense tips then this enables muggers to modify their tactics to thwart such tips – ignoring the fact that posting the video is beneficial to would-be victims. From a cybersecurity community perspective, the global community of defenders, which Bitdefender is proud to be a part of, thrives on knowledge sharing. As cyber-attacks become more frequent and sophisticated, it is harder for individual organizations to defend themselves; therefore, the established practice of sharing attack knowledge is only gaining in importance.

In this context, the public disclosure process via communication channels (blog, media, social media) is critical to making more organizations aware, especially those who have been attacked but who have not publicly disclosed it. At a minimum, it also disrupts the attacker for a period of time, which benefits the global community as well.

Clarifying Bitdefender’s Mission

Bitdefender’s mission is and will always be to battle cybercriminals and adversaries bent on causing harm. Like others in our industry, our researchers spend many long hours year-round tracking malware campaigns, assisting law enforcement and decrypting ransomware to help organizations stand up and fight the bad guys, because we care. Over the years as we have released decryptors, we have received many positive comments from organizations who were able to avoid paying ransoms (amounting to over $100 million) in addition to undisclosed business benefits from faster and more effective recovery.

The article in question, which we prefer not to link to because of its inaccuracies and inherent anti-vendor biases, attempts to shift blame away from Darkside, whose sole purpose as a ransomware-as-a-service organization is to profit from others’ misery, and instead attempts to find fault with cybersecurity professionals who work tirelessly to help organizations deal with such malicious actors. Stated simply, the article is misinformed and sets a bad precedent for cybersecurity journalism.

Sadly, while the article characterizes releasing free tools as purely “self-promotional,” the authors’ attributions indicate they have a book coming out on ransomware that will be published soon.

Our Position on Ransomware Decryptors

We will continue our work to release ransomware decryptors as soon as available and offer them free and indiscriminately to anyone who needs them. We take this approach because it is impossible to assess how many have been affected since most ransomware attacks are not made public.

By way of another analogy appropriate during these times, developing ransomware decryptors is similar to developing a vaccine for a virus likely to mutate: it will still help those affected by the current variant. Knowingly withholding knowledge of a cure that could potentially help many, in the hope that the vaccine developer can identify and contact everyone individually who might fall ill, is not good health policy and, in the ransomware context, is against what the cybersecurity community stands for.

Strong cybersecurity comes from sharing of knowledge and open communications and is widely encouraged across the industry. That is why consortiums like nomoreransom.org and the Common Vulnerabilities and Exposures (CVE) for disclosing new vulnerabilities exist – both of which Bitdefender actively participates in. If we follow the logic in this story, it means the security industry should only disclose ransomware decryptors to organizations who are publicly known to have been attacked or only disclose vulnerabilities for which patches have been provided by vendors (which is not always the case), thereby putting organizations running such software at greater risk.

Moving Forward

We view the research into ransomware groups and development of decryptors as our duty and we take this role very seriously. Our effort to disrupt Darkside is just one example of a single company making a difference. Ransomware operators have taken notice and are deeply concerned (as they should be) at the notion of the cybersecurity community coming together and standing shoulder to shoulder to fight. That is the way we win.