How much can vulnerability alerts help hackers?

Sheila Zabeu -

June 04, 2021

The recent attack on Colonial Pipeline, which supplies fuel to the US East Coast, put the DarkSide group in the headlines in May. The group has become known for compromising the IT infrastructures of large companies and then demanding ransoms to restore continuity of operations. In the case of Colonial Pipeline, the company’s CEO confirmed to the Wall Street Journal that DarkSide was paid $4.4 million in bitcoin for a decryption key that would allow the data to be restored.

However, the story has an earlier chapter dating back to January. Earlier this year, cybersecurity firm Bitdefender released a decryption tool that exploited a flaw in the ransomware used by DarkSide to give victims back control of their encrypted data. According to MIT Technology Review, the flaw was that the same digital keys were used to encrypt and decrypt data for multiple victims. The result: the next day, DarkSide announced that it had fixed its own vulnerability.
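To show why reusing one key across victims is such a serious mistake for the attacker (and such an opportunity for the people helping victims), here is an added illustration that is not part of the original article and does not reproduce DarkSide’s actual cipher. It uses a constructed toy stream cipher built from HMAC-SHA256 and constructed sample files that all begin with a `%PDF-` marker so that a successful decryption can be recognised. It compares a deployment where every victim shares one key with one where each victim gets a fresh key: a key recovered from a single victim’s files decrypts everyone in the first case and only that one victim in the second.

```python
import hmac
import hashlib
import os

# Constructed marker: every sample "file" starts with this, so we can tell
# a correct decryption from garbage without knowing the rest of the content.
HEADER = b"%PDF-"


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher for illustration only (NOT the ransomware's algorithm).

    Keystream block i = HMAC-SHA256(key, nonce || i); data is XORed with it.
    Encryption and decryption are the same operation.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def make_keys(n_victims: int, shared: bool) -> list:
    """Return one key per victim: the same key for all (the flaw) or a fresh key each."""
    if shared:
        k = os.urandom(32)
        return [k] * n_victims
    return [os.urandom(32) for _ in range(n_victims)]


def encrypt_all(plaintexts: list, keys: list) -> list:
    """Encrypt each victim's file with that victim's key; ciphertext = nonce || body."""
    ciphertexts = []
    for pt, k in zip(plaintexts, keys):
        nonce = os.urandom(16)
        ciphertexts.append(nonce + keystream_xor(k, nonce, pt))
    return ciphertexts


def count_recoverable(known_key: bytes, ciphertexts: list) -> int:
    """How many victims' files decrypt correctly with one recovered key.

    A decryption is accepted only if the recovered bytes start with HEADER;
    the chance of a wrong key producing that 5-byte prefix is about 2**-40.
    """
    recovered = 0
    for ct in ciphertexts:
        nonce, body = ct[:16], ct[16:]
        if keystream_xor(known_key, nonce, body).startswith(HEADER):
            recovered += 1
    return recovered


def simulate(shared: bool, n_victims: int = 5) -> int:
    """Encrypt n_victims constructed files, then recover using victim 0's key only."""
    plaintexts = [HEADER + f"constructed report for victim {i}".encode() for i in range(n_victims)]
    keys = make_keys(n_victims, shared)
    ciphertexts = encrypt_all(plaintexts, keys)
    # Assumption: analysts obtained exactly one victim's key (e.g. from that
    # victim's incident), and nothing else. With a shared key that is enough
    # for everyone; with per-victim keys it helps only that one victim.
    return count_recoverable(keys[0], ciphertexts)


if __name__ == "__main__":
    print("shared key, victims recoverable with one key:", simulate(shared=True))
    print("per-victim keys, victims recoverable with one key:", simulate(shared=False))
```

The defensive lesson generalises beyond ransomware: any system that protects many independent parties must not let a single key compromise (or a single cryptanalytic success) cascade across all of them, which is why per-session or per-tenant keys are standard practice.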

It turns out Bitdefender wasn’t the first to identify DarkSide’s weakness. Two other researchers interviewed by MIT Technology Review, Fabian Wosar and Michael Gillespie, had started looking for victims to help them without fuss. Both belong to a worldwide group of volunteers from the US, Spain, Italy, Germany, Hungary and the UK called the Ransomware Hunting Team, which claims to have broken more than 300 types of ransomware.

The point is that the views of groups like this and of cybersecurity companies do not always converge. Both sides seek to offer a solution to the greatest number of ransomware victims, but perhaps in different ways: one calls attention to the problem and promotes its tools; the other works discreetly, publicising its actions in support forums and through announcements about where to find help, while avoiding any description of how the tools work or of the vulnerabilities found.

Bitdefender acknowledges that DarkSide was able to fix the flaw after the decryption tool was released, but argues that the group would have detected its problem anyway. It also says it does not believe in ransomware-fighting tools offered quietly, since cybercriminals can participate in these help forums or pose as home users or businesses in trouble, while the vast majority of victims will have no idea they can get their data back without paying any ransom.

Who is right? You decide.