The Washington Post

The Cybersecurity 202: Could less publicizing of ransomware fixes have prevented the Colonial Pipeline attack?

with Aaron Schaffer

The first rule of blocking ransomware attacks is: Don’t talk about how you blocked ransomware attacks. 

Or, on the other hand, maybe you should shout it from the rooftops.

That’s a debate that’s roiling the cybersecurity community after a deep-dive story from ProPublica and MIT Technology Review revealed that an ill-timed cybersecurity company news release may have helped a ransomware gang launch a devastating attack against Colonial Pipeline. That attack caused fuel shortages across the eastern United States and a spike in gas prices.

In the news release in question, the Romanian cybersecurity firm BitDefender touted a digital tool it had developed to unlock computers that were locked by the ransomware gang DarkSide without the victim paying a ransom. BitDefender was offering the tool free to all DarkSide victims. 

That news release helped a lot of DarkSide victims. But it also gave the gang a chance to re-engineer its ransomware, based on what BitDefender published, in ways that ultimately made the tool ineffective.

A few months later, when DarkSide’s ransomware hit Colonial Pipeline, there was no easy fix. Ultimately, Colonial paid a $4.4 million ransom to regain access to its computer systems. 

The article accuses BitDefender of being a “secret weapon” for the ransomware gang and of valuing its own self-promotion over public safety.

If the company had just quietly shared its tool with DarkSide victims rather than publishing it online, the tool might have still worked when Colonial was hacked, the authors Renee Dudley and Daniel Golden argue. Indeed, two other researchers, Fabian Wosar and Michael Gillespie, had been doing just that with a similar tool they discovered. 

“The incident…shows how anti-virus companies eager to make a name for themselves sometimes violate one of the cardinal rules of the cat-and-mouse game of cyberwarfare: Don’t let your opponents know what you’ve figured out,” Dudley and Golden write. 

But BitDefender sees it differently. 

By publicizing its tool, the company helped far more DarkSide victims than it could have by simply scouring news reports about victims and quietly reaching out, the company’s director of threat research Bogdan Botezatu told ProPublica. 

And even if the company had kept mum, DarkSide might have figured out the flaws in its ransomware on its own.

“We are well aware that attackers are agile and adapt to our decryptors,” Botezatu said. “[But] we don’t believe in ransomware decryptors made silently available. Attackers will learn about their existence…while the vast majority of victims will have no idea that they can get their data back for free.”


Cybersecurity venture capitalist Bob Ackerman, meanwhile, called the story a warning that “the cybersecurity community can sometimes do as much harm as good” by publicizing their work. 

Ransomware hackers can be voracious consumers of news about their exploits, noted Allan Liska, senior threat intelligence analyst at Recorded Future.

The dispute is a twist on a familiar debate in cybersecurity — whether it’s better to gather more information about the bad guys or to stop them in their tracks. 

“The security researcher angle says, ‘Don’t disclose any information here. Keep the ransomware bugs that we’ve found that allow us to decode the data secret, so as not to notify the threat actors,’ ” Rob McLeod, senior director of the threat response unit for the cybersecurity firm eSentire, told ProPublica.

On the marketing side, however, “you are singing that song from the rooftops,” he said. 

U.S. intelligence agencies have similarly struggled to strike a balance between gathering more information about hacking groups backed by foreign governments and using what they know to prevent future attacks.

An added danger in that case is that actions that disrupt other governments' hacking groups may reveal the sources and methods by which intelligence agencies know what they do — and cut off those sources of information in the future. 

The keys

More than 100 U.S. municipalities bought Chinese surveillance equipment that the U.S. government says was used to repress Uighurs.

Local governments have continued to purchase the technology even though Congress banned federal agencies from buying it, TechCrunch’s Zack Whittaker reports.

The local governments have purchased the cameras — which are made by Chinese firms Hikvision and Dahua — for use in public schools, probation departments and other places.

Dahua has denied U.S. government allegations that its equipment helps spy on China’s Uighur Muslim population. “Contrary to some reporting in the media, our company has never developed any technology or solution that seeks to target a specific ethnic group,” the company said in a statement. Hikvision didn’t respond to TechCrunch’s request for comment.

A Commerce Department security unit collected information on hundreds of people with questionable authority.

The Investigations and Threat Management Service monitored Asian American employees because they used Chinese-language keywords in email correspondence, according to former investigators and documents obtained by Shawn Boburg. It also scoured social media for people criticizing the decennial census. Critics said the unit’s operations looked more like those of a counterintelligence agency than of a small office tasked with protecting Commerce officials and facilities.

The Biden administration suspended the unit's criminal investigations on March 10 and halted all of its activities earlier this month, two days after The Washington Post presented its findings about the unit.

The unit has behaved as if “someone watched too many ‘Mission Impossible’ movies,” said Bruce Ridlen, a former supervisor. Investigators had complained about the unit to their supervisors and the department’s internal watchdog had launched multiple inquiries into it. 

Republicans who boosted unfounded election fraud claims are trying to become their states’ top election officials.

Trump allies in Georgia, Arizona, Nevada and Michigan — which were all sites of unsuccessful legal challenges to 2020 election results — are running to be those states’ secretaries of state, Politico’s Zach Montellaro reports.

The races raise the possibility that the most vocal proponents of baseless theories that the 2020 election was stolen could be put in charge of running future elections. If elected, the officials would have broad authority over elections including, in many cases, vetting voting machines for cybersecurity and other issues. 

“Someone who is running for an election administration position, whose focus is not the rule of law but instead ‘the ends justifies the means,’ that’s very dangerous in a democracy,” Bill Gates, the Republican vice chair of Maricopa County, Arizona’s Board of Supervisors, said. “This is someone who is trying to tear at the foundations of democracy.”

Chat room

Secretaries of state who are running now could play a vital role if there's a Georgia-like dispute in a future presidential race, according to Olivia Troye, a former aide to former vice president Mike Pence.


Government scan

Russian to be deported after failed Tesla ransomware plot (Ken Ritter and Scott Sonner | AP)

IRS Wants Tools for Cracking Crypto Wallets (NextGov)

Industry report

Huawei to move toward software development in wake of US restrictions (The Hill)

Global cyberspace

A new hacking group is hitting Israeli and other Middle Eastern organizations, researchers say.

The group, which may be tied to Iran, is masking its operations behind ransomware, researchers from cybersecurity firm SentinelOne said.

Russian to be deported after failed Tesla ransomware plot (Associated Press)

Alleged North Korean hackers scouted crypto exchange employees before stealing currency, researchers say (CyberScoop)

Cyber insecurity

A massive Russian cybercrime marketplace has postponed its global expansion.

Transactions on the Hydra dark web marketplace rose to $1.37 billion last year. But the marketplace is delaying expansion plans, blaming external issues and the coronavirus pandemic, according to a new report by cybersecurity firm Flashpoint and blockchain analysis company Chainalysis.

Crime App Citizen Exposed Users' COVID Data (Motherboard)

Japan’s Biggest Dating App Hack Exposes Two Million Accounts (Bloomberg)

Cohen Milstein says cyber incident may have affected 'small subset' of firm's data (Reuters)

  • Retired Gen. Keith Alexander, the former commander of U.S. Cyber Command and director of the NSA, speaks at a cybersecurity conference hosted by the U.S. Chamber of Commerce at 9:15 a.m. today.
  • Ben Bernstein, senior special counsel at the Securities and Exchange Commission, discusses cyber governance at a Cyber Crossroads event at 11:35 a.m. today.
  • A House Science Committee panel holds a hearing on software supply chain security in the wake of the cyberattack on SolarWinds and other companies today at 2 p.m.
  • Former Undersecretary of Defense for Policy Michèle Flournoy, the co-founder of WestExec Advisors, speaks at the Institute for Security and Technology’s Strat-Tech conference at 2:10 p.m. today.
  • Amb. Tobias Feakin, Australia’s cyber ambassador, and a White House official speak at a Center for a New American Security event today at 6 p.m.
  • Secretary of Homeland Security Alejandro Mayorkas testifies before House and Senate Appropriations Committee panels at 10 a.m. and 2 p.m. on Wednesday. 
  • Former Director of National Intelligence Adm. Dennis Blair and former Homeland Security Secretary Michael Chertoff speak at a Center for Strategic and International Studies launch event for the Multilateral Cybersecurity Action Committee on May 26 at 2 p.m.
  • The Senate Homeland Security and Governmental Affairs Committee holds a confirmation hearing for top nominees to the Department of Homeland Security on Thursday at 10:15 a.m.
  • Retired Adm. Michael Rogers, the former commander of U.S. Cyber Command and director of the NSA, discusses critical infrastructure supply chain security at an event hosted by the Israeli Economic Missions to North America and Team8 on Thursday at noon.
  • Anne Neuberger, the deputy national security adviser for cyber and emerging technology, and Jeffrey Greene, the National Security Council’s acting senior director for cybersecurity, speak at a Center for Strategic and International Studies event on Thursday at 2 p.m.

Secure log off