Five months before the ransomware gang DarkSide shut down the Colonial Pipeline, two cybersecurity researchers discovered that DarkSide was using the same digital keys to lock and unlock multiple victims. The researchers, who work with a volunteer group called the Ransomware Hunting Team that has cracked more than 300 major ransomware strains and variants, were quietly looking for victims to help.
However, one month later, on Jan. 11, 2021, the antivirus company Bitdefender made a public announcement that it had discovered a flaw in the ransomware that DarkSide was using to shut down dozens of businesses in the U.S. and Europe. Bitdefender provided a free tool that companies could use to unlock their networks and avoid paying millions of dollars in ransom.
By publicizing its discovery, Bitdefender alerted DarkSide to the issue. The following day, DarkSide announced that it had fixed the problem and "new companies have nothing to hope for." The hacking group even thanked Bitdefender for helping them fix the issue.
Some experts believe that if Bitdefender had not made its announcement, the Colonial Pipeline could have been discreetly restored with the decryption tool provided by the two researchers, which would have prevented panic gas buying and the $4.4 million ransom in Bitcoin that Colonial paid to DarkSide.
Ransomware hunters try to keep hacking groups in the dark for as long as possible so that they can keep cracking the ransomware, even if that means being able to contact and help fewer victims.
According to one of the researchers, ransomware creators can reverse engineer decryptors that are made publicly available to figure out how cybersecurity experts were able to decrypt the files. The cybercriminals then fix their ransomware so that it can no longer be decrypted.
On the other hand, the director of threat research at the Romania-based Bitdefender said it published its tool "because most victims who fall for ransomware do not have the right connection with ransomware support groups and won't know where to ask for help unless they can learn about the existence of tools from media reports or with a simple search."
He argued that DarkSide might have discovered the flaw anyway and that the "vast majority of victims" would not know that they could get their data back for free if the decryptor were not made publicly available.

Renee Dudley and Daniel Golden, "The Colonial Pipeline Ransomware Hackers Had a Secret Weapon: Self-Promoting Cybersecurity Firms," propublica.org (May 24, 2021).