If ransomware security experts or an AV company discover a flaw in a ransomware group's encryption and create a decryption tool, should they try to find and notify victims first before going public and risking tipping off the ransomware gangs?
An article recently discussed this in the Washington Post’s Cybersecurity 202 column. An AV company created a decryption tool after Colonial Pipeline was hit and issued a press release, potentially tipping off the DarkSide group. DarkSide quite possibly could have discovered the flaw over time. When the oil pipeline company received the tool, it was useless: DarkSide had re-engineered its encryption scheme. But the tool was helpful to others. According to ProPublica investigative journalists, the next day DarkSide gave a shout-out to the AV company for helping to fix their issues.
The Cybersecurity 202 article noted:
“The dispute is a twist on a familiar debate in cybersecurity — whether it’s better to gather more information about the bad guys or to stop them in their tracks”.
The “No More Ransom” project, https://www.nomoreransom.org/, has offered free decryption tools for several years, alongside several AV companies. Recently, several gangs have pulled their public leak sites, making identification of victims harder.
What’s your take?