The spread of many ransomware families has been blunted by security researchers who found a bug in the malware and subsequently developed what has become known as a vaccine.
These cures can in some cases create conditions on the target machine that fool the ransomware into thinking the computer has already been infected, since most ransomware contains a check preventing it from trying to infect computers where files are already encrypted.
While a short-term godsend for victims, vaccines that are introduced with marketing fanfare and ego-inflating pats on the back on social media also come at a cost that researchers need to consider. Chiefly, there is the real possibility that a malware author could use the public disclosure as a bug report and patch his malware—the vaccine obviously helps existing victims but it instantly becomes obsolete once the malware is fixed and redistributed.
This creates a tug-of-war for researchers with a moral compass. Unlike the industry standard of coordinated disclosure that applies to software vulnerabilities, disclosing a malware exploit may not have the same benefits for the greater good. Malware authors do shift their behaviors and operations in response to such public reporting, and researchers must weigh these factors and the potential loss of intelligence when deciding how and when to disclose, if at all.
Malware Authors are Watching
It’s no secret malware authors keep a close watch on the research community and public reporting on their work. In August 2017, collaborative work by Flashpoint and other tech companies, including some competitors, resulted in the takedown of the WireX botnet. WireX was the largest mobile botnet on record, and the Android devices corralled into WireX were used in large-scale application-layer DDoS attacks. Although the individual behind that botnet is still involved in malicious activities, they appear to have veered away from activities that attract this much attention.
Another example is the original 2016 Mirai attacks where connected DVRs and security cameras were herded into a botnet and used in DDoS attacks against DNS providers, webhosts, and news sites. It was shut down after public reporting by journalist Brian Krebs identified details about the botnet and the infrastructure hosting it. The operators then published the source code for the Mirai malware that was used to exploit the vulnerable IoT devices used in the attacks. The subsequent federal charges filed against the operators confirmed they shifted their activities toward ad fraud after that incident.
These relationships can quickly become adversarial too. Some researchers have been subject to harassment from criminals, facing low-level annoyances all the way to DDoS attacks, and even swatting. Krebs, a longtime investigative journalist with the Washington Post and his own site Krebs on Security, suffered perhaps the most high-profile retaliatory attack from a threat actor when he was swatted in 2013.
Malware Exploit Disclosure: A Tough Call
Unlike the coordinated disclosure of a software vulnerability, there may be relatively little to gain by publicly dropping an exploit that shuts down malware. Researchers who publicly disclose will risk altering an attacker’s behavior to the point of losing valuable intelligence about their greater operations. The decision to release a malware vaccine, for example, must be weighed against the existence of a highly damaging botnet or technique, and the public’s need to know.
Part of the problem is that disclosure processes or centralized clearinghouses don’t yet exist for benevolent malware exploits. Having a valid outlet for these types of disclosures would minimize the risk that an existing law enforcement operation into a botnet would not be disrupted by a public disclosure, for example. Researchers who are connected to a trusted community, and have law enforcement relationships, might avoid such a misstep and instead opt to contact victims, help them recover data, and keep a malware exploit private.
When it comes to malware exploits, researchers need to act carefully. If the malware is actively maintained, the author—like any developer faced with public exploit disclosure—is extremely likely to patch the flaw. So when the flaw is an encryption bug in ransomware, for instance, the public announcement can potentially help existing victims; however, the ransomware author may be able to patch the flaw for future targeting, rendering the vaccine obsolete. Ultimately, the decision to release information publicly or withhold it is heavily dependent on the nature of the activity, its targeting, potential impact, and on how much progress an investigation has made. Researchers weighing such decisions should factor in the potential intelligence gain and loss from choosing to disclose publicly, and only make a public disclosure after such an evaluation has taken place.