Cybersecurity experts, tech companies, and hackers are all going to compete over the next data leak from the infamous hacker group Shadow Brokers, which poses a rather difficult moral dilemma.
To start things off, we should mention that the hacker group known as the Shadow Brokers first appeared a year ago, in the summer of 2016.
In the beginning, the group released three leaks – all containing tools and exploits of the Equation Group, as well as a list of servers that had supposedly been compromised by this hacker group.
Starting with the fourth leak, things started getting interesting. On April 8th, 2017, the Shadow Brokers posted the password to encrypted files that were originally released last year, files revealing NSA hacking tools. The next leak, a week later, revealed damaging files from the NSA’s own coffers – a series of exploits the agency used to target Windows operating systems. This is the leak that ultimately led to hackers creating WannaCry, the ransomware that infected over 200,000 computers worldwide.
The ransomware was extremely dangerous because it also carried a worm-like component, letting it spread across networks without anyone needing to make a mistake, such as clicking on an infected link or downloading a malicious file. It is estimated that WannaCry might have caused losses of $4 billion across the world, especially since it infected countless company networks, in some places stopping production.
What’s more interesting, however, is how the Shadow Brokers went about things. Before dumping the decryption key online, they had tried to auction off the content, hoping to raise a lot of money for the information. When very few showed interest, the idea was set aside. The data dump on the NSA, however, showed that the Shadow Brokers had managed to get their hands on some serious classified documents. This has earned them a lot of credibility across the board.
Using this credibility to their advantage, the Shadow Brokers recently announced that they were setting up a subscription program that would release more zero-day exploits once per month. The subscription would see anyone interested paying north of $21,000 in Zcash, a cryptocurrency that promises complete anonymity.
According to that announcement, anyone willing to pay would get access to these files, regardless of who they are. The June 2017 dump will be delivered sometime in July via a mass email containing a link and password.
To pay or not to pay
Here lies the moral dilemma. Cybersecurity researchers and companies, hackers and tech companies alike are interested in what these leaks are, but not all of them want to pay up because paying would equal giving in to blackmail. On the other hand, others believe that $21,000 is nothing compared to the damage that these exploits could do – and WannaCry’s $4 billion effects are there to show for it.
Let’s say the exploits involve a Windows problem. Microsoft would, obviously, want to get its hands on those files so it can patch things up.
Speaking of which, it was rumored that Microsoft may very well have been tipped off about the April leaks, because it released a Windows patch for that particular exploit a month before the data was dumped. Whether the tip came from the Shadow Brokers, or the NSA figured out that some of its files had been stolen and decided to share the information with Microsoft so the exploit could be blocked, is unknown. The timing, however, is quite suspicious.
This subscription program the Shadow Brokers set up, however, creates a race between all these actors – the hackers want to quickly build an exploit, the tech companies want to patch things up, while the cybersecurity companies want to create solutions to protect users.
The moral conflict here is pretty much the same as when one becomes infected with ransomware – you know that by paying them off you’re only encouraging the hackers to continue doing this, but on the other hand, you really need those files. Also, the phrase “we don’t negotiate with terrorists” comes to mind.
The hackers interested in making a good penny with exploits based on whatever 0-day the Shadow Brokers want to dump next month aren’t so concerned with morals – they just want to have enough money to pay the price and work quickly to get ahead of all the rest.
Therefore, if none of the “good guys,” be they security researchers, security companies or tech companies, pays the Shadow Brokers and then shares the files with the affected company, the world will be in grave danger. While this “no negotiations” policy is admirable, we’re talking about the cybersecurity of millions of people in a good scenario and billions in a worst-case scenario.
It’s a difficult decision to make, but in the end, we may not have much of a choice if we want to keep the world safe.
Of course, paying the $21,000 will mean nothing if people don’t update their systems with the necessary patches. For instance, with WannaCry, Microsoft had released the patch a full month before hackers even had access to the exploit and two months before the ransomware even started spreading. Even so, most of the affected systems had not been updated, nor did they have any antivirus protection in place; and with so many free options available out there, there is no excuse for this.
In the end, this stems from a lack of education regarding cybersecurity. This, however, is a different discussion, one best left for another time.
On the other hand, there’s a separate dilemma here. There are firms out there that offer their corporate clients access to zero-day exploits, malware that affects their systems and so on. Basically, everything a hacker has access to on the dark web, these companies have too. They also pay fees that go way above what the Shadow Brokers are requesting to deliver such information, alongside security solutions. In the end, it’s just a nicely packaged service that revolves around the same idea – zero-day sharing.
In the end, we’ll just have to wait and see what the “good guys” will do, because we certainly know what the black hats will choose to do.