Kaseya, the IT service provider compromised in a high-profile ransomware attack earlier this month, is reported to have asked affected customers to sign a non-disclosure agreement (NDA) before sharing the decryption key it has secured to unlock their data. At a time when law enforcement agencies are scrambling to stem the ransomware epidemic, commentators have asked whether such NDAs help the criminals evade detection.
Last week, Kaseya revealed that it had acquired a global decryption key for the ransomware that criminals had used on its VSA remote monitoring software, attacking over 1,400 of Kaseya’s customers. The company, which previously said it refused to pay the $50–70m ransom, did not disclose exactly how it acquired the key. A spokesperson told the Guardian that it came from a “trusted third party”.
On Friday, CNN reported that Kaseya was asking affected customers to sign an NDA before sharing the decryption key. This is standard practice in the industry, explains Chris Morgan, threat analyst at security provider Digital Shadows. “Typically, NDAs are signed to minimise the chance of sensitive information being breached, which would have a detrimental impact if the information was made public.”
Toni Vitale, partner at law company Gateley Legal, suspects that Kaseya’s NDA may also be an attempt to prevent customers from publicly criticising Kaseya, which had previously been hacked in 2019. “What I would suggest they’re probably doing is trying to get people to stop talking about it, [halting] discussion from lots of clients about how badly their systems were affected, some of whom may be blaming Kaseya for not having the right security in place,” he says. (Kaseya declined an invitation to comment on this or the CNN report.)
Ransomware NDAs: More harm than good?
Either way, Kaseya’s NDA demand has thrown light on a practice that some argue is detrimental to the fight against ransomware, which is now so prevalent that 40% of IT decision makers surveyed by Sophos consider it inevitable that they will get hit.
“If the NDA prevents people from reporting criminal activity, that’s going to harm the investigation from federal agencies, which may very well hinder the international cooperation that’s required in order to try and stop these activities,” says Vitale.
“To have that international cooperation, you need information sharing that the NDA shuts down,” he adds. “It actually makes it harder for Interpol and other agencies to work together to try and prevent this type of activity from happening, setting a dangerous precedent if NDAs are being used to stop information flow.”
But the solution is not to ban NDAs outright, argues Jornt van der Wiel, security researcher at Kaspersky Lab. “The pressure to use NDAs is understandable,” he says. “Where we could see more progress, however, is in the amount of information restricted by NDAs.
“NDAs are often quite strict about no information being shared. What would be an interesting approach is to instead define what information can or cannot be shared, like passwords and other internal data.”
This month’s ransomware attack, which has been attributed to the REvil group, was Kaseya’s second high-profile security breach. “The Kaseya VSA product was targeted by GandCrab ransomware group in 2019, which is widely believed to be the precursor group to REvil,” explains Morgan. “As a result, the product should have been under the maximum high level of scrutiny and monitoring, with the company knowing that the software would likely be targeted again.”