View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
July 27, 2021updated 28 Jul 2021 3:04pm

Do NDAs undermine the fight against ransomware?

Kaseya's use of NDAs can be detrimental to the global fight against ransomware, as the use of such a contract can prevent vital information being relayed to authorities, say experts.

By Claudia Glover

Kaseya, the IT service provider compromised in a high-profile ransomware attack earlier this month, is reported to have asked affected customers to sign a non-disclosure agreement (NDA) before sharing the decryption key it has secured to unlock their data. At a time when law enforcement agencies are scrambling to stem the ransomware epidemic, commentators have asked whether such NDAs help the criminals evade detection.

ransomware NDAs

Non-disclosure agreements are standard practice after cyberattacks, but may hamper law enforcement. (Photo by William Potter/Shutterstock)

Last week, Kaseya revealed that it had acquired a global decryption key for the ransomware that criminals had used on its VSA remote monitoring software, attacking over 1,400 of Kaseya’s customers. The company, which previously said it refused to pay the $50–70m ransom, did not disclose exactly how it acquired the key. A spokesperson told the Guardian that it came from a “trusted third party”.

On Friday, CNN reported that Kaseya was asking affected customers to sign an NDA before sharing the decryption key. This is standard practice in the industry, explains Chris Morgan, threat analyst at security provider Digital Shadows. “Typically, NDAs are signed to minimise the chance of sensitive information being breached, which would have a detrimental impact if the information was made public.”

Toni Vitale, partner at law company Gateley Legal, suspects that Kaseya’s NDA may also be an attempt to prevent customers from publicly criticising Kaseya, which had previously been hacked in 2019. “What I would suggest they’re probably doing is trying to get people to stop talking about it, [halting] discussion from lots of clients about how badly their systems were affected, some of whom may be blaming Kaseya for not having the right security in place,” he says. (Kaseya declined an invitation to comment on this or the CNN report.)

Ransomware NDAs: More harm than good?

Either way, Kaseya’s NDA demand has thrown light on a practice that some argue is detrimental to the fight against ransomware, which is now so prevalent that 40% of IT decision makers surveyed by Sophos consider it inevitable that they will get hit.

“If the NDA prevents people from reporting criminal activity, that’s going to harm the investigation from federal agencies, which may very well hinder the international cooperation that’s required in order to try and stop these activities,” says Vitale.

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

“To have that international cooperation, you need information sharing that the NDA shuts down,” he adds. “It actually makes it harder for Interpol and other agencies to work together to try and prevent this type of activity from happening, setting a dangerous precedent if NDAs are being used to stop information flow.”

But the solution is not to ban NDAs outright, argues Jornt van der Wiel, security researcher at Kaspersky Lab. “The pressure to use NDAs is understandable,” he says. “Where we could see more progress, however, is in the amount of information restricted by NDAs.

“NDAs are often quite strict about no information being shared. What would be an interesting approach is to instead define what information can or cannot be shared, like passwords and other internal data.”

This month’s ransomware attack, which has been attributed to the REvil group, was Kaseya’s second high-profile security breach. “The Kaseya VSA product was targeted by GandCrab ransomware group in 2019, which is widely believed to be the precursor group to REvil,” explains Morgan. “As a result, the product should have been under the maximum high level of scrutiny and monitoring, with the company knowing that the software would likely be targeted again.”

Topics in this article :
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.