Shadowserver 2020 Urgent Need – The Full Story

March 16, 2020

Read First: Saving Shadowserver and Securing the Internet — Why You Should Care & How You Can Help

The Shadowserver Foundation currently serves 107 National CERTs in 136 countries, over 4,600 vetted network owners and over 90% of the Internet (by IPv4 space and ASN), primarily by providing them with free daily network reports. These reports notify our constituents about millions of misconfigured, compromised, infected or abusable devices for remediation every day.

How do we do this? Our non-profit, public benefit services include daily scanning of exposed network ports on billions of IP addresses internet wide, collecting and sandboxing hundreds of thousands of newly collected malware samples live to the Internet, sharing tens of thousands of new, undetected malware samples with Anti Virus vendors to improve protection products, generating rich sets of custom threat intelligence from a malware repository of over 1.2 billion samples, reporting on millions of infected botnet victims every day through our own sinkholes and those of our trusted partners, and operating large networks of honeypots to detect networks attacks on a global scale. Using these proven approaches, we have reported out over 167 billion events for remediation globally since 2004, at no cost to the public or our constituents.

We also provide quiet, focused, behind-the-scenes expertise and support to Law Enforcement, helping to power many major international botnet takedowns and cybercrime disruption operations. This activity has contributed to high profile indictments and arrests over the past 15 years, and has helped to successfully stop many hundreds of millions of dollars of financial losses worldwide. Shadowserver is proud to sit on Europol’s Advisory Group for Internet Security and works closely with leading international Law Enforcement Agencies, either voluntarily or under more formal MOU. Shadowserver is also available to provide bespoke, specialist consulting and deliver custom, Internet-scale projects within our non-profit framework.

To deliver all of this, Shadowserver is composed of two legal entities:

Our US non-profit primarily operates our extensive data collection, processing, storage infrastructure and engineering, including a US-based data center in San Jose, CA containing 104 racks, 1340 physical servers and ~12 petabytes of storage. This powers all of our scanning, malware collection/sandboxing, botnet sinkholing, free daily network report generation, etc. The US NPO has been funded since 2004 by donations and corporate sponsors.

Our newer EU non-profit primarily provides our free support to international Law Enforcement investigations, as well as enabling us to participate in European projects, such as operating honeypot sensor networks. The EU NPO has been funded since 2014 by the European Commission (through initiatives such as Horizon 2020 and CEF projects), through supportive European National CERTs/CSIRTs (such as NCSC.UK and GOVCERT.LU) and by European banks through the Cyber Defence Alliance (CDA).

Over the years, we have been lucky enough to have some very generous sponsors. In particular, Shadowserver’s ever-expanding US data center operations have become increasingly dependent on one large enterprise supporter – Cisco Systems. We are eternally grateful for Cisco’s long term support of our mission and for helping Shadowserver achieve what it has so far.

However, our vision has always been for The Shadowserver Foundation to become a truly independent, self sustaining, international non-profit organization. So for 2020 we had been hard at work evaluating potential long term sustainability funding models. During February, we had reached the stage where we were working on the details of a preferred neutral governance Industry Alliance approach with some well known names in the community. This new model feels like an excellent path to get us to where we really want to be long term, and the path was being supported by long time sponsor Cisco. We had been getting ready to make an exciting initial joint press announcement with key partners about the start of that new journey at some point in the coming weeks. Then we would move into transition during 2020.

However, at the end of February, our largest US sponsor, Cisco Systems, unfortunately notified us that they are no longer able to continue being the primary financial supporter of Shadowserver. We very much hope that Cisco will still become one of the founding anchor members of our soon to be announced Shadowserver Industry Alliance, and help to guarantee our long term sustainability funding. But the timing of this change has had some very direct and immediate impacts on Shadowserver’s US operational activities:

We lost four of seven donated-in sys-admin/dev US staff immediately
We will lose the three other remaining donated-in senior US staff on May 26th 2020
Shadowserver must move all of our current US data center infrastructure to a new location before May 26th 2020

As a small non-profit organization, Shadowserver does not have the cash reserves on hand to instantly respond to these unexpected events and externally enforced timescales. We are still finalizing vendor quotes and confirming the expected data center move costs, but to prevent Shadowserver’s US-based public benefit services from ceasing completely by May 26th 2020 we urgently need to raise:

Current expected costs to avoid a complete May 26th US data center shutdown are:

$400,000 USD committed by March 31st, paid by May 15th. Purpose: to sign a lease on new US data center space, fit it out, provision bandwidth and move our current data center infrastructure there.

Additional costs to keep Shadowserver US running for the rest of 2020 are:

An additional $1.7 million USD to cover our minimum 2020 US operating costs (new monthly US data center hosting costs, bandwidth, picking up key US staff salaries and other basic operational costs to the end of December 2020).

In summary, the urgent funding required to keep Shadowserver US running in 2020 is:

Total funding $2.1 million USD (including the data center move)

Note: EU project delivery and support services to current international Law Enforcement operations will not be immediately impacted, since these are currently funded independently, through our EU legal entity. But they will likely also be impacted in the longer term by the loss of our US data center.

We will remain eternally grateful to Cisco for their generous support provided to date. Shadowserver could not have achieved the impact that it has without them. We know that these figures will likely cause a level of “sticker shock” at their size, as will the extremely short and aggressive timescales – particularly when they fall mid budget cycle for many large organizations and come at a time of increased global uncertainty. However, we strongly believe that Shadowserver has already demonstrated and repeatedly proven its value to the world, and will continue to provide significant positive benefits to the world going forward. The strength and breadth of our public benefit services and our hard earned reputation, from 15 years spent on the front lines quietly fighting the battle against global cybercrime, will enable us to successfully raise the urgent financial support needed to keep our US data center operations running.

Once we have successfully completed this rapid transition, we are confident that Shadowserver’s long term sustainability can be guaranteed, through our soon to be announced neutral governance Industry Alliance model (more information to follow in future posts). But in the short term, almost all of our focus is currently on ensuring that Shadowserver is able to continue operating our US data center and is therefore able to keep providing public benefit services to all of our impacted constituents and trusted partners globally, with the minimum of disruption.

So in a challenging moment for Shadowserver, what can you do to help?

We are looking for leading members of the global community, who understand the benefit of Shadowserver’s proven capabilities and extensive track record, as well as the value proposition and return on impact investment of continuing to provide free, public benefit, victim detection and remediation services globally for all. We encourage those who gain the most from our services and from having a safer, more secure Internet (or who stand to lose the most from our public benefit services ceasing) to reach out, come together and work with us to find a solution to this short term but very critical situation.

Pledges of support and rapid funding commitments are urgently required.
Donations in kind might be possible to help reduce the budget needed – particularly hosting facilities, bandwidth, hardware and software licenses. Some generous partners and sponsors already do this.
Positive stories and case studies, to help convince budget holders and policy/decision makers of the value to the global community of Shadowserver’s services are also appreciated.
Creative potential solutions are welcomed – social media campaigns, crowdsourcing and voluntary invoicing have already been suggested (yes, we can issue invoices for our free daily reports or other existing services, to those organizations willing and able to pay them).
We need introductions to the people and organizations with the capital resources on hand to potentially assist (or to at least carry this message much wider, to the right audiences)

All constructive input will be greatly appreciated.

Without immediate assistance from our friends and supporters in the global community, who we have served to the best of our ability for the past 15 years, The Shadowserver Foundation will no longer be able to continue to operate most of our core public benefit services, including free daily network reports for all constituents.

This will remove our ability to notify National CERTs/CSIRTs and network owners of infected victims inside their networks, and prevent timely remediation of abusable, misconfigured or compromised devices globally. Shadowserver is the only free daily service to the entire Internet on this scale, is unique to our long standing community, and provides a proven rapid global response capability.

These services are particularly essential at a time of global uncertainty, where the real world COVID-19 virus outbreak means that millions of people will be highly dependent on the Internet for accurate healthcare information and remote working, or when the next Internet-wide virtual threat outbreak such as Mirai or Wannacry occurs (with the similar remotely wormable CVE-2020-0796 “EternalDarkness” vulnerability having just leaked last week). Millions of malware infected victims all over the world, who are currently being sinkholed and protected from cybercriminal control by Shadowserver, may lose that critical protection – just at the time when governments and businesses are being forced to unexpectedly stretch their corporate security perimeters and allow staff to work from home on their own, potentially unmanaged devices, and the risk of another major Windows worm has increased.

We call on all impacted constituents, partners and members of the community to urgently rally to support Shadowserver’s continuing public benefit operation. Some trusted industry partners are already mobilizing to assist us and we will be reaching out to many more soon.

We hope you will share our passion to ensure a positive outcome, despite these unexpected and difficult circumstances. Please think about the benefit that you and your own constituents have received from Shadowserver’s existence over the years, and what would happen if Shadowserver had not been there, or was no longer available. Please discuss the situation with impacted colleagues, management and peers, and reach out on social media or get in touch by email urgently.

Shadowserver 2020 Urgent Need – The Full Story

Recent Articles

Non-profit consortium launches national scale Cyber Resilience pilot to assess the cyber threat landscape for the NGO sector in The Netherlands

Introducing Report Severity Levels

Qakbot Historical Bot Infections Special Report

Qakbot Botnet Disruption