The Kaseya ransomware attack of July was particularly devastating to small businesses in the United States, with an estimated 800 to 1,500 companies impacted. The incident came to a surprising end when a universal decryption key was released, but it has been discovered that the FBI quietly held on to the key for three weeks prior to making it available to the public in a bid to “disrupt” the attack.
This information has raised some serious questions, particularly because the perpetrators disappeared from the internet some time prior to the release of the decryption key. Congress has now taken up the issue, first questioning FBI director Chris Wray in a hearing and now requesting that the agency provide a written briefing explaining its actions.
A bipartisan committee is seeking to find out exactly what reasoning the FBI used in keeping the key under wraps for nearly a month, time in which ransomware victims might have been able to use it instead of making a ransom payment or losing data.
Congress demands to know why FBI sat on Kaseya decryption key
Unfolding in early July, the attack on managed service provider Kaseya cascaded out to hit about a thousand of its clients. Threat actor REvil, already notorious for its ransomware attacks on Microsoft Exchange Server users and the meat packing giant JBS, took responsibility for the breach and offered Kaseya the option of purchasing a master decryption key for $70 million.
After about two weeks, REvil suddenly pulled its entire public-facing infrastructure from the internet. In late July, over a week after this happened, Kaseya announced that it had received the decryption key from a “trusted source” that it would not name.
Unsurprisingly, that source turned out to be the FBI. What is surprising is that US government agencies apparently had some sort of prior penetration into REvil’s operations, and had actually acquired the decryption key very shortly after the Kaseya attack happened.
In late September, the Washington Post published a story revealing that the FBI had been holding onto the key with the knowledge and agreement of other agencies. The Post cited several anonymous US officials as sources. The FBI and other agencies apparently felt that distributing the key would tip off REvil that their servers had been penetrated, as they worked behind the scenes to identify the players and put them out of business for good.
As it turns out, the secrecy was pointless; REvil abruptly went out of business on its own in mid-July, possibly after becoming aware that government groups were in its servers. However, the FBI held on to the key for about 10 days after the group’s “Happy Blog” and other infrastructure used for receiving ransom payments disappeared from the dark web.
FBI attempts to defend delay
This touched off a storm of criticism from both victims and members of Congress. FBI director Wray admitted to the delay, defending it by saying that the agencies involved had to make the decision as a group and that they had concluded the breach was not “as severe” as initially thought.
The director also invoked testing of the decryption key as a reason for the delay, saying that such tools received from criminal actors are often slow and lacking in function. However, upon receiving the decryption key, security firm Emsisoft was able to create a functional decryption tool for victim use in about 10 minutes. The firm said that it was able to move quickly because of its prior experience with REvil’s ransomware, but if it had been an entirely new type of ransomware the tool could have been developed within a few hours.
Some of the Kaseya clients that were infected had been left in the lurch when REvil disappeared, unable to make payments to the group to have their files decrypted (and in some cases, to prevent them from being publicly disclosed on the Happy Blog). Dana Liedholm, spokesperson for Kaseya, said that the firm had 54 clients still looking to decrypt files when the decryption key was received and said that it was able to help “some” of those that lacked the ability to restore their systems from backups.
Oliver Tavakoli, CTO at Vectra, thinks that the FBI and other agencies should not automatically be assumed to be at fault here given the lack of insight anyone has into their operations. He echoes some of the points that the agency made about weighing the costs of giving up operational assets in terms of overall victim count: “The decisions of law enforcement are easy to criticize in hindsight. While the FBI had the decryption keys, the plan to take down REvil infrastructure in an effort to head off future attacks had to be weighed against the desire to help victims of the Kaseya attacks. It’s easy to second-guess that decision since REvil appeared to dismantle elements of the infrastructure and thus the law enforcement plan to take it down was thwarted. However, hindsight is always 20/20.”
Wherever the blame may ultimately lie, the FBI’s operations did not put a permanent end to REvil. The group returned to action in mid-September, compromising new victims and publishing the documents of payment refusers on its revived Happy Blog.