The House Committee on Oversight and Reform has requested a briefing to understand the rationale behind the FBI’s decision to delay providing the victims of the Kaseya REvil ransomware with a universal decryption key for three weeks.
“To understand the FBI’s decision, the lawmakers are requesting a briefing from the FBI on its legal and policy rationale for withholding the ransomware key, as well as the FBI’s overall strategy for addressing, investigating, preventing, and defeating ransomware attacks,” the Committee said in a press release on Wednesday.
As Committee Chairwoman Carolyn B. Maloney said in a letter addressed to FBI Director Wray, during the FBI’s delay in helping the REvil ransomware victims, many businesses, schools, and hospitals lost money and time while trying to recover their data and restore impacted systems.
“Although the Federal Bureau of Investigation (FBI) reportedly obtained a digital decryptor key that could have unlocked affected systems, it withheld this tool for nearly three weeks as it worked to disrupt the attack, potentially costing the ransomware victims—including schools and hospitals—millions of dollars,” Maloney added.
“We request a briefing from the FBI on its legal and policy rationale for withholding the digital decryptor key as it attempted to disrupt this cyber attack, and the FBI’s overall strategy for addressing, investigating, preventing, and defeating ransomware attacks.
“Congress must be fully informed whether the FBI’s strategy and actions are adequately and appropriately addressing this damaging trend.”
Ongoing joint investigation likely behind delay
Last week, FBI Director Christopher A. Wray testified before Congress, saying that the federal law enforcement agency withheld the decryption key for almost three weeks because it planned an operation to disrupt the Russian REvil ransomware gang without tipping them off, according to a Washington Post report.
However, before the FBI could execute its takedown plan, REvil shut down operations, took down its infrastructure in mid-July, and disappeared after its leak sites also went offline overnight. The FBI declined to comment when BleepingComputer reached out to ask about the shutdown of REvil’s servers.
Wray also said to Congress that the delay was the direct result of the FBI coordinating with other agencies and allies.
“We make the decisions as a group, not unilaterally,” Wray said while refraining from providing more info due to an ongoing investigation.
“These are complex [..] decisions, designed to create maximum impact, and that takes time in going against adversaries where we have to marshal resources not just around the country but all over the world.”
FBI: Creating a decryptor takes time
Another reason invoked by Wray for the delay in helping the Kaseya attack victims was the time needed to test and validate the decryption key, and build a decryptor that could be used to recover encrypted files.
However, the universal key provided by the FBI to Kaseya was quickly put to use by Emsisoft, which tested it and developed a decryptor within 10 minutes, primarily because of the company’s extensive experience with REvil ransomware.
The Kaseya supply-chain ransomware attack coordinated by the REvil gang hit roughly 50 managed service providers (MSPs) as well as up to 1,500 downstream businesses.
“The attack had limited impact, with only approximately 50 of the more than 35,000 Kaseya customers being breached,” Kaseya said after the incident.
“Of the approximately 800,000 to 1,000,000 local and small businesses that are managed by Kaseya’s customers, only about 800 to 1,500 have been compromised.”
This was not the first time ransomware groups have attacked Kaseya’s cloud-based MSP platform in recent years.
GandCrab, REvil (Sodinokibi), and Ragnar Locker also targeted Kaseya’s remote management tools to make it harder for victims’ MSPs to block ongoing ransomware attacks.