U.S. Lawmakers Seek Answers from FBI On Delayed Release of Kaseya Ransomware Decryptor

essidsolutions

The U.S. House Committee on Oversight and Reform this week asked the FBI to explain its decision-making process around delaying the release of a decryption key for the Kaseya ransomware. The FBI held on to the key for almost three weeks when an early release could have saved time as well as millions in losses for thousands of organizations.

In July this year, the REvil gang carried out a ransomware attack targeting IT supplier Kaseya. The attack was potentially the most severe ransomware incident the U.S. has seen considering REvil directly targeted the underlying software supply chain of the company. The ramifications were evident from the fact that nearly 1,500 downstream organizations were impacted along with 36,000 customers and thousands of MSPs.

The REvil ransomware gang, also known as Sodinokibi, exploited a zero-day vulnerability (one already known to Kaseya, which was validating a patch at the time) to infiltrate the target network and encrypt computer systems. The cybercriminal syndicate’s exploitation chain involved an authentication bypass, an arbitrary file upload, and finally code injection.

The damage inflicted by the Russia-based group was sufficient for it to demand a ransom of more than $70 million in exchange for decrypting the affected systems. Because the attack encrypted files and locked downstream organizations out of their systems, REvil also priced individual decryptors: $5 million from large organizations, $500,000 from smaller companies, and $45,000 from smaller firms for specific decryptors covering certain file extensions.

Ransomware payouts often provoke differing opinions, given the associated risk. Concerns such as whether the data will decrypt safely, and whether exfiltrated data will actually be returned or deleted, are real. A payout may set an organization back by millions of dollars, but the monetary losses from system and service downtime can be catastrophic. More importantly, an incident can also inflict non-monetary losses, such as a dent in the reputation of the victim organization.

Much of that could have been avoided with the decryption key, which the FBI obtained some time after the attack in the first week of July. However, the FBI chose to withhold the key for 19 days after REvil initially struck Kaseya, according to a report from The Washington Post earlier this week.


In his testimony before Congress, FBI Director Christopher A. Wray said that the delay was a result of “complex decisions,” and “testing and validation.” Validation of the key evidently was not the bottleneck, because antivirus vendor Emsisoft managed to deliver a working decryptor within a day of the key eventually being provided by the FBI on July 21.

The FBI also wanted to keep the key secret because releasing it would have tipped off the ransomware gang ahead of an operation the Bureau was planning against REvil. The FBI had obtained the key by accessing REvil’s servers. But the operation never materialized, because the Russian syndicate went dark, taking down its infrastructure and shutting all operations.

The intelligence and security agency is now being questioned by the U.S. House Committee on Oversight and Reform. The committee has requested “information to understand the rationale behind the FBI’s decision to withhold this digital decryptor key and the agency’s approach to responding to ransomware attacks.”

In a letter to Wray, the oversight committee stated that, “Public reporting raises questions about the FBI’s response to this summer’s ransomware attack. The FBI has stated that it withheld the ransomware key it had previously acquired so the Bureau could engage in an operation to disrupt the Russian-based hackers without tipping them off. Before the FBI could execute its plan, however, the hackers reportedly disappeared and their platform went offline. During this delay, many businesses, schools, and hospitals suffered lost time and money, especially in the midst of the COVID-19 public health crisis.”

The letter, signed by committee chair Rep. Carolyn Maloney (D-New York) and ranking member James Comer (R-Kentucky), further says, “We request a briefing from the FBI on its legal and policy rationale for withholding the digital decryptor key as it attempted to disrupt this cyber attack, and the FBI’s overall strategy for addressing, investigating, preventing, and defeating ransomware attacks.”

“Ransomware hackers have shown their willingness and ability to inflict damage on various sectors of the U.S. economy. Congress must be fully informed whether the FBI’s strategy and actions are adequately and appropriately addressing this damaging trend.”

The FBI has until October 6, 2021, to respond and schedule a briefing.

The REvil infrastructure came back online in early September, as confirmed by Emsisoft threat researcher Brett Callow as well as cybersecurity company Recorded Future.
