The FBI's Decision to Withhold the Decryption Keys for the Kaseya Ransomware has Sparked Discussion

Many security professionals backed the FBI’s decision to leave Kaseya victims infected for weeks with ransomware.

The FBI had the decryption keys for victims of the massive Kaseya ransomware attack in July, according to the Washington Post, but did not disclose them for three weeks.

The Kaseya attack impacted hundreds of organisations, including dozens of hospitals, schools, businesses, and even a Swedish supermarket chain.

The FBI obtained the decryption keys after gaining access to the servers of REvil, the Russia-based criminal organisation that was behind the enormous attack, according to Washington Post reporters Ellen Nakashima and Rachel Lerman.

Before going black and shutting down large elements of its infrastructure shortly after the attack, REvil wanted a $70 million ransom from Kaseya and thousands of dollars from individual victims. Although the gang has since resurfaced, many organisations are still reeling from the July 4th attack.

Despite the vast number of people who were affected by the attack, the FBI chose to keep the decryption keys to themselves as they prepared to attack REvil’s infrastructure. The FBI did not want to give the decryption keys to REvil operators, according to The Washington Post.

According to The Washington Post, the FBI also indicated that “the impact was not as severe as initially anticipated.”

Officials told the newspaper that the FBI attack on REvil was never carried out as a result of REvil’s disappearance. On July 21, weeks after the incident, the FBI finally handed over the decryption keys to Kaseya. Several victims spoke to The Washington Post about the millions of dollars that were lost and the massive harm that the attacks caused.

Bitdefender received the decryption keys from another law enforcement source, which published a universal decryptor earlier this month for all victims affected before July 13, 2021. According to a Bitdefender spokesman, the decryptor has been utilised by more than 265 REvil victims.

During his appearance before Congress on Tuesday, FBI Director Christopher Wray blamed the delay on other law enforcement agencies and allies who allegedly requested that the keys not be released. He stated that he was constrained in what he could say about the matter because the incident is still being investigated.

“We make the decisions as a group, not unilaterally. These are complex…decisions, designed to create maximum impact, and that takes time in going against adversaries where we have to marshal resources not just around the country but all over the world. There’s a lot of engineering that’s required to develop a tool,” Wray told Congress.

The news sparked heated debate among security professionals, with many defending the FBI’s decision to leave victims battling for weeks to recover from the attack.

Consider this: CISO Mike Hamilton, who dealt with a particularly tricky instance in which a Kaseya victim was left in the dark after paying a ransom just before REvil vanished, stated that being cautious about divulging procedures is a standard practise in law enforcement and intelligence.

“There is a ‘tell’ though, that we’ve confirmed ourselves. The FBI is quoted as saying that the damage wasn’t as bad as they thought and that provided some time to work with. This is because the event wasn’t a typical stealth infiltration, followed by pivoting through the network to find the key resources and backups. From all indications the only servers that were encrypted by the ransomware were the ones with the Kaseya agent installed; this was a smash-and-grab attack,” Hamilton said.

“If you had it deployed on a single server used to display the cafeteria menu, you could rebuild quickly and forget the whole thing happened. The fact that the world wasn’t really on fire, again, created time to dig further into the organization, likely for the ultimate purpose of identifying individual criminals. Those organizations that WERE hit hard had the agent deployed on on-premises domain controllers, Exchange servers, customer billing systems, etc.”

The FBI may have seen the need to prevent or shut down REvil’s operations as outweighing the need to save a smaller group of companies struggling in a single attack, according to Sean Nikkel, senior threat intel analyst at Digital Shadows.

Because of REvil’s growing scale of attacks and extortion demands, a rapidly evolving situation requiring an equally rapid response likely preempted a more measured response to the Kaseya victims, according to Nikkel, who added that while it is easy to judge the decision now that we have more information, it must have been a difficult decision at the time.

“Quietly reaching out directly to victims may have been a prudent step, but attackers seeing victims decrypting files or dropping out of negotiations en masse may have revealed the FBI’s ploy for countermeasures,” Nikkel told ZDNet.

“Attackers then may have taken down infrastructure or otherwise changed tactics. There’s also the problem of the anonymous soundbite about decryption making its way into public media, which could also tip off attackers. Criminal groups pay attention to security news as much as researchers do, often with their own social media presence.”

Open backchannel communications with incident response organisations involved, Nikkel indicated, would have been a preferable strategy to better coordinate resources and response, but he added that the FBI may have already done so.

The incident, according to BreachQuest CTO Jake Williams, is a textbook case of an intelligence gain/loss evaluation.

It’s easy, he continued, for individuals to play “Monday morning quarterback” and criticise the FBI for not disclosing the keys after the fact, as Nikkel did.

Williams did point out, however, that the direct financial impact was almost definitely greater than the FBI thought when it withheld the key to protect its operation.

“On the other hand, releasing the key solves an immediate need without addressing the larger issue of disrupting future ransomware operations. On balance, I do think the FBI made the wrong decision in withholding the key,” Williams said.

“However, I also have the convenience of saying this now, after the situation played itself out. Given a similar situation again, I believe the FBI will release the keys unless a disruption operation is imminent (hours to days away). Because organizations aren’t required to report ransomware attacks, the FBI lacked the full context required to make the best decision in this case. I expect this will be used as a case study to justify reporting requirements.”

Critics must remember, according to John Bambenek, chief threat hunter at Netenrich, that the FBI is first and foremost a law enforcement institution that will always act in a way that optimises law enforcement outcomes.