Many security professionals backed the FBI’s decision to leave Kaseya victims infected for weeks with ransomware.
The FBI had the decryption keys for victims of the massive Kaseya ransomware attack in July, according to the Washington Post, but did not disclose them for three weeks.
The Kaseya attack impacted hundreds of organisations, including dozens of hospitals, schools, businesses, and even a Swedish supermarket chain.
The FBI obtained the decryption keys after gaining access to the servers of REvil, the Russia-based criminal organisation that was behind the enormous attack, according to Washington Post reporters Ellen Nakashima and Rachel Lerman.
Before going dark and shutting down large parts of its infrastructure shortly after the attack, REvil demanded a $70 million ransom from Kaseya and thousands of dollars from individual victims. Although the gang has since resurfaced, many organisations are still reeling from the July 4th attack.
Despite the vast number of people affected by the attack, the FBI chose to keep the decryption keys to itself while it prepared an operation against REvil’s infrastructure, because, according to The Washington Post, it did not want to tip off REvil’s operators.
According to The Washington Post, the FBI also indicated that “the impact was not as severe as initially anticipated.”
Officials told the newspaper that the planned FBI operation against REvil was never carried out because REvil disappeared. On July 21, weeks after the incident, the FBI finally handed over the decryption keys to Kaseya. Several victims spoke to The Washington Post about the millions of dollars they lost and the massive harm the attacks caused.
Bitdefender, which received the decryption keys from another law enforcement source, published a universal decryptor earlier this month for all victims infected before July 13, 2021. According to a Bitdefender spokesman, the decryptor has been used by more than 265 REvil victims.
During his appearance before Congress on Tuesday, FBI Director Christopher Wray blamed the delay on other law enforcement agencies and allies who allegedly requested that the keys not be released. He stated that he was constrained in what he could say about the matter because the incident is still being investigated.
The news sparked heated debate among security professionals, with many defending the FBI’s decision to leave victims battling for weeks to recover from the attack.
CISO Mike Hamilton, who handled a particularly tricky case in which a Kaseya victim was left in the dark after paying a ransom just before REvil vanished, said that being cautious about divulging methods is standard practice in law enforcement and intelligence.
“If you had it deployed on a single server used to display the cafeteria menu, you could rebuild quickly and forget the whole thing happened. The fact that the world wasn’t really on fire, again, created time to dig further into the organization, likely for the ultimate purpose of identifying individual criminals. Those organizations that WERE hit hard had the agent deployed on on-premises domain controllers, Exchange servers, customer billing systems, etc.”
The FBI may have seen the need to prevent or shut down REvil’s operations as outweighing the need to save a smaller group of companies struggling in a single attack, according to Sean Nikkel, senior threat intel analyst at Digital Shadows.
Given REvil’s growing scale of attacks and extortion demands, a rapidly evolving situation that required an equally rapid response likely took priority over a more measured response to the Kaseya victims, Nikkel said. He added that while it is easy to judge the decision now that more information is available, it must have been a difficult call at the time.
Nikkel said that opening backchannel communications with the incident response organisations involved would have been a better way to coordinate resources and response, but added that the FBI may already have done so.
The incident, according to BreachQuest CTO Jake Williams, is a textbook case of an intelligence gain/loss evaluation.
Echoing Nikkel, he continued that it is easy for people to play “Monday morning quarterback” and criticise the FBI after the fact for not disclosing the keys.
Williams did point out, however, that the direct financial impact was almost certainly greater than the FBI assumed when it withheld the keys to protect its operation.
Critics must remember, according to John Bambenek, chief threat hunter at Netenrich, that the FBI is first and foremost a law enforcement institution that will always act in a way that optimises law enforcement outcomes.