July witnessed the ever-impactful Kaseya attack by the REvil Ransomware group two weeks before their abrupt shutdown. Although Kaseya claims that only a small percentage of customers were affected, since Kaseya’s customer base consists of managed service providers, up to 1,500 businesses downstream felt the heavy impact of their data encryption.
Despite Kaseya’s refusal to pay the $70 Million ransom, about three weeks after the attack, the company revealed that it had obtained the universal decryption key from a third party. At the time, the company did not release the source of the key but was proactive in helping its affected customers. In a recent report, the Washington Post revealed that the third party was the FBI.
Information has come to light that the FBI had access to the decryption key weeks before handing it over to Kaseya. By the time the FBI had released the key into Kaseya’s hands, recovery efforts were well underway. As was expected, in the aftermath of the attack, organisations affected were scrambling to find solutions to retrieve their data and continue their operations. Had they waited for the intervention, they would have suffered losses that may have resulted in their complete shutdown.
Whilst small organisations with no financial security struggled and spent large amounts of money trying to recover their data, the FBI and other government agencies had allegedly concealed their possession of the universal decryption key. The reason for this secrecy was a failed operation to “disrupt” the hackers.
In a Senate Homeland Security and Governmental Affairs Committee hearing, as reported by TheHill, FBI Director Christopher Wray came out to say, “Sometimes we have to make calculations about how best to help the most people because maximising impact is always the goal.” This ‘for the greater good’ narrative ended with no definitive good outcomes and cost the victims, which included hospitals and schools, millions of dollars in recovery efforts, raising the question of whether decisions made within these types of situations can have the desired outcomes.
Following the FBI’s failed attempt to thwart the REvil Ransomware group, the group has once again resurfaced, ready to leave a trail of suffering organisations in its path. The only bright side of the situation for organisations that were hit before the temporary disappearance of the Russian ransomware group is that cybersecurity company Bitdefender released a free universal decryptor for victims of REvil’s past campaigns.
Stemming from the astounding revelation was also the question of how the FBI was able to obtain said key. As reported by the Washington Post, the key was obtained through the infiltration of REvil’s servers.
In an attempt to defend the actions of the FBI and several other US government agencies regarding the timeline, Wray claims, “When it comes to the issue of encryption keys or decryption keys, there is a lot of testing and validating that is required to make sure that they are going to actually do what they are supposed to do, and there is a lot of engineering that is required to develop a tool that is required to put the tool in use.”
On the flip side, in a comment made to the Washington Post, Fabian Wosar, the CTO of Emsisoft, explained that it took the company all of 10 minutes to extract, create, and test the decryptor. This comment casts doubt on the FBI Director’s claims.
With the resurfacing of the Russian-based group, it will be interesting to observe if the FBI will take another stab at them.