The FBI refrained from supplying the ransomware decryption key to the Kaseya company in July for almost three weeks after obtaining it, according to an exclusive report by the Washington Post. About 1,500 organizations including schools, hospitals and food chains were hit following the breach of the servers of Kaseya, whose software is used for remote computer management.
According to the report, the FBI succeeded in breaching the servers of the malicious group REvil, which took responsibility for the attack, but kept this a secret because it wanted to take action to stop the group's operations without raising suspicion. But shortly after the attack, REvil halted its operations and disappeared from the dark web – until recently. The Washington Post reported that the group disappeared before the FBI could act against it.
REvil, one of the main ransomware groups, was also behind other major attacks such as the one against giant meat supplier JBS a number of months ago. The group, also known as Sodinokibi, is suspected of operating from Russian territory, and is one of the sources of tension between Washington and Moscow. REvil initially demanded $50 million in ransom, but Kaseya says it did not pay and that it received the decryption key anyway. The FBI has never admitted that it supplied the decryption key, which was also leaked on various forums.
During a U.S. Senate Homeland Security Committee hearing on Tuesday, the director of the FBI, Christopher Wray, was asked about the report regarding the decryption key. The chairman of the committee, Senator Gary Peters, pointed out to Wray that victims of the attack were forced to spend huge amounts of money to restore the data that was stolen. Wray responded that he had to constrain his remarks because the investigation is still underway, but said that the decision was not a unilateral one by the FBI.
"These are complex…decisions, designed to create maximum impact, and that takes time in going against adversaries where we have to marshal resources not just around the country but all over the world," Wray testified at the hearing regarding threats to homeland security 20 years after the September 11 terrorist attacks. He spoke at length about the dangers on the cyber front.
Last week, data security company Bitdefender announced that it had succeeded in developing a universal decryptor for REvil ransomware "in collaboration with a trusted law enforcement partner", and that the company is offering the decryptor for free. Regarding the attack on Kaseya, a statement posted on the company's website said: "Please note this is an ongoing investigation and we can't comment on details related to this case until authorized by the lead investigating law enforcement partner. Both parties believe it is important to release the universal decryptor before the investigation is completed to help as many victims as possible."
The company added that it believes new attacks by REvil are imminent following the group's recent return to the dark web. "We urge organizations to be on high alert and to take necessary precautions," it said.