Skip to main content
close search
site logo

FBI justifies its decision to withhold Kaseya decryptor

The law enforcement agency prioritized the long-term benefits of a delay over the immediate decryption key release.

Published Nov. 17, 2021
Samantha Schwartz's headshot
Samantha Schwartz Reporter
The U.S Capitol Rotunda is in front of a designed background of $100 bills.
Getty via Getty Images

Members of the House Committee on Oversight and Reform questioned the FBI's decision to withhold REvil's decryption key for about three weeks after the Kaseya ransomware attack in early July. But the FBI prioritized the long-term benefits of a delay over the immediate decryption key release.

"If any one of us had a loved one with a disease and we could take a longer-term approach to completely eradicate that disease … Perhaps with a little discomfort for a loved one, we probably prefer that over a less effective, shorter-term solution," Bryan Vorndran, assistant director of the FBI's Cyber Division, said during a hearing Tuesday. The FBI's decision to keep the decryption key was "very, very complicated," and included multiple agencies. 

For private companies affected by the Kaseya supply chain, the FBI's choice meant businesses lost money. "We get complaints from businesses as their representatives and their members of Congress about decisions that government agencies make," Rep. James Comer, R-Ky., said during the hearing. "It's always frustrating when the government agencies or the bureaucrats don't take into consideration how much this decision will actually cost."

The ransomware attack on Kaseya was part of a larger effort to slow, and prevent, further REvil attacks. The FBI was also unwilling to trust the decryptor at face value, and mass distribute it. 

The decryption keys for Kaseya "that you're referring to were developed and coded by safe harbor criminals … Obviously, simply grabbing malware that's been coded by criminals in Russia and deploying it onto U.S. infrastructure would not be a wise decision," Vorndran said. The FBI tested the decryptor in different environments to ensure the threat actors were not deploying additional backdoors through the key. 

The National Cyber Director (NCD) office was not yet established when the Kaseya attack occurred, though NCD Chris Inglis' understanding of the decision also favors maximum return. "There's something between zero and infinity that you have to then come down on to align timeliness and breadth," when racing against threat actors. When the security community reveals what they know too soon, bad actors have enough time to adjust their code and actions. 

Attribution has long troubled the cybersecurity community and U.S. intelligence is constantly determining whether cybercriminals moonlight as nation states, or state actors are hiring criminals. While how much overlap there is between nation states and criminals is a "classified discussion, it is a blended threat," Vorndran said. 

"In a best case scenario, we only see about 20% of the intrusions in the country, no different than our partners at [the Cybersecurity and Infrastructure Security Agency]," Vorndran said. Intelligence has some gaps in determining those connections, but the FBI has not seen a decrease in ransomware attacks, specifically those originating from Russia, according to Vorndran.

The Internet Computer Complaint Center (IC3) received more than 2,000 ransomware complaints between January to July 31 this year — mounting to nearly $17 million in losses. While the reporting amount is still limited, the number of reports increased 62% between 2020 and 2021. 

With ransomware reporting so low, the federal government has to cling to the data that actually is shared. The issue is, there are so many points of contact for organizations — the FBI, CISA, the Secret Service — that a ransomware victim may not know who to contact first. 

How different federal agencies handle an incident is still a point of confusion for victim organizations and Congress. 

Those three specific agencies regularly coordinate, and the FBI regularly informs CISA of incidents. If a company is hit with ransomware, it is sufficient to report it only to CISA, just as it is with other agencies, Rep. Jamie Raskin, D-Md., said. Even if a company is the victim of a ransomware crime, it doesn't have to report to the FBI first. 

"The design and the intended operation is that having told one of them that all of them will then know and be able to respond with their unique authorities," Inglis said during the hearing. "The caveat here is that we're kind of allowing for the fact that the system is not perfect." 

If for some reasons multiple agencies are not informed, it would be accidental in nature, Inglis said. There are no policies forbidding interagency communication. 

Recommended Reading

Editors' picks

Company Announcements

View all | Post a press release
Clay Platte Family Medicine Data Breach Investigation
From Migliaccio and Rathod LLP
October 21, 2024
Traceable Releases 2025 State of API Security Report: API Breaches Persist as Fraud, Bot Attac…
From Traceable AI
October 30, 2024
Abbott Laboratories Employees Credit Union (“ALEC”) Data Breach Investigation
From Migliaccio and Rathod LLP
October 21, 2024
DigiCert Welcomes Lakshmi Hanspal as New Chief Trust Officer
From DigiCert
October 24, 2024
Editors' picks
Latest in Cyberattacks
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell