FBI withheld decryption key for Kaseya ransomware attack for three weeks: report

Getty

The FBI allegedly withheld the release of a decryption key for almost three weeks that could have assisted groups crippled by the massive ransomware attack on IT group Kaseya earlier this year to unlock their networks. 

The Washington Post reported on Tuesday that the FBI and other federal agencies made the decision to not give Kaseya the key while it pursued an operation to knock REvil, the cybercriminal group behind the attack, offline. Websites used by REvil went dark prior to the FBI’s planned operation. 

The ransomware attack on Kaseya, which took place just prior to the Fourth of July weekend, impacted up to 1,500 groups. Kaseya chose not to pay the ransom demanded by the hackers, and instead used a decryption key that the company said it had received from a “trusted third party” weeks after the attack.  

The FBI declined to comment on the report to The Hill. 

FBI Director Christopher Wray was questioned about the decision during a Senate Homeland Security and Governmental Affairs Committee hearing Tuesday, with Wray avoiding giving details on the decision due to the ongoing investigation into the incident. 

“When it comes to the issue of encryption keys or decryption keys, there is a lot of testing and validating that is required to make sure that they are going to actually do what they are supposed to do, and there is a lot engineering that is required to develop a tool that is required to put the tool in use,” Wray testified. “Sometimes we have to make calculations about how best to help the most people, because maximizing impact is always the goal.”

He emphasized that the FBI makes decisions such as withholding decryption keys in conjunction with other agencies, including the Cybersecurity and Infrastructure Security Agency (CISA).

“We make the decisions as a group not unilaterally, and these are complex, case-specific decisions designed to create maximum impact, and that takes time in going against adversaries where we have to marshal resources not just around the country, but all over the world,” Wray said. 

Committee Chairman Gary Peters (D-Mich.) criticized the FBI for its lack of transparency on the case, noting that he had first learned about the withheld decryption key through The Washington Post’s report. 

“I certainly understand and respect that Kaseya is an ongoing investigation here, but the FBI’s decisions here may have cost millions of dollars, and possibly even more than that,” Peters said during the hearing. “The FBI in my mind is going to need to explain this action, we need to know who signed off on it, who was aware, and whether the cost to the bottom line to Americans families and businesses was considered in that decision process.” 

The attack on Kaseya came on the heels of escalating damaging ransomware attacks against U.S. companies, including separate attacks in May on Colonial Pipeline and meat producer JBS USA. Hospitals and schools have also become victims of ransomware attacks during the COVID-19 pandemic, with hackers looking for targets more likely to pay. 

Congress is currently considering multiple bipartisan proposals around cyber incident reporting to help the federal government get a handle on ransomware attacks, with Wray testifying in support of the legislation Tuesday. 

“Our strategy is to go after the actors, their infrastructure, and their money, and legislation like this would help us do that,” Wray testified.

Tags Christopher Wray CISA Cybercrime FBI Gary Peters Kaseya Ransomware attack Russia

Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.