Sept 22 – New reports indicate that the US Federal Bureau of Investigation (FBI) withheld information pertaining to the Kaseya decryption key for nearly three weeks. This critical information could have enabled the IT group to unlock its network, and possibly those of its clients, in a timely manner.
The decision not to provide Kaseya with the key appears to have been made in conjunction with attempts to expunge REvil from the internet. REvil’s websites seemingly disappeared just ahead of the FBI’s intended sting.
The Kaseya ransomware attack affected as many as 1,500 organizations. The attack occurred just ahead of the Fourth of July weekend. Ultimately, the IT firm opted not to pay the hackers. Instead, the group relied on a decryption key that the company received from a “trusted third party.”
During a Senate Homeland Security and Governmental Affairs Committee hearing on Tuesday, FBI Director Christopher Wray answered questions about the decryption key decision.
“When it comes to the issue of encryption keys or decryption keys, there is a lot of testing and validating that is required to make sure that they are going to actually do what they are supposed to do, and there is a lot of engineering that is required to develop a tool that is required to put the tool in use,” stated Wray.
The decision to withhold the decryption key was made in partnership with CISA and other federal agencies. Wray emphasized that the decision was not made unilaterally, and that it took a wide variety of factors into account. Senators criticized the FBI for opaqueness around the case, noting that they first learned of the decryption key’s withholding via media reports.
“Our strategy is to go after the actors, their infrastructure, and their money, and legislation like this would help us do that,” stated Wray. For more on this story, visit The Hill.