FBI held back ransomware decryption key from businesses to run operation targeting hackers

    aum

    The FBI refrained for almost three weeks from helping to unlock the computers of hundreds of businesses and institutions hobbled by a major ransomware attack this summer, even though the bureau had secretly obtained the digital key needed to do so, according to several current and former U.S. officials.

    The key was obtained through access to the servers of the Russia-based criminal gang behind the July attack. Deploying it immediately could have helped the victims, including schools and hospitals, avoid millions of dollars in recovery costs, analysts estimate.

    But the FBI held on to the key, with the agreement of other agencies, in part because it was planning to carry out an operation to disrupt the hackers, a group known as REvil, and the bureau did not want to tip them off. Also, a government assessment found the harm was not as severe as initially feared. The planned takedown never occurred because in mid-July REvil’s platform went offline — without U.S. government intervention — and the hackers disappeared before the FBI had a chance to execute its plan, according to the current and former officials.

    The previously unreported episode highlights the trade-offs law enforcement officials face between trying to damage cyber criminal networks and promptly helping the victims of ransomware — malware that encrypts data on computers, rendering them unusable.

    The White House has made fighting ransomware a priority, and President Biden has urged Russian President Vladimir Putin to rein in ransomware criminals operating out of Russia.

    “The questions we ask each time are, what would be the value of a key if disclosed? How many victims are there? Who could be helped?” said one individual familiar with the matter, who, like others, spoke on the condition of anonymity to discuss a sensitive matter. “And on the flip side, what would be the value of a potential longer term operation in disrupting an ecosystem? Those are the questions we will continue to have to balance.”

    The FBI finally shared the key with Kaseya, the IT company whose software was infected with malware, on July 21 — nineteen days after it was hit.

    By then, it was too late for some victims.

    “The decryptor key would have been nice three weeks before we got it, but we had already begun a complete restoration of our clients’ systems,” said Joshua Justice, owner of the Maryland IT company JustTech, which had about 120 clients affected by the attack.

    The FBI, without commenting on the specific case, said delays are inevitable when working with other U.S. agencies and international partners.

    “In general,” said an FBI official, “a lot of our cyber investigations focus on our interagency collaboration because that’s imperative to the success of any of our operations. Although this takes time, it also allows us to have the largest impact while helping the most victims or even potential victims.”

    “What sometimes can be seen as a perceived delay” can be justified by “the complexities” of carrying out operations with other agencies and international partners, said the official, who spoke on the condition of anonymity in accordance with FBI rules.

    The official added, “the FBI must be cautious and deliberate in what is provided to victims. The solution must be rigorously tested and risks associated with decryptors must be mitigated.”

    The Justice Department and White House declined to comment.
