Content, Ransomware

FBI Withheld REvil Ransomware Decryptor Key As Some MSPs Suffered Encryption


The Federal Bureau of Investigation (FBI) admitted that it hid for nearly three weeks a decryption key that would have unfrozen systems of dozens of MSPs and hundreds of businesses crippled by the REvil ransomware attack on Kaseya’s VSA software in July.

The FBI's decision, though likely painful for roughly 60 MSPs and 1,500 downstream customers impacted by the attack, sounds somewhat akin to a famous Star Trek quote from Spock: “Logic clearly dictates that the needs of the many outweigh the needs of the few."

Indeed, the FBI -- which apparently obtained the key by boring into REvil’s servers -- justified its actions by claiming it needed the tool to run an operation to trap the hackers and potentially head-off future attacks, the Washington Post reported. Other federal entities and allies were reportedly aware of the FBI’s decision to withhold the key.

Releasing the tool, however, might have allowed impacted businesses to recover more quickly and/or effectively from the attack. The REvil gang subsequently demanded a $70 million ransom payment in exchange for a universal decryptor to unlock all victims of the assault. Kaseya never paid the ransom.

The FBI's Thought Process

The FBI’s reluctance to hand Kaseya the decryptor key is another instance of the conundrum law enforcement faces that pits the big picture against saving innocent bystanders, in this case MSPs and businesses, from avoidable, perhaps irrecoverable financial harm.

“The questions we ask each time are: What would be the value of a key if disclosed? How many victims are there? Who could be helped?” a person with knowledge of the trade off told the Post. “And, on the flip side, what would be the value of a potential longer-term operation in disrupting an ecosystem? Those are the questions we will continue to have to balance.”

The delay in providing the decryption tool to Kaseya stemmed in part from the FBI’s collaboration with other agencies and allies, and “testing and validating” the key, director Christopher Wray told a Senate Security Committee hearing, the Post reported. “We make the decisions as a group, not unilaterally,” he said. “These are complex . . . decisions, designed to create maximum impact, and that takes time in going against adversaries where we have to marshal resources not just around the country but all over the world.” Wray said the investigation is ongoing, the Post reported.

Kaseya Taps Emsisoft for Help

Nearly three weeks after the Kaseya hit, the FBI showed the key to Kaseya, which subsequently asked cybersecurity provider Emsisoft to create a fresh decryption tool that Kaseya released the following day to MSPs. Owing to its familiarity with REvil, refreshing the tool took only a matter of minutes, Emsisoft said at the time, suggesting the FBI’s reluctance to provide the key immediately to Kaseya had injured the victims even more.

“The decryptor key would have been nice three weeks before we got it, but we had already begun a complete restoration of our clients’ systems,” Joshua Justice, who owns JustTech, a La Plata, Maryland-based IT services provider, told the Post. Some 120 of JustTech’s customers were compromised by the attack.

On September 16, 2021, security provider Bitdefender released a universal decryptor tool to help victims of REvil/Sodinokibi ransomware to restore their files and recover from attacks made before July 13, 2021.

U.S. Government vs. Ransomware

The Biden Administration has made counter punching ransomware cyber gangsters one of its main priorities. The White House this week revealed specific actions aimed at disassembling the financial ecosystem that underwrites ransomware hackers. The strategy calls for the U.S. Treasury Department to impose sanctions on cryptocurrency exchanges that pave the way for hackers to whisk away millions of dollars from cyber data freezing scores.

And, before the year ends, the government will detail additional rules to crumble money laundering activities and terrorism financing. In addition, the Treasury Department’s Office of Foreign Assets Control intends to educate businesses on how not to run afoul of U.S. law should they elect to accede to a ransomware extortionist’s demands.

Along with the Kaseya hit, REvil has also been fingered for the attack on meat producer JBS USA. In exchange for meeting its ransom demands, the crew is known to give its ransomware targets a universal decryptor that unlocks their file extensions used against them. It’s not known if it did so in the JBS event. The company reportedly paid $11 million to restore its systems.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.