Critical Infrastructure Security , Cybercrime , Cybercrime as-a-service
FBI Director Questioned Over Kaseya Decryption Key
Christopher Wray Asked About Report That Bureau Held Key for 3 WeeksFBI Director Christopher Wray faced questions during a Senate hearing Tuesday concerning a published report that the bureau withheld a decryption key that agents obtained from the ransomware gang that targeted software firm Kaseya for almost three weeks as part of its ongoing investigation into the incident.
During a hearing of the Senate Homeland Security and Government Affairs Committee, Sen. Gary Peters, D-Mich., who is the committee chairman, questioned Wray about a Washington Post report that the FBI had obtained the decryption key used by the REvil ransomware gang but withheld sharing it with victims of the attack as the investigation continued.
See Also: The Expert Guide to Mitigating Ransomware & Extortion Attacks
The FBI held onto the decryption key, which the bureau obtained from the gang's servers, because it planned to target REvil's infrastructure and did not want to tip off the cybercriminals. That operation came to a halt when the ransomware group disappeared in July without explanation.
Some security researchers now believe that REvil, aka Sodinokibi, has returned (see: Bad News: Innovative REvil Ransomware Operation Is Back).
At the hearing, however, Peters questioned Wray as to why the FBI withheld distributing the decryption key to Kaseya and the company's approximately 50 managed service provider customers who were infected by REvil ransomware in July. In turn, about 1,500 of those MSPs' customers were also infected with crypto-locking malware - many of which were small businesses with little or no security resources.
Peters noted that the victims spent millions of dollars to recover their data from these attacks and that some could have used the key to offset those costs.
Wray declined to provide specifics during a public hearing, but said that the ransomware attack remains under investigation and that the decision was made by multiple agencies involved.
"There is a lot of testing and validating that is required to make sure that [decryption keys] are going to actually do what they're supposed to do. And there's a lot of engineering that's required to develop the tool [and] put the tool to use," Wray testified. "Sometimes we have to make calculations about how best to help the most people because maximizing the impact is always the goal and whenever we do that in these joint enabled sequenced operations, we are doing it in conjunction with other government agencies and others."
Wray declined to say which other government agencies had been involved in the decision to withhold the key while the investigation continued.
REvil Decryption Key
Earlier this month, security firm Bitdefender released a free decryptor for REvil's ransomware, which first began operating and targeting victims in April 2019. The company noted that its key would not work with all versions of the crypto-locking malware used by the gang but that it could help victims such as those involved in the Kaseya attack (see: Good News: REvil Ransomware Victims Get Free Decryptor).
While it released the free decryptor key, Bitdefender did not specify how the company managed to obtain it. Fabian Wosar, CTO of antivirus vendor Emsisoft, however, hinted in a tweet that law enforcement officials appeared to have obtained the key, although he did not mention the FBI specifically.
Looks like during the takedown of parts of the REvil infrastructure several months ago LEA got their hands on the secret key required to decrypt the ransom note key blobs which include the secret key for the system. Great news for older victims who can decrypt their files now. :)
— Fabian Wosar (@fwosar) September 16, 2021
When Wray responded to Peters' questions about the Kaseya case and obtaining the decryptor key, he noted that any specific details would need to be shared in a classified setting.
Peters also noted that he wants to know if the FBI withheld other decryptor keys as part of other ransomware investigations.
Other Cyber Issues
The original goal of Tuesday's Senate Homeland Security Committee hearing was discuss threats to the U.S. in the 20 years since the terrorist attacks of Sept. 11, 2001, and some of the emerging concerns to the nation's security (see: 20 Years After 9/11: How US Cybersecurity Landscape Evolved).
Both Wray and Secretary of Homeland Security Alejandro Mayorkas testified that issues of cybersecurity, including ransomware and nation-state activity, are one of the main threats to U.S. national security along with terrorism - both domestic and foreign - as well as violent crime and intellectual property theft by countries such as China. Wray and Mayorkas also faced several questions about immigration and the resettling of Afghan refugees in the U.S. after American troops withdrew from that country in August.
"We have recently seen numerous cybersecurity incidents impacting organizations of all sizes and disrupting critical services, from the SolarWinds supply chain compromise to the exploitation of vulnerabilities found in Microsoft Exchange Servers and Pulse Connect Secure devices, to ransomware affecting entities from Colonial Pipeline to JBS Foods to Kaseya," Mayorkas testified during his opening remarks.
Mayorkas also noted that in 2020, about 2,400 state, local, tribal, and territorial governments, healthcare facilities and schools across the U.S. had been targeted by ransomware and that victimized organizations had paid out about $350 million in ransoms, with the average payment exceeding $300,000.
Wray noted that in 2020, the FBI’s Internet Crime Complaint Center saw a 20% increase in the number of ransomware incidents reported.
"As the president has observed, ransomware has evolved into a national security issue, affecting the critical infrastructure we can least afford to be without," Wray said.
Wray also noted that the FBI is focused on cyberthreats from China, which not only include various cyber operations but also the ongoing theft of intellectual property from the U.S. He also noted that Iran and North Korea continue to increase their cyber capabilities, while cybercriminal gangs continue to operate within Russia's borders.
"These are the incidents that garner the most attention, but behind the scenes, the FBI took upwards of 1,100 actions against cyber adversaries last year, including arrests, criminal charges, convictions, dismantlements and disruptions; and enabled many more actions through our dedicated partnerships with the private sector, foreign partners and at the federal, state and local level," Wray said.
During his speech before the United Nations General Assembly on Tuesday, President Joe Biden noted that the U.S. continues to make improvements in the country's cybersecurity.
"We reserve the right to respond decisively to cyberattacks that threaten our people, our allies or our interests," Biden said.