The Kaseya ransomware attack, which occurred in July and affected as many as 1,500 companies worldwide, was a big, destructive mess—one of the largest and most unwieldy of its kind in recent memory. But new information shows the FBI could have lightened the blow victims suffered but chose not to.
A new report from the Washington Post shows that, shortly after the attack, the FBI came into possession of a decryption key that could unlock victims’ data—thus allowing them to get their businesses back up and running. However, instead of sharing it with them or Kaseya, the IT firm targeted by the attack, the bureau kept it a secret for approximately three weeks.
The feds reportedly did this because they were planning an operation to “disrupt” the hacker gang behind the attack—the Russia-based ransomware provider REvil—and didn’t want to tip their hand. However, before the FBI could put its plan into action, the gang mysteriously disappeared. The bureau finally shared the decryption key with Kaseya on July 21—about a week after the gang had vanished.
A decryption key, which is typically only sent to a victim after they have paid their attacker, unscrambles the data that is encrypted during a ransomware attack and can help an infected company to recover. However, they don’t always work super well—which is part of the reason why authorities insist that victims should never pay ransoms.
So, how did the FBI come into possession of REvil’s decryption key? That part is quite odd. The government apparently retrieved it via “access to the servers” of the ransomware gang, though it’s unclear how they got that access or why it was so easy to come by shortly after the attack.
The end result of the bureau’s aborted operation, then, is that it apparently withheld a critical tool that could have helped organizations affected by the attack to avoid estimated “millions of dollars in recovery costs.” Such organizations included schools, hospitals, and droves of small businesses.
Sources interviewed by the Washington Post chalk this ordeal up to a routine cost-benefit analysis that federal agencies must go through when pursuing criminals.
“The questions we ask each time are, what would be the value of a key if disclosed? How many victims are there? Who could be helped?” one source told the newspaper. “And on the flip side, what would be the value of a potential longer-term operation in disrupting an ecosystem? Those are the questions we will continue to have to balance.”
When reached for comment via email on Tuesday, a spokesperson for Kaseya told Gizmodo that they were “grateful for the support we were given by the FBI” and couldn’t “comment on their decisions regarding timing of the release of the key.”
The FBI did not yet respond to a request for comment.
Frankly, this development raises a lot more questions than it answers. For one thing, it means that the government had access to the hackers’ servers and, therefore, the decryption key, almost immediately after the attack took place. While the Post story does not divulge the precise date that the bureau came into possession of the key, we know that Kaseya first publicly disclosed that it had the key on July 22—around three weeks after the attack took place. How and why the FBI would have been able to nab the key so quickly is a little bit baffling.
That said, it’s not the first time that the feds have, in the course of investigating a ransomware attack, conjured up a pivotal piece of the investigative puzzle, seemingly out of thin air. After the Colonial Pipeline attack occurred in May, the government similarly managed to get its hands on the key to the attacking ransomware gang’s crypto wallet—allowing them to claw back much of the ransom that had been paid to the criminals. This operation, which saw the Justice Department confiscate millions in crypto, was never fully explained to the public.
One thing is for sure: The business owners who suffered as a result of the Kaseya attack are not particularly happy about the deferred decryption. Describing July as a “month of hell,” Joshua Justice, who owns affected Maryland IT company JustTech, told the Post that the period after the attack had cost his business a whole lot of grief.
“I had grown individuals crying to me in person and over the phone asking if their business was going to continue,” he said. “I had one man say ‘Should I just retire? Should I let my employees go?’ ”