The Washington PostDemocracy Dies in Darkness

FBI held back ransomware decryption key from businesses to run operation targeting hackers

Law enforcement faces trade-offs between trying to damage cyber criminal networks and promptly helping victims of ransomware. (Yuri Gripas/Reuters)

The FBI refrained for almost three weeks from helping to unlock the computers of hundreds of businesses and institutions hobbled by a major ransomware attack this summer, even though the bureau had secretly obtained the digital key needed to do so, according to several current and former U.S. officials.

The key was obtained through access to the servers of the Russia-based criminal gang behind the July attack. Deploying it immediately could have helped the victims, including schools and hospitals, avoid what analysts estimate was millions of dollars in recovery costs.

But the FBI held on to the key, with the agreement of other agencies, in part because it was planning to carry out an operation to disrupt the hackers, a group known as REvil, and the bureau did not want to tip them off. Also, a government assessment found the harm was not as severe as initially feared. The planned takedown never occurred because in mid-July REvil’s platform went offline — without U.S. government intervention — and the hackers disappeared before the FBI had a chance to execute its plan, according to the current and former officials.

The previously unreported episode highlights the trade-offs law enforcement officials face between trying to damage cyber criminal networks and promptly helping the victims of ransomware — malware that encrypts data on computers, rendering them unusable.

The White House has made fighting ransomware a priority, and President Biden has urged Russian President Vladimir Putin to rein in ransomware criminals operating out of Russia.

Biden tells Putin the U.S. will take ‘any necessary action’ to defend critical sectors attacked by ransomware

“The questions we ask each time are: What would be the value of a key if disclosed? How many victims are there? Who could be helped?” said one individual familiar with the matter, who, like others, spoke on the condition of anonymity to discuss a sensitive matter. “And on the flip side, what would be the value of a potential longer-term operation in disrupting an ecosystem? Those are the questions we will continue to have to balance.”

The FBI finally shared the key with Kaseya, the IT company whose software was infected with malware, on July 21 — 19 days after it was hit. Kaseya asked New Zealand-based security firm Emsisoft to create a fresh decryption tool, which Kaseya released the following day.

By then, it was too late for some victims.

“The decryptor key would have been nice three weeks before we got it, but we had already begun a complete restoration of our clients’ systems,” Joshua Justice, owner of the Maryland IT company JustTech, which had about 120 clients affected by the attack.

On Tuesday, FBI Director Christopher A. Wray, testifying before Congress, indicated the delay stemmed in part from working jointly with allies and other agencies. “We make the decisions as a group, not unilaterally,” he said, noting that he had to constrain his remarks because the investigation was ongoing. “These are complex . . . decisions, designed to create maximum impact, and that takes time in going against adversaries where we have to marshal resources not just around the country but all over the world.”

He also suggested that “testing and validating” the decryption key contributed to the delay. “There’s a lot of engineering that’s required to develop a tool” that can be used by victims, he said at a Senate Homeland Security Committee hearing.

Emsisoft, however, was able to act quickly. It extracted the key from what the FBI provided Kaseya, created a new decryptor and tested it — all within 10 minutes, according to Fabian Wosar, Emsisoft chief technology officer. The process was speedy because the firm was familiar with REvil’s ransomware. “If we had to go from scratch,” Wosar said, “it would have taken about four hours.”

The Justice Department and White House declined to comment.

Anatomy of a ransomware attack

In June, REvil attacked JBS, the world’s largest meat supplier, temporarily shutting down some operations in Australia, Canada and the United States.

A month later, just before the Fourth of July weekend, it hit Kaseya, affecting small towns in Maryland, grocery stores in Sweden and schools in New Zealand.

In that July attack, REvil hacked the software provided by Kaseya, a Miami-based IT firm, and 54 of Kaseya’s clients were infected. Many of the victims were “managed service providers” that furnish IT software to customers to improve network efficiency. Hundreds of the managed service providers’ customers, who were using Kaseya software, were in turn victimized. Kaseya estimated between 800 and 1,500 businesses in total were infected.

Justice, whose JustTech company is one of Kaseya’s MSP clients, spent more than a month restoring his clients’ systems. “I had grown individuals crying to me in person and over the phone asking if their business was going to continue,” he said. “I had one man say, ‘Should I just retire? Should I let my employees go?’ ”

Without the key to restore encrypted data to a readable state, victims were forced to try to retrieve backup copies of data or to replace their systems — both expensive and time-consuming processes.

Justice had security teams working 18-hour shifts to get the company’s own and its clients’ systems back up and running. It was, Justice said, “a month of hell.”

Swedish grocery store chain Coop said it does not yet know how much it cost to temporarily shutter its stores. “We had to close about 700 of our stores, and it took six days before all of them opened again,” spokeswoman Helena Esscher said in an email. “The financial impact depends on several factors, such as loss of sales, of course, but also insurances and to what extent they cover events like that which occurred.”

Two analysts that study grocery chains said Coop’s closure could have cost the company millions of dollars in lost business.

Pressure builds on Biden to curb ransomware attacks

Kaseya chief executive Fred Voccola has said he believes the damage done by the attack was not as great as initially feared. He said in a video message the week following the attack that the company worked quickly to prevent the damage from spreading. “If I was you, I’d be very, very frustrated — and you should be,” he said. But, he added, “People make the story, make the impact of this, larger than what it is.”

Kaseya spokeswoman Dana Liedholm declined to comment on who provided the key. Kaseya did not pay a ransom and never engaged with REvil, Liedholm said.

Asked whether Kaseya was satisfied with the FBI’s response in the case, Liedholm said, “I can’t describe it other than to say that we were very happy with the way that they worked with us.”

She said she did not know how many of the firm’s 54 clients were able to use the key. She noted that “many were able to restore [their systems] from backups,” while some were not.

None of JustTech’s clients paid a ransom because the IT provider was able to restore systems from backups it held separately, Justice said. Other companies, worried about the impact to their businesses, paid a ransom long before the decryption key became available.

Global ransomware attack takes a small Maryland town offline

REvil had demanded ransoms ranging from $45,000 to $5 million per infected device, depending on the size of the company. At one point, it demanded that Kaseya pay $70 million for a universal decryption key — a key that would work on all the affected networks.

Some incident response firms charge $400 to $500 an hour for investigating the attack, including learning how the intruder got in, expelling the attacker and containing the damage. Then there are costs for restoring systems using backed-up data and building resilience to avoid a repeat attack. Legal and accounting costs also must be factored in.

Decryptors provided by ransomware criminals do not offer an easy fix. They often contain software flaws, so decryption can be slow or unreliable. Moreover, once a system is unlocked, it still needs to be cleaned of all the malware that the criminal might have left. All of that takes time and expertise, which add to recovery costs.

A hospital in Romania was hit, but it had paper backups of all patient records so “that saved them,” said Alexandru Cosoi, director of investigations and forensics at Bitdefender, a cybersecurity firm based in Bucharest.

On Thursday, Bitdefender released a “universal” decryptor that will unlock all systems encrypted by REvil before July 13 — the date the platform went offline. Cosoi said the firm obtained the key from a “law enforcement partner,” the identity of which the firm is obligated to keep secret for now. The partner was not the FBI, according to people familiar with the matter.

Cosoi said the firm received the key on Tuesday and tested it to make sure it worked before making it available. It would be of most benefit, he said, to victims who may have partially restored systems and still have encrypted data that could be unlocked.

As of Tuesday, more than 265 REvil victims around the world had used the decryptor on their networks, Cosoi said, a figure they obtain by taking note of the number of networks that connect to Bitdefender’s servers to activate the decryptor.

He cautioned, however, that the attacks will continue — ransomware is too lucrative for criminals to give up. And despite Biden’s warnings to Putin, the incursions continue.

This month, REvil reappeared. It has rebuilt its platform and resumed its activity. As of Tuesday, it had logged at least eight new victims, including a plastics manufacturer and a legal aid service for the poor.

The universal key released by Bitdefender will not help those victims.

Aaron Schaffer and Dalton Bennett contributed to this report.