But it delayed sharing that key for three weeks, my colleagues Ellen Nakashima and Rachel Lerman report this morning.
Why delay?: The FBI was hoping to launch an operation to disrupt the REvil hacking group that launched the attack. Officials feared that sharing the key with victims would tip REvil off that the bureau had secret access to its servers.
But the FBI's plan was thwarted when the hacking group took itself offline in mid-July without any U.S. government intervention.
The fallout
Sharing the key earlier could have helped the victims — including schools, hospitals and a small town in Maryland — avoid millions of dollars in recovery costs, analysts estimate.
Instead, most of the damage had been done by the time the FBI shared the decryption key with Kaseya, the company whose software REvil exploited. Many victim organizations were already well underway with lengthy and expensive restorations of all their computer systems.
The newly reported story offers a rare window into the trade-offs facing law enforcement as officials struggle to balance between helping ransomware victims and punishing the criminal gangs that have locked up their computers and demanded payment.
“The questions we ask each time are, what would be the value of a key if disclosed? How many victims are there? Who could be helped?” one individual familiar with the matter told Ellen and Rachel. “And on the flip side, what would be the value of a potential longer term operation in disrupting an ecosystem? Those are the questions we will continue to have to balance.”
The FBI declined to comment on the Kaseya case.
But an official told Ellen and Rachel that delays in helping victims are sometimes unavoidable.
- First, the bureau doesn't want to provide a decryption key to victims before it's rigorously tested the key to make sure it works and won't do more damage.
- Second, the bureau is often working with other government agencies, which can be a complex and time-consuming process.
“Although this takes time, it also allows us to have the largest impact while helping the most victims or even potential victims,” the official said.
It's getting worse
Ransomware attacks have pummeled U.S. industry in recent years. And the scourge seems on track to get worse before it gets better.
That means the tough choices facing law enforcement are likely to get even thornier.
In this case, the benefit of holding on to the decryption key didn't pay off. But in at least one other case, law enforcement had better luck punching back against a ransomware operator.
After the DarkSide hacking group locked up computers at Colonial Pipeline in May, the FBI was able to crack into the gang's cryptocurrency wallet and yank back more than $2 million of the ransom the pipeline company paid. Colonial was one of the highest profile ransomware attacks to date, briefly causing gas shortages and panic buying in the southeastern United States.
The Treasury Department is also preparing to push back against the financial underpinnings of ransomware by imposing sanctions on financial exchanges that support ransom payments.
Ouch
Yet, for Kaseya victims, the damage was profound.
The attack was almost certainly the most widespread ransomware attack to hit U.S. companies to date. That's because the initial victim — the Miami-based IT firm Kaseya — provided software to “managed service providers,” which provide software in turn to their own clients. As a result, the hackers were able to hop from Kaseya's computers to 54 of its clients and then to their clients in turn.
Kaseya estimates between 800 and 1,500 total businesses were affected.
Joshua Justice, who owns the Maryland IT company JustTech, had 120 clients affected by the attack. He called it “a month of hell.”
“I had grown individuals crying to me in person and over the phone asking if their business was going to continue,” he told my colleagues. “I had one man say, ‘Should I just retire? Should I let my employees go?’ ”
The keys
A ransomware group locked up computers at an Iowa grain cooperative
The attack comes after President Biden demanded that Russia-based ransomware gangs steer clear of companies in critical U.S. industries – including agriculture – during a June summit with Russian President Vladimir Putin.
The BlackMatter hacking group, which carried out the attack against Iowa-based New Cooperative, said it doesn't believe the grain cooperative truly counts as critical infrastructure, Bloomberg’s William Turton reports.
“They will pay or have nothing,” the group said. New Cooperative took its systems offline and contained the threat, the cooperative said.
BlackMatter is demanding a $5.9 million ransom, according to Recorded Future senior threat analyst Allan Liska. The group is believed to be a reconstituted version of the DarkSide ransomware gang, which attacked Colonial Pipeline earlier this year.
European police say they took down a mafia-linked cybercrime network
Police arrested 106 people in the operation, Motherboard’s Lorenzo Franceschi-Bicchierai reports. The mafia-linked hackers defrauded hundreds of victims through phishing and other types of online fraud, including tricking businesses into paying fake vendors, according to police.
The arrests show traditional organized crime groups and cybercriminals are increasingly teaming up.
The group included computer and cryptocurrency experts who set up the phishing campaigns and helped launder stolen money, police said. The group was also linked to two homicides and other crimes in Tenerife, Spain, Spanish police said.
Hill happenings
Get ready for a big week of cyber-focused hearings on the Hill
The Senate Homeland Security Committee is holding its annual “threats to the homeland” hearing this morning. Chairman Gary Peters (D-Mich.) plans to question officials about the government's plan to combat ransomware and the damage it's causing to U.S. businesses, a Peters aide tells me.
He'll also stress the importance of companies in critical industries reporting to the government when they're hacked. Peters is working on a bill that would mandate such reports. Senate Intelligence Committee Chairman Mark Warner (D-Va.) has already introduced a similar bill.
The House Homeland Security Committee will hold its version of the annual threats hearing Wednesday. The hearings traditionally focus on the biggest threats from hacking, terrorism and elsewhere.
Senate Homeland Security is holding another hearing focused specifically on cyber threats on Thursday with National Cyber Director Chris Inglis and Cybersecurity and Infrastructure Security Agency Director Jen Easterly slated to testify.
Government scan
A major union is cautiously endorsing plans to build a Civilian Cyber Reserve
AFGE blasted another proposal for a National Digital Reserve Corps program, however, as a “costly boondoggle.” Both proposals will be considered as part of a major annual defense authorization bill.
On the move
The Center for Internet Security is adding three new officials to its election security team.
- Former Pennsylvania secretary of state Kathryn Boockvar will be vice president of election operations and support.
- Jared Dearing, recently the Kentucky State Board of Elections executive director, will be senior director of elections security.
- Marci Andino, recently the South Carolina elections director, will be director of CIS's Elections Infrastructure Information Sharing and Analysis Center.
The Center for Tech Diplomacy at Purdue has named former U.S. Agency for International Development Deputy Administrator Bonnie Glick as its first director.
Daybook
- Former Undersecretary of State Keith Krach and former U.S. Agency for International Development Deputy Administrator Bonnie Glick speak at a Center for Tech Diplomacy at Purdue event on semiconductors and supply chains today at 9:10 a.m.
- Homeland Security Secretary Alejandro Mayorkas, FBI Director Christopher A. Wray and National Counterterrorism Center Director Christine Abizaid testify at a Senate Homeland Security and Governmental Affairs Committee hearing on homeland security threats since Sept. 11, 2001, today at 9:30 a.m.
- Mayorkas, Wray and Abizaid testify before the House Homeland Security Committee on Wednesday at 9 a.m.
- National Cyber Director Chris Inglis, CISA Director Jen Easterly and Federal Chief Information Security Officer Chris DeRusha testify before the Homeland Security and Governmental Affairs Committee on Thursday at 10:15 a.m.
- The Pentagon’s cyber commanders participate in the Joint Service Academy Cybersecurity Summit on Thursday at 3 p.m.
