Some interesting discussions related to the Kaseya ransomware incident are going around on social media right now.
They follow a report that the FBI withheld a decryption key that could have helped downstream victims of the attack by REvil. The Washington Post originally broke this story.
Now, U.S. senators are asking FBI Director Christopher Wray why this happened.
The questioning took place during a U.S. Senate Committee on Homeland Security and Governmental Affairs hearing this week, which centered on evaluating homeland threats 20 years after 9/11.
Senator Gary Peters (D-MI), committee chairman, opened the line of questioning.
"It was reported that the FBI held back the digital key necessary to unlock the computers of hundreds of businesses and organizations that were subjects of a cyberattack almost three weeks ago," said Peters. "I want to hear why the bureau would do this. Sharing the key sooner certainly could have potentially avoided millions of dollars in recovery costs…."
What happened in the committee meeting?
During the Senate hearing, Wray cited his inability to comment too much due to an ongoing investigation.
"As you [Peters] and I have discussed previously for a private sector partnership in this space, to stop the avalanche of ransomware attacks that we continue to see we are constantly using technical information that we obtained through our investigations.… But when it comes to the issue of the encryption keys, or decryption keys, there is a lot of testing and validating that is required to make sure they're going to do what they're supposed to do," Wray said.
Further defending the decision, Wray said this choice was "interdepartmental" and mentioned agencies like CISA were also involved.
"Sometimes we have to make calculations about how to best help the most people because maximizing impact is always the goal. Whenever we do that in these joint enabled sequence operations, we are doing it in conjunction with other government agencies and others. We make the decisions as a group not unilaterally. These are complex case-specific decisions designed to create maximum impact and that takes time."
Chairman Peters pressed Wray further to understand what agencies were involved, and Wray again said he could not respond due to the ongoing investigation and reaffirmed the government agencies worked together.
In the final question, Peters asked if Wray could commit to providing "a complete briefing" to the committee at a later date, possibly in a private meeting.
"Happy to work with the committee to see what more information we can provide to be helpful and responsive," Wray said, "And I certainly agree that some of that might be better done in a classified setting, and so I'll have my staff follow up with yours to see what we can do to be more illuminating, recognizing again that some of this has to do with a very sensitive ongoing, very much ongoing, investigation."
You can watch the video here, as well as download testimony.
Why did the FBI hold back the key?
At this point, this question leads to a lot of speculation.
Peters and Wray clearly stated that the key was on hand, but that there was a joint decision not to release it while the cyberattacks were happening.
Reflecting on the Kaseya cyberattack
SecureWorld reported on the Kaseya cyberattack, carried out by the REvil ransomware gang. When it was learned that Kaseya had obtained the decryptor key from an unknown source, many had opinions on who that source was.
It was only said that the key came from a "trusted third party." Online, several people mentioned the possibility of the keyholder being a government agency.
Will more be revealed to the public regarding why the FBI made the decision it did? Why would government agencies decide to put millions of dollars at stake from a ransomware attack? Surely, there are details the public was not privy to.
We will continue to monitor this evolving story as new details become available.