The Kaseya ransomware attack, which took place in July and affected up to 1,500 companies worldwide, was a big, destructive mess – one of the largest and most unwieldy of its kind in recent times. But new information shows that the FBI could have mitigated the damage, yet chose not to.
A new report from the Washington Post shows that shortly after the attack, the FBI obtained a decryption key that could have unlocked the victims’ data and let them get their businesses running again. However, instead of sharing it with the victims or with Kaseya, the IT company whose software was exploited in the attack, the bureau kept it secret for about three weeks.
The Feds supposedly did so because they were planning an operation to “disrupt” the hacking gang behind the attack – the Russia-based ransomware group REvil – and didn’t want to tip the gang off. But before the FBI could carry out its plan, the gang mysteriously disappeared. On July 21, the bureau finally gave Kaseya the decryption key – about a week after the gang went dark.
A decryption key, which is usually not sent to a victim until after they have paid their attacker, unlocks the data that was encrypted during a ransomware attack and can help an infected company recover. However, it doesn’t always work very well – which is part of the reason why authorities insist that victims should never pay the ransom.
So, how did the FBI get REvil’s decryption key? That part is pretty murky. The government apparently retrieved it through “access to the servers” of the ransomware gang, although it is unclear how it obtained that access or why it was so easy to get shortly after the attack.
So the end result of the bureau’s aborted operation is that it withheld an important tool that could have saved the organizations affected by the attack an estimated “millions of dollars in restoration costs.” These organizations included schools, hospitals, and multitudes of small businesses.
Sources interviewed by the Washington Post attributed this ordeal to a routine cost-benefit analysis that federal agencies go through when pursuing criminals.
“The questions we ask ourselves every time are: What would a key be worth if it were revealed? How many victims are there? Who could be helped?” a source told the newspaper. “And on the other hand, what would be the value of a potential longer-term operation when an ecosystem is disrupted? These are the questions that we still have to weigh up.”
When reached for comment by email on Tuesday, a spokesperson for Kaseya told Gizmodo that the company was “grateful for the support we received from the FBI” and that it “could not comment on their decisions regarding when to release keys.”
The FBI has not yet responded to a request for comment.
In all fairness, this development raises a lot more questions than it answers. For one thing, it means that the government had access to the hackers’ servers, and thus to the decryption key, almost immediately after the attack took place. While the Post’s story doesn’t reveal the exact date the bureau obtained the key, we do know that Kaseya first announced publicly that it had the key on July 22 – about three weeks after the attack. How and why the FBI was able to obtain the key so quickly is a little confusing.
However, it is not the first time that US federal authorities have conjured up a central piece of the investigative puzzle from seemingly nowhere in the wake of a ransomware attack. After the attack on Colonial Pipeline in May, they similarly managed to get hold of the key to the crypto wallet of the attacking ransomware gang, allowing them to reclaim much of the ransom that had been paid to the criminals. That operation, in which the Justice Department seized millions in crypto, has never been fully explained to the public.
One thing is certain: the business owners who suffered from the Kaseya attack are not particularly happy about the delayed decryption. Joshua Justice, who owns the affected IT company JustTech in Maryland, called July the “month of hell” and told the Post that the time after the attack had caused his business much grief.
“I’ve had grown people crying to me in person and on the phone and asking if their business would go on,” he said. “I had a man who said, ‘Should I just retire? Should I let my employees go?’”