FBI Sat On Ransomware Decryption Key For Weeks As Victims Lost Millions Of Dollars

from the is-this-one-of-those-'greater-good'-things-I-don't-understand-becaus dept

The vulnerability equities process meets the FBI’s natural tendency to find and hoard illegal things until it’s done using them. And no one walks away from it unscathed. Welcome to the cyberwar, collateral damage!

If an agency like the NSA comes across an exploit or unpatched security flaw, it’s supposed to notify affected tech companies so they can fix the problem to protect their customers and users. That’s the vulnerability equities process in theory. In practice, the NSA (and others) weigh the potential usefulness of the exploit versus the damage it might cause if it’s not fixed and make a disclosure decision. The NSA claims in public statements it’s very proactive about disclosing discovered exploits. The facts say something different.

Then there’s the FBI, which has engaged in criminal acts to further investigations. Perhaps most famously, the FBI took control of a dark web child porn server and ran it for a few weeks so it could deploy its malware (Network Investigative Technique, according to the FBI) to users of the site. Not only did it continue to distribute child porn during this time, but it reportedly optimized the system to maximize its malware distribution.

The trend continues. As Ellen Nakashima and Rachel Lerman report for the Washington Post (alternative link here), the FBI could have stopped a massive ransomware attack but decided it would be better if it just sat on what it knew and watched things develop.

The FBI refrained for almost three weeks from helping to unlock the computers of hundreds of businesses and institutions hobbled by a major ransomware attack this summer, even though the bureau had secretly obtained the digital key needed to do so, according to several current and former U.S. officials.

The key was obtained through access to the servers of the Russia-based criminal gang behind the July attack. Deploying it immediately could have helped the victims, including schools and hospitals, avoid what analysts estimate was millions of dollars in recovery costs.

The worse news is it wasn’t just the FBI, which is already known for running criminal enterprises while engaging in investigations. The report says this refusal to release the key was a joint agreement with “other agencies,” all of which apparently felt the nation (and the rest of the world) would be better served by the FBI keeping the key to itself while it tried to hunt down the criminals behind the ransomware attack.

And it turned out to be totally worth it!

The planned takedown never occurred because in mid-July REvil’s platform went offline — without U.S. government intervention — and the hackers disappeared before the FBI had a chance to execute its plan, according to the current and former officials.

FBI Director Chris Wray, testifying before Congress, said the tradeoff was necessary because it could help prevent future attacks (unproven) and time was needed to develop a tool that would help those hit by the ransomware.

“These are complex . . . decisions, designed to create maximum impact, and that takes time in going against adversaries where we have to marshal resources not just around the country but all over the world.”

He also suggested that “testing and validating” the decryption key contributed to the delay.

I, too, would testify before Congress that things were complex and time-consuming, especially when the end result was the bad guys getting away while victims remained victims. I would, however, perhaps consider not belaboring the “it will be long and hard” point when the private sector has demonstrated that it actually won’t be that long, and possibly not even all that hard.

Emsisoft, however, was able to act quickly. It extracted the key from what the FBI provided Kaseya, created a new decryptor and tested it — all within 10 minutes, according to Fabian Wosar, Emsisoft chief technology officer. The process was speedy because the firm was familiar with REvil’s ransomware. “If we had to go from scratch,” Wosar said, “it would have taken about four hours.”

The FBI took three weeks to turn over the key to the first of many victims. During that time, it apparently failed to accomplish what Emisisoft developed in 10 minutes, as well as failing to catch any of the perpetrators. Faced with this not-so-subtle undercutting of its “we really were just trying to save the world” narrative, the FBI — via its parent organization — has decided to shut the fuck up.

The Justice Department and White House declined to comment.

Sure, the FBI could still be pursuing some leads, but the timing of REvil’s disappearance and the FBI’s release of the key to one of ransomware victims suggests the FBI only decided to release because it was no longer of any use to the investigation. It may still possess some limited use to those whose data is still locked up, but pretty much every victim has moved on and attempted to recover from the incident. The cost — as is detailed in the Washington Post report — is in the hundreds of millions. Some victims are still trying to recover. Others are back in business, but only after losing millions to downtime.

Who pays for this? Well, the victims do. And taxpayers will too, if the government decides to compensate some of the companies victimized by ransomware and victimized again by the FBI. The FBI, however, will hardly feel a thing, since the going rate for temporary chagrin is a rounding error in the agency’s reputational damage column.

Filed Under: , , , , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “FBI Sat On Ransomware Decryption Key For Weeks As Victims Lost Millions Of Dollars”

Subscribe: RSS Leave a comment
31 Comments
Rekrulsays:

Emsisoft, however, was able to act quickly. It extracted the key from what the FBI provided Kaseya, created a new decryptor and tested it — all within 10 minutes, according to Fabian Wosar, Emsisoft chief technology officer. The process was speedy because the firm was familiar with REvil’s ransomware. “If we had to go from scratch,” Wosar said, “it would have taken about four hours.”

If they could create a decryption key from scratch in about four hours, why didn’t they do that and give it to the affected organizations?

restless94110says:

The Bureau

The FBI should never have been started, it was a blackmail operation for decades, it has done nothing other than gin up cases–either via entrapment schemes or agents provacateur–for its entire existence. They are inept in every way. And have been for 100 years.

What act like this one will be the end of them? Depends on the stupidity of the American people.

Time will tell.

Anonymoussays:

The headline for destroying the evil evil hackers would have been better than saving some victims.

Had they caught the evil evil hackers, how many future victims would have been saved?

We had the antidote to the poison

For how long after the FBI announced that they had that decryption key would that key remain useful to new victims of the malware?

How much additional harm did the people and businesses suffer because the key was not distributed immediately? How much of that harm would have not happened, had the FBI not had the decryption key?

FTFA:

Emsisoft, however, was able to act quickly. It extracted the key from what the FBI provided Kaseya, created a new decryptor and tested it — all within 10 minutes …

… then, why can’t Emsisoft create decryption keys from infected systems in 10 minutes? /rhetorical

"Having the key" was a one-time event. (You did get that last question correct, didn’t you?) The FBI had an opportunity to "catch the crooks". Or they could make the key public, and see the key stop being useful within hours: if not from direct publicity, then by companies no longer rolling over so readily.

The FBI gambled, that by withholding the key from publication, the malware group wouldn’t startle and disappear before they could be tracked down. They lost. Had the FBI succeeded, you would be hailing them as limited, temporary heroes in an unwinnable war (or an eternal struggle, if you prefer).

While you are second guessing the FBI here, be sure to remember that the FBI had to make their decision, "which choice leads to the greater good", without knowing how it would all play out.

That One Guysays:

Re:

Had they caught the evil evil hackers, how many future victims would have been saved?

Congratulations for your support of ‘the ends justify the means’, I’m sure the knowledge that the FBI might have caught the extortionists was and will be of great comfort to their current victims who the FBI left out to dry.

For how long after the FBI announced that they had that decryption key would that key remain useful to new victims of the malware?

Utterly irrelevant, they had the required data to help the current victims and they instead threw them under the bus.

How much additional harm did the people and businesses suffer because the key was not distributed immediately? How much of that harm would have not happened, had the FBI not had the decryption key?

If helps if you read the article.

The cost — as is detailed in the Washington Post report — is in the hundreds of millions. Some victims are still trying to recover. Others are back in business, but only after losing millions to downtime.

… As for what might have happened if they didn’t have the key that’s also irrelevant, they did and they refused to do anything with it.

The FBI gambled, that by withholding the key from publication, the malware group wouldn’t startle and disappear before they could be tracked down. They lost. Had the FBI succeeded, you would be hailing them as limited, temporary heroes in an unwinnable war (or an eternal struggle, if you prefer).

Like hell I would. It’s one thing to make sacrifices yourself to attain a goal but when you throw other people under the bus to further your own goals ‘praise’ is not what you deserve.

While you are second guessing the FBI here, be sure to remember that the FBI had to make their decision, "which choice leads to the greater good", without knowing how it would all play out.

See previous point. When you sacrifice others for your own goals you aren’t after the ‘greater good’ you’re after what’s best for you.

That Anonymous Cowardsays:

Re:

"Had they caught the evil evil hackers, how many future victims would have been saved?"

If Momma Cass had just split that ham sammich with Karen Carpenter they both would still be alive.

"While you are second guessing the FBI here, be sure to remember that the FBI had to make their decision, "which choice leads to the greater good", without knowing how it would all play out."

They are putting men with IQs under 70 on trial for providing aid to terrorists after their CI loans them the money to buy the apple gift card to send to the imaginary terrorists while some motherfucker shot up a synagogue after planning it in the open for months.

Which choice leads to the greater good & which just gets them good headlines so they can keep their budget?

PaulTsays:

Re:

"Had they caught the evil evil hackers, how many future victims would have been saved?"

That assumes the hackers existed in the first place. The track record of the FBI and others seems to suggest that they might have been creating the crimes in order to generate funding to "fight" groups they themselves were at least incentivising if not forcing to commit the original crimes.

Also, if I’m not mistaken the FBI don’t typically have jurisdiction abroad. I wonder how that fits with the typically foreign sources of this type of attack.

"Had the FBI succeeded, you would be hailing them as limited, temporary heroes"

I believe you’re making a large assumption there.

"the FBI had to make their decision… without knowing how it would all play out"

The problem with this kind of story is that everyone except the FBI seems to have been able to predict the outcome.

Anonymoussays:

Re:

The FBI gambled, that by withholding the key from publication, the malware group wouldn’t startle and disappear before they could be tracked down. They lost. Had the FBI succeeded, you would be hailing them as limited, temporary heroes in an unwinnable war (or an eternal struggle, if you prefer).

Let’s say the hackers didn’t startle and the FBI succeeded in tracking down this russian-based group. Then what?

Anonymoussays:

Re:

While you are second guessing the FBI here, be sure to remember that the FBI had to make their decision, "which choice leads to the greater good", without knowing how it would all play out.

…And? In literally one paragraph above, you acknowledged that this was a "gamble". If I fuck up on a decision without knowing how things play out that doesn’t magically mean I’m no longer responsible. If I gamble with resources that belong to other people that doesn’t mean I’m no longer responsible for the fallout.

This sort of "banks didn’t know that the recessions would happen and thus they shouldn’t miss out on their golden parachutes" and "the cop didn’t know that the fleeing naked man was unarmed and thus the shooting was justified" apologism is precisely why trust in institutions is at rock bottom.

bhull242says:

Re:

"Having the key" was a one-time event. (You did get that last question correct, didn’t you?) The FBI had an opportunity to "catch the crooks". Or they could make the key public, and see the key stop being useful within hours: if not from direct publicity, then by companies no longer rolling over so readily.

I’m not so sure that it was a one-time event. Given how the government got the key the first time, it’s possible they could have gotten it again later.

Nor am I convinced that they could have caught the crooks through this method or that such a method was the only way to do so.

Also, “It would stop being useful”? Well, duh. The ransomware would be useless, and the crooks would have no way of knowing how the key was acquired, so the attack would likely stop.

The FBI gambled, that by withholding the key from publication, the malware group wouldn’t startle and disappear before they could be tracked down. They lost. Had the FBI succeeded, you would be hailing them as limited, temporary heroes in an unwinnable war (or an eternal struggle, if you prefer).

You wouldn’t be entirely correct on that. Again: the ends don’t justify the means.

Anonymoussays:

Re:

Gurl pbhyqa’g naq gurl qvqa’g fnl gurl pbhyq.
Rapelcgvba vaibyirf gjb cnegf, gur pvcure naq gur xrl.
Gur pvcure vf jung lbh ner qbvat gb gur zrffntr.
Gur xrl vf ubj lbh ner qbvat vg.
Abg orvat snzvyvne jvgu gur fcrpvsvpf bs gurfr enafbzjnerf, ohg xabjvat n ovg nobhg rapelcgvba, V’z tbvat gb nffhzr rirelbar va frphevgl ohfvarff nyernql xarj juvpu pvcure gurl jrer hfvat. Gur xrl jnf cebonoyl fbzr bofpraryl uhtr cevzr ahzore, yvxr 48!-1. Bapr gurl unq gur xrl, vg jnf n fvzcyr znggre bs cyhttvat vg vagb gurve nyernql znqr qrpbqre; pbhyqn orra qbar ol n cnve bs vagreaf naq bar xrlobneq. Vs gurl unqa’g nyernql orra snzvyvne jvgu gur rknpg pvcure va hfr, gurl jbhyq’ir arrqrq gb perngr gung ovg svefg, urapr gur 4 ubhe gvzrsenzr.
Nf na rkrepvfr sbe gur ernqre, lbh fubhyq or noyr gb qrpelcg guvf va nobhg 10 zvahgrf; V’ir nyjnlf orra n sna bs gur pynffvpf.

Anonymoussays:

Re:

They did not, and could not create the key, but what they had to was deal with other details of putting the files back together, like how much needed to be decrypted. If as an example, only the first half of the file is encrypted, decrypting the second half scrambles it. Familiarity with REvil’s ransomware meant they did not have to do any experimentation to sort out auxiliary details of decryption.

bhull242says:

Re: Re: Re:

Yeah, I got no idea, but then I’m not exactly the best with ciphers, at least at figuring out which cipher is being used and what key.

…which may be the point of the whole thing. It’s be nice if there was a hint, but yeah, I have no idea where to begin.

I think g = s given the number of times “’g” appears at the end of words, V = I since it appears capitalized on its own or in contractions, and I think i = v and r = e since you’ve got the contraction “V’ir” and I think the only contraction that would fit that pattern would be “I’ve”. From there, I’m guessing it’s symmetric (a = b iff b = a) rather than translational (xth letter maps to ((x-n) % 26 + 1)th letter of the alphabet (since i maps to v and vice versa, and then g and i have one letter in between them but map to letters (s and v, respectively) with two letters in between). If so, then s = g and e = r.

That’s all I’ve got so far, though. I’m just not seeing any pattern in the mapping aside from a single instance of symmetry that may extend to the rest of the mapping.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Report this ad??|??Hide Techdirt ads
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...
Older Stuff
12:25 Australian Privacy Commissioner Says 7-Eleven Broke Privacy Laws By Scanning Customers' Faces At Survey Kiosks (6)
10:50 Missouri Governor Doubles Down On 'View Source' Hacking Claim; PAC Now Fundraising Over This Bizarrely Stupid Claim (45)
10:45 Daily Deal: The All-in-One Microsoft, Cybersecurity, And Python Exam Prep Training Bundle (0)
09:43 Want To Understand Why U.S. Broadband Sucks? Look At Frontier Communications In Wisconsin, West Virginia (8)
05:36 Massachusetts College Decides Criticizing The Chinese Government Is Hate Speech, Suspends Conservative Student Group (71)
19:57 Le Tigre Sues Barry Mann To Stop Copyright Threats Over Song, Lights Barry Mann On Fire As Well (21)
16:07 Court Says City Of Baltimore's 'Heckler's Veto' Of An Anti-Catholic Rally Violates The First Amendment (15)
13:37 Two Years Later, Judge Finally Realizes That A CDN Provider Is Not Liable For Copyright Infringement On Websites (21)
12:19 Chicago Court Gets Its Prior Restraint On, Tells Police Union Head To STFU About City's Vaccine Mandate (158)
10:55 Verizon 'Visible' Wireless Accounts Hacked, Exploited To Buy New iPhones (8)
10:50 Daily Deal: The MacOS 11 Course (0)
07:55 Suing Social Media Sites Over Acts Of Terrorism Continues To Be A Losing Bet, As 11th Circuit Dumps Another Flawed Lawsuit (11)
02:51 Trump Announces His Own Social Network, 'Truth Social,' Which Says It Can Kick Off Users For Any Reason (And Already Is) (100)
19:51 Facebook AI Moderation Continues To Suck Because Moderation At Scale Is Impossible (26)
16:12 Content Moderation Case Studies: Snapchat Disables GIPHY Integration After Racist 'Sticker' Is Discovered (2018) (11)
13:54 Arlo Makes Live Customer Service A Luxury Option (8)
12:05 Delta Proudly Announces Its Participation In The DHS's Expanded Biometric Collection Program (5)
11:03 LinkedIn (Mostly) Exits China, Citing Escalating Demands For Censorship (14)
10:57 Daily Deal: The Python, Git, And YAML Bundle (0)
09:37 British Telecom Wants Netflix To Pay A Tax Simply Because Squid Game Is Popular (32)
06:41 Report: Client-Side Scanning Is An Insecure Nightmare Just Waiting To Be Exploited By Governments (35)
20:38 MLB In Talks To Offer Streaming For All Teams' Home Games In-Market Even Without A Cable Subscription (10)
15:55 Appeals Court Says Couple's Lawsuit Over Bogus Vehicle Forfeiture Can Continue (15)
13:30 Techdirt Podcast Episode 301: Scarcity, Abundance & NFTs (0)
12:03 Hollywood Is Betting On Filtering Mandates, But Working Copyright Algorithms Simply Don't Exist (66)
10:45 Introducing The Techdirt Insider Discord (4)
10:40 Daily Deal: The Dynamic 2021 DevOps Training Bundle (0)
09:29 Criminalizing Teens' Google Searches Is Just How The UK's Anti-Cybercrime Programs Roll (19)
06:29 Canon Sued For Disabling Printer Scanners When Devices Run Out Of Ink (41)
20:51 Copyright Law Discriminating Against The Blind Finally Struck Down By Court In South Africa (7)
More arrow