FBI Sat On Ransomware Decryption Key For Weeks As Victims Lost Millions Of Dollars
from the is-this-one-of-those-'greater-good'-things-I-don't-understand-becaus dept
The vulnerability equities process meets the FBI’s natural tendency to find and hoard illegal things until it’s done using them. And no one walks away from it unscathed. Welcome to the cyberwar, collateral damage!
If an agency like the NSA comes across an exploit or unpatched security flaw, it’s supposed to notify affected tech companies so they can fix the problem to protect their customers and users. That’s the vulnerability equities process in theory. In practice, the NSA (and others) weigh the potential usefulness of the exploit versus the damage it might cause if it’s not fixed and make a disclosure decision. The NSA claims in public statements it’s very proactive about disclosing discovered exploits. The facts say something different.
Then there’s the FBI, which has engaged in criminal acts to further investigations. Perhaps most famously, the FBI took control of a dark web child porn server and ran it for a few weeks so it could deploy its malware (Network Investigative Technique, according to the FBI) to users of the site. Not only did it continue to distribute child porn during this time, but it reportedly optimized the system to maximize its malware distribution.
The trend continues. As Ellen Nakashima and Rachel Lerman report for the Washington Post, the FBI could have stopped a massive ransomware attack but decided it would be better if it just sat on what it knew and watched things develop.
The FBI refrained for almost three weeks from helping to unlock the computers of hundreds of businesses and institutions hobbled by a major ransomware attack this summer, even though the bureau had secretly obtained the digital key needed to do so, according to several current and former U.S. officials.
The key was obtained through access to the servers of the Russia-based criminal gang behind the July attack. Deploying it immediately could have helped the victims, including schools and hospitals, avoid what analysts estimate was millions of dollars in recovery costs.
The worse news is it wasn’t just the FBI, which is already known for running criminal enterprises while engaging in investigations. The report says this refusal to release the key was a joint agreement with “other agencies,” all of which apparently felt the nation (and the rest of the world) would be better served by the FBI keeping the key to itself while it tried to hunt down the criminals behind the ransomware attack.
And it turned out to be totally worth it!
The planned takedown never occurred because in mid-July REvil’s platform went offline — without U.S. government intervention — and the hackers disappeared before the FBI had a chance to execute its plan, according to the current and former officials.
FBI Director Chris Wray, testifying before Congress, said the tradeoff was necessary because it could help prevent future attacks (unproven) and time was needed to develop a tool that would help those hit by the ransomware.
“These are complex . . . decisions, designed to create maximum impact, and that takes time in going against adversaries where we have to marshal resources not just around the country but all over the world.”
He also suggested that “testing and validating” the decryption key contributed to the delay.
I, too, would testify before Congress that things were complex and time-consuming, especially when the end result was the bad guys getting away while victims remained victims. I would, however, perhaps consider not belaboring the “it will be long and hard” point when the private sector has demonstrated that it actually won’t be that long, and possibly not even all that hard.
Emsisoft, however, was able to act quickly. It extracted the key from what the FBI provided Kaseya, created a new decryptor and tested it — all within 10 minutes, according to Fabian Wosar, Emsisoft chief technology officer. The process was speedy because the firm was familiar with REvil’s ransomware. “If we had to go from scratch,” Wosar said, “it would have taken about four hours.”
The FBI took three weeks to turn over the key to the first of many victims. During that time, it apparently failed to accomplish what Emsisoft developed in 10 minutes, as well as failing to catch any of the perpetrators. Faced with this not-so-subtle undercutting of its “we really were just trying to save the world” narrative, the FBI — via its parent organization — has decided to shut the fuck up.
The Justice Department and White House declined to comment.
Sure, the FBI could still be pursuing some leads, but the timing of REvil’s disappearance and the FBI’s release of the key to one of the ransomware victims suggests the FBI only decided to release it because it was no longer of any use to the investigation. It may still possess some limited use to those whose data is still locked up, but pretty much every victim has moved on and attempted to recover from the incident. The cost — as is detailed in the Washington Post report — is in the hundreds of millions. Some victims are still trying to recover. Others are back in business, but only after losing millions to downtime.
Who pays for this? Well, the victims do. And taxpayers will too, if the government decides to compensate some of the companies victimized by ransomware and victimized again by the FBI. The FBI, however, will hardly feel a thing, since the going rate for temporary chagrin is a rounding error in the agency’s reputational damage column.