Congress demands briefing from FBI on decision not to share Kaseya decryption keys

Rep. Jim Langevin, co-chair of the Congressional Cybersecurity Caucus, told ZDNet that it was "unacceptable" for the federal government to withhold decryptor keys from Kaseya.
Written by Jonathan Greig, Contributor

The US House Committee on Oversight and Reform has demanded a briefing with the FBI to determine whether it was justified in withholding the Kaseya ransomware decryption keys.

Committee chairwoman Rep. Carolyn Maloney and ranking member Rep. James Comer sent a letter to FBI Director Christopher Wray asking him to appear before Congress to explain the FBI's actions in the case. 

The FBI's decision to keep the REvil ransomware decryption key from victims of the attack on Kaseya has caused a furor among some victims and experts who questioned the organization's judgement.

"Public reporting raises questions about the FBI's response to this summer's ransomware attack. The FBI has stated that it withheld the ransomware key it had previously acquired so the Bureau could engage in an operation to disrupt the Russian-based hackers without tipping them off. However, before the FBI could execute its plan, the hackers reportedly disappeared, and their platform went offline. During this delay, many businesses, schools, and hospitals suffered lost time and money, especially in the midst of the COVID-19 public health crisis," the members of Congress wrote. 

"We request a briefing from the FBI on its legal and policy rationale for withholding the digital decryptor key as it attempted to disrupt this cyber attack, and the FBI's overall strategy for addressing, investigating, preventing, and defeating ransomware attacks. Ransomware hackers have shown their willingness and ability to inflict damage on various sectors of the US economy. Congress must be fully informed whether the FBI's strategy and actions are adequately and appropriately addressing this damaging trend."

Maloney and Comer said the FBI's actions potentially cost "the ransomware victims -- including schools and hospitals -- millions of dollars."

Rep. Jim Langevin, co-chair of the Congressional Cybersecurity Caucus, told ZDNet that it was "unacceptable" for the federal government to withhold decryptor keys from Kaseya, and said he has been clear that the FBI must do a better job of supporting victims of cybercrime in the future. 

"As cyber incidents become increasingly frequent and severe, the White House must update our National Cyber Incident Response Plan -- which includes a mechanism for balancing threat response and asset response -- to incorporate the National Cyber Director into the decision-making process," Langevin said.

Last week, the Washington Post reported that the FBI had the decryption keys for victims of the widespread Kaseya ransomware attack that took place in July yet did not share them for three weeks. 

The Kaseya attack affected hundreds of organizations, including dozens of hospitals, schools, businesses and even a supermarket chain in Sweden. 

Washington Post reporters Ellen Nakashima and Rachel Lerman revealed that the FBI obtained the decryption keys by accessing the servers of REvil, the Russia-based criminal gang behind the attack.

Despite a large number of victims of the attack, the FBI did not share the decryption keys, deciding to hold on to them as they prepared to launch an attack on REvil's infrastructure. According to The Washington Post, the FBI did not want to tip off REvil operators by handing out the decryption keys.

The FBI also claimed "the harm was not as severe as initially feared", according to The Washington Post. 

REvil initially demanded a $70 million ransom from Kaseya and thousands from individual victims before going dark and shutting down significant parts of its infrastructure shortly after the attack. The group has since returned, but many organizations are still recovering from the wide-ranging July 4 attack. 

ZDNet sent questions to multiple members of Congress and the FBI about whether the ransomware group's brief disappearance was connected to the planned FBI operation but have not received a response. 

The FBI eventually shared the decryption keys with Kaseya on July 21, weeks after the attack occurred. Multiple victims spoke to The Washington Post about the millions that were lost and the significant damage done by the attacks. 

During his testimony in front of Congress last week, FBI Director Christopher Wray laid the blame for the delay on other law enforcement agencies and allies, who he said had asked the Bureau not to disseminate the keys. He said he was limited in what he could share about the situation because the FBI is still investigating what happened.

"We make the decisions as a group, not unilaterally. These are complex...decisions designed to create maximum impact, and that takes time in going against adversaries where we have to marshal resources not just around the country but all over the world. There's a lot of engineering that's required to develop a tool," Wray told Congress. 

Congress demanded a response from the FBI by October 6. 
