FBI Delayed Helping Kaseya Ransomware Victims For Weeks: Report

The FBI secretly obtained the decryption key by accessing REvil’s servers, but held onto it for almost three weeks because it was planning to carry out an operation to disrupt REvil and didn’t want to tip them off.

The FBI refrained for almost three weeks from helping unlock the computers of Kaseya ransomware victims even though it had the means to do so, The Washington Post reported.

The intelligence agency had secretly obtained the decryption key needed to get the nearly 1,500 victim organizations back up and running by accessing the servers of the Russia-based REvil ransomware gang, according to The Washington Post, citing current and former U.S. officials. But the FBI held onto the key because it was planning to carry out an operation to disrupt REvil and didn’t want to tip them off.

If the FBI had made the ransomware decryption key available to Kaseya and its customers as soon as it was obtained, schools, hospitals and other victims could have avoided millions of dollars in recovery costs, analysts told The Washington Post. But instead, the FBI opted not to share the key with Kaseya until July 21, 19 days after the REvil ransomware attack took place, The Washington Post reported.

[Related: REvil: We Accidentally Leaked Kaseya Universal Decryptor Key]

“The FBI must be cautious and deliberate in what is provided to victims,” an FBI official told The Washington Post. “The solution must be rigorously tested and risks associated with decryptors must be mitigated.” An FBI spokeswoman declined to comment to CRN on The Washington Post report.

“We are very grateful for the support we were given by the FBI and can’t comment on their decisions regarding timing of the release of the key,” a Kaseya spokesperson told CRN. ”We also cannot comment on your question around the number of impacted customers that ended up using the decryption key.”

Spokeswoman Dana Liedholm told The Post she wasn’t sure how many of the 54 direct victims –primarily MSPs – ended up using the decryption key, though she noted many restored from backups.

The FBI’s planned takedown of REvil never occurred since the ransomware gang’s platform went offline in mid-July without U.S. government intervention, The Washington Post reported. As a result, the hackers disappeared before the FBI had the chance to even execute its plan, The Post said. In addition, a government assessment found the damage from the Kaseya attack wasn’t as severe as initially feared.

Kaseya MSP customer JustTech was forced to undertake a complete restoration of its clients’ systems since no decryption key was available in the weeks following the attack, owner Joshua Justice told The Washington Post. JustTech’s security teams worked 18-hours shifts for more than a month to get the company’s own and its clients’ systems back up and running, according to Justice.

“I had grown individuals crying to me in person and over the phone asking if their business was going to continue,” Justice told The Post. “I had one man say ‘Should I just retire? Should I let my employees go?’”

REvil resurfaced earlier this month and claimed the universal decryptor key for all victims of the Kaseya ransomware attack had been accidentally released to victims by a coder. “One of our coders misclicked and generated a universal key, and issued the universal decryptor key along with a bunch of keys for one machine. That’s how we sh*t ourselves,” REvil wrote Sept. 9 in an illicit Russian-language forum.

The ransomware operator claims to have compromised at least eight new victims over the past few weeks, including a plastics manufacturer and legal aid service for the poor. Cybersecurity vendor Bitdefender on Thursday released a universal decryptor that unlocked all systems encrypted by REvil before July 13, but that doesn’t help the ransomware gang’s latest victims.