It’s a dilemma that has long plagued the intelligence community: should it share cybersecurity intelligence to help protect U.S. companies, or should it withhold that information and use it for the FBI and intelligence community’s benefit instead?
The FBI’s answer in a recent case was to secretly hoard the information that would help the victims recover.
The FBI’s decision to keep a decryption key secret from the victims, a decision The Washington Post first reported, has raised questions in the cybersecurity community about whether the FBI made the right call—and whether the government has an obligation to help ransomware victims.
The FBI was withholding the decryption tool, which could help unlock victim computers and boot out the ransomware, because the FBI had plans to target and disrupt a Russian gang that hit hundreds of targets in July. Law enforcement officials had smuggled the decryption key from the ransomware gang’s servers, and using it to help victims would have spilled the beans on the FBI’s plot.
But the FBI’s plan was foiled when the hacking gang, known as REvil, went dark and disappeared from the internet, seemingly in retreat. Without a need to disrupt the gang anymore, the FBI shared the decryption key in the end with Kaseya, the IT management software company that was the original target of the ransomware gang.
Kaseya told The Daily Beast the FBI’s work on the matter was welcome.
“We are grateful for the support we were given by the FBI,” a spokesperson for Kaseya, Dana Liedholm, said.
This latest incident is raising red flags, however, across the government about whether the FBI should be allowed to hoard decryption tools at the expense of victims—and under what circumstances.
“If these reports are true, it’s inexcusable for the FBI to leave thousands of companies struggling to reconstitute their systems on their own,” Rep. Jim Langevin (D-RI), co-chair of the Congressional Cybersecurity Caucus, told The Daily Beast. “We already have a process for balancing the need to bring hackers to justice and helping victims of cybercrime.”
Langevin said President Joe Biden’s top cyber adviser, the White House National Cyber Director (NCD) Chris Inglis, ought to be at the helm managing these decisions. “But I think we need to reexamine it and incorporate [the National Cyber Director] to ensure we are properly weighing all relevant factors before withholding decryption keys or similar defensive measures,” he said.
Balancing whether to help U.S. companies or keep information for government use is a common conundrum the intelligence community faces. The National Security Agency frequently encounters bugs it prevents companies from fixing so that it can spy on foreigners, although at times, and sometimes very publicly, the intelligence agency shares vulnerabilities with the private sector so it can fix them. But the familiar contours of the problem in the intelligence community shouldn’t override the fact that it’s a live issue for ransomware victims, experts say.
Some are also raising the question of whether decryption tools that could help ransomware victims should be subject to something like the vulnerabilities equities process (VEP), the procedure the federal government uses to determine whether security vulnerabilities the government finds should be disclosed to companies so they can be fixed or withheld so the intelligence community can exploit them.
“This development suggests the need for renewed attention and or discussion on the policy objectives of the VEP, and whether and when law enforcement investigative leads must be considered against other societal needs,” a former attorney in the National Security Division at the Department of Justice told The Daily Beast, suggesting goals to disrupt ransomware gangs have to be balanced with helping companies they’ve hit.
The top White House cyber official in the Obama administration, Michael Daniel, told The Daily Beast he thinks the Biden administration should use a process similar to the VEP, although the process might not need to be as formal.
“The Bureau is not the only agency with a stake in the situation and therefore it has to consult with other agencies before it takes an action like providing a decryption key,” Daniel said, adding that the federal government “has an interest in helping the immediate victim or victims, and it has an interest in restoring critical functions or services.”
But, Daniel added, the government also had to consider the long-term, broader public interest and how to prevent organizations from becoming victims in the future. “The government has an interest in undertaking effective disruption operations,” he said.
More weight should be placed on consideration of the victims whose business has been ground to a halt in the aftermath of ransomware attacks, according to Kurtis Minder, CEO and co-founder of security firm GroupSense, which helps ransomware victims negotiate with cybercriminals if they can’t obtain a decryption key otherwise.
“I am not in law enforcement, and I know they have to make this call all the time: whether to take intelligence or information they have tactically to stop one attack or one bad person, or leverage it to pull on the threads… for the greater good,” Minder told The Daily Beast. “We are on the front lines representing victims who are losing their businesses, livelihoods, and more. I would hope that consideration was given to any other possible options to help these victims.”
The FBI could have been more creative in sharing the tool earlier without tipping their hand that they took it from the ransomware gang and were planning a counterattack, says Phil Reiner, who serves as executive director of the Ransomware Task Force, a group that has been coordinating with the FBI on how to takedown the ransomware gangs.
“I understand the conundrum the FBI faced, so it’s hard to armchair quarterback all the considerations that must have been at play,” Reiner, who is also the CEO of the Institute for Security and Technology, told The Daily Beast. “If the FBI operation had worked and they’d successfully hit REvil, but folks had been left to struggle along the way, how different would this conversation be? I hope it’s a learning experience for the FBI, but that remains to be seen. I’d assert there are ways to help organizations in duress and also not blow the operation.”
The FBI declined to comment for this story. The White House did not return multiple requests for comment.
The FBI withheld the key from victims for weeks so it could tackle the ransomware gang, but it failed to disrupt the group. While the Russian hackers behind the whole incident disappeared weeks ago, seemingly in retreat from pillaging victims around the world, the REvil hackers have spun up operations anew recently, security researchers tell The Daily Beast. And other ransomware gangs have continued to pummel hospitals and, in more recent days, an Iowa grain cooperative, which some fear could cause food shortages.
It’s the latest trial for the Biden administration, which has made blunting ransomware attacks a priority, after the earlier attacks against Kaseya, meat supplier JBS, and Colonial Pipeline, which caused Americans to queue up for fuel across the Eastern Seaboard.
The full picture of who was responsible for obtaining the decryption tool and how they shared it has been touchy from the outset—at the time victims were recovering from the attacks, Kaseya published a statement announcing the tool “unexpectedly came to us,” without saying who gave it to them. But just minutes after Kaseya published the statement—and without explanation—the firm deleted that comment in an apparent effort to make the tool’s acquisition appear to have been carefully planned.
The spokesperson for Kaseya declined to comment on the revision. The FBI declined to comment.
The Biden administration has been working to take action against ransomware gangs in other ways. Just this week the U.S. Treasury Department announced it was sanctioning Suex, a virtual currency exchange that it alleges has helped ransomware actors funnel illegal profits from victims who paid out after ransomware attacks. It’s part of a broader effort to crack down on the infrastructure that enables the cybercriminals to get away with their grift.
Suex has been implicated in payments in at least eight different kinds of ransomware attacks, according to the Treasury Department.
This just may be the administration’s opening salvo in a longer-term effort to go after hackers using ransomware. In a Treasury Department advisory on ransomware, the department notes other companies that help facilitate payments to ransomware gangs—not just cryptocurrency exchanges—may bear the brunt of the government’s measures soon enough.
“Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations,” the advisory, which was released on Tuesday, notes.
But as long as ransomware gangs continue, the open question of how U.S. law enforcement agencies and the intelligence community will wield their power over decryption tools—and whether intelligence operations or getting U.S. businesses back up and running will take priority—remains up in the air. Balancing the need to disrupt the hackers and help victims along the way will continue to be a thorny issue, says Katie Nickels, director of intelligence at Red Canary, a cybersecurity firm.
“Ultimately, disrupting operators’ ability to continue operations could mitigate longer-term risks around theft of data from compromised networks, though that’s a difficult assessment to make. Of course, this trade-off is painful for the victims of ransomware,” Nickels said. “Sometimes they’ll have to make really unenviable decisions: they can either pilfer keys and tip their hand by helping victims, or they can try to degrade capabilities and gather information that could lead to indictments, arrests, or other actions with potentially broader impact.”