Congress is demanding answers from the FBI as to why the agency withheld the Kaseya ransomware decryption key that could have limited the damage inflicted on MSPs and other victims.

The U.S. House Committee on Oversight and Reform sent a letter to FBI director Christopher Wray requesting a briefing with the FBI on its “legal and policy rationale” for withholding the digital decryptor key as it attempted to disrupt this cyberattack, and the “FBI’s overall strategy for addressing, investigating, preventing and defeating ransomware attacks.”

“During this delay, many businesses, schools and hospitals suffered lost time and money, especially in the midst of the COVID-19 public health crisis,” the letter said. “Ransomware hackers have shown their willingness and ability to inflict damage on various sectors of the U.S. economy. Congress must be fully informed whether the FBI’s strategy and actions are adequately and appropriately addressing this damaging trend.”

U.S. Reps. Carolyn Maloney, committee chair, and James Comer, ranking member, signed the letter.

The REvil ransomware gang attacked Kaseya and its customers on July 2. The FBI reportedly held onto the decryption key as part of an operation to disrupt REvil. However, the operation failed.

Investigation Necessary

Security experts in the channel quickly weighed in on Congress’ request for answers from the FBI.

Erich Kron is security awareness advocate at KnowBe4. He said the FBI’s action is “certainly one worth investigating.”

“In this case, the victim organizations can hardly be blamed for the ransomware infection they suffered, as the infection was spread through the software supply chain and via the third-party vendors hired to prevent such a catastrophe,” he said. “This is not a case where the victims did something wrong. So withholding the decryption key that could restart their businesses and organizations was a very bold move by the FBI.”

Frustrating and Troubling

A frustrating and troubling part of this ordeal is withholding this key didn’t benefit the FBI, Kron said. However, it had a great deal of value to those suffering during the incident.

“Finding out why they held onto the decryption key and the chance to recover more quickly would certainly be important to me if I was one of the victim organizations,” he said. “While there are certainly times when it is proper that sensitive information be withheld, especially minor details that can later be used to validate confessions or be used in trial, or those that expose details of an investigation, withholding the information that has such a significant bearing on the victim’s recovery is a not a minor detail. If a car hits a person in a crosswalk and flees, it would not be prudent to delay assisting the victim while hoping the driver returns and can be arrested. This is essentially what happened to these victim organizations, the means to assist was there, however the desire was not.”

Scroll through our slideshow above for more security experts’ comments and more cybersecurity news.