Congress Wants Answers on FBI Withholding Kaseya Ransomware Decryption Key
One cybersecurity expert said the FBI's actions certainly warrant investigation.
Oliver Tavakoli is CTO at Vectra. He said law enforcement decisions are easy to criticize in hindsight.
“While the FBI had the decryption keys, the plan to take down REvil infrastructure in an effort to head off future attacks had to be weighed against the desire to help victims of the Kaseya attacks,” he said. “It’s easy to second-guess that decision since REvil appeared to dismantle elements of the infrastructure and thus the law enforcement plan to take it down was thwarted. However, hindsight is always 20/20.”
John Bambenek is principal threat hunter at Netenrich.
“In a free country, people and organizations have a general right to understand the decision-making of their government,” he said. “While I generally agree with the decision of the FBI on this, everyone should understand how each organization will respond to these incidents so they can have fully-informed decision-making.”
Purandar Das is president and CEO of Sotero. He said the question of whether the FBI was justified in withholding the Kaseya decryption key is either easy or hard to answer.
“From the perspective of the affected organizations, the answer is of course it should have been released immediately,” he said. “That perspective is built on the hardships that the organizations suffered as they attempted to rebuild and restore operations. Knowing that the key was potentially available makes it frustrating to look back at the stress and hardships they went through to regain operational readiness.”
From the perspective of law enforcement, this would be no different from most investigations, Das said.
“The authorities would most likely have operated with two objectives,” he said. “Identify the perpetrators and hold them accountable, in this case eliminate them from attacking more organizations. That could have delayed the release of the key as they pursued the actions of both the victims and the perpetrators collecting valuable information. The other factor that could have influenced this decision on timing could be the fact that it is almost impossible to keep information secret once a broader set of individuals are involved.”
Bud Broomhead is CEO of Viakoo, a provider of automated IoT cyber hygiene.
“This is a case where strategy of fighting a long-term war is in conflict with the tactics of fighting a specific battle,” he said. “The balance between strategy and tactics has happened throughout human history and will be with us throughout the duration of the cyber wars.”
Exabeam Fusion Security Information and Event Management (SIEM) and Exabeam Fusion Extended Detection and Response (XDR) are now available on Google Cloud Marketplace. Google Cloud customers can access Exabeam cybersecurity products to protect their organizations from insider and external threats.
Exabeam’s cloud-delivered security products streamline and accelerate security operations center (SOC) operations by automating the entire threat detection, investigation and response (TDIR) process.
Chris Stewart is vice president of business development at Exabeam.
“Availability on Google Cloud Marketplace allows our partners to eliminate the roadblocks that may come from other tedious procurement procedures, making it much easier for end users to implement Exabeam security analytics and respond to cyber threats quickly and efficiently,” he said.
Expanding Exabeam’s partnership with Google Cloud by joining the Google Cloud Marketplace makes it an easy process for organizations to choose Exabeam products and fortify their cyber defenses, Stewart said.
“Our current integrations with Google Cloud and over 300 other IT and security products and platforms make us the most complete SIEM and XDR solution on the market,” he said.
A surprising 91.5% of malware arrived over HTTPS-encrypted connections during the second quarter, showing any organization that isn’t examining encrypted HTTPS traffic at the perimeter is missing nine-tenths of all malware.
That’s according to WatchGuard Technologies’ latest quarterly internet report. It also shows alarming surges across fileless malware threats, dramatic growth in ransomware, a big increase in network attacks, and much more.
Among the findings in the report:
- Malware is using PowerShell tools to bypass powerful protections.
- Fileless threats soared, becoming even more evasive.
- Network attacks are booming despite the shift to primarily remote workforces.
- Ransomware attacks came back with a vengeance. While total ransomware detections on the endpoint were on a downward trajectory from 2018 through 2020, that trend broke in the first half of 2021. The six-month total finished just shy of the full-year total for 2020. If daily ransomware detections remain flat through the rest of 2021, this year’s volume will reach an increase of over 150% compared to 2020.
- Big game ransomware hits eclipse “shotgun blast”-style attacks. The Colonial Pipeline attack made it clear that ransomware as a threat is here to stay.
- Old services continue to prove worthy targets.
- Microsoft Office-based threats persist in popularity.
- Phishing domains are masquerading as legitimate, widely recognized domains.
Corey Nachreiner is WatchGuard’s chief security officer.
“With much of the world still firmly operating in a mobile or hybrid workforce model, the traditional network perimeter doesn’t always factor into the cybersecurity defense equation,” he said. “While a strong perimeter defense is still an important part of a layered security approach, strong endpoint protection (EPP) and endpoint detection and response (EDR) is increasingly essential.”
Congress is demanding answers from the FBI as to why the agency withheld the Kaseya ransomware decryption key that could have limited the damage inflicted on MSPs and other victims.
The U.S. House Committee on Oversight and Reform sent a letter to FBI director Christopher Wray requesting a briefing with the FBI on its “legal and policy rationale” for withholding the digital decryptor key as it attempted to disrupt this cyberattack, and the “FBI’s overall strategy for addressing, investigating, preventing and defeating ransomware attacks.”
“During this delay, many businesses, schools and hospitals suffered lost time and money, especially in the midst of the COVID-19 public health crisis,” the letter said. “Ransomware hackers have shown their willingness and ability to inflict damage on various sectors of the U.S. economy. Congress must be fully informed whether the FBI’s strategy and actions are adequately and appropriately addressing this damaging trend.”
U.S. Reps. Carolyn Maloney, committee chair, and James Comer, ranking member, signed the letter.
The REvil ransomware gang attacked Kaseya and its customers on July 2. The FBI reportedly held onto the decryption key as part of an operation to disrupt REvil. However, the operation failed.
Investigation Necessary
Security experts in the channel quickly weighed in on Congress’ request for answers from the FBI.
Erich Kron is security awareness advocate at KnowBe4. He said the FBI’s action is “certainly one worth investigating.”
“In this case, the victim organizations can hardly be blamed for the ransomware infection they suffered, as the infection was spread through the software supply chain and via the third-party vendors hired to prevent such a catastrophe,” he said. “This is not a case where the victims did something wrong. So withholding the decryption key that could restart their businesses and organizations was a very bold move by the FBI.”
Frustrating and Troubling
A frustrating and troubling part of this ordeal is withholding this key didn’t benefit the FBI, Kron said. However, it had a great deal of value to those suffering during the incident.
“Finding out why they held onto the decryption key and the chance to recover more quickly would certainly be important to me if I was one of the victim organizations,” he said. “While there are certainly times when it is proper that sensitive information be withheld, especially minor details that can later be used to validate confessions or be used in trial, or those that expose details of an investigation, withholding the information that has such a significant bearing on the victim’s recovery is not a minor detail. If a car hits a person in a crosswalk and flees, it would not be prudent to delay assisting the victim while hoping the driver returns and can be arrested. This is essentially what happened to these victim organizations: the means to assist was there, however the desire was not.”