REvil stayed one step ahead of the FBI.

Edward Gately, Senior News Editor

September 22, 2021


The FBI reportedly withheld the Kaseya ransomware decryption key for nearly three weeks, leaving victims struggling to recover and stay afloat.

That’s according to a Washington Post report. The REvil ransomware gang attacked Kaseya and its customers on July 2.

The agency reportedly held onto the key as part of an operation to disrupt REvil. However, the operation failed.

Erich Kron, security awareness advocate at KnowBe4, said this certainly was not a fair tradeoff.


“The FBI had the means and ability to assist by simply sharing a digital key, but chose not to, a decision that had no bearing on the activity of the REvil group and gained them nothing in return,” he said. “This was not a case of the FBI being unable to help due to lack of staffing or any other reason, but the simple sharing of a digital key to the victim organizations.”

Failed Operation

According to the report, the FBI obtained the Kaseya decryption key through access to REvil’s servers. Deploying it immediately could have helped the victims avoid what analysts estimate was millions of dollars in recovery costs.

But the FBI held on to the key, with the agreement of other agencies. It did so because it was planning an operation to disrupt REvil and did not want to tip the group off. A government assessment had also concluded that the harm was not as severe as initially feared.

However, the planned FBI takedown never occurred, because in mid-July REvil’s platform went offline without U.S. government intervention. The hackers disappeared before the FBI had a chance to execute its plan, according to the current and former officials cited in the report.

The FBI shared the key with Kaseya on July 21. New Zealand-based security firm Emsisoft created a fresh decryption tool, which Kaseya released the following day.

Dana Liedholm is Kaseya’s senior vice president of corporate marketing.

“We are very grateful for the support we were given by the FBI and can’t comment on their decisions regarding timing of the release of the key,” she said.

Tough Decision

Purandar Das is co-founder and president of Sotero.


“This is and will be a hard decision,” he said. “For the affected organizations, this is a tough thing to handle knowing that they suffered through outages and potentially substantial commercial losses while they figured out how to recover and when they could get back online. From a law enforcement perspective and bigger-picture perspective, going after the criminal gangs while they were still public and were engaged in interactions makes sense. This would enable law enforcement to take them out of action. We also need to keep in mind that information like this, when released to a broader group, is almost impossible to keep under wraps. This would have only made it harder for law enforcement actions if the attackers were forewarned. The positive development from this, if there is one, is it should focus organizations to not only tighten security, but also make sure they are resilient.”

Slippery Slope

Kron said withholding the decryption key likely increased victims’ losses.

“Much like the failure to disclose the extent of the data breach by the Alaska Health Department, this brings to light the delicate balance of releasing information related to a potential criminal investigation and helping the victims of the cyberattack,” he said. “By withholding the decryption keys, the victim organizations likely suffered more financial losses, all in the hope of a potential operation that never ended up happening. This is a very slippery slope to travel when a federal agency has the ability and power to assist private organizations, but withholds it for their own use. This type of action does not help the private sector trust the U.S. government and can severely impact future cooperation between the sectors.”

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
