FBI Director Christopher Wray faces questions at a Senate hearing on Wednesday (yesterday). The FBI withheld the REvil decryption key obtained by agents from a ransomware gang targeting software company Kaseya without sharing it for nearly three weeks as part of its ongoing investigation into the incident, a published report said.
FBI Director Christopher Wray
During a hearing of the Senate Homeland Security and Governmental Affairs Committee, Committee Chairman Sen. Gary Peters, D-Mich., questioned Director Wray about a Washington Post report that the FBI had obtained the REvil ransomware The decryption key used by the gang, but declined to be shared with the attack victims as the investigation continues.
The FBI kept the decryption key that the bureau obtained from the gang’s servers because it planned to target REvil’s infrastructure and didn’t want to reveal the cybercriminals. The follow-up came to a halt when the ransomware group disappeared without explanation in July.
Some security researchers now believe that REvil, aka Sodinokibi, has returned.
During the hearing, however, Peters questioned why the FBI refused to distribute decryption keys to Kaseya and the company’s roughly 50 hosting provider customers who were infected with the REvil ransomware in July. In turn, some 1,500 customers of these MSPs were infected with crypto-locking malware – many of which were small businesses with few or no security resources.
Peters noted that victims spend millions of dollars recovering data from these attacks, and some could have used keys to offset those costs. Director Ray declined to provide specific details during the public hearing, but said the ransomware attack was still under investigation and that the decision was made by multiple agencies involved.
“Extensive testing and validation is required to ensure that [解密密钥] able to actually do what they’re supposed to do.A lot of engineering was required to develop the tool [并] The tools that will be used,” Director Ray testified. “Sometimes we have to calculate how best to help the most people because maximizing impact is always the goal, and whenever we do that in these jointly enabled ordered operations, we All will be done in conjunction with other government agencies and other agencies. “
Director Ray declined to say which other government agencies were involved in the decision to withhold the keys while the investigation continued.
REvil decryption key
Earlier this month, security firm Bitdefender released a free decryptor for the REvil ransomware, which first started working and targeted victims in April 2019. The company noted that its key would not work with all versions of the crypto-locking malware used by the gang, but it could help all victims of the REvil ransomware attack prior to July, such as participating.
While releasing a free decryptor key, Bitdefender did not specify how the company obtained it. However, Fabian Wosar, CTO of antivirus vendor Emsisoft, suggested in a tweet that law enforcement officials appear to have obtained the keys, although he did not specifically mention the FBI.
It appears that during the dismantling of parts of REvil’s infrastructure a few months ago, LEA obtained the keys needed to decrypt the ransom note key blob, which included the system’s keys. Good news for old victims who can now decrypt their files. — Fabian Wosar (@fwosar) September 17, 2021
When Chief Ray responded to Peters’ questions about the Kaseya case and obtaining the decryption key, he pointed out that any specific details would need to be shared in a classified setting. Peters also noted that he wondered if the FBI had withheld other decryption keys in other ransomware investigations.
Other network issues
The initial goal of the Senate Homeland Security Committee hearing on Wednesday (yesterday) was to discuss threats to the United States in the 20 years since the Sept. 11, 2001, terrorist attacks, as well as some emerging concerns about national security. Wray and Homeland Security Secretary Alejandro Mayorkas both testified that cybersecurity concerns, including ransomware and state APT activity, are one of the main threats to U.S. national security, along with terror terrorism (domestic and foreign) and state theft such as violent crime and intellectual property. Chief Ray and Mayorkas also faced several questions about the resettlement of immigrants and Afghan refugees in the United States after U.S. troops pulled out of Afghanistan in August.
Homeland Security Secretary Alejandro Mayorcas
“We’ve seen a number of recent cybersecurity incidents impacting organizations of all sizes and disrupting critical services, ranging from the SolarWinds supply chain compromise to exploiting vulnerabilities found in Microsoft Exchange Servers and Pulse Connect Secure appliances, to impacting everything from Colonial Pipeline to JBS Meat ransomware from the factory’s entities,” Mayokas testified in his opening remarks.
Majorcas also pointed out that in 2020, about 2,400 state, local, tribal and territorial governments, medical institutions and schools in the United States were targeted by ransomware, and victim organizations have paid about $350 million in ransoms, with an average payment of more than $30 million. Ten thousand U.S. dollars……
Wray noted that in 2020, the number of ransomware incidents reported by the FBI’s Internet Crime Complaint Center increased by 20 percent. “As the President has observed, ransomware has evolved into a national security issue affecting critical infrastructure we cannot afford the most.” Director Wray pointed out that the FBI is focused on cyber threats from other countries, which includes not only various cyber operations, but also the continuous theft of American intellectual property. He also noted that Iran and North Korea continue to improve their cyber capabilities, while cybercriminal gangs continue to operate within Russia.
“These are the most high-profile incidents, but behind the scenes, the FBI has taken more than 1,100 actions against cyber adversaries last year, including arrests, criminal charges, convictions, dismantling and sabotage; and many more through our dedicated partners with Private sector, foreign partners, and collaboration at the federal, state and local levels,” said Director Wray.
In his address to the United Nations General Assembly on Tuesday, President Biden noted that the United States should continue to make improvements in the country’s cybersecurity. “We reserve the right to respond decisively to a cyberattack that threatens our people, our allies or our interests,” Biden said.