FBI Had the REvil Decryption Key

The Washington Post reports that the FBI had a decryption key for the REvil ransomware, but didn’t pass it along to victims because it would have disrupted an ongoing operation.

The key was obtained through access to the servers of the Russia-based criminal gang behind the July attack. Deploying it immediately could have helped the victims, including schools and hospitals, avoid what analysts estimate was millions of dollars in recovery costs.

But the FBI held on to the key, with the agreement of other agencies, in part because it was planning to carry out an operation to disrupt the hackers, a group known as REvil, and the bureau did not want to tip them off. Also, a government assessment found the harm was not as severe as initially feared.

Fighting ransomware is filled with security trade-offs. This is one I had not previously considered.

Another news story.

Tags: , , , , ,

Posted on September 22, 2021 at 9:30 AM18 Comments

Comments

Anonymous September 22, 2021 9:53 AM

Reminds me of the British efforts to combat German encryption in WW2. Once they cracked the Enigma machine, they had to do a ton of work to determine how much they could use their newfound knowledge without tipping off the Germans that all their plans were now visible.

Certainly no comfort to the families of soldiers and sailors who died to German attacks that the allied generals saw coming by then, nor for victims of REvil in this case. Hopefully holding onto the key this long actually led to preventing future attacks.

Francesco Mantovani September 22, 2021 10:11 AM

Makes sense to me, Take this for example:

https://www.theguardian.com/australia-news/2021/sep/11/inside-story-most-daring-surveillance-sting-in-history

“[…] The decoded messages presented the AFP with a pressing ethical dilemma: when to interfere to prevent a single planned crime and risk compromising the wider operation, and when to allow crimes to take place, preserving the integrity of the wider operation. Eventually, the AFP decided to intervene primarily in instances where there was a “serious chance someone might get killed”, Chin says. During the 18 months leading up to 7 June, the agency acted on 21 such threats to life – in one, the police intervened directly to prevent an imminent alleged murder plot from taking place.”

They decide to not intervene for small crimes in order to track a wider operation

Corelli September 22, 2021 10:55 AM

… FBI surely could have discreetly passed the decryption key to victims via 3rd parties, with no trace of FBI or government involvement.

would likely take a long time for the Russian gang to figure out their software had been compromised.

the alleged serious risk to ongoing FBI investigations sounds phony– what exactly was that risk compared to the known major damage to victims?
The prime FBI duty is to protect the public — not protect their arbitrary internal procedures.

TimH September 22, 2021 12:12 PM

The FBI could unlock the system, and the company simply puts out that it restored from backup.

Only the highest level need know this.

mexaly September 22, 2021 1:42 PM

This is how we prioritize police objectives over civilian objectives.
Occasionally, we have to do a reset, and start all over again.

one hospital that was affected September 22, 2021 2:24 PM

In that way FBI helped the criminals and was acting like criminals.
We had a hell of a time to restore everything from scratch. Underpaid, sleepless, you can imagine it.

One can argue that with key there could be backdoors. Indeed. But comparing systems and data down to every bit is less time consuming than building everything again from scratch, configuring etc.

JonKnowsNothing September 22, 2021 2:35 PM

@TimH

re: Only the highest level need know this

Except, that’s not good enough.

Remember Yahoo, Marissa Mayer and Alex Stamos. There’s always someone bigger than you that will give the shop to anyone with a badge but they won’t let you in on “their little secret”.

SpaceLifeForm September 22, 2021 3:20 PM

I believe there is a subtle nuance in this story that some players are attempting to bury.

Earlier, a decryptor was created, but only for the Kaseya victims.

This likely occurred because of RE effort by FBI.

Later, news appeared that REvil had a backdoor, because criminals do not trust criminals.

I am sure FBI found the backdoor during the RE exercise. The existence of the backdoor and the knowledge that it was found was leaked by someone at highest level from FBI. (hint)

REvil shuts down.

hxtps://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/

name.withheld.for.obvious.reasons September 22, 2021 10:54 PM

You have mentioned this Bruce, when you discuss how the state uses zero days to maintain some sort of offensive or unlikely defensive position. The same issues are at play, prioritizing state use of a bug to leverage other systems defaults to holding back the exploit and leaves the vendors AND customers hanging in the wind. In this case, only the number and type of victim are different.

Peter September 23, 2021 1:59 AM

“This is one I had not previously considered.”

Really?
Despite knowing how “they” keep fex zero-days to themselves, with the intent to use them?

ASB September 23, 2021 10:21 AM

>>Only the highest level need know this

That might work if only the highest levels were the ones performing the technology work required.

Given how many technical people in any not-tiny organization will be in the loop to one degree or another for an effort like this, secrecy is going to be really hard to maintain.

This observation should not be construed as an automatic defense of the tactics used, however…

-ASB

H Potter September 23, 2021 5:13 PM

Whoopie. Having the decry. key may help in some specific circumstances. In most large ransomware recovery efforts it would be of no help, and could even slow the recovery down. There’s a lot more than just data recovery going on.

Clive Robinson September 23, 2021 8:57 PM

@ Bruce, ALL,

Fighting ransomware is filled with security trade-offs. This is one I had not previously considered.

It is an “adversarial” process, unfortunatly there is more than just the “Them and US” sides the FBI / Ransomware-operators take of each other.

There is also the “victims” of both the the ransomware-operators and the FBI. So they frequently get “burned twice”. But also there are all those that are in some way dependent on the “primary” victim…

So of the “trade off” a rider of the old saw,

“One man’s meat, is another man’s poison”

Should be added, especially when you have agencies with “agenders” pushing the camals nose under the tent flap.

My standing advice is still,

“Unless you can show a real business case for connecting to the Internet, then don’t”

For some reason despite the thousands of vulnerabilities found each year in Microsoft and similars products, many of which can be exploited, the mantra of “must be connected” still rules.

A fundemental change in thinking is required otherwise Ransomware, or the next more profitable thing will continue virtualy unabated.

Is such a change going to happen?

The old advice of “Don’t hold your breath” would appear to be appropeiate.

Baylink September 24, 2021 3:13 PM

I’m a little surprised that you’re surprised.

Any reader of cop or espionage fiction is usually familiar with the premise that you have to think long and hard before burning a source, lest the tactical win engender a strategic loss of much larger proportions.

A story this week about the Australian Iron Something “Secret” communications sting (run by the cops) made this very point in some detail…

SpaceLifeForm September 24, 2021 4:24 PM

Alternate coverage

hxtps://www.techdirt.com/articles/20210922/17095747614/fbi-sat-ransomware-decryption-key-weeks-as-victims-lost-millions-dollars.shtml

Anon October 15, 2021 8:55 PM

During WWII Bletchely Park broke the Enigma codes but couldn’t warn allied ships of impending submarine attacks to avoid revealing the code had been broken.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.