Members of the House Committee on Oversight and Reform questioned the FBI's decision to withhold REvil's decryption key for about three weeks after the Kaseya ransomware attack in early July. But the FBI prioritized the long-term benefits of a delay over the immediate decryption key release.
"If any one of us had a loved one with a disease and we could take a longer-term approach to completely eradicate that disease … Perhaps with a little discomfort for a loved one, we probably prefer that over a less effective, shorter-term solution," Bryan Vorndran, assistant director of the FBI's Cyber Division, said during a hearing Tuesday. The FBI's decision to keep the decryption key was "very, very complicated," and involved multiple agencies.
For private companies affected by the Kaseya supply chain attack, the FBI's choice meant lost money. "We get complaints from businesses as their representatives and their members of Congress about decisions that government agencies make," Rep. James Comer, R-Ky., said during the hearing. "It's always frustrating when the government agencies or the bureaucrats don't take into consideration how much this decision will actually cost."
The decision to withhold the Kaseya key was part of a larger effort to slow, and prevent, further REvil attacks. The FBI was also unwilling to take the decryptor at face value and mass distribute it.
The decryption keys for Kaseya "that you're referring to were developed and coded by safe harbor criminals … Obviously, simply grabbing malware that's been coded by criminals in Russia and deploying it onto U.S. infrastructure would not be a wise decision," Vorndran said. The FBI tested the decryptor in different environments to ensure the threat actors had not used it to deploy additional backdoors.
The Office of the National Cyber Director (NCD) was not yet established when the Kaseya attack occurred, though National Cyber Director Chris Inglis' reading of the decision likewise favors maximizing the long-term return. "There's something between zero and infinity that you have to then come down on to align timeliness and breadth," when racing against threat actors, Inglis said. When the security community reveals what it knows too soon, attackers have time to adjust their code and tactics.
Attribution has long troubled the cybersecurity community, and U.S. intelligence is constantly working out whether cybercriminals moonlight for nation-states, or whether state actors are hiring criminals. While how much overlap there is between nation-states and criminals is a "classified discussion," it is a "blended threat," Vorndran said.
"In a best case scenario, we only see about 20% of the intrusions in the country, no different than our partners at [the Cybersecurity and Infrastructure Security Agency]," Vorndran said. Intelligence has gaps in determining those connections, but the FBI has not seen a decrease in ransomware attacks, specifically those originating from Russia, according to Vorndran.
The Internet Crime Complaint Center (IC3) received more than 2,000 ransomware complaints between Jan. 1 and July 31 this year, amounting to nearly $17 million in losses. While reporting is still limited, the number of reports increased 62% between 2020 and 2021.
With ransomware reporting so low, the federal government has to rely on the data that actually is shared. The issue is that there are so many points of contact for organizations, including the FBI, CISA and the Secret Service, that a ransomware victim may not know who to contact first.
How different federal agencies handle an incident is still a point of confusion for victim organizations and Congress.
The three agencies regularly coordinate, and the FBI regularly informs CISA of incidents. If a company is hit with ransomware, it is sufficient to report it only to CISA, just as it is sufficient to report only to one of the other agencies, Rep. Jamie Raskin, D-Md., said. Even a company that is the victim of a ransomware crime does not have to report to the FBI first.
"The design and the intended operation is that having told one of them that all of them will then know and be able to respond with their unique authorities," Inglis said during the hearing. "The caveat here is that we're kind of allowing for the fact that the system is not perfect."
If for some reason the other agencies are not informed, it would be accidental, Inglis said. No policy forbids interagency communication.