The Federal Bureau of Investigation (FBI) had the keys to REvil’s ransomware as the cybercriminals were locking up company after company’s data and did not publicly share the keys.
What were they thinking? What were they protecting?
The Washington Post reports that the FBI had secretly obtained the digital key to the Russia-based ransomware group REvil some three weeks before distributing it. When pressed at a recent congressional hearing, FBI Director Christopher Wray said the delay lay in the fact that the FBI was working jointly with other agencies and allies. He explained, “We make the decisions as a group, not unilaterally.” He continued, “These are complex . . . decisions, designed to create maximum impact, and that takes time in going against adversaries where we have to marshal resources not just around the country but all over the world.”
What Wray may have really been saying, without saying it, is that the FBI did not own the information in its possession. The keys were, as noted, “secretly obtained”; by which agency or which ally is not revealed. Under the third-party rule, a recipient is permitted to use such information to advance its own intelligence operations—which, sources told the Washington Post, meant taking down REvil.
Dmitri Alperovitch, chairman of the Silverado Policy Accelerator, notes in a September 21 New York Times op-ed that “America is being held for ransom. It needs to fight back.” He commended the two-prong approach of the Biden administration, diplomacy and expanded defensive capabilities. He also called for an offensive capability, especially against the “most potent ransomware groups” operating out of Russia, North Korea, and Iran. Alperovitch didn’t mince words in suggesting what America needs is “an aggressive campaign [that] would target the foundation of ransomware criminals’ operations: their personnel, infrastructure, and money.”
It appears the FBI was attempting to accomplish that which Alperovitch was suggesting needed to happen—targeting REvil’s personnel, infrastructure, and money.
The FBI takedown that didn’t happen
There is no argument that millions were paid in ransoms to the criminals, and some companies suffered such a degradation of capability that their continued existence was at risk. As events unfolded, REvil took itself down on July 13, 2021, and thus the FBI operation against the criminal entity never materialized. Once REvil took itself out of the game, the table adjusted. If the FBI was not the entity that acquired the information via an offensive operation or a source, making the keys public would require a return to the originator of the intelligence to obtain a green light.
Third-party rule on intelligence
To this jaded eye, three weeks seems a rather long cycle for coordination, even if it included allies in different time zones, given the global nature of REvil’s efforts. That said, it is easy to tell others what to do and how to do it when one has no equity in the mix and knows neither the number of cooks in the kitchen nor the sensitivity of the sourcing of the intelligence. To move unilaterally and precipitously by revealing possession of the decryption key may have compromised the sources and methods used to obtain it. Therefore, it is impossible to say whether the FBI’s liaison office and legal attachés abroad were dragging their feet, or whether the coordination among nations and agencies moved amazingly fast given the complex relationships pertaining to source protection.
Universal decryptor for REvil available
The FBI did, eventually, provide the key to a number of cybersecurity companies, who were able to fold it into “decryptors” unlocking their clients’ data. More publicly, and of use to victims of REvil who had no backup and no cybersecurity provider helping them recover, Bitdefender on September 20 released a “universal decryptor” that works on any dataset encrypted by REvil before July 13, 2021. Bitdefender noted that the universal decryptor was created as a result of the company’s collaboration with a “trusted law enforcement partner” (not further identified).
In sum, source and equity protection considerations within the international milieu of facing off against the criminal entities fomenting ransomware as a service will always be a gating factor when it comes to publicly revealing information clandestinely obtained.