Christopher Burgess
Contributing Writer

Yes, the FBI held back REvil ransomware keys

Sep 22, 2021

The ransomware keys might have been acquired by an ally, which would invoke the third-party doctrine where the decision to release was not the FBI's alone.


The Federal Bureau of Investigation (FBI) had the keys to REvil’s ransomware as the cybercriminals were locking up company after company’s data and did not publicly share the keys.

What were they thinking? What were they protecting?

The Washington Post reports that the FBI had secretly obtained the digital key to the Russia-based ransomware group REvil some three weeks before distributing it. When pressed at a recent congressional hearing, FBI Director Christopher Wray attributed the delay to the fact that the FBI was working jointly with other agencies and allies. He explained, “We make the decisions as a group, not unilaterally.” He continued, “These are complex . . . decisions, designed to create maximum impact, and that takes time in going against adversaries where we have to marshal resources not just around the country but all over the world.”

What Wray may have really been saying, without saying it, is that the FBI did not own the information it had in its possession: the keys were, as noted, “secretly obtained,” and by which agency or which ally is not revealed. Under the third-party rule, the recipient of shared intelligence may use it to advance its own intelligence operations, which sources told the Washington Post meant taking down REvil, but may not disclose it further without the originator’s consent.

Dmitri Alperovitch, chairman of the Silverado Policy Accelerator, notes in a September 21 New York Times op-ed that “America is being held for ransom. It needs to fight back.” He commended the two-prong approach of the Biden administration, diplomacy and expanded defensive capabilities. He also called for an offensive capability, especially against the “most potent ransomware groups” operating out of Russia, North Korea, and Iran. Alperovitch didn’t mince words in suggesting what America needs is “an aggressive campaign [that] would target the foundation of ransomware criminals’ operations: their personnel, infrastructure, and money.”

It appears the FBI was attempting to accomplish exactly what Alperovitch was suggesting needed to happen: targeting REvil’s personnel, infrastructure, and money.

The FBI takedown that didn’t happen

There is no argument that millions were paid in ransoms to the criminals and that some companies suffered such a degradation of capability that their continued existence was at risk. As events unfolded, REvil took itself down on July 13, 2021, and thus the FBI operation against the criminal entity never materialized. Once REvil took itself out of the game, the calculus changed. If the FBI was not the entity that acquired the key, whether via an offensive operation or a source, making the keys public would require going back to the originator of the intelligence for a green light to release the information.

Third-party rule on intelligence

To this jaded eye, three weeks seems a rather long cycle for coordination, even if it included allies in different time zones, given the global nature of REvil’s efforts. That said, it is easy to tell others what to do and how to do it when one has no equity in the mix and does not know the number of cooks in the kitchen, nor the sensitivity of the sourcing of the intelligence. Moving unilaterally and precipitously by revealing possession of the decryption key may have compromised the sources and methods used to obtain it. Therefore, it is impossible to say whether the FBI’s liaison office and legal attachés abroad were dragging their feet, or whether the coordination among nations and agencies moved amazingly fast given the complex relationships pertaining to source protection.

Universal decryptor for REvil available

The FBI did, eventually, provide the key to a number of cybersecurity companies, which were able to fold it into “decryptors” that unlocked their clients’ data. More publicly, and of use to REvil victims who had no backups and no cybersecurity provider helping them recover, on September 20 Bitdefender released a “universal decryptor” that works on any dataset REvil encrypted before July 13, 2021. Bitdefender noted that the universal decryptor could be created as a result of the company’s collaboration with a “trusted law enforcement partner” (not further identified).

In sum, source and equity protection considerations within the international milieu of facing off against the criminal entities fomenting ransomware as a service will always be a gating factor when it comes to publicly revealing information clandestinely obtained.

Christopher Burgess is a writer, speaker and commentator on security issues. He is a former senior security advisor to Cisco, and has also been a CEO/COO with various startups in the data and security spaces. He served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Cisco gave him a stetson and a bottle of single-barrel Jack upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit, Senior Online Safety.