Lawmakers say they have received scant information from the FBI about a recent ransomware investigation, with top bureau officials offering few answers about decisions that cost U.S. businesses millions of dollars and produced questionable results.
During a Nov. 16 House Oversight and Reform Committee hearing on ransomware, the FBI was questioned about its handling of the July attack against U.S. IT company Kaseya—in which hackers from the ransomware group REvil exploited a vulnerability in Kaseya software to exfiltrate the data of some 1,500 U.S. businesses, schools, hospitals, and other entities.
In September, it was revealed that the FBI had obtained a decryption key in July that would have allowed the hundreds of victim entities to retrieve their data, but agents withheld the key because they didn’t want to tip off REvil about a major law enforcement operation they were planning.
The FBI never had a chance to execute its planned operation against REvil, as the group went offline in late July.
The FBI has come under scrutiny from Congress over its handling of the failed operation, which is said to have cost businesses millions of dollars because of the costs associated with retrieving their data. Some entities rebuilt their systems or retrieved backup copies of their data, while others temporarily closed during the incident.
However, the FBI has apparently been tight-lipped about the matter with Congress.
At the Nov. 16 House Oversight and Reform Committee meeting on ransomware, Rep. James Comer (R-Ky.), the panel’s ranking Republican, criticized the bureau for its lack of transparency about the issue.
“In September, the chairwoman and I asked [FBI] Director [Christopher] Wray for a briefing on the FBI’s decisions. We never received that briefing,” Comer said, directing his ire toward Bryan Vorndran, the assistant director of the FBI’s cyber division. “Please relay to Director Wray that when the Oversight Committee requests a briefing, we expect a briefing.”
Comer questioned Vorndran about the FBI’s decisions in the Kaseya investigation. Vorndran was tight-lipped, but suggested that agents wanted to test the decryption key to make sure it was safe and effective.
“Those decryptor keys were developed and coded by safe-harbored criminals,” he said. “We tested decryptor key in various environments so we could know that it’s not creating new vulnerabilities.”
Vorndran declined to answer Comer’s question about how much money the FBI may have cost businesses with its decision to withhold the decryptor key for weeks in July. Comer, in turn, criticized the FBI and other government bureaucracies for failing to take into account the economic damage their law enforcement operations can have against U.S. victims.
“We need to take into account the hundreds of millions of dollars the FBI is costing by refraining from [promptly providing REvil victims with the decryptor key],” Comer said.
The House Oversight and Reform Committee isn’t the only congressional body struggling for answers about the Kaseya attack. FBI Director Wray was similarly tight-lipped during a Senate Homeland Security Committee hearing in September.
Wray cited an ongoing investigation as to why he couldn’t say much about the matter. He also declined to identify other agencies involved in the response to the Kaseya attack.
“This committee deserves a full accounting of FBI cyber activities, including cyber activities,” Sen. Gary Peters (D-Mich.), the ranking Democrat of the panel, said at the hearing. “And I would hope you could commit to this committee to provide a complete briefing on this operation and others.”
While Wray was non-committal at the time, he said he’d do his best to see that the FBI provides “what information we can.” He said it would probably have to occur in a classified, closed-door hearing.
Meanwhile, the Department of Justice announced on Nov. 8 that it charged two REvil affiliates in relation to the Kaseya ransomware attack, and also retrieved $6 million in ransom payments. Ukrainian national Yaroslav Vasinskyi, 22, is being held in Poland pending U.S. extradition proceedings, while Russian national Yevgeniy Polyanin, 28, remains at large.
Authorities in Romania also arrested two alleged REvil partners on Nov. 4, and another REvil affiliate was taken into custody in Kuwait on the same day, officials said.
Wray and Attorney General Merrick Garland touted the arrests as a major victory for law enforcement and cooperation, although some have questioned the effect the arrests would have against ransomware gangs.
“If this were a drug bust, we’d say they got the street dealers—not the kingpins,” former NSA general counsel Stewart Baker said Nov. 15 on the Cyberlaw Podcast.