
Secplicity - Security Simplified

Powered by WatchGuard Technologies

FBI's Botched Plan to Catch REvil Cost Victims Millions

October 4, 2021 By Trevor Collins

Earlier this year Kaseya, which provides IT management software to service providers that in turn support tens of thousands of organizations, from schools to hospitals, was hit by a ransomware attack delivered through a compromise of its VSA Remote Monitoring and Management (RMM) software. While the ransomware reached only a small percentage of Kaseya's customer base, thousands of companies still lost access to critical data for days or even weeks, costing them millions collectively. Kaseya obtained the master decryption key nearly three weeks after the attack from what it described at the time as "a trusted third party." Two weeks ago, the Washington Post reported that the FBI was that trusted third party, and that the Bureau had held the decryption key for nearly three weeks before handing it to Kaseya. The FBI's explanation was that it had to keep its possession of the key secret to protect a disruption operation targeting REvil, the ransomware group responsible for the attack. Yet the FBI kept sitting on the key for weeks even after REvil's infrastructure went completely dark and the operation had nothing left to disrupt. As far as we can tell, nothing ever came of the FBI's operation.

This week, the House Committee on Oversight and Reform requested a briefing from the FBI on why it took so long for victims to receive the key needed to decrypt their data.

Based on the available information, we believe the timeline looks like this:

  • July 2: Kaseya customers start seeing ransomware spread across their networks.
  • Within days of the attack (based on the committee's letter), the FBI gains access to the ransomware master key.
  • By July 12: REvil's sites are offline.
  • July 22: the FBI gives the decryption key to Kaseya.
  • Around August 5: the ransomware key is first leaked to the public.

REvil initially demanded a $70 million ransom, but the cost to the victims likely exceeded that figure. The FBI could have released the universal key at any point between July 12 and July 22, once it knew REvil had gone dark, but it did not. Perhaps the Bureau was waiting to see whether the servers would come back online so it could catch the operators, but chasing a big score blinded it to the millions of dollars in damage accumulating every day the key stayed locked away. When it comes to ransomware, victims can't always count on law enforcement to put their interests first. Every organization needs a tested backup and recovery plan so that, if it becomes a victim, restoring operations never depends on anyone else handing over a key.


Filed Under: Editorial Articles


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.
