Earlier this year Kaseya, which provides IT management software to service providers that support tens of thousands of organizations from schools to hospitals, was involved in a ransomware attack fueled by a compromise of its VSA Remote Monitoring and Management (RMM) software. While the ransomware only impacted a small percentage of Kaseya's customer base, thousands of companies still lost critical access to their data for days or even weeks, costing them millions collectively. Kaseya ultimately obtained the master decryption key nearly three weeks after the attack through what it described at the time as "a trusted third party." Two weeks ago, the Washington Post broke the news that the FBI was Kaseya's "trusted third party" and that the FBI had actually had access to the decryption key for nearly three weeks before providing it to Kaseya. The FBI claimed it had to keep its access to the decryption key secret to protect a disruption operation targeting REvil, the ransomware organization responsible for the attack. For some reason, though, the FBI held onto the ransomware key for three weeks even after REvil, the subject of its investigation, went completely dark. Ultimately, nothing came of the FBI investigation as far as we can tell.
This week, the congressional Committee on Oversight and Reform requested a briefing from the FBI on why it took so long for the victims to receive the key to decrypt the ransomware.
Based on the available information, we believe the timeline looks like this:
- July 2nd Kaseya customers start seeing ransomware infecting their networks.
- Based on the committee's letter, we believe that within days of the attack the FBI gained access to the ransomware master key.
- By July 12th the REvil site was down.
- On July 22nd the FBI gave the decryption key to Kaseya.
- Around August 5th, the ransomware key was first leaked to the public.
REvil initially demanded a $70 million ransom, but the cost to the victims of the attack likely exceeded this. The FBI could have given out the universal key at any time between July 12th and July 22nd, after it knew REvil had gone dark, but it didn't. Perhaps the FBI wanted to see if the servers would come back online so it could catch the bad guys, but this blinded it to the millions of dollars of damage being done while it waited for a big score. When it comes to ransomware, we can't always rely on law enforcement to have the best interests of the ransomware victim in mind. Companies must have a backup and recovery policy in place in case they become victims of this kind of attack.