Ransomware victims panicked as the FBI secretly withheld REvil’s decryption key

[Image: The seal of the Federal Bureau of Investigation (FBI) on the J. Edgar Hoover Building in Washington, DC]

For three weeks during the REvil ransomware attack this summer, the FBI secretly withheld the key that would have decrypted data and computers on up to 1,500 networks, including those run by hospitals, schools, and businesses.

The FBI had penetrated the REvil gang's servers to obtain the key, but after consulting other agencies the bureau decided to wait before sending it to victims for fear of tipping off the criminals, The Washington Post reports. Sources told the Post that the FBI did not want to warn REvil that its infrastructure had been compromised, because it hoped to use that access to shut down the gang's operations.

Instead, REvil went dark on July 13, before the FBI could act. For reasons that have not been explained, the FBI did not release the key until July 21.

“We make decisions as a group, not unilaterally,” FBI Director Christopher Wray told Congress on Tuesday. “These are … complex decisions, designed to create maximum impact, and that takes time to go against adversaries where we have to gather resources not just across the country but around the world.”

Years of disruption

REvil has a long history of using high-pressure tactics to extort money from victims. The Russia-based gang first appeared in 2019. In May 2020 it hacked the celebrity law firm Grubman Shire Meiselas & Sacks, which represented U2, Madonna and Lady Gaga, and demanded $21 million; when the firm refused to pay, REvil doubled the demand to $42 million and leaked some of Lady Gaga's files. The group was on a roll earlier this year: in April it stole data from Apple contract manufacturer Quanta Computer and published schematics for unreleased Apple products. The May shutdown of the Colonial Pipeline, which runs from Texas to New Jersey and whose outage caused fuel shortages along the East Coast, is often mentioned alongside these attacks but was the work of a separate Russia-linked gang, DarkSide, not REvil.

The group resurfaced this summer when it disrupted operations at Brazil-based meat processor JBS, forcing the closure of several plants in the US, Canada and Australia. It struck again in early July by exploiting a zero-day vulnerability in VSA, a remote management product made by Kaseya, a Florida-based IT company. The hole gave REvil access to 54 managed service providers that run networks for up to 1,500 businesses and other organizations, which were then encrypted through the providers' own management tooling.

Grocery stores in Sweden, city councils in Maryland, schools in New Zealand and a hospital in Romania were affected by the attack. Coop, the Swedish supermarket chain, closed around 700 stores and took about six days to reopen. Other victims spent weeks restoring their systems.

They are back

Last Thursday, the cybersecurity firm Bitdefender released a universal decryption tool for computers and networks that were encrypted before REvil went dark on July 13. About 250 victims have used the tool so far, a Bitdefender executive said. The key that made the tool possible reportedly came from a law enforcement agency, but not the FBI.

Despite the FBI's efforts to take it down, REvil is back this month with a new series of attacks, claiming at least eight new victims, the Post reported. The Bitdefender tool does not work for these new victims, however. A decryptor built from one master key can only recover files whose session keys were wrapped to that key, so its failure is a sign that the gang rotated its keys, or otherwise retooled its operations, during its short period of inactivity.
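As an added illustration, not code from the article or from REvil itself, the Go program below models the key hierarchy that lets a single recovered master key act as a "universal decryptor" and shows why that decryptor stops working the moment the gang rotates the key. It assumes a simplified hybrid scheme of my own construction: each victim generates an ephemeral X25519 key, agrees a shared secret against the operator's embedded master public key, and encrypts with AES-GCM under a key hashed from that secret. The sample files are constructed, and real families differ in details such as the KDF, the cipher, and how many master keys a session key is wrapped to.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// MasterKey is the operator-held pair whose public half is embedded in every
// malware build; the private half unwraps every per-victim key, hence "universal".
type MasterKey struct{ priv *ecdh.PrivateKey }

func NewMasterKey() (*MasterKey, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	return &MasterKey{priv: priv}, err
}

// Public returns the bytes a malware build would carry.
func (m *MasterKey) Public() []byte { return m.priv.PublicKey().Bytes() }

// Blob is what is left on a victim: ciphertext plus the per-victim ephemeral
// public key (in practice dropped into a ransom note or a file footer).
type Blob struct{ EphemeralPub, Nonce, Ciphertext []byte }

// aeadFor derives one victim's AES-GCM instance from our private key and the
// peer's public key bytes. SHA-256 stands in for a proper KDF to keep this short.
func aeadFor(priv *ecdh.PrivateKey, peerPub []byte) (cipher.AEAD, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForVictim runs on the victim with only the master public key. The
// ephemeral private key is discarded, so only the master private key can re-derive the AES key.
func EncryptForVictim(masterPub, plaintext []byte) (*Blob, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	gcm, err := aeadFor(eph, masterPub)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Blob{eph.PublicKey().Bytes(), nonce, gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Decrypt is the universal decryptor: it recovers any blob wrapped to this
// master key and fails GCM authentication on every other.
func (m *MasterKey) Decrypt(b *Blob) ([]byte, error) {
	gcm, err := aeadFor(m.priv, b.EphemeralPub)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, b.Nonce, b.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("blob was not wrapped to this master key: %w", err)
	}
	return pt, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Demo reproduces the situation in the article: a recovered master key decrypts
// every victim of the old campaign and none of a re-keyed one.
func Demo() (oldRecovered, newRecovered bool) {
	oldMaster := must(NewMasterKey())
	files := []string{"patient records", "school rosters", "payroll"} // constructed sample data
	oldRecovered = true
	for _, f := range files {
		pt, err := oldMaster.Decrypt(must(EncryptForVictim(oldMaster.Public(), []byte(f))))
		oldRecovered = oldRecovered && err == nil && string(pt) == f
	}
	// The gang resurfaces re-keyed: new victims are wrapped to a public key
	// whose private half the old decryptor does not hold.
	newMaster := must(NewMasterKey())
	_, err := oldMaster.Decrypt(must(EncryptForVictim(newMaster.Public(), []byte("new victim"))))
	return oldRecovered, err == nil
}

func main() {
	oldOK, newOK := Demo()
	fmt.Printf("old campaign recovered: %v, re-keyed campaign recovered: %v\n", oldOK, newOK)
}
```

Run with `go run`: the first value is true because every old-campaign blob unwraps under the recovered key, the second is false because the re-keyed blob fails GCM authentication. This is the practical reason a decryptor built from a seized key is only useful to victims hit before the rotation, and why delaying its release shrinks the population it can help.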
