Lawmakers demand briefing on FBI’s decision to withhold Kaseya decryption key

The leaders of the House Oversight and Reform Committee on Wednesday demanded a briefing from the FBI on its decision to withhold for three weeks the decryption key necessary for companies impacted by the ransomware attack on IT company Kaseya to recover. 

The request came a week after The Washington Post first reported that the FBI, in consultation with other agencies, chose to hold on to the decryption key as part of a planned effort to disrupt REvil, the Russia-based cybercriminal group behind the attack on Kaseya.

The attack is estimated to have impacted between 800 and 1,500 groups beginning prior to the Fourth of July holiday. 

“Although the Federal Bureau of Investigation (FBI) reportedly obtained a digital decryptor key that could have unlocked affected systems, it withheld this tool for nearly three weeks as it worked to disrupt the attack, potentially costing the ransomware victims—including schools and hospitals—millions of dollars,” Committee Chairwoman Carolyn Maloney (D-N.Y.) and ranking member Rep. James Comer (R-Ky.) wrote in a letter sent to FBI Director Christopher Wray Wednesday.

“We request information to understand the rationale behind the FBI’s decision to withhold this digital decryptor key and the agency’s approach to responding to ransomware attacks,” the lawmakers wrote. 

The Hill has reached out to the FBI for comment on the letter. The Washington Post first reported on the letter. 

Kaseya in July chose not to pay the ransom demanded by the hackers, and instead used a decryption key that the company said it had received from a “trusted third party” weeks after the attack. 

Wray defended the decision in the face of intense questioning by members of the Senate Homeland Security and Governmental Affairs Committee last week.

“When it comes to the issue of encryption keys or decryption keys, there is a lot of testing and validating that is required to make sure that they are going to actually do what they are supposed to do, and there is a lot of engineering that is required to develop a tool that is required to put the tool in use,” Wray testified. “Sometimes we have to make calculations about how best to help the most people, because maximizing impact is always the goal.”

He also stressed that the FBI made the decision in conjunction with agencies including the Cybersecurity and Infrastructure Security Agency (CISA), describing it as a “complex, case-specific” issue.

Maloney and Comer criticized Wray and the FBI for withholding the key, particularly as websites used by REvil went offline before the FBI operation to disrupt the group could be carried out.

“During this delay, many businesses, schools, and hospitals suffered lost time and money, especially in the midst of the COVID-19 public health crisis,” the lawmakers wrote. 

They stressed the need for Congress to stay informed and aware of FBI cybersecurity operations, particularly as cyberattacks have increased in recent months, including ransomware attacks on Colonial Pipeline and meat producer JBS USA. 

“Ransomware hackers have shown their willingness and ability to inflict damage on various sectors of the U.S. economy,” Maloney and Comer wrote. “Congress must be fully informed whether the FBI’s strategy and actions are adequately and appropriately addressing this damaging trend.”