Leaders of the House Oversight and Reform Committee are questioning the FBI’s handling of a July ransomware attack on a Florida-based IT firm that compromised up to 1,500 businesses.
Reps. Carolyn Maloney, a New York Democrat, and James Comer, a Kentucky Republican, have requested a briefing from FBI Director Christopher Wray after the bureau reportedly withheld a key to decrypt the ransomware for nearly three weeks, potentially costing victims millions of dollars in recovery costs.
“Congress must be fully informed whether the FBI’s strategy and actions are adequately and appropriately addressing” the threat of ransomware to the US economy, Maloney and Comer wrote Wednesday in a letter to Wray that was shared with CNN. The lawmakers said they want to “understand the rationale behind the FBI’s decision to withhold” the key to unlock computers infected by the ransomware.
The FBI has in recent years ramped up resources to address ransomware, with FBI field offices across the country communicating with victim US companies. But a growing chorus of lawmakers wants to know if the bureau is balancing the need to protect victims with the need to disrupt criminal groups based in Eastern Europe and Russia.
Disrupting the hackers
The Washington Post reported last week that the FBI withheld the decryption key as the bureau planned an operation to disrupt the hackers, a Russian-speaking ransomware syndicate known as REvil. That operation never materialized as REvil mysteriously went offline in mid-July, only to reemerge in September.
The Washington Post was first to report on the letter to the FBI.
The July ransomware incident at the IT firm, Kaseya, rippled across the firm’s customer base of small and medium-sized businesses as the hackers were able to breach about 50 of Kaseya’s clients and some 800 to 1,500 customers of those clients.
An FBI spokesperson said the bureau received the letter and referred CNN to Wray’s recent congressional testimony.
In testimony last week in the Senate, Wray defended the FBI’s approach to combatting ransomware but declined to discuss the specifics of the Kaseya case, citing an ongoing investigation. Wray said that, in general, it can take time to release a decryption key publicly because it needs to be tested and validated.
Kaseya has also declined to discuss the FBI’s response to the incident.
“We are very grateful for the support we were given by the FBI and can’t comment on their decisions regarding timing of the release of the key,” Dana Liedholm, Kaseya’s senior vice president of corporate marketing, said in a statement to CNN.
The breach of Kaseya is just one of multiple ransomware attacks by suspected Russian-speaking hackers to hit US firms in recent months. It came weeks after an alleged REvil hack forced global meat supplier JBS to temporarily close some of its factories in the US.
President Joe Biden urged Russian President Vladimir Putin in June to crack down on hackers operating from Russian soil. However, FBI Deputy Director Paul Abbate said September 14 that there had been “no indication” that Putin had done so.
The FBI and other agencies have in the last two years sought more effective ways of cutting off revenue streams for ransomware gangs. In September 2019, the FBI held the first of multiple closed-door “ransomware summits” with private cyber experts and insurance firms in search of fresh ideas to address the threat.