FBI Sat On Ransomware Decryption Key For Weeks As Victims Lost Millions Of Dollars
from the is-this-one-of-those-'greater-good'-things-I-don't-understand-becaus dept
The vulnerability equities process meets the FBI's natural tendency to find and hoard illegal things until it's done using them. And no one walks away from it unscathed. Welcome to the cyberwar, collateral damage!
If an agency like the NSA comes across an exploit or unpatched security flaw, it's supposed to notify affected tech companies so they can fix the problem to protect their customers and users. That's the vulnerability equities process in theory. In practice, the NSA (and others) weigh the potential usefulness of the exploit versus the damage it might cause if it's not fixed and make a disclosure decision. The NSA claims in public statements it's very proactive about disclosing discovered exploits. The facts say something different.
Then there's the FBI, which has engaged in criminal acts to further investigations. Perhaps most famously, the FBI took control of a dark web child porn server and ran it for a few weeks so it could deploy its malware (Network Investigative Technique, according to the FBI) to users of the site. Not only did it continue to distribute child porn during this time, but it reportedly optimized the system to maximize its malware distribution.
The trend continues. As Ellen Nakashima and Rachel Lerman report for the Washington Post (alternative link here), the FBI could have stopped a massive ransomware attack but decided it would be better if it just sat on what it knew and watched things develop.
The FBI refrained for almost three weeks from helping to unlock the computers of hundreds of businesses and institutions hobbled by a major ransomware attack this summer, even though the bureau had secretly obtained the digital key needed to do so, according to several current and former U.S. officials.
The key was obtained through access to the servers of the Russia-based criminal gang behind the July attack. Deploying it immediately could have helped the victims, including schools and hospitals, avoid what analysts estimate was millions of dollars in recovery costs.
The worse news is it wasn't just the FBI, which is already known for running criminal enterprises while engaging in investigations. The report says this refusal to release the key was a joint agreement with "other agencies," all of which apparently felt the nation (and the rest of the world) would be better served by the FBI keeping the key to itself while it tried to hunt down the criminals behind the ransomware attack.
And it turned out to be totally worth it!
The planned takedown never occurred because in mid-July REvil’s platform went offline — without U.S. government intervention — and the hackers disappeared before the FBI had a chance to execute its plan, according to the current and former officials.
FBI Director Chris Wray, testifying before Congress, said the tradeoff was necessary because it could help prevent future attacks (unproven) and time was needed to develop a tool that would help those hit by the ransomware.
"These are complex . . . decisions, designed to create maximum impact, and that takes time in going against adversaries where we have to marshal resources not just around the country but all over the world.”
He also suggested that “testing and validating” the decryption key contributed to the delay.
I, too, would testify before Congress that things were complex and time-consuming, especially when the end result was the bad guys getting away while victims remained victims. I would, however, perhaps consider not belaboring the "it will be long and hard" point when the private sector has demonstrated that it actually won't be that long, and possibly not even all that hard.
Emsisoft, however, was able to act quickly. It extracted the key from what the FBI provided Kaseya, created a new decryptor and tested it — all within 10 minutes, according to Fabian Wosar, Emsisoft chief technology officer. The process was speedy because the firm was familiar with REvil’s ransomware. “If we had to go from scratch,” Wosar said, “it would have taken about four hours.”
The FBI took three weeks to turn over the key to the first of many victims. During that time, it apparently failed to accomplish what Emisisoft developed in 10 minutes, as well as failing to catch any of the perpetrators. Faced with this not-so-subtle undercutting of its "we really were just trying to save the world" narrative, the FBI -- via its parent organization -- has decided to shut the fuck up.
The Justice Department and White House declined to comment.
Sure, the FBI could still be pursuing some leads, but the timing of REvil's disappearance and the FBI's release of the key to one of ransomware victims suggests the FBI only decided to release because it was no longer of any use to the investigation. It may still possess some limited use to those whose data is still locked up, but pretty much every victim has moved on and attempted to recover from the incident. The cost -- as is detailed in the Washington Post report -- is in the hundreds of millions. Some victims are still trying to recover. Others are back in business, but only after losing millions to downtime.
Who pays for this? Well, the victims do. And taxpayers will too, if the government decides to compensate some of the companies victimized by ransomware and victimized again by the FBI. The FBI, however, will hardly feel a thing, since the going rate for temporary chagrin is a rounding error in the agency's reputational damage column.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: decryption, doj, fbi, ransomware, revil, vep, vulnerabilities, vulnerabilities equities process
Reader Comments
Subscribe: RSS
View by: Time | Thread
Recently
There has also been some speculation, just speculation, especially regarding some Exchange 0-days, that Microsoft may be sitting on patching reported vulnerabilities that are binging exploited by US intelligence.
[ link to this | view in chronology ]
Are there any American agencies left that actually "serve and protect" the general public?
[ link to this | view in chronology ]
OSHA?
[ link to this | view in chronology ]
Re:
Does the National Archives count?
[ link to this | view in chronology ]
Re:
CDC? Maybe?
[ link to this | view in chronology ]
The headline for destroying the evil evil hackers would have been better than saving some victims.
We had the antidote to the poison, but we wanted to use it in a more headline grabbing way. This dead people aren;t our fault.
Can we just nuke DC and start over now?
[ link to this | view in chronology ]
Had they caught the evil evil hackers, how many future victims would have been saved?
For how long after the FBI announced that they had that decryption key would that key remain useful to new victims of the malware?
How much additional harm did the people and businesses suffer because the key was not distributed immediately? How much of that harm would have not happened, had the FBI not had the decryption key?
FTFA:
... then, why can't Emsisoft create decryption keys from infected systems in 10 minutes? /rhetorical
"Having the key" was a one-time event. (You did get that last question correct, didn't you?) The FBI had an opportunity to "catch the crooks". Or they could make the key public, and see the key stop being useful within hours: if not from direct publicity, then by companies no longer rolling over so readily.
The FBI gambled, that by withholding the key from publication, the malware group wouldn't startle and disappear before they could be tracked down. They lost. Had the FBI succeeded, you would be hailing them as limited, temporary heroes in an unwinnable war (or an eternal struggle, if you prefer).
While you are second guessing the FBI here, be sure to remember that the FBI had to make their decision, "which choice leads to the greater good", without knowing how it would all play out.
[ link to this | view in chronology ]
Re:
Oh, please. The FBI wouldn't recognize the "greater good" if it bit them in the ass. And the idea that they would even care is ridiculous.
[ link to this | view in chronology ]
Re: Re:
"The FBI wouldn't recognize the "greater good" if it bit them in the ass"
Even after watching Hot Fuzz...
[ link to this | view in chronology ]
Re:
John Connolly thought that too. South Boston paid for that fuck up.
[ link to this | view in chronology ]
Re:
Had they caught the evil evil hackers, how many future victims would have been saved?
Congratulations for your support of 'the ends justify the means', I'm sure the knowledge that the FBI might have caught the extortionists was and will be of great comfort to their current victims who the FBI left out to dry.
For how long after the FBI announced that they had that decryption key would that key remain useful to new victims of the malware?
Utterly irrelevant, they had the required data to help the current victims and they instead threw them under the bus.
How much additional harm did the people and businesses suffer because the key was not distributed immediately? How much of that harm would have not happened, had the FBI not had the decryption key?
If helps if you read the article.
The cost -- as is detailed in the Washington Post report -- is in the hundreds of millions. Some victims are still trying to recover. Others are back in business, but only after losing millions to downtime.
... As for what might have happened if they didn't have the key that's also irrelevant, they did and they refused to do anything with it.
The FBI gambled, that by withholding the key from publication, the malware group wouldn't startle and disappear before they could be tracked down. They lost. Had the FBI succeeded, you would be hailing them as limited, temporary heroes in an unwinnable war (or an eternal struggle, if you prefer).
Like hell I would. It's one thing to make sacrifices yourself to attain a goal but when you throw other people under the bus to further your own goals 'praise' is not what you deserve.
While you are second guessing the FBI here, be sure to remember that the FBI had to make their decision, "which choice leads to the greater good", without knowing how it would all play out.
See previous point. When you sacrifice others for your own goals you aren't after the 'greater good' you're after what's best for you.
[ link to this | view in chronology ]
Re: Re:
We knew they were attending flight training school & had contact with jihadis but we kept watching them rather than act.
9/11 & oh yeah and those Saudi pilots who came for training at US bases.
[ link to this | view in chronology ]
Re:
"Had they caught the evil evil hackers, how many future victims would have been saved?"
If Momma Cass had just split that ham sammich with Karen Carpenter they both would still be alive.
"While you are second guessing the FBI here, be sure to remember that the FBI had to make their decision, "which choice leads to the greater good", without knowing how it would all play out."
They are putting men with IQs under 70 on trial for providing aid to terrorists after their CI loans them the money to buy the apple gift card to send to the imaginary terrorists while some motherfucker shot up a synagogue after planning it in the open for months.
Which choice leads to the greater good & which just gets them good headlines so they can keep their budget?
[ link to this | view in chronology ]
Re:
"Had they caught the evil evil hackers, how many future victims would have been saved?"
That assumes the hackers existed in the first place. The track record of the FBI and others seems to suggest that they might have been creating the crimes in order to generate funding to "fight" groups they themselves were at least incentivising if not forcing to commit the original crimes.
Also, if I'm not mistaken the FBI don't typically have jurisdiction abroad. I wonder how that fits with the typically foreign sources of this type of attack.
"Had the FBI succeeded, you would be hailing them as limited, temporary heroes"
I believe you're making a large assumption there.
"the FBI had to make their decision... without knowing how it would all play out"
The problem with this kind of story is that everyone except the FBI seems to have been able to predict the outcome.
[ link to this | view in chronology ]
Re:
Taking a page from Toon 1275's book:
Assumes emotions not available for evidence.
[ link to this | view in chronology ]
Re:
The FBI gambled, that by withholding the key from publication, the malware group wouldn't startle and disappear before they could be tracked down. They lost. Had the FBI succeeded, you would be hailing them as limited, temporary heroes in an unwinnable war (or an eternal struggle, if you prefer).
Let's say the hackers didn't startle and the FBI succeeded in tracking down this russian-based group. Then what?
[ link to this | view in chronology ]
Re:
...And? In literally one paragraph above, you acknowledged that this was a "gamble". If I fuck up on a decision without knowing how things play out that doesn't magically mean I'm no longer responsible. If I gamble with resources that belong to other people that doesn't mean I'm no longer responsible for the fallout.
This sort of "banks didn't know that the recessions would happen and thus they shouldn't miss out on their golden parachutes" and "the cop didn't know that the fleeing naked man was unarmed and thus the shooting was justified" apologism is precisely why trust in institutions is at rock bottom.
[ link to this | view in chronology ]
Re:
Since they failed, and we have no knowledge of the same actors doing the same thing in the future, it seems pointless to speculate.
[ link to this | view in chronology ]
Re:
I’m not so sure that it was a one-time event. Given how the government got the key the first time, it’s possible they could have gotten it again later.
Nor am I convinced that they could have caught the crooks through this method or that such a method was the only way to do so.
Also, “It would stop being useful”? Well, duh. The ransomware would be useless, and the crooks would have no way of knowing how the key was acquired, so the attack would likely stop.
You wouldn’t be entirely correct on that. Again: the ends don’t justify the means.
[ link to this | view in chronology ]
Re:
Sadly, no. As many bad actors and crazy people there are at the federal level, there are even more at the state level. Exhibit A: Florida. Exhibit B: Texas. Exhibit C: police unions. We also have Trump who is not currently in DC. There’s also the public who enable them.
[ link to this | view in chronology ]
Re: Re:
One could hope that the big mushroom cloud might convince the others to straighten up or leave politics.
[ link to this | view in chronology ]
The planned takedown
What the hell did they actually think they were going to do? Drone strike these guys? Arrest them?
[ link to this | view in chronology ]
'We could help you, but our primary goal is helping ourselves.'
Ah the delightful results you get when making a bit bust to brag about is considered vastly more important than actually helping victims.
[ link to this | view in chronology ]
Re: 'We could help you, but our primary goal is helping ourselve
They don't really care what effects crime actually has. They just want authority and control, and anyone they can label (doesn't need to be realistic) a criminal or suspect or person of interest more easily allows them that authoritarian wet dream.
[ link to this | view in chronology ]
If they could create a decryption key from scratch in about four hours, why didn't they do that and give it to the affected organizations?
[ link to this | view in chronology ]
Re:
Gurl pbhyqa'g naq gurl qvqa'g fnl gurl pbhyq.
Rapelcgvba vaibyirf gjb cnegf, gur pvcure naq gur xrl.
Gur pvcure vf jung lbh ner qbvat gb gur zrffntr.
Gur xrl vf ubj lbh ner qbvat vg.
Abg orvat snzvyvne jvgu gur fcrpvsvpf bs gurfr enafbzjnerf, ohg xabjvat n ovg nobhg rapelcgvba, V'z tbvat gb nffhzr rirelbar va frphevgl ohfvarff nyernql xarj juvpu pvcure gurl jrer hfvat. Gur xrl jnf cebonoyl fbzr bofpraryl uhtr cevzr ahzore, yvxr 48!-1. Bapr gurl unq gur xrl, vg jnf n fvzcyr znggre bs cyhttvat vg vagb gurve nyernql znqr qrpbqre; pbhyqn orra qbar ol n cnve bs vagreaf naq bar xrlobneq. Vs gurl unqa'g nyernql orra snzvyvne jvgu gur rknpg pvcure va hfr, gurl jbhyq'ir arrqrq gb perngr gung ovg svefg, urapr gur 4 ubhe gvzrsenzr.
Nf na rkrepvfr sbe gur ernqre, lbh fubhyq or noyr gb qrpelcg guvf va nobhg 10 zvahgrf; V'ir nyjnlf orra n sna bs gur pynffvpf.
[ link to this | view in chronology ]
Re: Re:
You... you make TACs brain hurt.
Show of hands who else managed to decode the first word in their head?
Zkb wkh khoo grhv pb eudlq frqwdlq doo ri wkhvh wklqjv?
[ link to this | view in chronology ]
Re: Re: Re:
Yeah, I got no idea, but then I’m not exactly the best with ciphers, at least at figuring out which cipher is being used and what key.
…which may be the point of the whole thing. It’s be nice if there was a hint, but yeah, I have no idea where to begin.
I think g = s given the number of times “'g” appears at the end of words, V = I since it appears capitalized on its own or in contractions, and I think i = v and r = e since you’ve got the contraction “V'ir” and I think the only contraction that would fit that pattern would be “I've”. From there, I’m guessing it’s symmetric (a = b iff b = a) rather than translational (xth letter maps to ((x-n) % 26 + 1)th letter of the alphabet (since i maps to v and vice versa, and then g and i have one letter in between them but map to letters (s and v, respectively) with two letters in between). If so, then s = g and e = r.
That’s all I’ve got so far, though. I’m just not seeing any pattern in the mapping aside from a single instance of symmetry that may extend to the rest of the mapping.
[ link to this | view in chronology ]
Re:
They did not, and could not create the key, but what they had to was deal with other details of putting the files back together, like how much needed to be decrypted. If as an example, only the first half of the file is encrypted, decrypting the second half scrambles it. Familiarity with REvil's ransomware meant they did not have to do any experimentation to sort out auxiliary details of decryption.
[ link to this | view in chronology ]
The Bureau
The FBI should never have been started, it was a blackmail operation for decades, it has done nothing other than gin up cases--either via entrapment schemes or agents provacateur--for its entire existence. They are inept in every way. And have been for 100 years.
What act like this one will be the end of them? Depends on the stupidity of the American people.
Time will tell.
[ link to this | view in chronology ]
Re: The Bureau
How's the horse deworming coming along bro?
[ link to this | view in chronology ]