Christopher Burgess
Contributing Writer

Yes, the FBI held back REvil ransomware keys

Opinion
Sep 22, 2021 | 4 mins
Cybercrime, Ransomware

The ransomware keys might have been acquired by an ally, which would invoke the third-party doctrine where the decision to release was not the FBI's alone.


The Federal Bureau of Investigation (FBI) had the keys to REvil’s ransomware while the cybercriminals were locking up company after company’s data, and it did not publicly share them.

What were they thinking? What were they protecting?

The Washington Post reports that the FBI had secretly obtained the digital key to the Russia-based ransomware group REvil some three weeks before it distributed the key. When pressed at a recent congressional hearing, FBI Director Christopher Wray said the delay stemmed from the fact that the FBI was working jointly with other agencies and allies. He explained, “We make the decisions as a group, not unilaterally.” He continued, “These are complex . . . decisions, designed to create maximum impact, and that takes time in going against adversaries where we have to marshal resources not just around the country but all over the world.”

What Wray may have really been saying, without saying it, is that the FBI did not own the information in its possession: the keys were, as noted, “secretly obtained,” and by which agency or which ally is not revealed. Under the third-party rule, the recipient of such intelligence is permitted to use it to advance its own intelligence operations, which sources told the Washington Post meant taking down REvil.

Dmitri Alperovitch, chairman of the Silverado Policy Accelerator, wrote in a September 21 New York Times op-ed that “America is being held for ransom. It needs to fight back.” He commended the Biden administration’s two-prong approach of diplomacy and expanded defensive capabilities. He also called for an offensive capability, especially against the “most potent ransomware groups” operating out of Russia, North Korea, and Iran. Alperovitch didn’t mince words in suggesting what America needs is “an aggressive campaign [that] would target the foundation of ransomware criminals’ operations: their personnel, infrastructure, and money.”

It appears the FBI was attempting to accomplish exactly what Alperovitch was suggesting needed to happen: targeting REvil’s personnel, infrastructure, and money.

The FBI takedown that didn’t happen

There is no argument that millions were paid in ransoms to the criminals, and some companies suffered such a degradation of capability that their continued existence was at risk. As events unfolded, REvil took itself down on July 13, 2021, and thus the FBI operation against the criminal entity never materialized. Once REvil took itself out of the game, the calculus changed. If the FBI was not the entity that acquired the information, whether through an offensive operation or from a source, making the keys public would require going back to the originator of the intelligence for a green light.

Third-party rule on intelligence

To this jaded eye, three weeks seems a rather long cycle for coordination, even one that included allies in different time zones, given the global nature of REvil’s operations. That said, it is easy to tell others what to do and how to do it when one has no equity in the mix and does not know the number of cooks in the kitchen, nor the sensitivity of the intelligence’s sourcing. To move unilaterally and precipitously by revealing possession of the decryption key may have compromised the sources and methods used to obtain it. Therefore, it is impossible to say whether the FBI’s liaison office and legal attachés abroad were dragging their feet, or whether the coordination among nations and agencies moved amazingly fast given the complex relationships pertaining to source protection.

Universal decryptor for REvil available

The FBI did, eventually, provide the key to a number of cybersecurity companies, which folded the information into “decryptors” to unlock their clients’ data. More publicly, and of use to REvil victims who had neither backups nor a cybersecurity provider helping them recover, Bitdefender released on September 20 a “universal decryptor” that works on any dataset encrypted by REvil before July 13, 2021. Bitdefender noted that the universal decryptor was created as a result of the company’s collaboration with a “trusted law enforcement partner” (not further identified).

In sum, source and equity protection considerations, within the international milieu of facing off against the criminal entities fomenting ransomware as a service, will always be a gating factor when it comes to publicly revealing clandestinely obtained information.

Christopher Burgess

Christopher Burgess is a writer, speaker and commentator on security issues. He is a former senior security advisor to Cisco, and has also been a CEO/COO with various startups in the data and security spaces. He served 30+ years within the CIA, which awarded him the Distinguished Career Intelligence Medal upon his retirement. Cisco gave him a stetson and a bottle of single-barrel Jack upon his retirement. Christopher co-authored the book “Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit Senior Online Safety.