FBI Held Back Ransomware Decryption Key From Businesses To Run Operation Targeting Hackers (washingtonpost.com)

An anonymous reader quotes a report from The Washington Post: The FBI refrained for almost three weeks from helping to unlock the computers of hundreds of businesses and institutions hobbled by a major ransomware attack this summer, even though the bureau had secretly obtained the digital key needed to do so, according to several current and former U.S. officials. The key was obtained through access to the servers of the Russia-based criminal gang behind the July attack. Deploying it immediately could have helped the victims, including schools and hospitals, avoid what analysts estimate was millions of dollars in recovery costs. But the FBI held on to the key, with the agreement of other agencies, in part because it was planning to carry out an operation to disrupt the hackers, a group known as REvil, and the bureau did not want to tip them off. Also, a government assessment found the harm was not as severe as initially feared. The planned takedown never occurred because in mid-July REvil's platform went offline -- without U.S. government intervention -- and the hackers disappeared before the FBI had a chance to execute its plan, according to the current and former officials. The previously unreported episode highlights the trade-offs law enforcement officials face between trying to damage cyber criminal networks and promptly helping the victims of ransomware -- malware that encrypts data on computers, rendering them unusable.
  • That’s the conundrum. Do you help some or try to stop them from more damage?
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Since the FBI is grossly incompetent, you help the ones you can instead of waiting to "catch Mr. Big". This is demonstrated by their incompetence with Carnivore, Whitey Bulger, Kevin Mitnick, and Aaron Swartz. There are *no* successful convictions of computer crime by the FBI in the last 10 years. The convictions for which the FBI take credit were not run by them: they were run by angry non-federal security personnel.

      • Re: (Score:1, Troll)

        by Narcocide ( 102829 )

        Pretty much this. The chances that one of their own didn't tip off REvil is just about 0%. I'm starting to think the FBI itself is a Russian psy-op.

        • Yea, this was modded down for trolling but it's not trolling. I'm speaking truth in earnest to try to warn you all. Wake up and start paying attention.

      • The FBI is not just incompetent; they are corrupt. That's been the case ever since J. Edgar, and it's still the case. Not everything they do is corrupt, but everything they do is tinged by corruption.

    • Re:Tradeoffs (Score:4, Insightful)

      by tomp ( 4013 ) on Tuesday September 21, 2021 @09:03PM (#61819331) Homepage

      There was no tradeoff. They sacrificed schools and hospitals and got nothing. Turns out they were a day late and a dollar short.

      The winning move was helping schools and hospitals recover. Sadly the FBI chose a different move.

      • Re:Tradeoffs (Score:4, Insightful)

        by dontbemad ( 2683011 ) on Tuesday September 21, 2021 @10:10PM (#61819455)
        Everyone can be an asshole in hindsight. I will rarely defend the actions of any of the Alphabet Boys, but it is supremely juvenile to overlook the reality that there were potentially more hospitals, schools, and God knows what else in the sights of this group. To my knowledge, there were no human casualties. The losses were almost exclusively financial, and brought about by foolish and/or inept Information Security policy at that. There is no trolley problem with monetary loss.
        • by DaHat ( 247651 )

          To my knowledge, there were no human casualties

          We may not know the names of those who died as a consequence, however it appears that ransomware at a hospital can/does lead to increased deaths: https://www.theverge.com/2021/... [theverge.com]

        • During the Second World War, after German codes were broken, British intelligence learned there was going to be a major bombing campaign. The issue for the British government is did they do what they could to prevent the attack, or let the bombing happen because the value of not letting the Germans know their code had been cracked was worth the sacrifice. The British government opted for the latter, and thus the devastating bombing of Coventry occurred. Was it right to sacrifice one city for the greater str

          • Just for the record, the "Sacrifice of Coventry" story from "The Ultra Secret (1974)" has been largely discredited by other Ultra participants and by historians.

    • Consider.
      Computer Security is the red-headed stepchild of business models

    • During the later stages of the Second World War, in the midst of “The Blitz” - the Blitzkrieg, or Germany’s massive bombing campaign, the code-breakers of the UK’s Bletchley Park cracked Enigma - the hardware-based encryption system used to encode messages passed between agencies of the German military.

      In one particular intercepted communication, Bletchley learned of a plan to bomb Coventry, a British city with a significant civilian population. Churchill and the British cabinet w
      • Re:Coventry (Score:5, Informative)

        by jeremyp ( 130771 ) on Wednesday September 22, 2021 @04:32AM (#61819957) Homepage Journal

        The Coventry bombing in question was on November 15th 1940, not "the latter stages of WW2". The British did have advance knowledge of a massive bombing raid, but they did not know where it was going to happen. They knew about the electronic navigation aids used by the Germans but, on that particular night, they jammed the wrong frequency (according to RV Jones who was in charge).

        The story about Churchill throwing Coventry under the bus is a myth.

      • TL;DR; Claim no evidence Enigma code breaking shortened war.

        Actually, breaking the Enigma ciphers helped greatly in the war in the Atlantic. The Allies could route convoys around wolf packs, helping to ensure vital men and material made it to the UK. Had that not been possible, the German U-boat fleet may very well have starved the UK out of the war before allied technological advantages and changing tactics enabled by them turned the tide against the U-boats.

  • by Ostracus ( 1354233 ) on Tuesday September 21, 2021 @08:15PM (#61819225) Journal

    Could it be that someone tipped off the REvil group about the FBI and that's why they disappeared?

    • by XXongo ( 3986865 ) on Tuesday September 21, 2021 @08:19PM (#61819239) Homepage

      Could it be that someone tipped off the REvil group about the FBI and that's why they disappeared?

      Sure looks like it to me.

      Or, possibly they hacked into an account of somebody who was part of the takedown plan and learned about it that way.

    • Re: (Score:2, Interesting)

      by tchdab1 ( 164848 )

      One possible step further: someone at the FBI held back the key to give the hackers time to pack up, cover their tracks, and disappear. Someone on the inside working much too closely with WTF was out there playing.

      • More like the FBI et al weren't competent enough to move in a timely manner, and weren't competent enough to keep it need-to-know internally, so before they were even ready information leaked out first internally and then someone tipped off the bad guys (that's REvil for some of you knuckleheads). Or even better, they used it to catch a mole in their own organization (not likely I know). I definitely hope it isn't a mole higher up the food chain. However, it's happened before. But somehow I don't think Rev

    • Who Are REvil? (Score:4, Interesting)

      by ytene ( 4376651 ) on Wednesday September 22, 2021 @02:03AM (#61819787)
      Interesting question.

      As long as we keep thinking of “REvil” being some random ransomware gang, “someone tipping them off” remains an interesting if unlikely possibility.

      But if you’re willing to consider the possibility that REvil are, in fact, an arms-length unit of a nation-state intelligence service, a service tasked with attacking a political foe, then this becomes a different question. Specifically, what if the hostile nation state currently backing REvil also had intelligence assets within the FBI? Is it possible that such an intelligence asset, given sight of internal reports suggesting that the FBI were moving with determination to tackle ransomware gangs, might suggest that their nation-state-sponsored REvil team “get the heck out of Dodge” before the Sheriff shows up?

      Maybe the biggest risk that REvil faced wasn’t so much being caught or extradited, but more a case of being identified with sufficient clarity to prove the relationship between REvil and a state sponsor?
    • by jeremyp ( 130771 )

      More likely they hacked the business of somebody who was friendly with Vladimir Putin and that's why they disappeared.

  • Plausible method ... (Score:4, Interesting)

    by PinkyGigglebrain ( 730753 ) on Tuesday September 21, 2021 @08:18PM (#61819235)

    They could have released the keys saying some Israeli security researcher cracked the key. The REvil group would not have been tipped off that they had been directly compromised.

    Given Israeli security firms' history of managing to crack encrypted phones and such, it would have been very credible.

    It also isn't the first time a TLA screwed over the people they were supposed to be serving and protecting for whatever "Greater Good" they wanted to carry out.

    • Real crypto experts wouldn't buy an explanation like that.

    • by Glasswire ( 302197 ) on Tuesday September 21, 2021 @08:40PM (#61819283) Homepage

      Sure if you wanted to help those victim companies. But then anonymizing the source of the keys means the FBI wouldn't be able to be seen as the rescuers of those companies when it was ready to release the keys.

    • by ceoyoyo ( 59147 ) on Tuesday September 21, 2021 @08:42PM (#61819295)

      I bet they'd disappear faster if they thought Mossad had hacked them than the American FBI.

    • by ytene ( 4376651 )
      Isn’t that pretty much what happened when they went after Apple, demanding a “Federal Master Key” to access the corporate iPhone of the San Bernardino shooter?

      Apple told them to go jump in a lake and after telling a Judge that it was essential that they were given the “back door” because there was “no other way” of accessing the device they miraculously found some Israeli company that cracked the phone for them.

      I’m not convinced we know the truth of that
  • Screw protecting anyone, there was an opportunity to bust heads.

  • by PPH ( 736903 ) on Tuesday September 21, 2021 @09:12PM (#61819351)

    Then sit down with the victims and instruct them as follows:

    Upon subsequent contact from REvil, just thank them for the key and inform them that the cryptocurrency payment was successfully transferred to the alternate address as instructed by their cohorts.

    Then sit back and watch them murder each other for double-crossing the leaders.

  • All revealing it sooner would have done is meant they would change the key, abandon the potentially compromised server and continue the attack with new keys.
  • To tell the truth about the "Havana Syndrome". . .
  • That's who is really responsible for Microsoft Ransomware.
    • by Anonymous Coward

      Microsoft plays the same game Whitey Bulger did for decades. Dangle the lure of helping them against "the big crime bosses", turn over a few minor secrets, and get away with murder.

  • probably posted already but fuck paywalls

    https://arstechnica.com/inform... [arstechnica.com]

  • Once you enter the bad guys' hideout they may have a pretty good idea they have been burnt.
  • by PPH ( 736903 )

    ... if left to its own devices would probably release El Chapo in the hope that he would lead them to higher-up suspects.

