The House Oversight and Reform Committee is seeking a briefing on how the FBI handled the ransomware attack on Kaseya that affected up to 1,500 businesses worldwide, according to a letter today from the committee leadership to FBI Director Christopher Wray.
The letter, signed by Committee Chair Carolyn Maloney, D-N.Y., and Ranking Member James Comer, R-Ky., specifically takes aim at a report that the FBI withheld a decryption tool from affected parties for up to three weeks before sharing it.
“Earlier this summer, a Florida-based software company was the victim of a ransomware attack that compromised between 800 and 1,500 businesses around the world,” the committee heads wrote.
“Although the Federal Bureau of Investigation (FBI) reportedly obtained a digital decryptor key that could have unlocked affected systems, it withheld this tool for nearly three weeks as it worked to disrupt the attack, potentially costing the ransomware victims—including schools and hospitals—millions of dollars. We request information to understand the rationale behind the FBI’s decision to withhold this digital decryptor key and the agency’s approach to responding to ransomware attacks.”
According to prior reporting, the FBI has explained the gap between obtaining the decryption tool and distributing it as a tactic to set up an operation targeting the REvil ransomware group without tipping the group off. However, the same reporting by the Washington Post says that the group’s disappearance from the dark web in July was not the work of any U.S. action, but a tactical vanishing act by the group with law enforcement closing in.
“We request a briefing from the FBI on its legal and policy rationale for withholding the digital decryptor key as it attempted to disrupt this cyberattack, and the FBI’s overall strategy for addressing, investigating, preventing, and defeating ransomware attacks,” Reps. Maloney and Comer wrote. “Ransomware hackers have shown their willingness and ability to inflict damage on various sectors of the U.S. economy.”
REvil, the group behind the Kaseya attack, is the same group that caused Colonial Pipeline to shut down for nearly a week and pay $4.4 million in ransom. The lawmakers are requesting a response from the FBI no later than October 6.
“The growing threat of ransomware attacks requires our federal government agencies – especially the FBI – to respond quickly and effectively to prevent or minimize the damage from these attacks,” the lawmakers wrote.