Why The FBI Held Back a Ransomware Decryption Key for 19 Days

America's Federal Bureau of Investigation 'refrained for almost three weeks from helping to unlock the computers of hundreds of businesses and institutions hobbled by a major ransomware attack this summer,' reports the Washington Post, 'even though the bureau had secretly obtained the digital key needed to do so, according to several current and former U.S. officials.'
The key was obtained through access to the servers of the Russia-based criminal gang behind the July attack. Deploying it immediately could have helped the victims, including schools and hospitals, avoid what analysts estimate was millions of dollars in recovery costs. But the FBI held on to the key, with the agreement of other agencies, in part because it was planning to carry out an operation to disrupt the hackers, a group known as REvil, and the bureau did not want to tip them off. Also, a government assessment found the harm was not as severe as initially feared.

The planned takedown never occurred because in mid-July REvil's platform went offline — without U.S. government intervention — and the hackers disappeared before the FBI had a chance to execute its plan, according to the current and former officials... The FBI finally shared the key with Kaseya, the IT company whose software was infected with malware, on July 21 — 19 days after it was hit. Kaseya asked New Zealand-based security firm Emsisoft to create a fresh decryption tool, which Kaseya released the following day. By then, it was too late for some victims...

On Tuesday, FBI Director Christopher A. Wray, testifying before Congress, indicated the delay stemmed in part from working jointly with allies and other agencies. 'We make the decisions as a group, not unilaterally,' he said, noting that he had to constrain his remarks because the investigation was ongoing... He also suggested that 'testing and validating' the decryption key contributed to the delay. 'There's a lot of engineering that's required to develop a tool' that can be used by victims, he said at a Senate Homeland Security Committee hearing.
Emsisoft, however, was able to act quickly. It extracted the key from what the FBI provided Kaseya, created a new decryptor and tested it — all within 10 minutes, according to Fabian Wosar, Emsisoft chief technology officer. The process was speedy because the firm was familiar with REvil's ransomware. 'If we had to go from scratch,' Wosar said, 'it would have taken about four hours.'

Read more of this story at Slashdot.