Ransomware victims panicked while FBI secretly held REvil decryption key


For three weeks during the REvil ransomware attack this summer, the FBI secretly withheld the key that would have decrypted data and computers on up to 1,500 networks, including those run by hospitals, schools, and businesses.
The FBI had penetrated the REvil gang’s servers to obtain the key, but after discussing it with other agencies, the bureau decided to wait before sending it to victims for fear of tipping off the criminals, The Washington Post reports. The bureau had hoped to take down REvil’s operations before the gang learned its servers were compromised, sources told the Post.

“We make the decisions as a group, not unilaterally,” FBI Director Christopher Wray told Congress on Tuesday. “These are complex… decisions, designed to create maximum impact, and that takes time in going against adversaries where we have to marshal resources not just around the country but all over the world.”
REvil has a long history of using high-pressure tactics to extort victims. The Russia-based gang first appeared in 2019, and it was on a tear earlier this year. In March, the group hacked a celebrity law firm that represented U2, Madonna, and Lady Gaga, demanding $21 million. When the law firm balked, REvil doubled the demand and released some of Lady Gaga’s files. In April, the gang stole data from contract manufacturer Quanta Computer, publishing details of two Apple products. Then in May, it shut down Colonial Pipeline’s operations from New Jersey to Texas, leading to fuel shortages.

Grocery stores in Sweden, town halls in Maryland, schools in New Zealand, and a hospital in Romania were all affected by the attack. Coop, the Swedish grocery store chain, closed around 700 stores and took some six days to reopen. Other victims spent weeks restoring their systems.
Last Thursday, cybersecurity firm Bitdefender published a universal decryptor tool for networks and computers encrypted before REvil’s hibernation began on July 13. About 250 victims have used the tool so far, a Bitdefender executive said. The key that made the tool possible reportedly came from a law enforcement agency—but not the FBI.
Despite the FBI’s efforts to take it down, REvil is back this month with a new string of attacks, ensnaring at least eight new victims, the Post reported. The Bitdefender tool, however, won’t work for the new victims, a sign that REvil has retooled its operations after a brief downtime.