FBI Director: Kaseya’s ‘Swift Response’ Yielded REvil Ransomware Attack Arrests
‘Kaseya’s swift response allowed the FBI and our partners to quickly figure out which of its customers were hit, and for us to quickly share with Kaseya and its customers information about what the adversaries were doing, what to look for, and how the companies could best address the danger,’ said FBI Director Christopher Wray at a press conference Monday.
The U.S. Department of Justice and Federal Bureau of Investigation on Monday hailed Kaseya for its role in helping lead officials to charges against two individuals behind the massive July ransomware attack, one of whom has been arrested, and held the company up as an example of what others should do in the face of a similar attack.
Officials of the two organizations disclosed the cooperation with Kaseya Monday at a press conference at which they unveiled the arrest of Ukrainian national Yaroslav Vasinski for deploying the REvil ransomware in the July attack. The DOJ also charged Russian national Yevginiy Polyanin with conspiracy to commit fraud and other offenses.
The DOJ also said it had seized $6.1 million in cryptocurrency from Polyanin, allegedly traceable to REvil ransom payments.
U.S. Attorney General Merrick Garland said that Kaseya and its customers were attacked on July 2 by REvil, one of the most prolific strains of ransomware.
“To date, REvil ransomware has been deployed on approximately 175,000 computers worldwide, with at least $200 million paid in ransom,” Garland said. “As a result of the Kaseya attack, businesses that relied on Kaseya services across the United States and around the world were impacted.”
Lisa Monaco, deputy attorney general, said the case underscores the importance of victims coming forward and working with the Justice Department and FBI as soon as they are hit with an incident.
“I want to make clear that we are here today because, in their darkest hour, Kaseya made the right choice,” Monaco said. “And they decided to work with the FBI. Almost immediately after they were hit, Kaseya provided the FBI with information they needed to act. And to act fast. In doing so, we were ultimately able to identify and help many victims of this attack and also to follow the trail to Vasinski. Equally important, we worked with our partners at CISA (the Cybersecurity and Infrastructure Security Agency) to provide information to the public and to help prevent future attacks.”
FBI Director Christopher Wray said that Kaseya was one of several organizations worldwide which were impacted by the REvil ransomware.
“When Kaseya realized that some of their customers’ networks were infected with ransomware, they immediately took action,” Wray said. “They worked to make sure that both their own customers, the managed service providers, and those MSPs’ customers downstream quickly disabled Kaseya’s software on their systems.”
Kaseya also engaged early with the FBI, Wray said.
“The FBI then coordinated with a host of key partners including CISA and foreign law enforcement and intelligence services so Kaseya could benefit from all of our expertise and reach as it worked to put out the fire,” he said. “Kaseya’s swift response allowed the FBI and our partners to quickly figure out which of its customers were hit, and for us to quickly share with Kaseya and its customers information about what the adversaries were doing, what to look for, and how the companies could best address the danger.”
The FBI obtained a decryption key, which allowed it to build a usable capability to unlock Kaseya’s customers’ data.
“We immediately strategized with our interagency partners and reached a carefully considered decision about how to help the most companies possible both by providing the key and by maximizing our government’s impact on our adversaries who were continuing to mount new attacks,” he said. “Fortunately, we were able to both unlock encrypted data and take bad actors out of operation.”
A reporter asked whether, after Kaseya came to the FBI, the bureau had struck the right balance between providing Kaseya with the decryption key and maximizing its law enforcement activities, given reports that the FBI did not immediately release the key. Wray declined to confirm or deny the timeline of those events.
“But what I would say is, I think it’s important for people to understand that, when we find technical information like decryption keys, first of all, I wish we would find them more often,” he said. “It’s not something that happens in every case. But it’s a specific goal in every investigation. That’s something that our folks are tasked with looking for. It’s not something we just kind of stumble across by happenstance. It’s a specific aim of the investigation so that we can turn around and push it out to companies, victims, and potential victims.”