The FBI Could Help Retrieve Your Data After a Ransomware Attack

To pay or not to pay? That is the question leadership and security teams ask whenever they deal with a ransomware attack.

The recommendation from the FBI is to not pay, stating on its website that “paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.”

And the FBI could play a role in ensuring you avoid paying the ransom and get your data back without having to deal with the cybercriminal gang.

Tools Unavailable to Most Organizations

One of the first things an organization should do if it is hit with a ransomware attack is contact the FBI. It’s not just because a ransomware attack is a crime—although that is a compelling reason. It’s because law enforcement agencies have tools that can help you get your stolen or encrypted data back.

Perhaps one of the most eye-opening messages at RSA this year was the revelation that the FBI has the ability to decrypt data held for ransom. (Had it been mentioned only once, it would have raised some questions but could easily have been dismissed. Instead, it was repeated in a number of ransomware-related sessions and by a couple of keynote speakers.) As was mentioned more than once, the FBI has access to the encryption codes for a number of ransomware variants and, as at least one speaker suggested, ransomware gangs are lazy and rarely bother to change encryption keys.

In a document aimed at CISOs and security teams, the FBI stated that law enforcement has access to tools that most organizations do not and can enlist the assistance of international partners to help retrieve data. The document also pointed out that the FBI can conduct investigations that minimize disruptions and works closely with the organization to limit “unwarranted disclosure of information.”

Emphasis on Victim Recovery

Ransomware has become so disruptive that the FBI has put a greater emphasis on victim recovery, Deputy Attorney General Lisa Monaco told The Record podcast.

“We need to take those steps that can help prevent the next victim,” Monaco said.

This was evident in the FBI’s recent takedown of the Hive ransomware variant. As the Department of Justice explained, “Since late July 2022, the FBI has penetrated Hive’s computer networks, captured its decryption keys and offered them to victims worldwide, preventing victims from having to pay $130 million in ransom demanded.”

In its focus on victim recovery, the FBI has shifted its strategy. The goal now is to disrupt the threat actors and cut into their revenues. To take down Hive, the FBI infiltrated the Hive crime ring’s servers and “hacked the hackers.” Much as threat actors would, the FBI’s team moved around Hive’s server network and took control of it, to the point that they were able to create decryption keys for victims of the ransomware attack.

It’s not the first time that the FBI offered decryption keys to victims. The agency released master keys for GandCrab ransomware variants in 2019. But two years later, the FBI was also condemned for not releasing the decryption keys for the Kaseya ransomware attack in a timely manner, deciding instead to go on the attack against the Russian gang REvil, which was responsible for the ransomware.

Federal law enforcement is uniquely situated to be an ally in your organization’s battle against ransomware. If “contact the FBI to report the ransomware attack” isn’t already in your post-attack procedure guidelines, it should be added as one of the first steps in the mitigation phase. Taking that step will go a long way in guiding your decision about whether or not to pay a ransom. Chances are favorable that you can recover your data with the FBI’s assistance at no cost and little disruption.

Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.