
The Kaseya ransomware attack, which occurred in July and affected as many as 1,500 companies worldwide, was an enormous, damaging mess, one of the largest and most unwieldy of its kind in recent memory. But new information shows the FBI could have lightened the blow victims suffered, and chose not to.
A new report from the Washington Post shows that, shortly after the attack, the FBI came into possession of a decryption key that could unlock victims' data, allowing them to get their businesses back up and running. However, instead of sharing it with them or with Kaseya, the IT firm targeted by the attack, the bureau kept it secret for roughly three weeks.
The feds reportedly did this because they were planning an operation to "disrupt" the hacker gang behind the attack, the Russia-based ransomware provider REvil, and didn't want to tip their hand. However, before the FBI could put its plan into action, the gang mysteriously disappeared. The bureau finally shared the decryption key with Kaseya on July 21, about a week after the gang had vanished.
A decryption key, which is typically only sent to a victim after they've paid their attacker, unscrambles the data that was encrypted during a ransomware attack and can help an infected company recover. However, attacker-supplied decryptors don't always work particularly well, which is part of the reason authorities insist that victims should never pay ransoms.
So, how did the FBI come into possession of REvil's decryption key? That part is rather odd. The government apparently retrieved it through "access to the servers" of the ransomware gang, though it's unclear how it obtained that access or why it was so easy to come by so shortly after the attack.
The end result of the bureau's aborted operation, then, is that it apparently withheld a crucial tool that could have helped organizations affected by the attack avoid an estimated "millions of dollars in recovery costs." Those organizations included schools, hospitals, and droves of small businesses.
Sources interviewed by the Washington Post chalk this ordeal up to a routine cost-benefit analysis that federal agencies must go through when pursuing criminals.
“The questions we ask each time are, what would be the value of a key if disclosed? How many victims are there? Who could be helped?” one source told the newspaper. “And on the flip side, what would be the value of a potential longer-term operation in disrupting an ecosystem? Those are the questions we will continue to have to balance.”
When reached for comment via email on Tuesday, a spokesperson for Kaseya told Gizmodo that the company was "grateful for the support we were given by the FBI" and couldn't "comment on their decisions regarding timing of the release of the key."
The FBI had not yet responded to a request for comment.
Frankly, this development raises more questions than it answers. For one thing, it implies that the government had access to the hackers' servers, and therefore to the decryption key, almost immediately after the attack took place. While the Post story doesn't disclose the exact date the bureau came into possession of the key, we know that Kaseya first publicly disclosed that it had the key on July 22, around three weeks after the attack took place. How and why the FBI was able to nab the key so quickly is a little baffling.
That said, it's not the first time the feds have, in the course of investigating a ransomware attack, conjured up a pivotal piece of the investigative puzzle seemingly out of thin air. After the Colonial Pipeline attack in May, the government similarly managed to get its hands on the key to the attacking ransomware gang's crypto wallet, allowing it to claw back much of the ransom that had been paid to the criminals. That operation, which saw the Justice Department seize millions in crypto, was never fully explained to the public.
One thing is for certain: the business owners who suffered as a result of the Kaseya attack aren't particularly happy about the deferred decryption. Describing July as a "month of hell," Joshua Justice, who owns affected Maryland IT firm JustTech, told the Post that the period after the attack had cost his business a whole lot of grief.
"I had grown individuals crying to me in person and over the phone asking if their business was going to continue," he said. "I had one man say 'Should I just retire? Should I let my employees go?'"
https://gizmodo.com/report-fbi-had-ransomware-decryption-key-for-weeks-bef-1847715916