REvil Ransomware Ground Down JBS: Sources

Responsible nations don’t harbor cybercrooks, the Biden administration admonished Russia, home to the gang that reportedly froze the global food distributor’s systems.

The cyberattack that flattened operations at JBS Foods over the weekend was indeed a ransomware strike, the global food distributor has confirmed to the Biden administration, with sources pointing to the REvil Group as the responsible gang.

Four people familiar with the matter who weren’t authorized to speak publicly told Bloomberg that the notorious Russia-linked hacking group is behind the attack against JBS SA. The REvil cyber gang also goes by the name Sodinokibi.

REvil is known for both audacious attacks on the world’s biggest organizations and suitably astronomical ransoms. In April, it put the squeeze on Apple just hours before its splashy new product launch, demanding a whopping $50 million extortion fee: a bold move, even for the notorious ransomware-as-a-service (RaaS) gang. The original attack was launched against Quanta, a Global Fortune 500 manufacturer of electronics, which claims Apple among its customers. The Taiwanese-based company was contracted to assemble Apple products, including Apple Watch, Apple Macbook Air and Pro, and ThinkPad, from an Apple-provided set of design schematics.

The JBS attackers targeted several servers supporting North American and Australian IT systems of JBS Foods on Sunday, according to a statement by JBS USA. JBS is a global provider of beef, chicken and pork with 245,000 employees operating on several continents and serving brands such as Country Pride, Swift, Certified Angus Beef, Clear River Farms and Pilgrim’s.

The “vast majority” of JBS Foods’ beef, pork, poultry and prepared foods plants will be operational by today, the company said on Tuesday.

Andre Nogueira, JBS USA CEO, said in a statement that the company’s systems are coming back online and that it’s “not sparing any resources to fight this threat.” JBS has cybersecurity plans in place for these types of incidents and is successfully executing them, he said. In the case of a ransomware attack, that means relying on backups. Fortunately, JBS’ backup servers weren’t affected, and it’s been working with a third-party incident-response firm to restore operations as soon as possible.

It lucked out in that regard: Security experts have noted that attacks are getting more vicious and more destructive, with attackers taking the extra time and effort to remove backups prior to deploying ransomware.

As of Tuesday, JBS USA and Pilgrim’s were able to ship food from nearly all of its U.S. facilities, Nogueira noted, and were still making progress in resuming plant operations in the U.S. and Australia. “Several of the company’s pork, poultry and prepared foods plants were operational today and its Canada beef facility resumed production,” he said.

To date, JBS hasn’t found evidence that any customer, supplier or employee data was compromised.

White House Chides Russia

According to White House Press Secretary Karine Jean-Pierre, JBS told the administration on Sunday that it believes the ransomware attack was launched from a criminal organization, likely based in Russia.

Speaking to reporters Tuesday aboard Air Force One, Jean-Pierre said that the Biden administration told the Russian government that it’s not nice to harbor cybercrooks. “The White House is engaging directly with the Russian government on this matter and delivering the message that responsible states do not harbor ransomware criminals,” she said, according to a transcript of her remarks. She said that JBS notified the White House on Sunday that they were victimized in a ransomware attack.

The White House has offered assistance to JBS: Its team and the Department of Agriculture have spoken to the company’s leadership several times since Sunday’s attack, Jean-Pierre said. As well, the FBI is investigating the incident in coordination with the Cybersecurity and Infrastructure Security Agency (CISA) to offer technical support to the company as it pulls itself back into production.

“Combating ransomware is a priority for the administration,” the press secretary went on. “President Biden has already launched a rapid strategic review to address the increased threat of ransomware to include four lines of effort: one, distribution of ransomware infrastructure and actors working closely with the private sector; two, building an international coalition to hold countries who harbor ransom actors accountable; expanding cryptocurrency analysis to find and pursue criminal transaction; and reviewing the USG’s ransomware policies.”

The government’s reaction to the JBS hit is an echo of the reaction to last month’s attack on a major U.S. oil pipeline, when ransomware group DarkSide targeted operator Colonial Pipeline Co., disrupting fuel supply in the Eastern part of the U.S.

That attack prompted President Joe Biden to declare a state of emergency and caused substantial pain at gas pumps in the Southeast. DarkSide made off with a $5 million ransomware payout from Colonial to decrypt its frozen systems but published a mea culpa over the uproar, emphasizing that it was in it for the cash, not to disrupt people’s lives. Somebody or somebodies weren’t convinced: The ransomware-as-a-server (RaaS) gang’s servers were subsequently shuttered. A week later, DarkSide got hauled into the underground’s “Hacker’s Court” for failing to pay its affiliates.

Biden’s executive order asked for “bold and significant changes” to tight deadlines on complex systems — tethered to a significant shift in technology. It does raise question, however, as noted by David Wolpoff, CTO and co-founder of Randori. Writing for Threatpost’s Infosec Insider, he questioned the EO’s “Heavy emphasis on migrating traditionally on-premises systems to the cloud” and call for rapid change in the name of cybersecurity. “It does not address the issue of the interconnectedness of a cloud migration,” Wolpoff noted. “If we move too fast, while attempting to shift to the cloud, we will create more issues.”

The Meat Industry’s Full of Sitting Ducks

Security ratings provider BitSight has been tracking the ransomware risk to the food production industry and says that the industry is setting itself up, with 40 percent of companies at increased risk due to poor patching practices. On Tuesday, the company told Threatpost in an email that food companies “are taking longer to patch vulnerabilities than the recommended industry standard, leaving them at higher risk.”

In fact, BitSight said, more than 70 percent of food companies are at increased risk of ransomware due to “less-than-ideal” security practices. ” Compared to other sectors, food production is in the 60th percentile of security performance, making it markedly more at-risk to ransomware than other sectors like Credit Unions (52 percent), Insurance (62 percent) and Finance (60 percent), which lead all sectors in security performance excellence,” it said.

But all industries are vulnerable, according to cyber threat intelligence firm Cyber Security Cloud Inc. “The recent cyberattacks on the Colonial Pipeline and now JBS USA show us that all infrastructures are vulnerable,” CEO Toshihiro Koike told Threatpost via email on Tuesday. “If organizations don’t start taking cybersecurity seriously, these attacks will continue to happen. Preventing a cyberattack is like preventing a home invasion: You must continuously update your security and educate the persons behind the walls.”

Threatpost has asked JBS Foods to comment on the attribution of the attack to REvil/Sodinokibi. 

060321 14:31 UPDATE: Clarified source of the confirmation that this was a ransomware attack: According to White House Press Secretary Karine Jean-Pierre, JBS told the White House on Sunday that it had suffered a ransomware attack.

Download our exclusive FREE Threatpost Insider eBook, 2021: The Evolution of Ransomware,” to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what’s next for ransomware and the related emerging risks. Get the whole story and DOWNLOAD the eBook now – on us!

Suggested articles

Discussion

  • Concerned Journalist on

    "JBS Foods over the weekend was indeed a ransomware strike, the global food distributor has confirmed," No they haven't lol. Blatant lie. The source you link to does not mention ransomware or REvil at all.
    • Lisa Vaas on

      They confirmed it to the Biden administration, per White House Press Secretary Karine Jean-Pierre's remarks to the press. I'll clarify that.
  • Rasmus Larsen on

    Seems like a mistake - Thinkpad is Lenovo now right? "including Apple Watch, Apple Macbook Air and Pro, and ThinkPad"

Leave A Comment

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.