FBI Attributes JBS Attack to REvil Ransomware Operation

Ransomware-as-a-Service Operation REvil - aka Sodinokibi - Has Been Making a Killing
FBI Attributes JBS Attack to REvil Ransomware Operation

The identity of the ransomware operation that hit meat processing giant JBS has been revealed: It was the REvil gang, aka Sodinokibi, that did it.

See Also: Strengthening Microsoft 365 with Human-centric Security

The FBI, late on Wednesday, issued a statement attributing the attack to that ransomware-as-a-service - aka RaaS - operation, which appears to be run from Russia.

"As the lead federal investigative agency fighting cyber threats, combating cybercrime is one of the FBI’s highest priorities," the bureau says in its statement. "We have attributed the JBS attack to REvil and Sodinokibi and are working diligently to bring the threat actors to justice."

JBS, based in Sao Paulo, is the world's largest meat processor, and discovered the attack on Sunday. In response, the company shut down servers in North America and Australia, and experts warned that any prolonged outage could noticeably impact the global supply of meat.

The company has not disclosed if it received any ransom demand. But on Wednesday, JBS reported that its restoration efforts were continuing to proceed quickly, and that it expected to resume full operations on Thursday.

"JBS USA and Pilgrim's continue to make significant progress in restoring our IT systems and returning to business as usual," Andre Nogueira, CEO of JBS USA, said in a statement issued Wednesday.

On Wednesday, "the vast majority of our facilities resumed operations as we forecast yesterday, including all of our pork, poultry and prepared foods facilities around the world and the majority of our beef facilities in the U.S. and Australia," he said.

“Given the progress our teams have made to address this situation, we anticipate operating at close to full capacity across our global operations" on Thursday," he added.

JBS says it has not found any evidence that its attackers accessed or stole customer, supplier or employee data.

No Word From REvil's 'Happy Blog'

As of Thursday, REvil had not formally taken credit for the attack. Such a pronouncement would typically have been issued via its "happy blog" data leak site, reachable only via the anonymizing Tor browser. Such sites, now run by many ransomware operators, are designed to name and shame victims into paying.

The sites are also often used to leak data stolen from victims, again to pressure them into paying. Non-paying victims often see all of their stolen data get dumped, to stand as a threat to future victims that refuse to pay.

But before victims get listed on data leak sites, experts say gangs will typically attempt to engage with victims and begin negotiations. Typically, gangs will demand a ransom for a decryption tool. Some gangs also practice "double extortion" demanding more money for a promise that they'll delete stolen data.

This is far from the first attack attributed to REvil - aka Sodinokibi and Sodin - which experts say has been making a killing for the past couple of years, since it seized the RaaS mantle from GandCrab when that operation was retired in the middle of 2019.

But if it's not clear if any ransomware operators have themselves retired, or simply rejigged their code and set up shop under a new name. Many security experts, notably, suspect that at least some of GandCrab's code - if not people - ended up as part of REvil.

Regardless, REvil was the most-seen type of malware encountered by ransomware victims in the first three months of this year, says ransomware incident response firm Coveware.

Source: Coveware, based on thousands of cases investigated

Security experts say the success of REvil is due in large part to the efficacy of the RaaS business model, which involves operators developing crypto-locking malware, payment portals for victims, data leak sites, as well as sometimes handling negotiations. Operators then vet and recruit affiliates, which in the case of REvil include individuals who are highly skilled at network penetration, working with cloud environments, negotiation and other attributes, experts say.

Affiliates are each given a customized version of the ransomware, then tasked with finding and infecting victims. For each victim that pays, the operator keeps a cut, then distributes the remaining amount to the responsible affiliate, via a profit-sharing model. At least in 2019, REvil was advertising that affiliates would keep 60% of every ransom payment, rising to 70% after they logged three successful ransom payments.

White House Calls Out Russia

The FBI has been probing the JBS attack, with the U.S. Cybersecurity and Infrastructure Security Agency providing technical assistance.

"We continue to focus our efforts on imposing risk and consequences and holding the responsible cyber actors accountable," the FBI said.

From a diplomatic perspective, the Biden administration has moved quickly in response to the attack. On Wednesday, the White House rebuked Moscow, saying that the ransomware attack had originated from inside Russia.

"The White House is engaging directly with the Russian government on this matter and delivering the message that responsible states do not harbor ransomware criminals," Karine Jean-Pierre, a principal deputy press secretary, told reporters.

Russia, however, does not extradite its citizens to other countries.

Ransomware Hits Continue

Security experts say that until other ways are found to disrupt the ransomware business model, attacks will remain common.

"The problem has been spiraling out of control," John Hultquist, who heads intelligence analysis at cybersecurity firm FireEye, tells The Associated Press. "We’re already deep into a vicious cycle."

That cycle has seen many ransomware operations focusing more on big-game hunting, which refers to the practice of taking down larger victims - such as JBS or Colonial Pipeline - in the quest for bigger ransom payoffs. Many gangs have found that with a bit more effort, they can hit much larger targets and reap higher rewards.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.