
White House Puts Russia on Notice Over JBS Ransomware Hit

In Wake of Colonial Pipeline Attack, Ransomware as Unrestrained as Ever, Experts Say
JBS's facility in Greeley, Colorado. (Photo: Mizzou CAFNR via Flickr/CC)

The White House says it has put Russia on notice over the ransomware attack against meat processing giant JBS. It's a sign of quick action by the U.S. government after Colonial Pipeline, but experts say the ransomware scourge is clearly still business as usual.

The FBI is probing the attack on JBS, with the U.S. Cybersecurity and Infrastructure Security Agency offering technical assistance to the company, which is based in Sao Paulo but has offices in the United States.

Speaking to reporters Tuesday aboard Air Force One, White House principal deputy press secretary Karine Jean-Pierre said JBS believes the ransomware attack was launched from Russia, which has led the Biden administration to deliver a stern warning to Moscow.

"The White House is engaging directly with the Russian government on this matter and delivering the message that responsible states do not harbor ransomware criminals," Jean-Pierre told reporters, according to a transcript of her remarks. "The FBI is investigating the incident, and CISA is coordinating with the FBI to offer technical support to the company in recovering from the ransomware attack."

JBS: Resuming Production

JBS says it discovered the incident on Sunday. The company has not described which gang might have targeted it or whether a ransom has been demanded. But security firms have noted that no ransomware operation has claimed credit for the attack via a data leak site, where gangs often attempt to name, shame and shake down victims.

The meat processor says the attack affected servers in Canada, North America and Australia, and operations were halted in those geographies on Monday. But the company says it continues to make steady progress with its recovery.

"Our systems are coming back online, and we are not sparing any resources to fight this threat," says Andre Nogueira, CEO of JBS USA. "We have cybersecurity plans in place to address these types of issues, and we are successfully executing those plans."

JBS says operations in Canada are fully back online, and that the "vast majority" of affected beef, pork, poultry and prepared food plants should resume operations by the end of Wednesday, including in the U.S. and Australia.

The White House says the U.S. Department of Agriculture is contacting other meat suppliers to ensure they're aware of the JBS incident and taking steps to defend themselves against similar attacks. Agriculture operations and food processing facilities are designated by CISA as being critical infrastructure. But food plants - similar to manufacturing plants - have often proven to be soft targets for ransomware distributors, says Allan Liska, who is part of cybersecurity firm Recorded Future's computer security incident response team.

"In general, food processing has been easy pickings," Liska says.

Pace of Ransomware Attacks Continues

The attack against JBS comes just a few weeks after the May 7 infection of Colonial Pipeline Co., which triggered fuel shortages and more worries about the vulnerability of critical infrastructure. At first, the Colonial Pipeline incident appeared as if it might be a watershed moment that changed the dynamics of the ransomware scene (see: Colonial Pipeline Attack Leads to Calls for Cyber Regs).

With officials signaling a ransomware crackdown, two cybercrime forums - Raid and XSS - claimed they would no longer allow ransomware gangs to advertise on their sites, including recruiting affiliates. But experts say any such bans, if indeed they are real, appear to be only loosely enforced.

The ransomware operation responsible for the hit on Colonial Pipeline was DarkSide. DarkSide used a ransomware-as-a-service model, in which affiliates use the group's malware and share the profits from paid ransoms. RaaS groups often develop other infrastructure for affiliates, such as payment portals for victims and dedicated data-leaking sites.

In the immediate aftermath of the attack, DarkSide claimed it would be more closely monitoring the types of organizations its affiliates target. Subsequently, however, the gang said it would cease affiliate operations altogether. Given the heat generated by the Colonial Pipeline hit, some experts expect the operators to rebrand their efforts under a different name (see: Ransomware Gangs 'Playing Games' With Victims and Public).

Despite public outrage over the increase in ransomware attacks targeting U.S. public infrastructure, attackers don't seem deterred. In recent weeks, "there really hasn't been a slowdown at all in ransomware," Recorded Future's Liska says.

Indeed, at least 16 victim organizations have seen their private data get dumped by ransomware operators since the Colonial Pipeline incident, he says.

Leaks Target CD Projekt Red

On Tuesday, for example, attackers publicly posted source code belonging to Polish game development firm CD Projekt Red. The company first disclosed on Feb. 9 that it had been hit by ransomware. Its attacker claimed to have first stolen the source code for the games Cyberpunk 2077, Witcher 3 and Gwent.

CD Projekt Red said in February, "We will not give in to the demands nor negotiate with the actor." Even four months later, however, the company is still being harassed by its attackers.

Ransomware affiliates also appear unfazed by the events of the last few weeks and the disappearance of DarkSide. "It's very easy for affiliates to jump from one ransomware to another," Liska says. "We've kind of seen the hole filled by DarkSide's absence with an uptick in attacks from Avaddon and Conti ransomware and other second-tier RaaS [operators]."

The attention around Colonial Pipeline was never going to have a significant impact on ransomware activity itself, says Brett Callow, a threat analyst with Emsisoft. "The only thing it may have changed is governments' response," he says.

Long-Term Fight

The U.S. government has been moving to more aggressively combat ransomware. In April, the Justice Department launched the Ransomware and Digital Extortion Task Force, which aims to disrupt ransomware-wielding crime syndicates.

Meanwhile, the Institute for Security and Technology has coordinated a new Ransomware Task Force, which has outlined strategies for fighting ransomware. Recommendations include pressuring countries where ransomware gangs operate, improving intelligence efforts, mandating that victims report payments and consider alternatives before paying, and analyzing cryptocurrency payment channels for chokepoints (see: Fighting Ransomware: A Call for Cryptocurrency Regulation).

The U.S. has previously tested using sanctions to disrupt gangs. In December 2019, the Treasury Department added the crime gang called Evil Corp to its list of sanctioned entities, noting that it was one of the world's most prolific cybercriminal organizations.

Arguably, however, these are long-term, as yet unproven strategies for potentially disrupting a threat that still poses an immediate, existential threat to numerous organizations.

Executive Editor Mathew Schwartz contributed to this report.
About the Author

Jeremy Kirk
Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.