[BreachExchange] REvil, A Notorious Ransomware Gang, Was Behind JBS Cyberattack, The FBI Says

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Thu Jun 3 16:52:07 EDT 2021


https://www.wabe.org/revil-a-notorious-ransomware-gang-was-behind-jbs-cyberattack-the-fbi-says/

The world’s largest meat processing company has resumed most production
after a weekend cyberattack, but experts say the vulnerabilities exposed by
this attack and others are far from resolved.

In a statement late Wednesday, the FBI attributed the attack on
Brazil-based meat processor JBS SA to REvil, a Russian-speaking gang that
has made some of the largest ransomware demands on record in recent months.
The FBI said it will work to bring the group to justice and it urged anyone
who is the victim of a cyberattack to contact the bureau immediately.

REvil has not posted anything related to the hack on its dark web site. But
that’s not unusual. Ransomware syndicates as a rule don’t post about
attacks when they are in initial negotiations with victims — or if the
victims have paid a ransom.

In October, a REvil representative who goes by the handle “UNKN” said in an
interview published online that the agriculture sector would now be a main
target for the syndicate. REvil also threatened to auction off sensitive
stolen data from victims who refused to pay it.

The attack targeted servers supporting JBS’s operations in North America
and Australia. Backup servers weren’t affected and the company said it was
not aware of any customer, supplier or employee data being compromised.

JBS said late Wednesday that it expects to resume production at all its
plants on Thursday and be running at “close to full capacity” across its
global operations.

It is not known if JBS paid a ransom. The company hasn’t discussed it in
public statements, and did not respond to phone and email messages
Wednesday seeking comment.

The FBI and the White House declined to comment on the ransom. White House
Press Secretary Jen Psaki said Wednesday the U.S. is considering all
options in dealing with the attack and that President Joe Biden intends to
confront Russia’s leader, Vladimir Putin, about his nation’s harboring of
ransomware criminals when the two meet in Europe in two weeks.

“I can assure you that we are raising this through the highest levels of
the U.S. government,” she said. “The president certainly believes that
President Putin has a role to play in stopping and preventing these
attacks.”

While there is no evidence Russia benefits financially from ransomware
crime — which has hit health care, education and state and local
governments especially hard during the pandemic — U.S. officials say its
practitioners have sometimes worked for Kremlin security services.

Ransomware expert Allan Liska of the cybersecurity firm Recorded Future
said JBS was the largest food manufacturer yet to be hit by ransomware, in
which criminal hackers paralyze entire networks by scrambling their data.
But he said at least 40 food companies have been targeted by ransomware
gangs over the last year, including brewer Molson Coors and E & J Gallo
Winery.

Food companies, Liska said, are at “about the same level of security as
manufacturing and shipping. Which is to say, not very.”

The attack was the second in a month on critical U.S. infrastructure.
Earlier in May, hackers believed to operate with impunity in Russia and
allied states shut down operation of the Colonial Pipeline, the largest
U.S. fuel pipeline, for nearly a week. The closure sparked long lines and
panic buying at gas stations across the Southeast. Colonial Pipeline
confirmed it paid $4.4 million to the hackers, who then turned over a
software decryption key.

Cybersecurity experts said the attacks targeting critical sectors of the
U.S. economy are evidence that industry hasn’t been taking years of
repeated warnings seriously.

Cybercriminals previously active in online ID theft and bank fraud moved
into ransomware in the mid-2010s as programmers developed sophisticated
programs that permitted the software’s more efficient dissemination.

The ransomware scourge reached epidemic dimensions last year. The firm
CrowdStrike observed over 1,400 ransomware and data extortion incidents in
2020. Most targeted manufacturing, industrials, engineering and technology
companies, said Adam Meyers, the company’s senior vice president of
intelligence.

“The problem has been spiraling out of control,” said John Hultquist, who
heads intelligence analysis at FireEye. “We’re already deep into a vicious
cycle.”

Hultquist said ransomware syndicates are going after more critical and
visible targets because they’ve invested heavily in identifying “whales” –
companies they think will yield big ransoms.

JBS is the second-largest producer of beef, pork and chicken in the U.S. If
it were to shut down for even one day, the U.S. would lose almost a quarter
of its beef-processing capacity, or the equivalent of 20,000 beef cows,
according to Trey Malone, an assistant professor of agriculture at Michigan
State University.

Mark Jordan, who follows the meat industry as the executive director of
Leap Market Analytics, said the disruption to the food supply will likely
be minimal in this case. Meat has around a 14-day window to move through
the market, he said. If a plant is closed for a day or two, companies can
usually make up for lost production with extra shifts.

“Several plants owned by a major meatpacker going offline for a couple of
days is a major headache, but it is manageable assuming it doesn’t extend
much beyond that,” he said.

Jordan said a closure that runs closer to a week would be more serious,
especially for a company like JBS, which controls around one-fifth of the
country’s beef, pork and chicken supply.

Critical U.S. infrastructure might be better hardened against ransomware
attacks were it not for the 2012 defeat of legislation that would have set
cybersecurity standards for critical industries.

The U.S. Chamber of Commerce and other business groups lobbied hard against
the bill, condemning it as government interference in the free market. Even
a watered-down version that would have made the standards voluntary was
blocked by a Republican filibuster in the Senate.

Right now, the U.S. has no cybersecurity requirements for companies outside
of the electric, nuclear and banking systems, said David White, president
of the cyber risk management company Axio.

White said regulations would help, particularly for companies with
inadequate or immature cybersecurity programs. Those rules should be
sector-specific and should consider the national economic risks of outages,
he said.

But he said regulations can also have an unintentional negative effect.
Some companies might consider them the ceiling — not the starting point —
for how they need to manage risk, he said.

“Bottom line: regulation can help, but it is not the panacea,” White said.

JBS plants in Australia resumed limited operations Wednesday in New South
Wales and Victoria states, Agriculture Minister David Littleproud said. The
company hoped to resume work in Queensland state on Thursday, he said.

JBS, which is a majority shareholder of Pilgrim’s Pride, didn’t say which
of its 84 U.S. facilities were closed Monday and Tuesday because of the
attack. It said JBS USA and Pilgrim’s were able to ship meat from nearly
all facilities Tuesday. Several of the company’s pork, poultry and prepared
foods plants were operational Tuesday and its Canada beef facility resumed
production, it said.

The plant closures reflect the reality that modern meat processing is
heavily automated, for both food- and worker-safety reasons. Computers
collect data at multiple stages of the production process; orders, billing,
shipping and other functions are all electronic.