FBI Attributes JBS Cyberattack To Russia-Linked 'REvil' Ransomware Operation
GREELEY, Colo. (CBS4) - The cyberattack that disrupted operations at JBS, the world's largest meat supplier, is now attributed to a Russia-linked ransomware operation. In a statement on Wednesday, the Federal Bureau of Investigation said it is working diligently to bring the threat actors known as "REvil" or "Sodinokibi" to justice.
"As the lead Federal investigative agency fighting cyber threats, combatting cybercrime is one of the FBI's highest priorities," the statement reads. "We continue to focus our efforts on imposing risk and consequences and holding the responsible cyber actors accountable. Our private sector partnerships are essential to responding quickly when a cyber intrusion occurs and providing support to victims affected by our cyber adversaries. A cyber attack on one is an attack on us all. We encourage any entity who is the victim of a cyber attack to immediately notify the FBI through one of our 56 field offices."
JBS became aware of the cyberattack on Sunday over Memorial Day weekend. In a statement on Tuesday night, the company said it had made "significant progress" in resolving the hack, which disrupted operations at more than a dozen U.S. facilities, including a beef plant in Greeley. JBS officials said the "vast majority" of its meatpacking plants would be operational by Wednesday.
"Our systems are coming back online and we are not sparing any resources to fight this threat. We have cybersecurity plans in place to address these types of issues and we are successfully executing those plans," stated Andre Nogueira, JBS USA CEO. "The company is not aware of any evidence at this time that any customer, supplier or employee data has been compromised."
The REvil Ransomware-as-a-Service (RaaS) operation, also known as Sodinokibi, provides malware kits for criminal affiliates to launch cyberattacks in exchange for a cut of the profit, usually around 20-30%. In October 2020, REvil reportedly invested $1 million in bitcoin to employ new recruits, according to Forbes.
In previous operations, REvil has used spearphishing techniques to gain access to systems via malicious attachments, including Microsoft Word documents. It's unclear how the criminal group gained access to servers supporting JBS's North American and Australian IT systems.
JBS has not said how much ransom the hackers are demanding and if the company plans to pay. The company's operations in Mexico and the UK were not impacted by the breach.
In a tweet on Wednesday, Rep. Ken Buck, a Republican who represents Colorado's 4th Congressional District, urged the Biden administration to hold REvil distributors and affiliates criminally accountable for the attack.
IBM Security X-Force reports REvil profited at least $81 million from extortion threats in 2020. Cybersecurity experts say the criminal group appears to consider an organization's annual revenue, with ransom demands ranging from $1,500 to $42 million.
"REvil has been one of those most prolific groups and accounts for about 4% of all ransomware activity. The group has also been responsible for some of the largest ransoms to have become publicly known, including a $42 million demand in the case of entertainment law firm Grubman Shire Meiselas & Sacks," said Brett Callow, a threat analyst with the cybersecurity firm Emsisoft. "Like many other groups, REvil operates an affiliate model. While the people who created the ransomware are believed to be based in Russia, the people who use it to carry out the attacks - the affiliates - could be based anywhere."
The JBS cyberattack comes just weeks after a ransomware attack on Colonial Pipeline prompted gas shortages in several states. Colonial paid nearly $5 million in ransom to the Russian hacking group DarkSide. Soon after, the extortion gang claimed it was ending its operation before disappearing offline.
Some meat industry experts estimate JBS may already be tens of thousands of heads short in their processing due to the ransomware attack.
JBS USA, the company's North American subsidiary, is headquartered in northern Colorado. The beef plant in Greeley employs more than 3,000 people.
"The question is whether (the impact of the cyberattack) will be short lived or not. And, that will determine if it has a supply chain impact," said said Keith Belk, head of Colorado State University's Department of Animal Sciences.
On Tuesday, officials say JBS USA and Pilgrim's were able to ship product from nearly all U.S. facilities. UFCW International represents more than 25,000 JBS workers in the U.S. The union tells CBS4 that JBS beef facilities experienced shutdowns on Tuesday in at least eight states, including Colorado. JBS pork plants are still operational, according to the union.
UFCW President Marc Perrone is calling on JBS to resolve the breach and ensure workers are paid on time.
"As the union for JBS meatpacking workers across the country, UFCW is pleased JBS is working around the clock to resolve this and UFCW urging JBS to ensure that all of its meatpacking workers receive their contractually guaranteed pay as these plant shutdowns continue," stated Perrone.
RELATED: 'Following The Money': The Rapid Rise Of Ransomware & How To Defend Against It
