The US FBI has attributed the ransomware attack against multinational food processor JBS to the REvil (a.k.a. Sodinokibi) criminal gang. The Bureau's statement reads in full:
"As the lead federal investigative agency fighting cyber threats, combating cybercrime is one of the FBI’s highest priorities. We have attributed the JBS attack to REvil and Sodinokibi and are working diligently to bring the threat actors to justice. We continue to focus our efforts on imposing risk and consequences and holding the responsible cyber actors accountable. Our private sector partnerships are essential to responding quickly when a cyber intrusion occurs and providing support to victims affected by our cyber adversaries. A cyberattack on one is an attack on us all. We encourage any entity that is the victim of a cyberattack to immediately notify the FBI through one of our 56 field offices."
BleepingComputer notes that REvil is an affiliate operation that surfaced in April of 2019. The gang, which operates from Russia, is generally regarded as a successor to the GandCrab group, which itself nominally suspended operations in June of that year.
This is the second major ransomware incident to disrupt a large player in a sensitive sector in as many months. May saw DarkSide's attack on Colonial Pipeline, and now REvil has hit a major meat supplier. Reuters reports that most affected JBS plants resumed operation yesterday, but the incident, following as closely as it did the Colonial attack, has put a burr under American saddles as President Biden prepares for a summit with his Russian counterpart later this month. "We're not taking any options off the table in terms of how we may respond, but of course there's an internal policy review process to consider that. We're in direct touch with the Russians, as well, to convey our concerns about these reports," White House press secretary Jen Psaki said.
The ransomware attacks are an increasingly sensitive issue in Russo-American relations because of the evidence that gangs like REvil and DarkSide (and there are many others) operate with the permission (at least tacitly) and effectively under the protection of the Russian state. The Washington Post reports that President Biden intends to "hammer" President Putin over the gangs during their summit, but there's general skepticism that a diplomatic protest, however starchy, will have much effect. The Russian response to complaints about its misbehavior is traditionally to demand evidence, so that Russia and the complaining parties can jointly investigate and arrive at some consensus. The Post quotes Jim Lewis of the Center for Strategic and International Studies on what's likely to happen at the summit: “The president is very determined on this, but the first thing Putin will do is say, ‘prove it.’ And he doesn’t mean ‘prove we did it.’ He means ‘prove you’ll do something back.’ ” Absent some proportional retaliation that hurts the interests of people who count, few see much prospect of a change in Russian policy with respect to cyber privateering.