Meat held for ransom.
JBS, the Sao Paulo-based multinational meat processing company, sustained a ransomware attack this past Sunday. Company servers in the US and Australia were hit, inducing the company to shut down some operations in Australia, the US, and Canada. Operations elsewhere were unaffected. The company summarized the incident in a media release. A follow-up announcement Tuesday said that JBS had begun resuming deliveries to its customers. No customer, supplier, or employee information appears to have been compromised.
JBS said Thursday that it had resolved the ransomware attack it sustained on Sunday, and that operations had returned to normal. The company's statement reads in part, "The company’s swift response, robust IT systems and encrypted backup servers allowed for a rapid recovery. As a result, JBS USA and Pilgrim’s were able to limit the loss of food produced during the attack to less than one days’ worth of production. Any lost production across the company’s global business will be fully recovered by the end of next week, limiting any potential negative impact on producers, consumers and the company’s workforce."
All things considered, the response seems to have been swift and effective, and it will be interesting to see what lessons may emerge from JBS's experience. The impact of the incident on food availability (and price) appears to have been limited, and HuffPost observes that there appears to have been no impact on food safety whatsoever, which is unsurprising given the nature of the attack.
The BBC quotes the White House as saying, “JBS notified [the White House] that the ransom demand came from a criminal organisation likely based in Russia. The White House is engaging directly with the Russian government on this matter and delivering the message that responsible states do not harbor ransomware criminals.” Russia's Deputy Foreign Minister Sergei Ryabkov confirmed that the US Government had been in touch with Moscow.
The industry publication Beef Central has an account of the effect of ransomware on a food processor: “Like all large meat processors virtually every part of the modern JBS processing business is heavily reliant on computer systems and internet connectivity for record-keeping, regulatory documentation, sortation and countless other functions.” The attack on JBS was, like the earlier attack on Colonial Pipeline, “brazen,” in that, as Recode reports, the attackers picked a high-profile target where an attack would achieve general notoriety.
The US FBI has attributed the ransomware attack against multinational food processor JBS to the REvil (a.k.a. Sodinokibi) criminal gang. The Bureau's statement reads in full:
"As the lead federal investigative agency fighting cyber threats, combating cybercrime is one of the FBI’s highest priorities. We have attributed the JBS attack to REvil and Sodinokibi and are working diligently to bring the threat actors to justice. We continue to focus our efforts on imposing risk and consequences and holding the responsible cyber actors accountable. Our private sector partnerships are essential to responding quickly when a cyber intrusion occurs and providing support to victims affected by our cyber adversaries. A cyberattack on one is an attack on us all. We encourage any entity that is the victim of a cyberattack to immediately notify the FBI through one of our 56 field offices."
BleepingComputer notes that REvil is an affiliate operation that surfaced in April of 2019. The gang, which operates from Russia, is generally regarded as a successor to the GandCrab group, which itself nominally suspended operations in June of that year. REvil told BleepingComputer last October that the gang itself cleared more than $100 million in profit annually. They may have at least two revenue streams: direct ransom payment and the proceeds from auctioning victims' stolen data. REvil's claims about its revenues and operations are difficult to corroborate, but the gang at least gives the appearance of being financially motivated.
As with other Russian criminal groups, however, their activities now arouse suspicions that they're state-tolerated cyber privateers, and that their motivations may be complex. Utah Public Radio quotes Ryan Larsen, a Utah State farm management extension specialist, who said, “When you read that a large percentage of the meat processing has been hacked, it causes concerns for citizens. So, I think a lot of the motivation was purely just to cause concern and to scare people.” Fox News talked to various experts who thought the prospect of the JBS hack's being a "dry run" for a more damaging operation was "slightly paranoiac," albeit possible. On balance, the consensus holds that the rise in ransomware attacks has been driven by criminals' realization that there was a great deal of money to be made from extortion. ABC News reasonably sees a convergence of contributing factors: "Ransomware strikes have surged over the past year due to a confluence of factors, experts say, including the rise of hard-to-trace cryptocurrency, a work-from-home boom that has resulted in new IT vulnerabilities and a political climate marked by ongoing tensions between the U.S. and Russia -- the nation from which many of these attacks are believed to emanate."