Dr. Evil Does Not Work for the REvil Gang

The decision to pay the ransom demanded by the cybercriminal group was made to avoid any further issues or potential problems for its customers, according to the company’s CEO. JBS Foods paid the equivalent of $11 million in ransom after a cyber-attack that forced the company to shut down some operations in the United States and Australia over the Memorial Day weekend.

The company made the payment to cybercriminals to ensure the protection of its data and mitigate any further damage to its customers, as it was paid even after the world’s largest meat distributor had managed to return most of the facilities affected back to full operational capacity, a company official said.

“This was a very difficult decision to make for our company and for me personally,” said Andre Nogueira, CEO of JBS USA. “However, we felt this decision had to be made to prevent any potential risk for our customers.”

A group believed to be the REvil cyber gang hit several servers supporting North American and Australian IT systems of JBS Foods–a global provider of beef, chicken and pork with 245,000 employees operating on several continents–on the Sunday of Memorial Day weekend. The group later claimed in an interview on Telegram, however, that its original target was a Brazilian entity.

Please see Ransoms with REvil: https://redskyalliance.org/xindustry/redpane-revil

No company or customer data appears to have been exfiltrated during the attack, which the company largely resolved using redundant systems and encrypted backup servers, according to the statement. As of Tuesday, JBS said it had been able to resume shipping food from nearly all of its U.S. facilities and making progress in resuming plant operations in the U.S. and Australia.

The company’s decision to pay despite having the situation nearly under control came after consultation with internal IT professionals and third-party cybersecurity experts, according to the statement. Indeed, experts said that the attack could have had a downstream effect on the food supply chain not only in Australia but also globally had it not been resolved quickly.

The JBS payment is yet another in a series of high-profile extortion payments to ransomware groups that have recently been putting the squeeze on major corporations and government agencies and causing major disruption across numerous industries. The activity has spurred the U.S. government to get involved in a major way to crack down on these groups.

The REvil ransomware group, which also goes by the name Sodinokibi, is one of the more audacious of the bunch, infamous for its attacks against some of the world’s largest organizations and exorbitant ransom demands. Indeed, the FBI called the group who attacked JBS “one of the most specialized and sophisticated cybercriminal groups in the world,” according to the company.

In April, REvil demanded a $50 million extortion fee from Apple just hours before the tech giant was to kick off a new product launch event. The ransom stemmed from an attack on Quanta, a Taiwanese-based company contracted to assemble Apple products, including Apple Watch, Apple Macbook Air and Pro, and ThinkPad, from an Apple-provided set of design schematics that REvil claimed to have gotten its hands on.

The DarkSide ransomware group also has pwned high-profile targets in recent months, including the now-infamous attack on Colonial Pipeline that caused widespread disruption of the fuel supply and which is still under investigation by U.S. authorities. Colonial Pipeline ended up paying about $4.4 million in Bitcoin to DarkSide.

If it seems that ransomware groups are getting bolder about reaping substantial benefits from their nefarious activity, they are, security experts said.

In recent months the U.S. federal government’s involvement in fighting ransomware groups and attacks has been growing. On Monday, the FBI and DOJ announced in a press conference it used blockchain technology to track down the contents of DarkSide’s cryptocurrency wallet and recover approximately $2.3 million of the ransom Colonial Pipeline paid to extortionists last month.

One reason for the rise of this type of cybercriminal is because ransomware groups “face no real consequences” and can reap “high ransoms because the costs of [networks] just being down far exceed the cost of paying the ransoms,” John Bambenek, threat intelligence advisor at Netenrich, said in an email to Threatpost. “Naive statements like ‘never pay the ransom’ simply ignore the reality of the situation and do not have any chance in actually changing anything,” he said.

Red Sky Alliance has been analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge. In fact, the RedPane tool now scrapes over 40 dark web forums, collecting proactive data that can be used to defend a network before an attack is initiated.

What can you do to better protect your organization today?

  • All data in transmission and at rest should be encrypted.
  • Proper data back-up and off-site storage policies should be adopted and followed.
  • Implement two-factor authentication company-wide.
  • For USA readers, join and become active in your local InfraGard chapter; there is no charge for membership (infragard.org).
  • Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
  • Institute cyber threat and phishing training for all employees, with testing and updating.
  • Recommend/require cyber security software, services and devices to be used by all at home working employees and consultants.
  • Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
  • Ensure that all software updates and patches are installed immediately.
  • Enroll your company/organization in RedXray for daily notifications of cyber threats directed at your domains. The RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories, including keyloggers, without having to connect to your network.
  • Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/3702558539639477516
TR-21-164-001_REvil_Gang.pdf
https://threatpost.com/jbs-paid-11m/166767/