A Russian cyber-criminal group was behind a ransomware attack that has targeted the world’s largest meat processing company, the FBI has said.
The FBI said it was working to bring the REvil group to justice for the hack on JBS. The cyber-breach over the weekend shut some JBS operations in the US, Canada and Australia. REvil – also known as Sodinokibi – is one of the most prolific and profitable cyber-criminal groups in the world.
“We have attributed the JBS attack to REvil and Sodinokibi and are working diligently to bring the threat actors to justice,” the FBI statement said. “We continue to focus our efforts on imposing risk and consequences and holding the responsible cyber actors accountable.”
The White House said on Wednesday that US President Joe Biden would bring up the issue of cyber-attacks when he meets Russian President Vladimir Putin in two weeks. “Responsible states do not harbour ransomware criminals,” said press secretary Jen Psaki. JBS said it was on schedule to resume meatpacking operations on Thursday in the US, where its five biggest beef plants are located.
The company, which identified the ransomware attack on Sunday, has not disclosed whether it paid the hackers. Ransomware is one of the most prolific forms of cyber-attack. It typically involves hackers gaining access to a computer network and either encrypting files or locking users out of their systems until a ransom is paid. In recent years, the use of ransomware for extortion has become a national security issue of serious concern.
Last month, fuel delivery in the south-east of the US was crippled for several days after a ransomware attack targeted the Colonial Pipeline. Investigators say that attack was linked to another group, DarkSide, with ties to Russia. Colonial Pipeline has confirmed it paid a $4.4m (£3.1m) ransom to the cyber-criminal gang responsible. The US government has recommended in the past that companies do not pay criminals over ransomware attacks, in case they invite further hacks in the future.
REvil is a criminal network of ransomware hackers that first came to prominence in 2019. Most of its members are believed to be based in Russia or countries that were formerly part of the Soviet Union. Pronounced “R” followed by the word “evil”, REvil has been linked to GandCrab, a now-defunct hacker gang that has used similar ransomware in the past. REvil is known as a ransomware-as-a-service (RaaS) enterprise for the way it operates. This involves ransomware developers recruiting affiliates, or partners, to spread their malware.
If the attacks are successful, developers take a percentage of the earned income and provide the other portion to the affiliates. The group threatens to post stolen documents on its website – known as the “Happy Blog” – if victims don’t comply with its demands. One of the group’s best-known attacks was on an Apple Inc supplier named Quanta Computer Inc earlier this year. In a note posted on the dark web, the group said it would release sensitive internal documents unless it received $50m in ransom. REvil was also linked to a co-ordinated attack on nearly two dozen local governments in Texas in 2019.