The cyberattack that stalled some operations at the world’s largest meat processor this week was the work of REvil, a ransomware franchise known for its constantly escalating cutthroat tactics aimed at extorting the highest price.
The FBI made the attribution on Wednesday, the day after it became known that Brazil-based JBS SA had experienced a ransomware attack that resulted in the closure of at least five US plants, as well as facilities in Canada and Australia.
High pressure ransom
REvil and its affiliates account for approximately 4 percent of attacks on the public and private sectors. In many ways, REvil is a pretty average ransomware operation. What makes it stand out is the cruelty of its tactics, which are designed to put maximum pressure on victims.
“In some ways, REvil is a ‘pioneer’ … as one of the early adopters of public blogging victims and a strong propensity for ‘double blackmail’,” said Jim Walter, senior threat researcher at security firm SentinelOne, in a text message. “They were also early experimenters with auctioning stolen data. Some auctions were successful, some were not, but potential data stolen from selected victims would have been available to the highest bidder.”
In one case, REvil’s dark web site posted a screenshot allegedly showing that pornography was stored in a temporary-files folder on a computer belonging to the IT director of a large company that had recently fallen victim to the group.
“While he was jerking his cock, we were downloading hundreds of gigabytes of private information about the company’s customers,” the post said. “God bless his hairy palms. Amen!”
REvil is also the group that hacked Grubman, Shire, Meiselas & Sacks, the prominent law firm that represented Lady Gaga, Madonna, U2 and other high-profile entertainers. When REvil demanded $21 million in exchange for not disclosing the data, the law firm allegedly offered $365,000. REvil responded by doubling its demand to $42 million and later releasing a 2.4 GB archive containing some of Lady Gaga’s legal documents.
Other REvil victims include Kenneth Copeland, SoftwareOne, Quest, and Travelex.
Last year, REvil began auctioning confidential information taken from victims who refuse to pay. In March, the group announced a new service that would contact the media and victims’ business partners to notify them of a breach. REvil also threatens victims with DDoS attacks.
REvil first appeared in April 2019 and quickly built a reputation for technical proficiency when it used legitimate CPU functions to bypass security protections. In April of this year, Kaspersky ranked REvil third among ransomware groups.
Supply chains at risk
In April, REvil stole data from manufacturer Quanta Computer and then demanded $50 million from Apple in exchange for not disclosing technical data it had obtained for unreleased Apple products. The group released circuit diagrams for two Apple products on the day it was announced. The data has since been removed for reasons unknown.
This week’s incident occurred three weeks after ransomware shut down the Colonial Pipeline, an event that resulted in gasoline and kerosene shortages on the east coast of the United States.
Production at JBS’s U.S. beef plants resumed Wednesday, after thousands of JBS employees in the U.S., Canada and Australia had shifts adjusted or canceled earlier this week.
Such ransomware attacks continue to expose the fragility of the country’s supply chains as leaders in the private and public sectors struggle largely in vain to contain the threat.