The FBI has publicly confirmed that the REvil ransomware was used in the cyberattack that forced the world’s largest meat processing company to shut down systems.
Identified on Sunday, the cyberattack affected servers supporting its North American and Australian operations. By Wednesday, the company was able to resume most production.
While JBS did not make public any technical information on the attack, it did notify the federal government of a ransom demand, apparently coming from a Russian hacking group.
“We have attributed the JBS attack to REvil and Sodinokibi and are working diligently to bring the threat actors to justice,” the FBI said on Wednesday.
[ Also Read: Cybersecurity Threats to the Food Supply Chain ]
In an emailed statement, cybersecurity firm CrowdStrike told SecurityWeek that the hacking group it tracks as PINCHY SPIDER was behind the incident.
Based in Eastern Europe/Russia, PINCHY SPIDER is best known for their Ransomware-as-a-Service (RaaS) business. The group provides affiliates with access to the REvil (aka Sodinokibi) ransomware, which has been active since April 2019.
In 2020, the group demanded a $14 million ransom from Brazilian electrical energy company Light S.A., after compromising its network.
Prior to REvil, the threat actor developed and used the GandCrab ransomware (between January 2018 and May 2019). According to CrowdStrike, several overlaps in code and tactics, techniques, and procedures (TTPs) confirm that the two malware families are related.
“As DHS categorizes food supply as one of the 16 sectors of critical infrastructure, this hack represents yet another attack against critical infrastructure. Most critical infrastructure is owned by private sector (85%) showing how vital it is that enterprises protect their networks,” CrowdStrike said.
There have been several high-profile ransomware attacks on U.S. organizations in recent months, with victims including Molson Coors, Colonial Pipeline, and The Steamship Authority ferry service.
Related: DarkSide Ransomware Hits Toshiba Tec Group
Related: Disruptions at Pan-American Life Likely Caused by Ransomware Attack
Related: REvil Ransomware Operator Bids for KPot Stealer Source Code