FBI Confirms REvil Ransomware Involved in JBS Attack
The FBI has publicly confirmed that the REvil ransomware was used in the cyberattack that forced the world’s largest meat processing company to shut down systems.
Identified on Sunday, the cyberattack affected servers supporting its North American and Australian operations. By Wednesday, the company was able to resume most production.
While JBS did not make public any technical information on the attack, it did notify the federal government of a ransom demand, apparently coming from a Russian hacking group.
[ Also Read: Cybersecurity Threats to the Food Supply Chain ]
In an emailed statement, cybersecurity firm CrowdStrike told SecurityWeek that the hacking group it tracks as PINCHY SPIDER was behind the incident.
Based in Eastern Europe/Russia, PINCHY SPIDER is best known for their Ransomware-as-a-Service (RaaS) business. The group provides affiliates with access to the REvil (aka Sodinokibi) ransomware, which has been active since April 2019.
In 2020, the group demanded a $14 million ransom from Brazilian electrical energy company Light S.A., after compromising its network.
Prior to REvil, the threat actor developed and used the GandCrab ransomware (between January 2018 and May 2019). According to CrowdStrike, several overlaps in code and tactics, techniques, and procedures (TTPs) confirm that the two malware families are related.
“As DHS categorizes food supply as one of the 16 sectors of critical infrastructure, this hack represents yet another attack against critical infrastructure. Most critical infrastructure is owned by private sector (85%) showing how vital it is that enterprises protect their networks,” CrowdStrike said.