
The cyberattack that shut down some operations this week at JBS, the world's largest meat processor, was the work of REvil, a ransomware franchise known for an ever-escalating array of pressure tactics designed to extort the highest possible payment.
The FBI made the attribution on Wednesday, a day after it became known that Brazil-based JBS SA had suffered a ransomware attack that forced the shutdown of at least five US-based plants, in addition to facilities in Canada and Australia.
High-pressure ransom
REvil and its affiliates account for about 4 percent of ransomware attacks against public and private sector organizations. In most respects, REvil is a fairly average ransomware operation. What sets it apart is the ferocity of its tactics, which are designed to put maximum pressure on victims.
“In some ways, REvil is a ‘pioneer’… one of the early adopters of victim public blogging and leaning heavily on the ‘double extortion’ side of things,” Jim Walter, a senior threat researcher at security firm SentinelOne, said in a text message. “They were also early experimenters in auctioning stolen data. Some auctions were successful, others were not, but potentially stolen data from selected victims would have been available to the highest bidder.”
In one case, REvil's dark web site posted a screenshot purporting to show pornography in a temporary-files folder on a computer belonging to the IT director of a large company the group had recently victimized.
“As he jerked his cock, we downloaded several hundred gigabytes of private information about the company’s customers,” the post read. “God bless his hairy palms. Amen!”
REvil is also the group that hacked Grubman Shire Meiselas & Sacks, the high-profile law firm that has represented Lady Gaga, Madonna, U2 and other top entertainers. When REvil demanded $21 million in exchange for not publishing the data, the firm reportedly offered $365,000. REvil responded by doubling its demand to $42 million and later published a 2.4GB archive containing some of Lady Gaga's legal documents.
Other REvil victims include Kenneth Copeland, SoftwareOne, Quest, and Travelex.
Last year, REvil began auctioning the confidential data of victims who refused to pay. In March, the group announced a new service that contacts a victim's media contacts and business partners to notify them of the breach. REvil also threatens victims with DDoS attacks.
REvil first appeared in April 2019 and quickly built a reputation for technical prowess, including its use of legitimate CPU functions to evade security software. In April of this year, Kaspersky ranked REvil as the third most active ransomware group.
Supply chains at risk
In April, REvil stole data from Apple supplier Quanta Computer and then demanded $50 million from Apple in exchange for not publishing technical documents for unreleased Apple products. The group went on to publish schematics for two Apple products on the day they were announced. The data has since been removed for reasons that remain unknown.
This week's incident came three weeks after a ransomware attack led Colonial Pipeline to shut down its pipeline, an event that caused shortages of gasoline and jet fuel along the US East Coast.
Production resumed Wednesday at JBS's US beef plants, after thousands of JBS workers in the US, Canada and Australia had their shifts adjusted or canceled earlier in the week.
Ransomware attacks like these continue to expose the fragility of the country's supply chains, as private and public sector leaders struggle, so far largely unsuccessfully, to contain the threat.