When JBS Met REvil Ransomware | Why We Need to Beef Up Critical Infrastructure Security

The steady drumbeat of news about ransomware attacks continued this week, with the world’s biggest meat processor, JBS, being hit, as well as the New York Metropolitan Transit Authority and the Massachusetts Steamship Authority. Ransomware attacks are nothing new of course – unscrupulous criminals have been encrypting the data of individuals and organizations and demanding payment for years – but recent attacks represent a significant escalation in scale and kind as attackers increasingly hit essential public services.

Essential Public Services – An Easy Mark for Ransomware Attacks

Two weeks ago a criminal hacker gang calling itself DarkSide attacked Colonial Pipeline, which supplies much of the East Coast with nearly half of its fuel. News of the pipeline’s shutdown caused panic buying throughout much of the country, resulting in major gasoline shortages in several states.

It wasn’t the first time that ransomware has hit energy suppliers either. In February 2020, CISA advised all operational technology owners to take action after a ransomware attack on a natural gas plant forced it to shut down for two days. Although that attack began with a spear-phishing email, ransomware operators are increasingly gaining their initial access through other vectors, including stolen credentials, brute-force attacks and installation through desktop-sharing applications.

Critical infrastructure operators such as food and energy suppliers, along with schools and healthcare institutions, are often easy targets for criminals. Many organizations in those sectors are publicly funded and lack both the budget and the expertise of large, well-resourced private enterprises. For that reason, government facilities, education and the healthcare sector tend to be the most frequent victims of ransomware among the 16 sectors that CISA designates as ‘critical infrastructure’. The spate of ransomware attacks since 2018 on hospitals, schools and cities such as Atlanta, Greenville, Baltimore and Riviera Beach are some of the more high-profile cases in point.

While attacks in the Food and Agriculture sector are not as common, there have reportedly been at least 40 cases of ransomware targeting food companies in the last twelve months. And unfortunately, as we have seen this past week with JBS, hitting a major food distributor with ransomware can have consequences far beyond monetary loss for the organization itself.

Food Suppliers Are Tempting Targets For Ransomware

The attack on JBS represents a massive assault on the food supply not just in the U.S. but in countries around the world. JBS is the world’s largest meat supplier with more than 150 plants and over 150,000 workers employed in fifteen countries. In the US, the company is the second-largest producer of beef, pork and chicken, processing around a quarter of the nation’s beef and about a fifth of its pork.

In a statement last Monday, JBS said that it had been “the target of an organized cybersecurity attack, affecting some of the servers supporting its North American and Australian IT systems.” Meanwhile, the U.S. Department of Agriculture said it had reached out to other major meat processors and encouraged them to accommodate additional capacity where possible. The USDA stressed the importance of keeping supply moving and mitigating any potential price issues.

By Thursday, the company had released a further statement claiming it was able to limit the loss of food produced during the attack to less than one day’s worth of production and that lost production across the company’s global business would be “fully recovered by the end of next week”.

JBS Attack Attributed to REvil (Sodinokibi)

Meanwhile, the FBI attributed the attack to the REvil gang in a tweet on Thursday.

The REvil ransomware group has been in operation since at least mid-2019. Earlier this year it made headlines with two high-profile attacks on tech companies, Acer in March and Apple supplier Quanta in April, demanding ransom payments to the tune of $50 million (it is not known whether either was paid).

The operators have also been fine-tuning their RaaS (Ransomware-as-a-Service) offering in a bid to evade weak security controls. A recent version, when launched with the -smode argument, attempts to reboot the infected computer into Windows Safe Mode with Networking, where only a minimal set of drivers and services is loaded and security software that is not registered to start there does not run. To get past the logon screen after the reboot, the ransomware changes the user’s password to a hard-coded value and then logs in automatically with the new credentials. The SentinelOne platform protects against this (and all other) versions of the REvil ransomware.
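The Safe Mode trick described above leaves two artifacts that a defender can check for cheaply: a safeboot entry in the host’s Boot Configuration Data, and plaintext auto-logon values under the Winlogon registry key. The PowerShell below is an added example written for this article; it is not SentinelOne’s code and is not derived from any REvil sample. The registry paths and the bcdedit output format are standard Windows; the -smode switch is referenced only as the argument named in the text; and the service name passed to Test-ServiceStartsInSafeMode is a placeholder for whatever security agent the host actually runs.

```powershell
# Added example (not SentinelOne's code): triage a Windows host for the
# artifacts left by a "reboot into Safe Mode with Networking and auto-logon"
# technique, and confirm the security agent would survive such a reboot.
# Run from an elevated PowerShell prompt; bcdedit requires administrator rights.

function Get-SafeBootSetting {
    # bcdedit prints a "safeboot  Network" (or "Minimal") line when the
    # current boot entry is configured to start in Safe Mode. Returns the
    # mode name, or $null when no safeboot entry is present.
    $out = & bcdedit.exe /enum '{current}' 2>$null
    if (-not $out) { return $null }
    foreach ($line in $out) {
        if ($line -match '^\s*safeboot\s+(\S+)\s*$') { return $Matches[1] }
    }
    return $null
}

function Get-AutoLogonSetting {
    # Plaintext auto-logon lives under Winlogon. Managed kiosks sometimes use
    # it legitimately, so a hit is a lead to investigate, not a verdict.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoAdminLogon  = $v.AutoAdminLogon
        DefaultUserName = $v.DefaultUserName
        DefaultDomain   = $v.DefaultDomainName
        PasswordStored  = [bool]$v.DefaultPassword   # report presence only, never the value
    }
}

function Test-ServiceStartsInSafeMode {
    # Only services listed under SafeBoot\Network are started in Safe Mode
    # with Networking. An endpoint agent missing from this list is silent
    # after the reboot, which is exactly what the technique relies on.
    param([Parameter(Mandatory)][string]$ServiceName)   # placeholder: your agent's service name
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\$ServiceName"
    Test-Path -Path $key
}

function Test-SafeModeAutoLogon {
    # Combine the two artifacts into one finding. The combination of a Network
    # safeboot setting, AutoAdminLogon enabled and a stored password is the
    # pattern worth alerting on; either half alone is common in benign setups.
    $safe  = Get-SafeBootSetting
    $logon = Get-AutoLogonSetting
    $suspicious = ($safe -eq 'Network') -and
                  ($logon.AutoAdminLogon -eq '1') -and
                  $logon.PasswordStored
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        SafeBoot       = $safe
        AutoAdminLogon = $logon.AutoAdminLogon
        AutoLogonUser  = $logon.DefaultUserName
        PasswordStored = $logon.PasswordStored
        Suspicious     = $suspicious
    }
}

# Usage: report the host's state, then check that the (placeholder-named)
# security agent service is registered to start in Safe Mode with Networking.
Test-SafeModeAutoLogon | Format-List
$agentService = 'YourSecurityAgentService'   # placeholder, replace with the real service name
if (-not (Test-ServiceStartsInSafeMode -ServiceName $agentService)) {
    Write-Warning "$agentService is not registered under SafeBoot\Network and will not run in Safe Mode with Networking."
}
```

The BCD and Winlogon checks are read-only and safe to schedule across a fleet; a positive Suspicious result on a machine that is not a managed kiosk should trigger incident response rather than remediation from the script itself, since an active encryption run may already be under way. The SafeBoot\Network check is a hardening control to run before an incident, not during one.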

The dust hasn’t yet settled on this attack and many facts remain unknown, including whether the company paid a ransom. JBS projected optimism that production would be restored quickly in places where it had been interrupted, but even a short disruption to a fifth of the U.S. beef harvesting capacity could have large knock-on effects in the market, potentially causing short term supply shortages and raising prices for beef and other proteins. A longer disruption could have had massive impacts on the entire food supply chain.

Criminal hackers have deftly probed for new vulnerabilities and found new opportunities in places that we previously haven’t thought of as being particularly cyber-dependent. At least on its face, few things could seem less vulnerable to hacking than beef harvesting, but every person and every entity is potentially, and increasingly, vulnerable.

What’s Next For Ransomware and Our Critical Infrastructure?

These attacks raise the specter of even more destructive events down the road. What if criminal hackers managed to strike a major blow to the electrical grid, or to mount a sustained attack on a large energy supplier or big-city utility? Previously these kinds of major attacks on civilian critical infrastructure have been the preserve of nation-state actors, and at least in the United States, they’ve been more a threat that we know exists than an everyday reality that we must deal with.

This is the reality of our interconnected world: cyber threats are whole-of-society threats. High-impact attacks are no longer simply a geopolitical concern – they are an ever-present threat from both state and non-state actors. Both are relentlessly searching out vulnerabilities and pain points, and properly dealing with either requires that we recognize the scale and immediacy of the threat. Protecting our food supply, electrical grid, hospital systems and so many other elements of critical infrastructure requires that every public and private entity step up and meet this threat.

If you would like to learn more about how the SentinelOne Singularity Platform can help protect your organization or business, please contact us, or request a free demo.