REvil ransomware extended its reputation as one of the world's most destructive malware families with an attack over the weekend on JBS Foods. JBS is the second-largest meat producer in the US and the largest meat producer globally. Plants across the world had to be shut down following the REvil infection, including plants in the US, Australia, Canada, the UK, and Mexico. The company has 245,000 employees around the world and sells an extensive portfolio of brands, including Swift, Pilgrim’s Pride, Seara, Moy Park, Friboi, Primo, and Just Bare, to customers in 190 countries on six continents.
JBS USA issued a press release on May 31st confirming the ransomware attack. “On Sunday, May 30, JBS USA determined that it was the target of an organized cybersecurity attack, affecting some of the servers supporting its North American and Australian IT systems,” JBS USA said.
“The company took immediate action, suspending all affected systems, notifying authorities and activating the company’s global network of IT professionals and third-party experts to resolve the situation. The company’s backup servers were not affected, and it is actively working with an Incident Response firm to restore its systems as soon as possible.”
The company added that there was no evidence of customer, supplier, or employee data compromised during the REvil ransomware attack.
The company also expects transactions with customers and suppliers to be delayed until the incident is fully resolved.
The Australian government has also been informed of the incident and is currently working with JBS to bring back online production facilities around the country.
“The technology they use goes to the heart of the quality assurance of the beef they are processing,” Australia’s Agriculture Minister David Littleproud told ABC. “We need to make sure we can get that up and going to give confidence not just to consumers in Australia, but also to our export markets. They are obviously working with law enforcement agencies here in Australia, and we’re working in partnership with other countries to get to the bottom of this. Since it is a global attack it’s important not to speculate that it’s emanated from any particular place, just yet.”
The US Department of Agriculture has said it expects beef prices to climb 1 percent to 2 percent this year, poultry as much as 1.5 percent, and pork between 2 percent and 3 percent.
If JBS were to shut down for even one day, the U.S. would lose almost a quarter of its beef-processing capacity, or the equivalent of 20,000 beef cows, according to Trey Malone, an assistant professor of agriculture at Michigan State University.
JBS did not say which of its 84 US facilities were closed on Monday and Tuesday because of the attack.
Earlier, a union official confirmed that two shifts at the company’s largest US beef plant, in Greeley, Colorado, were canceled. Some plant shifts in Canada were also canceled Monday and Tuesday, according to JBS Facebook posts.
The attack vector and malware strain were initially unknown. On Tuesday, the White House said JBS had reported that the ransom demand came from a criminal organization likely based in Russia. By Wednesday, the FBI had released a short statement confirming the malware strain to be REvil ransomware.
“As the lead federal investigative agency fighting cyber threats, combating cybercrime is one of the FBI’s highest priorities. We have attributed the JBS attack to REvil and Sodinokibi and are working diligently to bring the threat actors to justice,” the agency said.
“We continue to focus our efforts on imposing risk and consequences and holding the responsible cyber actors accountable. Our private sector partnerships are essential to responding quickly when a cyber intrusion occurs and providing support to victims affected by our cyber adversaries.
“A cyber attack on one is an attack on us all. We encourage any entity that is the victim of a cyber attack to immediately notify the FBI through one of our 56 field offices.”
REvil Ransomware Analysis
REvil ransomware is sold as Ransomware-as-a-Service (RaaS), meaning it is offered on a subscription or affiliate basis and is usable by just about anybody. In 2020, it extorted large amounts of money from corporations and individuals. According to researchers, it is the most widespread ransomware strain. Groups using it have a knack for shaking down businesses that don’t meet their demands, often through threats or by leaking stolen data.
REvil Ransomware, also known as Sodinokibi, first appeared in April 2019 and rose to prominence after another RaaS gang called GandCrab shut down its service. REvil was first advertised on Russian-language cybercrime forums. The main actor associated with advertising and promoting REvil ransomware is called Unknown aka UNKN. In the early days of REvil, researchers and security firms identified it as a strain of GandCrab, or at least established multiple links between the two. An alleged member of the group, using the handle Unknown, confirmed in an interview that the ransomware was not a new creation and that it was built on top of an older codebase that the group acquired.
The group behind REvil Ransomware and other groups selling RaaS often do so on a commission basis. Usually, this means a cut of between 20% and 30% of the money earned through infecting victims with ransomware.
In 2020, IBM Security X-Force Incident Response reported that 1 in 3 of the ransomware infections it responded to were caused by REvil ransomware.
In February 2021, the REvil ransomware operation posted a job notice looking to recruit people to perform DDoS attacks and make VoIP calls to victims and their partners.
In March, a security researcher known as 3xp0rt reported that REvil had announced new tactics that affiliates can use to exert even more pressure on victims.
These new tactics include a free service in which the threat actors, or their affiliates, make voice-scrambled VoIP calls to the media and to the victim’s business partners with information about the attack. The gang is likely assuming that warning businesses that their data may have been exposed in an attack on one of their partners will create further pressure on the victim to pay.
REvil is also offering a paid service that lets affiliates launch Layer 3 and Layer 7 DDoS attacks against a company for maximum pressure. A Layer 3 (network-layer, volumetric) attack is commonly used to saturate the company’s Internet connection, whereas a Layer 7 (application-layer) attack targets a publicly accessible application, such as a web server.
It is highly configurable, and it can be customized to behave differently depending on the host. This makes it a highly attractive RaaS client. Some of its features include:
- Exploits a kernel privilege escalation vulnerability to gain SYSTEM privileges using CVE-2018-8453.
- Whitelists files, folders and extensions from encryption.
- Kills specific processes and services prior to encryption.
- Encrypts files on local and network storage.
- Customizes the name and body of the ransom note, and the contents of the background image.
- Sends encrypted host and infection details from the infected host to its remote controllers.
- Uses Hypertext Transfer Protocol Secure (HTTPS) for communication with its controllers.
REvil exploits a kernel privilege escalation vulnerability in win32k.sys, tracked as CVE-2018-8453, to gain SYSTEM privileges on the infected host. If the configuration instructs a sample to execute this exploit, it allocates executable memory, decrypts the exploit code into the newly allocated region and invokes it. Microsoft patched CVE-2018-8453 in October 2018, so this escalation step fails on hosts that have that update applied.
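The behaviour listed above is driven by a JSON configuration embedded in each build. The Python below is an added illustration written for this page, not REvil code and not taken from any sample: it models how such a config gates the whitelist check, the process kill list, the exploit flag and the ransom-note templating, so an analyst can see which files on a host a given config would and would not touch. The key names (exp, wht with fld/fls/ext, prc, nname, nbody and the {EXT} placeholder) follow public write-ups of the REvil config layout but are treated as assumptions here; every value, path and process name is constructed for the example.

```python
import json
from typing import Dict, List

# Constructed sample configuration, laid out like the embedded JSON config
# that public analyses describe for REvil builds. Key names are an assumption
# taken from those write-ups; every value here is invented for illustration.
SAMPLE_CONFIG = json.dumps({
    "exp": True,                                   # attempt the CVE-2018-8453 LPE?
    "wht": {                                       # whitelist: never encrypt these
        "fld": ["windows", "program files", "$recycle.bin", "boot"],
        "fls": ["ntldr", "boot.ini", "bootsect.bak", "desktop.ini"],
        "ext": ["exe", "dll", "sys", "msi", "lnk"],
    },
    "prc": ["sqlservr.exe", "mysqld.exe", "outlook.exe"],  # kill before encrypting
    "nname": "{EXT}-readme.txt",                   # ransom-note file name template
    "nbody": "Your files were encrypted with extension .{EXT}.",
})

# Constructed host snapshot (local and UNC paths, running processes).
SAMPLE_PATHS = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Program Files\App\app.exe",
    r"C:\Users\alice\boot.ini",
    r"C:\Users\alice\Documents\q2-forecast.xlsx",
    r"\\fileserver\finance\payroll.accdb",
    r"C:\Users\alice\Desktop\README",
]
SAMPLE_PROCESSES = ["explorer.exe", "SQLServr.exe", "notepad.exe", "Outlook.exe"]


def load_config(raw: str) -> Dict:
    """Parse the JSON config and reject one missing the keys this model relies on."""
    cfg = json.loads(raw)
    missing = [k for k in ("exp", "wht", "prc", "nname", "nbody") if k not in cfg]
    if missing:
        raise ValueError(f"config missing keys: {missing}")
    for sub in ("fld", "fls", "ext"):
        cfg["wht"].setdefault(sub, [])
    return cfg


def _split(path: str) -> List[str]:
    # Normalise separators and case; a UNC share becomes plain path components.
    return [p.lower() for p in path.replace("\\", "/").split("/") if p]


def is_whitelisted(path: str, cfg: Dict) -> bool:
    """True if any folder component, the file name or the extension is exempt."""
    parts = _split(path)
    if not parts:
        return True
    name, folders = parts[-1], parts[:-1]
    wht = cfg["wht"]
    if any(f.lower() in folders for f in wht["fld"]):
        return True
    if name in {f.lower() for f in wht["fls"]}:
        return True
    ext = name.rsplit(".", 1)[1] if "." in name else ""   # no extension -> ""
    return ext in {e.lower() for e in wht["ext"]}


def encryption_targets(paths: List[str], cfg: Dict) -> List[str]:
    """Paths the config would allow to be encrypted, in the order seen."""
    return [p for p in paths if not is_whitelisted(p, cfg)]


def processes_to_kill(running: List[str], cfg: Dict) -> List[str]:
    """Running processes that match the kill list (case-insensitive)."""
    kill = {p.lower() for p in cfg["prc"]}
    return [p for p in running if p.lower() in kill]


def exploit_enabled(cfg: Dict) -> bool:
    """Whether the config gates in the CVE-2018-8453 privilege-escalation step."""
    return bool(cfg["exp"])


def render_note(cfg: Dict, ext: str) -> Dict[str, str]:
    """Fill the {EXT} placeholder in the note name and body for this victim."""
    return {"name": cfg["nname"].replace("{EXT}", ext),
            "body": cfg["nbody"].replace("{EXT}", ext)}


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    print("exploit enabled:", exploit_enabled(cfg))
    print("kill:", processes_to_kill(SAMPLE_PROCESSES, cfg))
    for p in encryption_targets(SAMPLE_PATHS, cfg):
        print("would encrypt:", p)
    print("note:", render_note(cfg, "a1b2c3")["name"])
```

The point of the whitelist is operational, not charitable: system folders and executables are skipped so the host stays bootable and the ransom note can be displayed, while user documents and network shares (the UNC path above) are fair game. When triaging a real config, the fld/fls/ext lists and prc list are the quickest way to infer what the operator intended to preserve and which services (databases, mail clients) they expected to hold locked files.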
Protection Against Ransomware
REvil and other ransomware families are among the most common and damaging cybersecurity threats today. Families and businesses should be aware of these threats and equip themselves with the right tools to tackle them. One of these tools is SaferNet.
SaferNet is designed for the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device through a secure, always-on, military-grade VPN, but also blocks outside cyberthreats, malware and viruses. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to its VPN and cyber protection, SaferNet offers a range of employee or parental/family internet controls, including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.
Typically, a business or family would need three separate services for a VPN, malware protection, and internet controls; SaferNet offers all three in one service. SaferNet is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers, at a price point that caters to businesses and families of all sizes. Setup and installation take only minutes, and an easily accessible control hub lets you monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.