FBI: REvil cybergang behind the JBS ransomware attack:
The Federal Bureau of Investigations has officially stated that the REvil operation, aka Sodinokibi, is behind the ransomware attack targeting JBS, the world's largest meat producer.
"We have attributed the JBS attack to REvil and Sodinokibi and are working diligently to bring the threat actors to justice," says an FBI Statement on JBS Cyberattack.
[...] The REvil ransomware operation is believed to be operated by a core group of Russian threat actors who recruit affiliates, or partners, who breach corporate networks, steal their data, and encrypt their devices.
This operation is run as a ransomware-as-a-service, where the core team earns 20-30% of all ransom payments, while the rest goes to their affiliates.
REvil, also known as Sodinokibi, launched its operation in April 2019 and is believed to be an offshoot or rebranding of the notorious GandCrab ransomware gang, which closed shop in June 2019.
[...] The operation claims to have earned $100 million in a single year through ransom payments.
[...] The JBS ransomware attack occurred in the early morning hours of Sunday, May 31st, causing JBS to shut down its network to prevent the spread of the attack.
"The company took immediate action, suspending all affected systems, notifying authorities and activating the company's global network of IT professionals and third-party experts to resolve the situation," JBS USA said in a statement.
The attack also led to JBS shutting down multiple food production sites as they lost access to portions of their network.
[...] "Our systems are coming back online and we are not sparing any resources to fight this threat. We have cybersecurity plans in place to address these types of issues and we are successfully executing those plans," said Andre Nogueira, JBS USA CEO.
"Given the progress our IT professionals and plant teams have made in the last 24 hours, the vast majority of our beef, pork, poultry and prepared foods plants will be operational tomorrow."
Previously: Meat Producer JBS Says It Expects Most Plants to Resume Working Wednesday
Meat Producer JBS Says Expects Most Plants Working Wednesday:
A ransomware attack on the world's largest meat processing company disrupted production around the world just weeks after a similar incident shut down a U.S. oil pipeline.
Brazil's JBS SA, however, said late Tuesday that it had made "significant progress" in dealing with the cyberattack and expected the "vast majority" of its plants to be operating on Wednesday.
"Our systems are coming back online and we are not sparing any resources to fight this threat," Andre Nogueira, the CEO of JBS USA said in a statement.
[...] JBS is the second-largest producer of beef, pork and chicken in the U.S. If it were to shut down for even one day, the U.S. would lose almost a quarter of its beef-processing capacity, or the equivalent of 20,000 beef cows, according to Trey Malone, an assistant professor of agriculture at Michigan State University.
JBS said the cyberattack affected servers supporting its operations in North America and Australia. The company said it notified authorities and engaged third-party experts to resolve the problem as soon as possible. Backup servers weren't affected.
Malone said the disruption could further raise meat prices ahead of summer barbecues. Even before the attack, U.S. meat prices were rising due to coronavirus shutdowns, bad weather and high plant absenteeism. The U.S. Department of Agriculture has said it expects beef prices to climb 1% to 2% this year, poultry as much as 1.5% and pork between 2% and 3%.
(Score: 2, Insightful) by Anonymous Coward on Thursday June 03 2021, @01:50AM (8 children)
Should we blame the Rrrussians, as the media are pushing us to again, or the company for shitty security practices?
(Score: -1, Troll) by Anonymous Coward on Thursday June 03 2021, @01:57AM (1 child)
FBI have been exposed as partisan crooks working for the DNC crime syndicate for quite a while. The real surprise here is that they didn't groom some crazy to shoot up the place and then provide them with guns and ammo to finish the job, then cover it all up and blame it on Trump somehow. I guess they can afford to be more subtle since Obama allowed them all access to the NSA data hoover, but never forget that they are both crooked and incompetent, and shall remain until America's federal criminal justice system manages to unfuck itself.
(Score: 0) by Anonymous Coward on Thursday June 03 2021, @03:12AM
OK Comrade.
(Score: 0) by Anonymous Coward on Thursday June 03 2021, @02:30AM
It's like fixing cars now -- try one fix (replace some computer), if that doesn't work, try the next one in line.
In this case, a drone attack on the REvil hq becomes the first "fix". If this doesn't cure the current ransomware problem, well, we have lots of drones to try again.
(Score: 5, Insightful) by mhajicek on Thursday June 03 2021, @03:15AM
Blame everyone who paid ransom.
The spacelike surfaces of time foliations can have a cusp at the surface of discontinuity. - P. Hajicek
(Score: 5, Funny) by Rosco P. Coltrane on Thursday June 03 2021, @03:31AM
China.
You forgot China.
It's either Russia or China. I know because I read it in the news, so it must be true.
(Score: -1, Offtopic) by Anonymous Coward on Thursday June 03 2021, @04:51AM
Fuck you mods.
(Score: 1, Insightful) by Anonymous Coward on Thursday June 03 2021, @01:27PM
No clue if it's Russians, Chinese or the Iranians. None are our friends exactly. Sadly, FBI has 0 credibility left. They are narrative above all else.
Fit that narrative and your crimes get a pass, don't and you get the book thrown at you.
Some people don't think post rule of law anarcho-tyranny be like it is, but it do.
(Score: 3, Insightful) by epitaxial on Thursday June 03 2021, @02:12PM
Why not both?
(Score: 3, Funny) by fustakrakich on Thursday June 03 2021, @02:12AM (3 children)
Man! they're laying it on thick! It's like Romania and Ukraine and mom's basement don't even exist...
Politics and criminals are the same thing..
(Score: 0) by Anonymous Coward on Thursday June 03 2021, @06:56AM (2 children)
I wonder if claiming X is done by a nation state actor as opposed to leet basement haxxor brings with it insurance payout benefits to the entities affected.
(Score: 1) by fustakrakich on Thursday June 03 2021, @04:13PM (1 child)
Insurance fraud should be investigated
Politics and criminals are the same thing..
(Score: 1) by fustakrakich on Thursday June 03 2021, @04:16PM
Tax fraud too, no doubt they will deduct the "losses"
Politics and criminals are the same thing..
(Score: 2) by Rosco P. Coltrane on Thursday June 03 2021, @03:08AM
Russia famously doesn't extradite its citizens, and they sure ain't gonna prosecute someone for stuff they did to an American company.
So, war with Russia then?
What a load of crap...
(Score: 5, Insightful) by Thexalon on Thursday June 03 2021, @03:33AM (10 children)
My understanding is that the three-letter agencies in the US have a general policy of emphasizing offense over defense when it comes to cyberattacks: They'd rather have both US-based companies and the bad guys vulnerable than have everybody safe from that particular attack vector. And where this plan goes horribly wrong is that what the NSA can do, the FSB can probably also do.
If you're a sysadmin for anything important, now would be a good time to push your boss on getting a really solid backup and disaster-recovery plan in place, including off-site and air-gapped stuff, because it's looking more and more like you're going to need it.
"Think of how stupid the average person is. Then realize half of 'em are stupider than that." - George Carlin
(Score: 0) by Anonymous Coward on Thursday June 03 2021, @04:53AM
This is the way to enlightenment. Don't need to be better than the evil, just better prepared.
(Score: 0) by Anonymous Coward on Thursday June 03 2021, @12:37PM (8 children)
The feds have been telling them for years to secure their systems. Maybe now they'll start listening.
(Score: 2) by canopic jug on Thursday June 03 2021, @12:54PM (4 children)
The feds have been telling them for years to secure their systems. Maybe now they'll start listening.
Not really. The first step in securing their computing environment would be the elimination and removal of M$ products and services. That, unfortunately, is a staffing problem and that means inter-office politics and going up against empire builders. They may not do a damn thing all week, every week, at best, but the large head count ensures that they have the votes and the ear of the top management.
Though on the other hand one of the fast and easy ways to boost stock prices is to fire a shitload of people. The M$ resellers on staff could be zapped in a twofer. Getting rid of them would get them out of the way and pave the way forward for modernizing the technical infrastructure. At the same time they'd still count as fired redundant staff in boosting the stock prices.
Money is not free speech. Elections should not be auctions.
(Score: 0) by Anonymous Coward on Thursday June 03 2021, @01:18PM
Wake up to reality and get a clue. Non-MS stuff like Apple/Linux stuff gets pwned regularly too.
Ransomware doesn't need root/admin access to cause damage. Just encrypting what the user has access to is usually good enough.
So all it takes is some drive by exploit or user running something the user shouldn't. Which can happen whatever OS it is. Switching away from MS doesn't do much against ransomware.
See also: https://www.theguardian.com/technology/2016/mar/16/major-sites-new-york-times-bbc-ransomware-malvertising [theguardian.com]
The corporate browsers for Desktop Linux or Windows will be pretty much the same. The adblockers too.
What might help is having many/most files in file shares and having honeypot/decoy directories and sentinel files. If stuff is touched the file shares go read-only, except maybe for the decoy folders/shares (to try to buy some time till all the shares go read-only).
There's ransomware for MacOS: https://www.wired.com/story/new-mac-ransomware-thiefquest-evilquest/ [wired.com]
And ransomware that works for Linux: https://www.wordfence.com/blog/2016/02/wordpress-ransomware-teslacrypt-mint-linux-hacked/ [wordfence.com]
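The decoy-directory and sentinel-file idea from this comment, as an added illustration that is not the poster's code: it plants hashed decoy files in a share (assumed here to be modelled as a temporary directory), re-hashes them on each poll, and calls a caller-supplied hook (assumed to be whatever flips the real share to read-only, e.g. an SMB share ACL change) when any decoy is missing or altered.

```python
import hashlib
import os
import tempfile

# Decoy names chosen to sort first and last in a directory listing, since an
# encryptor walking the share alphabetically tends to reach them early.
SENTINEL_NAMES = ("00_do_not_touch.docx", "zz_archive_index.xlsx")


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def plant_sentinels(share_dir):
    """Create decoy files in the share; return a {path: sha256} baseline."""
    baseline = {}
    for name in SENTINEL_NAMES:
        path = os.path.join(share_dir, name)
        with open(path, "wb") as fh:
            fh.write(b"decoy content for " + name.encode())
        baseline[path] = sha256_of(path)
    return baseline


def check_sentinels(baseline):
    """Return sentinel paths that are missing or whose content changed.
    Ransomware usually rewrites a file in place or renames it with a new
    extension, so a changed hash or a vanished path both count as tampering."""
    return [p for p, digest in baseline.items()
            if not os.path.exists(p) or sha256_of(p) != digest]


def guard_share(baseline, make_read_only):
    """One polling pass: on tampering, invoke make_read_only() and return True."""
    tampered = check_sentinels(baseline)
    if tampered:
        make_read_only(tampered)  # hook: flip the real share to read-only
        return True
    return False


def demo():
    """Stand-alone run: plant decoys, simulate an encryptor, re-check."""
    share = tempfile.mkdtemp(prefix="share_")  # stand-in for a file share
    baseline = plant_sentinels(share)
    state = {"read_only": False}
    clean = guard_share(baseline, lambda hits: state.update(read_only=True))
    # Constructed ransomware-like behaviour: overwrite one decoy in place.
    with open(next(iter(baseline)), "wb") as fh:
        fh.write(b"\x00garbage")
    tripped = guard_share(baseline, lambda hits: state.update(read_only=True))
    return clean, tripped, state["read_only"]  # (False, True, True)
```

In practice the poll interval bounds how many real files an encryptor can touch before the hook fires, so the check belongs on the file server itself rather than on a client that may be the infected machine.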
(Score: 0) by Anonymous Coward on Thursday June 03 2021, @01:58PM
"The first step in securing their computing environment would be the elimination and removal of M$ products and services. "
Sadly, M$ seems not securable, or removable.
One wonders if the doable list can ever include machines which allow random folks to run code on. I.e., almost any machine with a useful web browser.
Securing office PCs seems unlikely. CEOs should know that they can survive having to rebuild and restore from backup every PC in an enterprise.
It seems far from perfect, but what if you had a safe(r) central storage system?
Putting all the eggs in one basket gives you a single thing to make offline backups for.
It is also a juicy target for a supply chain attack, but hopefully one that is simpler, with a manageable attack surface.
Seems a use case crying for open, auditable source.
After doing the best you can on office PCs and knowing it is not enough, make a rule that random office PCs get wiped and rebuilt occasionally for good measure.
IT comes in and swaps out the machine and sets it up and the user is expected to continue or explain why not.
If it doesn't work, the user gets his old machine back and they adjust the process.
If it does work, they are continually refreshing the builds on their machines.
Same plan should apply to servers and VMs.
Imagine running a store where every customer is a skilled shoplifter.
It takes an incredibly inefficient amount of extra work to run an economic engine without trust.
So, bringing the bad guys and any countries supporting them to account needs to be done.
That said, a store that treats this threat lightly is partly to blame.
Recent news shows we have way too much of that.
(Score: 2) by epitaxial on Thursday June 03 2021, @02:14PM
I'll start using Linux when they release builds for Altium and Solidworks.
(Score: 1, Interesting) by Anonymous Coward on Thursday June 03 2021, @10:00PM
Which is a far bigger threat with many known locally or remotely exploitable flaws and very few user/administrator accessible ways to disable them without physical access and a clip-flasher (since almost all BIOS chips are soldered down now.)
Furthermore all development on the system is in Israel, which has strong ties to the US, Russia, and China and has been shown to be perfectly willing to betray any of them to any of the others if the benefits outweigh the risks, although it has usually been US -> others rather than others -> US.
Why do I mention this? Because every processor line, x86, ARM, etc (Maybe not PowerPC? MIPS? Older unsigned embedded arches?) is now running arbitrary and sometimes blackboxed code that you can't alter, replace, or in most cases remove. Much of this code has been proven insecure. Some of the companies have been proven compromised either by third parties or government intervention. And yet the majority of chips worldwide are done like this with a factory or OEM signing key effectively locking the end user or business technical administrators out of patching, repairing or replacing questionable or compromised 'superprivileged' code. Code which is an even bigger threat than the mere system level compromises of Windows, where at least there are usually traces you can discover, or data forensics when you remove the drive and scan it in another system.
(Score: 3, Interesting) by Thexalon on Thursday June 03 2021, @03:39PM (2 children)
They may try, but there's a big difference between trying to secure your systems and succeeding at securing your systems. Especially when the people in charge of the computer systems are in over their heads, which happens more than anybody would like.
For example, I worked for a while for a small organization whose head of IT was investing heavily in security, by which I mean spending large sums of money on a cybersecurity vendor who was happy to sell them stuff that didn't work. What actually fixed their gaping holes in security wasn't any of that, but me going through and doing what the head of IT thought was impossible, namely spending my first couple of months fixing the roughly 2100 places in their custom code vulnerable to injection, and the break-ins stopped happening.
(As it turned out, the guy who had built this ridiculously insecure system had worked as a programmer for about a week at another place I had worked, and during that week had learned about this newfangled thingy called an "array", but somehow had fooled this organization for years.)
"Think of how stupid the average person is. Then realize half of 'em are stupider than that." - George Carlin
(Score: 2) by Common Joe on Friday June 04 2021, @08:36AM (1 child)
You're giving me flashbacks. A bunch of years ago when I was considered still green and fresh from school, I started a new job and made some friends. About a year into the job, one of my friends called me over to help him with code because I was good in a particular language. At first, I wasn't sure I could help him because he worked on a different part of the system than me, but as he described his problem, I became horrified. He didn't know how to write an if-then-else statement. Like, literally, he could barely write the syntax and definitively couldn't do the logic.
I still wonder how he got a job where he earned more than some contractors (he told me how much he earned) because I'd love to have those skills. I suck at job hunting, but at least I can write an if statement.
(Score: 0) by Anonymous Coward on Friday June 04 2021, @01:46PM
At a place I worked some guy knew how to write if-then statements.
The code he wrote was basically hundreds of hard coded if then statements in PHP.
Data on sites in database that can be dynamically updated easily? Nope, none of that stuff. All in if-then statements.
Well maybe that kept it safe from the other guy who dropped an entire production database.
Backups? What's that?
(Score: 0) by Anonymous Coward on Thursday June 03 2021, @02:03PM
maybe if you don't do business in the U.S.A. you don't get ransomware attacks?