We’re back with another issue of the _secpro’s Top Ten Worst Ransomware Attacks of 2021. This time, we turn to something that everyone is probably familiar with due to how widespread the coverage of this attack was – this time, we are looking at JBS.
“Austin”, you tell me, “What do you mean the JBS attack is only at number eight?!” I’m well aware that this might come as a shock to some. This attack was culturally huge at the time. This attack came in the wake of another massive attack, the Colonial Pipeline cyberattack, so the mainstream media was in hysteria. When will the cybercriminals stop? They’ve taken gas and food, what are they planning to take away from us next?
It was an understandable worry. I remember getting caught up in the emotion of the time too. But the most important thing to analyze is how the attackers took down JBS. Not only was the attack only sustained over a short period of time, but the ransom itself was also a rather small sum (in the context of ransomware attacks, that is). That’s why it is low down on our list of ransomware attacks. We look forward to hearing why you disagree!
Cast your mind back to May 2021. The United States was still dealing with the side effects of the Colonial Pipeline attack earlier in the month. People without the slightest interest in cybersecurity knew about DarkSide, the group responsible for that attack. A growing interest in cybersecurity among non-specialists really pushed this attack into the forefront of everyone’s minds. With the world not ready for another cyberattack, news outlets started to report that there would be disruption in the worldwide meat distribution business for the foreseeable future.
Who are JBS?
As with many of the world’s largest companies, a lot of people weren’t aware of JBS until the REvil attack. Starting in 1953 as a minor slaughterhouse in Brazil, the company has since grown to have over 150,000 workers all around the world. As any cybersecurity professional knows, with rapid expansion comes the rapid expansion of endpoints.
The attack itself locked down the business’s presence in Canada, the UK, and the US, as well as in the company’s Brazilian home. Among these big-name targets were JBS’s five biggest processing plants, all of which are found in the USA. As with the Colonial Pipeline attack, it seems that the majority of the problem for the JBS team was related to billing and shipping.
How did REvil lock down JBS?
First things first: the JBS response to the ransomware attack was actually quite good. When we compare the JBS ransomware attack with nightmarish examples such as the NHS and WannaCry, we can see how the company positioned itself well to overcome a ransomware attack:
- A fast response from the cybersecurity team that stopped the attack from spiraling out of control,
- Outside help was immediately called in to support the security team,
- Backups were safely stored off-site,
- The recovery process was quickly put into action after the breach had taken place.
Obviously, however, these defences weren’t enough to lock out the attackers altogether. Instead, what we found was that JBS had been compromised months beforehand; the company was only quick to respond once the lockdown itself began.
Let’s have a look at the findings that came out after the attack:
- Forensic analysis shows that REvil’s initial intrusion began in February 2021, when the attackers first made their way into JBS systems.
- JBS Australia seems to have been the point of entry for the threat actors.
- The exploited attack vector has still not been released to the public (there has been much speculation, often contradictory), but we can say for a fact that terabytes’ worth of data were sent to an IP address in Hong Kong in the first half of 2021.
- Between March and May 2021, REvil started to exfiltrate data from JBS.
- On June 1st 2021, the ransomware attack was launched.
- Due to the wide-reaching nature of this attack, REvil’s ransomware is still considered a supply chain risk in many places.
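The timeline above turns on a detail defenders can act on: terabytes left the network for an external address over several months before anything was encrypted. The following Python is an added example, not part of the original article and unrelated to JBS’s actual tooling or REvil’s real traffic. It runs over constructed NetFlow-style records and flags any host-day whose outbound volume to external addresses exceeds a fixed ceiling or is far above that host’s own earlier daily totals. The hostnames, the RFC 5737 documentation addresses standing in for an external IP, and the thresholds are all assumptions.

```python
"""
Egress-volume anomaly detection over constructed flow records.

Hypothetical example: the hosts, addresses and thresholds below are made up.
The point is the signal a months-long exfiltration leaves behind, namely a host
suddenly pushing far more data to an external address than it ever has before.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample flows: (timestamp, source host, destination IP, bytes sent out).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges used as placeholders
# for external addresses; the 10.x and 172.16.x entries are internal traffic.
FLOWS = [
    ("2021-03-01T09:12:00", "wks-au-041", "10.20.3.5", 120_000),
    ("2021-03-01T09:30:00", "wks-au-041", "203.0.113.10", 2_500_000),
    ("2021-03-02T10:02:00", "wks-au-041", "203.0.113.10", 2_800_000),
    ("2021-03-03T23:40:00", "wks-au-041", "198.51.100.77", 850_000_000_000),
    ("2021-03-03T23:45:00", "wks-au-041", "198.51.100.77", 400_000_000_000),
    ("2021-03-01T11:00:00", "fileserv-02", "10.20.3.5", 9_000_000_000),
    ("2021-03-03T02:00:00", "fileserv-02", "172.16.8.9", 12_000_000_000),
]

# RFC 1918 ranges; traffic to these is treated as internal and ignored.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip):
    """True when the destination is outside the internal address ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def daily_egress(flows):
    """Sum bytes per (host, day) for external destinations; also record which destinations."""
    totals = defaultdict(int)
    dests = defaultdict(set)
    for ts, host, dst, nbytes in flows:
        if not is_external(dst):
            continue
        day = datetime.fromisoformat(ts).date()
        totals[(host, day)] += nbytes
        dests[(host, day)].add(dst)
    return totals, dests


def find_anomalies(flows, abs_threshold=100 * 1024**3, ratio=10.0):
    """
    Flag a host-day when its external egress exceeds abs_threshold (default 100 GiB)
    or is more than `ratio` times that host's largest earlier external daily total.
    Returns a list of (host, day, bytes, reasons, destinations), processed in date order
    so that each day is judged only against the host's history before it.
    """
    totals, dests = daily_egress(flows)
    history = defaultdict(list)
    findings = []
    for host, day in sorted(totals):
        nbytes = totals[(host, day)]
        prior = history[host]
        reasons = []
        if nbytes > abs_threshold:
            reasons.append("absolute")
        if prior and nbytes > ratio * max(prior):
            reasons.append("baseline")
        if reasons:
            findings.append((host, day.isoformat(), nbytes, ",".join(reasons), sorted(dests[(host, day)])))
        prior.append(nbytes)
    return findings


if __name__ == "__main__":
    for host, day, nbytes, reasons, where in find_anomalies(FLOWS):
        print(f"{day} {host}: {nbytes / 1024**3:.1f} GiB to {', '.join(where)} [{reasons}]")
```

With the sample data, only the workstation’s 3 March burst is reported, and for both reasons: it is above the absolute ceiling and roughly five orders of magnitude above the host’s previous days. The baseline test is what catches quieter, steadier exfiltration from hosts that never approach the absolute ceiling; a natural extension is to also flag a host’s first contact with a previously unseen external destination.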
For that reason, despite the heroics of the JBS cybersecurity team in reacting to the ransomware attack, there is much for us to learn about how we deal with the intrusion that comes before the lockdown. Lots of advice has been shared by _secpro and other security analysts all around the world, but remember: back up, store safely, and always be ready – the best mindset for dealing with ransomware is a paranoid one!
Did JBS pay the ransom?
Although JBS had initially attempted to resist paying the ransom, the REvil gang walked away from the assault on the global meat supply company with $11 million. This sum seemed large at the time, but by the end of the year, it had been overshadowed by some extremely large-scale attacks.
Are you ready for another unhappy ending, _secpro readers? As threat actors tend to do, REvil disappeared off the map completely at the end of July 2021. We have seen similar attack patterns and ransomware types since, but it seems the REvil brand is very much a thing of the past.