Attack on meat supplier came from REvil, ransomware’s most cutthroat gang

Ransomware
Enlarge / Ransomware
Getty Images

The cyberattack that halted some operations at the world’s biggest meat processor this week was the work of REvil, a ransomware franchise known for its ever-escalating series of cutthroat tactics designed to extort the highest price.

The FBI made the attribution on Wednesday, a day after word emerged that Brazil-based JBS SA had experienced a ransomware attack that prompted the closure of at least five US-based plants, in addition to facilities in Canada and Australia.

High-pressure ransom

REvil and its affiliates account for about 4 percent of attacks on the public and private sectors. In most respects, REvil is a fairly average ransomware enterprise. What sets it apart is the cruelty of its tactics, which are designed to exert maximum pressure on victims.

“In some respects REvil is a ‘pioneer’… being one of the early adopters of publicly blogging victims and leaning heavily into the ‘double-extortion’ side of things,” Jim Walter, a senior threat researcher at security firm SentinelOne, said in a text message. “They were also early experimenters with auctioning off stolen data. Some auctions were successful, some where not, but potentially data stolen from select victims would have been available to the highest bidder.”

In one case, the REvil dark web site posted a screenshot purporting to show that pornography was present in a temporary files folder of a computer belonging to the IT director of a large company that had recently fallen victim to the group.

“While he was jerking his cock, we downloaded several hundred gigabytes of private information about the company’s customers,” said the post. “God bless his hairy palms. Amen!”

REvil is also the group that hacked Grubman, Shire, Meiselas & Sacks, the celebrity law firm that represented Lady Gaga, Madonna, U2, and other top-flight entertainers. When REvil demanded $21 million in return for not publishing the data, the law firm reportedly offered $365,000. REvil responded by upping its demand to $42 million and later publishing a 2.4GB archive containing some Lady Gaga legal documents.

Other REvil victims include Kenneth Copeland, SoftwareOne, Quest, and Travelex.

Last year, REvil started auctioning off the confidential information of victims who refuse to pay. In March, the group announced a new service that contacts the media and victims’ partners to inform them of a breach. REvil can also threaten victims with DDoS attacks.

REvil first appeared in April 2019 and quickly developed a reputation for technical prowess when it used legitimate CPU functions to bypass security systems. In April of this year, Kaspersky ranked REvil as the number-three ransomware group.

Supply chains under threat

In April, REvil stole data from manufacturer Quanta Computer and then demanded $50 million from Apple in exchange for not publishing technical data it had obtained for unreleased Apple products. The group went on to publish schematics for two Apple products on the day they were announced. The data has since been removed, for reasons unknown.

This week’s incident came three weeks after ransomware closed down the Colonial Pipeline, an event that caused shortages of gasoline and jet fuel up and down the east coast of the US.

Production began to resume at US-based JBS beef plants on Wednesday, though thousands of JBS workers in the US, Canada, and Australia had shifts adjusted or canceled earlier this week.

Such ransomware attacks continue to expose the fragility of the country’s supply chains as leaders in the private and public sectors struggle, largely in vain, to contain the threat.