Global Meat Supplier Operating Again After REvil Cyberattack

Published: 08 June 2021

The attack and others like it have led government officials to increasingly recognize the threat that cybercrime poses to various industries, even those outside of high tech. (Photo: borkazoid, Flickr, License)

By Emily Tian

After a cyberattack linked to Russian hacker group REvil forced the world’s largest meat supplier, JBS, to shut down all of its systems, including plants in North America and Australia, the Brazil-based company has returned to full global operations. An expert said on Tuesday that attacked companies won’t tell whether they paid a ransom.

The attack, which took place on May 30, affected servers that supported the company’s North American and Australian operating systems, according to a press release from JBS. 

Since the company’s encrypted backup servers were not affected by the attack, JBS was able to limit the loss to less than one day’s worth of production, which it expects to recover by the end of this week. JBS USA CEO Andre Nogueira said in a separate statement that JBS and Pilgrim’s core systems were not affected by the attack, “which greatly reduced potential impact.”

According to the company, there is no evidence that any consumer or employee data was compromised as a result of the attack.

The FBI has attributed the attack to REvil (also known as Sodinokibi) and wrote that the agency is working to hold the responsible actors accountable. In light of the recent rapid increase in ransomware attacks on private companies, the FBI has also made cyberattack investigations a top priority, according to another statement released last week. 

REvil is a ransomware-as-a-service operation, thought to be based in Russia, that has gained a reputation for the hefty ransoms it exacts from its victims. According to an analysis by antivirus software company Emsisoft, 4.6% of reported ransomware strains in the first quarter of 2021 can be traced to REvil.

There have not been any posts regarding the JBS cyberattack on REvil’s dark web site, known as “Happy Blog,” where the group usually claims responsibility for past hacks. It is not known whether JBS paid a ransom. The company did not respond to requests for comment.

Andrew Grotto, a cybersecurity researcher at Stanford, told OCCRP on Tuesday that companies that have paid the ransom may not have an incentive to disclose that information to the public, unless they have reporting obligations to their shareholders.

The JBS attack follows shortly after the Colonial Pipeline cyberattack that shut down the operator for days in May until it allegedly paid a $4.4 million ransom to Darkside, another Russian hacker group linked to the attack. 

The attack and others like it have led government officials to increasingly recognize the threat that cybercrime poses to various industries, even those outside of traditionally high-risk sectors like financial services and energy.

“A distinction has been drawn for many decades between IT and customer records and Operations Technology, which handles industrial processes,” Grotto said. “The assumption is falling apart that OT presents a hard target for adversaries since it relies on specialized equipment that might not be embedded in the IT infrastructure.” 

The White House’s Deputy Press Secretary, Karine Jean-Pierre, told reporters on June 1 that the White House and the U.S. Department of Agriculture had been supporting JBS leadership, along with the FBI. The White House is also delivering the message to the Russian government that “responsible states do not harbor ransomware criminals,” according to Jean-Pierre.