When the scuttlebutt of a new ransomware attack comes down the “pipeline,” one might expect the victim to be a known entity in the technology, consulting, or energy sector. This time, the high-profile target was one of the largest meat suppliers in the world. In the waning days of May, JBS USA Holdings, Inc. halted all production following a breach of its North American and Australian IT systems by REvil ransomware operators.
With around 250,000 employees on payroll and supply deals with 190 countries, JBS could not afford a protracted recovery period. Despite a fairly quick turnaround on system recovery, this latest campaign is especially frightening for its role in establishing a modus operandi for ransomers. Commercial industries and suppliers with tangible products, particularly ones such as Colonial Pipeline that automatically transmit the affliction to consumers writ large, are ill-equipped on the IT security front for any battle to maintain functionality.
JBS had not done anything revolutionary in terms of preventative measures. Many food-based companies have limited security protocols due to the assumption that the associated intellectual property is not hack-worthy. An analysis by rating firm SecurityScorecard, Inc., conducted days after the attack, placed JBS in the bottom tenth of 57,251 food industry companies based on publicly accessible cybersecurity metrics.
JBS says its systems were back online expeditiously because backup servers were intact, and production assets were prioritized to save face in the event of a food supply chain crisis. Government intervention, however, may have been the true linchpin for recovery, as U.S., Australian, and Canadian officials came out of the woodwork to lend a hand. JBS had the guidance of the FBI and CISA in managing the technical aspects of operational restoration. A possible ransom payment agreement was not made public, unlike the known $5 million sum shelled out by Colonial Pipeline, and JBS Chief Executive Officer Andre Nogueira noted that the company’s core systems were undamaged.
The relative ease with which JBS recuperated is prompting a discussion about government involvement, and how paramount those resources might be for IT-challenged commercial supply industries in dealing with ransomware and other data attacks. The news-making contaminations are undoubtedly amassing to a point that calls for further political action and increased general awareness. The U.S. Department of Justice has released new guidelines that elevate ransomware inquiries to a similar level of priority as terrorism. Investigators will now be required to share real-time case developments and active technical details with higher-ups in D.C. To get a grasp on a worldwide cybercrime ecosystem, central notification investigations are to include cases involving counter anti-virus technology, illicit online marketplaces, cryptocurrency exchanges, bulletproof hosting services, and online money laundering platforms.
A Ransomware and Digital Extortion Task Force has been established to aggregate and coordinate all federal ransomware probes, with protocols in place that are akin to terrorism threat counteraction following 9/11. Armed with intelligence reports that tie many of the recent ransomware groups (including REvil) to Russia, President Biden is set to broach the subject with Russian President Putin during the Geneva summit in mid-June.