White House Puts Russia on Notice Over JBS Ransomware HitIn Wake of Colonial Pipeline Attack, Ransomware as Unrestrained as Ever, Experts Say
The White House says it has put Russia on notice over the ransomware attack against meat processing giant JBS. It's a sign of quick action by the U.S. government after Colonial Pipeline, but experts say the ransomware scourge is clearly still business as usual.
The FBI is probing the attack on JBS, with the U.S. Cybersecurity and Infrastructure Security Agency offering technical assistance to the company, which is based in Sao Paulo but has offices in the United States.
Speaking to reporters Tuesday aboard Air Force One, White House principal deputy press secretary Karine Jean-Pierre said JBS believes the ransomware attack was launched from Russia, which has led the Biden administration to deliver a stern warning to Moscow.
"The White House is engaging directly with the Russian government on this matter and delivering the message that responsible states do not harbor ransomware criminals," Jean-Pierre told reporters, according to a transcript of her remarks. "The FBI is investigating the incident, and CISA is coordinating with the FBI to offer technical support to the company in recovering from the ransomware attack."
JBS: Resuming Production
JBS says it discovered the incident on Sunday. The company has not described which gang might have targeted it or if it has demanded a ransom. But security firms have noted that no ransomware operation has claimed credit for the attack via a data leak site, where gangs often attempt to name, shame and shake down victims.
The meat processor says the attack affected servers in Canada, North America and Australia, and operations were halted in those geographies on Monday. But the company says it continues to make steady progress with its recovery.
"Our systems are coming back online, and we are not sparing any resources to fight this threat," says Andre Nogueira, CEO of JBS USA. "We have cybersecurity plans in place to address these types of issues, and we are successfully executing those plans."
JBS says operations in Canada are fully back online, and that the "vast majority" of affected beef, pork, poultry and prepared food plants should resume operations by the end of Wednesday, including in the U.S. and Australia.
The White House says the U.S. Department of Agriculture is contacting other meat suppliers to ensure they're aware of the JBS incident and taking steps to defend themselves against similar attacks. Agriculture operations and food processing facilities are designated by CISA as being critical infrastructure. But food plants - similar to manufacturing plants - have often proven to be soft targets for ransomware distributors, says Allan Liska, who is part of cybersecurity firm Recorded Future's computer security incident response team.
"In general, food processing has been easy pickings," Liska says.
Pace of Ransomware Attacks Continues
The attack against JBS comes just a few weeks after the May 7 infection of Colonial Pipeline Co., which triggered fuel shortages and more worries about the vulnerability of critical infrastructure. At first, the Colonial Pipeline incident appeared it might be a watershed moment that changed the dynamics of the ransomware scene (see Colonial Pipeline Attack Leads to Calls for Cyber Regs).
With officials signaling a ransomware crackdown, two cybercrime forums - Raid and XSS - claimed they would no longer allow ransomware gangs to advertise on their sites, including recruiting affiliates. But experts say any such bans, if indeed they are real, appear to be only loosely enforced.
The ransomware operation responsible for the hit on Colonial Pipeline was DarkSide. DarkSide used a ransomware-as-a-service model, where affiliates use the group's malware and shared the profits from paid ransoms. RaaS groups often develop other infrastructure for affiliates, such as payment portals for victims and dedicated data-leaking sites.
In the immediate aftermath of the attack, DarkSide claimed it would be more closely monitoring the types of organizations its affiliates target. Subsequently, however, the gang said it would cease affiliate operations altogether. Given the heat generated by the Colonial Pipeline hit, some experts expect the operators to rebrand their efforts under a different name (see: Ransomware Gangs 'Playing Games' With Victims and Public).
Despite public outrage over the increase in ransomware attacks targeting U.S. public infrastructure, attackers don't seem deterred. In recent weeks, "There really hasn't been a slowdown at all in ransomware," Recorded Future's Liska says.
Indeed, at least 16 victim organizations have seen their private data get dumped by ransomware operators since the Colonial Pipeline incident, he says.
Leaks Target CD Projekt Red
On Tuesday, for example, attackers publicly posted source code belonging to Polish game development firm CD Projekt Red. The company first disclosed on Feb. 9 that it had been hit by ransomware. Its attacker claimed to have first stolen the source code for the games Cyberpunk 2077, Witcher 3 and Gwent.
CD Projekt Red said in February, "We will not give in to the demands nor negotiate with the actor." Even four months later, however, the company is still being harassed by its attackers.
Important Update pic.twitter.com/PCEuhAJosR— CD PROJEKT RED (@CDPROJEKTRED) February 9, 2021
Ransomware affiliates also appear unphased by the events of the last few weeks and disappearance of DarkSide. "It's very easy for affiliates to jump from one ransomware to another," Liska says. "We've kind of seen the hole filled by DarkSide's absence with an uptick in attacks from Avaddon and Conti ransomware and other second-tier RaaS [operators]."
The attention around Colonial Pipeline was never going to have a significant impact on ransomware activity itself, says Brett Callow, a threat analyst with Emsisoft. "The only thing it may have changed is governments’ response," he says.
The U.S. government has been moving to more aggressively combat ransomware. In April, the Justice Department launched the Ransomware and Digital Extortion Task Force, which aims to disrupt ransomware-wielding crime syndicates.
Meanwhile, the Institute for Security and Technology has coordinated a new Ransomware Task Force, which has outlined strategies for fighting ransomware. Recommendations include pressuring countries where ransomware gangs operate, improving intelligence efforts, mandating that victims report payments and consider alternatives before paying, and analyzing cryptocurrency payment channels for chokepoints (see: Fighting Ransomware: A Call for Cryptocurrency Regulation).
The U.S. has previously tested using sanctions to disrupt gangs. In December 2019, the Treasury Department added the crime gang called Evil Corp to its list of sanctioned entities, noting that it was one of the world's most prolific cybercriminal organizations.
Arguably, however, these are long-term, as yet unproven strategies for potentially disrupting a threat that still poses an immediate, existential threat to numerous organizations.
Executive Editor Mathew Schwartz contributed to this report.