The Federal Bureau of Investigation has officially stated that the REvil ransomware operation, also known as Sodinokibi, is behind the ransomware attack on JBS, the world’s largest meat producer.
“We have attributed the JBS attack to REvil and Sodinokibi and we are working diligently to bring the threat actors to justice,” the FBI said in its statement on the JBS cyberattack.
“We continue to focus our efforts on imposing risks and consequences and holding responsible cyber actors accountable.”
Ransomware attacks have intensified over the past month as threat actors targeted critical infrastructure and services.
Last month, the DarkSide ransomware operation attacked Colonial Pipeline, the largest fuel pipeline in the United States, and caused a temporary shutdown of fuel transportation to the southeast and northeast of the United States.
A week later, Ireland’s national healthcare system, the HSE, suffered a Conti ransomware attack that severely disrupted healthcare services across the country.
All of these ransomware gangs, including REvil, are believed to be operating out of Russia.
At a press conference today, press secretary Jen Psaki said that President Biden will discuss these attacks with Russian President Vladimir Putin at the June 16 Geneva summit.
“It will be a topic of discussion in direct, one-on-one discussions, or direct discussions with President Putin and President Biden in just a couple of weeks,” Psaki said at the press conference.
The REvil ransomware operation
The REvil ransomware operation is believed to be run by a core group of Russian threat actors who recruit affiliates, or partners, to breach corporate networks, steal data, and encrypt devices.
This operation runs as a ransomware-as-a-service, where the central team earns between 20% and 30% of all ransom payments, while the rest goes to its affiliates.
REvil, also known as Sodinokibi, launched its operation in April 2019 and is believed to be an offshoot or rebrand of the notorious GandCrab ransomware gang, which closed its operations in June 2019.
The operation claims to have made $100 million in a single year through ransom payments.
The REvil ransomware group is responsible for numerous high-profile attacks, including Travelex, Grubman Shire Meiselas & Sacks (GSMLaw), Brown-Forman, SeaChange International, CyrusOne, Artech Information Systems, Albany International Airport, Kenneth Cole, Asteelflash, Pierre Fabre and Quanta Computer.
More recently, the REvil ransomware operation is suspected of being behind a ransomware attack on FUJIFILM.
The JBS ransomware attack
The JBS ransomware attack occurred in the early hours of Sunday morning, May 31, prompting JBS to shut down its network to prevent the attack from spreading.
“The company took immediate action, suspending all affected systems, notifying authorities, and activating the company’s global network of IT professionals and external experts to resolve the situation,” JBS USA said in a statement.
The attack also forced JBS to shut down several food production sites after it lost access to parts of its network.
JBS stated that its backups were not affected and that systems would be restored from backup.
However, BleepingComputer learned from sources familiar with the attack that two encrypted/corrupted data sets had prevented the company from bringing systems back online.
The problems with these databases appear to have been resolved and JBS claims that most of its plants should be operational tomorrow.
“Our systems are coming back online and we are not wasting resources to combat this threat. We have cybersecurity plans to address these types of issues and we are executing them successfully,” said Andre Nogueira, Executive Director of JBS USA.
“Given the progress of our IT professionals and plant teams in the last 24 hours, the vast majority of our beef, pork, poultry and prepared food plants will be operational tomorrow.”
BleepingComputer has contacted JBS with further questions about the attack but has not received a response.