JBS, the world’s largest meat processing company by sales, paid $11 million in bitcoin to the hackers behind the destructive ransomware attack late last month in order to regain access to its systems. The company stated that it made the payment to recover its systems and restore operations. There are not yet any confirmed accounts of the hackers holding up their end of the ransom agreement. The company has recovered most of its systems, with the rest coming back online soon. In total, 11 million files were encrypted by the ransomware, impacting over 500 companies and organizations worldwide.

Fortunately, although millions of files were affected by the attack, the company noted that no company, customer, or employee data was compromised as a consequence of the breach. The FBI discourages victims from paying the ransoms set by attackers, because doing so funds and sustains a profitable criminal marketplace for cyberattackers.

The attack was attributed to REvil (aka Sodinokibi), a prolific Russian-linked cybercrime group that has emerged as one of the top-earning ransomware cartels by revenue. The group has been known to organize attacks that can cripple organizations for up to six months at a time. In December 2016, REvil struck companies including the National Bank of Ukraine, Avtovaz Group, and the Russian Ministry of Defence, causing millions in damage.

REvil was also one of the early adopters of the so-called “double extortion” model, which other groups have since emulated to put further pressure on the victim company to meet ransom demands within the designated timeframe and so maximize the attackers’ chances of making a profit. Under the double extortion model, the cybercriminals typically extort the victim for a portion of the ransom payment in advance. In this case, the attackers demanded that JBS pay 10 percent of the ransom amount up front, followed by a further 10 percent after successful payment and delivery of the decryption keys.

REvil and its affiliates accounted for 4.6% of attacks on the public and private sectors in the first quarter of 2021, according to Emsisoft last month, making it the fifth most commonly reported ransomware strain after STOP (5134%), Phobos (6.6%), Dharma (5.1%), and Makop (4.7%).

The attack on JBS follows the recent ransomware attack on the Colonial Pipeline, which extracted 75 bitcoins ($4.4 million) in ransom for the decryption key. Security analysts also attributed this second attack to a Russian-linked group. The first Colonial Pipeline attack was reported by security researcher Brian Krebs and resulted in a $1.5 million ransom payment, with the attackers demanding an additional $2 million in bitcoin after successful decryption of the files.

Krebs noted that the cybercriminals behind both attacks were likely members of a global cybercrime syndicate known as “The Carbanak Group,” which has risen to prominence over the past 18 months through a series of notable ransomware attacks.

In addition to the recent ransoms paid by US companies, U.S. insurance firm CNA is said to have paid $40 million to attackers to recover access to its systems, in what is believed to be one of the most expensive ransoms settled to date.

The rise in cyberattacks and cybercriminal activity has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to publish a fact sheet detailing the threat ransomware poses to operational technology and control systems and helping organizations build effective resilience.

If you would like to read more about ransomware, see Darkside Ransomware Extorts Millions, an article on the same group that was behind the Colonial Pipeline attack.


If you would like liquidvideotechnologies.com to discuss developing your Home Security System, Networking, Access Control, Fire, IT consultant, or PCI Compliance, please do not hesitate to call us at 864-859-9848 or email us at deveren@liquidvideotechnologies.com.