NEW YORK (BLOOMBERG) - They patronise hacking forums to recruit affiliates, advertise profit-sharing schemes and provide interviews on their techniques.
REvil, the Russian-linked hacker group that the United States Federal Bureau of Investigation said is responsible for the cyber attack on JBS, the largest meat producer in the world, has emerged as one of the most prolific - and public - ransomware groups in recent years.
The hackers, also known as Sodinokibi, have been at the forefront of the ransomware-as-a-service model of cyber attacks since the group first came to prominence as a security threat in 2019.
In this model, hacker groups provide malware for others to use in an attack in exchange for a cut of the ransom payments. In order to recruit talent, REvil deposited US$1 million (S$1.3 million) in bitcoins as a way to give potential affiliates peace of mind that they would get paid.
"Audaciousness is part of their persona," said Mr Allan Liska, a senior threat analyst at cyber-security firm Recorded Future.
Ransomware has become a thorny problem for the Biden administration, particularly after an attack last month on Colonial Pipeline squeezed fuel supplies along the East Coast. Other recent attacks have targeted the police department in Washington, a hospital network in California and now a major meat supplier.
Ransomware is a type of malicious software that encrypts a victim's computer files, rendering them unusable until a ransom is paid.
Some ransomware groups steal files too, providing another avenue for extortion.
REvil maintains a page on the Dark Web, called the Happy Blog, where it leaks or auctions sensitive documents from victims as an extra incentive to pressure them to pay.
Since 2017, ransomware has come to dominate other financially motivated cyber attacks in volume and profitability, said Ms Kelli Vanderlee, senior manager of analysis at Mandiant Threat Intelligence, part of FireEye.
While the attacks are not limited to a particular type of victim, available data suggests they disproportionately affect the manufacturing sector, Ms Vanderlee said.
"There are likely several contributing factors, including the perception that manufacturers may be more likely to pay to prevent monetary losses from production downtime," she said.
REvil emerged from the former GandCrab group, a ransomware-as-a-service outfit that announced it was closing shop in 2019, according to CrowdStrike Holdings, which confirmed that REvil was behind the JBS attack.
"We are getting a well-deserved retirement," GandCrab wrote, according to cyber-security blog KrebsonSecurity. "We are living proof that you can do evil and get off scot-free."
It is not clear if the operators of GandCrab simply rebranded themselves with a new name, or if REvil's operators bought - or stole - GandCrab's code. Either way, by the time GandCrab signed off, REvil was already under way as a more exclusive ransomware programme that was also known as Sodin or Sodinokibi.
In May 2019, a representative of the group, going by the nickname Unknown, sought out a small number of partners on hacking forums for a new ransomware-as-a-service programme.
"Five affiliates more can join the programme and then we'll go under the radar," according to KrebsonSecurity. "Each affiliate is guaranteed US$10,000. Your cut is 60 per cent at the beginning and 70 per cent after the first three payments are made. Five affiliates are guaranteed (US$)50,000 in total. We have been working for several years, specifically five years in this field. We are interested in professionals."
Mr Jon DiMaggio, chief security strategist at Virginia-based Analyst1, said: "They advertise sharing profits and provide infrastructure and ransomware, ransom negotiations and the distribution of funds. They handle all the bitcoin transactions and things of that nature."
Like many of the more established ransomware groups, REvil researches potential targets to ensure they have the means to pay, including determining if victims carry insurance against cyber attacks, he said.
A REvil associate said in an interview that targeting firms with cyber insurance was "one of the tastiest morsels".
Recorded Future said it is aware of at least 237 REvil victims since 2019.
REvil took credit for hacking hardware supplier Quanta Computer earlier this year, and in the process published secret blueprints for new Apple devices.
Last year, REvil executed a ransomware attack against a law firm that it claimed once represented some of former US president Donald Trump's television enterprises. In 2019, the group also attacked a group of Louisiana election clerks a week before election day.
REvil is so immersed in the ransomware domain that its members weigh in regularly on discussions about malware on hacker forums, according to Mr DiMaggio.
They also maintain direct relationships with other ransomware groups, including DarkSide, which is accused of being behind last month's attack on Colonial Pipeline, he said.
When DarkSide's site went down after the Colonial attack, REvil alerted the hacking community about it, said Mr DiMaggio, who has long studied Russian cyber-criminal gangs. "They're extremely involved. They're the kid in class who always has to raise his hand. They're very vocal in the community."
Mr DiMaggio and other analysts have said that REvil hackers communicate largely in Russian and steer clear of targets that use Cyrillic script - the alphabet used by Russian and a number of other Slavic and Eastern European languages. In the interview, REvil's Unknown said the group avoided those countries because of geopolitics, laws and patriotism.
The arrangement also gives Russian President Vladimir Putin "plausible deniability" against accusations by the White House and others that Russia is involved in the attacks.
"The whole ransomware model fits into the tactics we've seen from Russia over the years," Mr DiMaggio said.
The appeal for hackers is potentially big profits with minimal risks.
"As a child, I scrounged through the trash heaps and smoked cigarette butts," a person claiming to be REvil's Unknown said in a March interview with Recorded Future.
"I wore the same clothes for six months. In my (youth), in a communal apartment, I didn't eat for two or even three days. Now I am a millionaire."