Takeaways from this post:
- The JBS Foods ransomware attack was one of several in a wave of ransomware attacks that has shifted from data denial towards exfiltration.
- Ransomware attacks are now more heavily targeting industrial sectors.
- The attack had the potential to negatively impact all the companies in the victim’s supply chain and cause exponential damage.
The ransomware attack that recently infected JBS Foods, one of the largest meat processing companies globally, was one of several in a wave that has shifted from data denial towards exfiltration. After being forced to shut down temporarily, JBS paid $11 million to REvil (AKA Sodinokibi) to decrypt their systems and ensure no data was exfiltrated.
According to reports from the FBI, REvil, the group behind the JBS attack, is a known Ransomware as a Service (RaaS) group based in Russia and has been seen a lot over the last few years. REvil has been reported to have made millions of dollars from companies who pay the ransom, in the form of bitcoin, to decrypt their systems and receive a guarantee by REvil not to leak their private information to the public. REvil is known to demand extremely high amounts of money as ransom, as we saw in its attack on Apple, in which the group demanded $50 million.
The attack on JBS came on the heels of a ransomware attack on the Colonial Pipeline by the DarkSide, which disrupted fuel distribution in the US for several days before the ransom was finally paid (and eventually recovered).
Potential Ransomware Shifts
In an interview conducted by a YouTube group called Russian OSINT with a REvil representative known as UNKN, the representative stated that the agriculture industry was the primary target for the REvil group. UNKN also said that the REvil group is confident that ransomware will shift away from denial of data and move towards data extraction. If this comes to fruition, this means that ransomware groups will now hold important data hostage in exchange for a monetary ransom or even blackmail.
An infographic provided by Digital Shadows shows that industrial goods and services were the targets of about 29% of ransomware attacks last year.
The fact that ransomware attackers have shifted their sights to the industrial goods and services sector could be due to the agriculture industry evolving its technologies to become more reliant on IT systems. Another factor could potentially be that the industrial goods and services sector substantially impacts our daily lives. Any threat that could degrade or deny industrial goods and services could heavily impact third parties. That provides a good reason why a company like JBS would want to pay the ransom quickly: other organizations are heavily reliant on their services.
Ransomware and Its Effect On Third Parties
As stated above, the attack on JBS could have made a much more significant impact on restaurants, grocery stores, and farmers that rely on the company for its products. It focuses on how ransomware could have a catastrophic effect on third parties that depend on the infected organizations’ services.
An example of this was the attack on BlackBaud, a cloud services provider. The breach resulted in class-action lawsuits being filed against the company, following the disclosure that customers’ data had been breached. It is imperative to understand that successful ransomware attacks against an organization can affect the customers who use their systems or products. Such an attack could lead to damage to third parties in the form of system degradation or leaked data (even if the third party didn’t get infected by the ransomware). Regulatory violations and data privacy disclosures can also come into play if customer or third-party data is breached.
How You Can Protect Your Organization From Ransomware
Ransomware attacks are becoming more common in today’s world, and it is more important than ever for an organization to defend itself against attacks. A successful attack can lead to millions of dollars of lost revenue and potentially cause catastrophic damage in downtime and leaked personal data. Below are some steps recommended by Safeguard Cyber to help mitigate the risk of being infected by ransomware:
Backup your data and test your restoration
- Identify critical company data for back-up prioritization
- Regularly create and test backups
- Create a response plan that outlines employee roles and responsibilities
Gain powers of detection
- Deploy digital risk protection controls to secure communications in third party cloud appliances against phishing attempts and suspicious payloads
- Ensure your organization possesses the capability to detect and respond to malicious links, attachments, and URLs
Educate employees on best practices
- Educate employees about the latest phishing scams and lures and how they should respond to them
- Educate employees on the importance of keeping personal and business systems up to date with the latest security updates and patches
Updates and patches
- Establish patching and system update procedures for internet facing architecture
Monitor beyond the endpoint
- Deploy cross-layered detection and response to monitor activities across email, collaboration tools, and social media applications
- Ensure your solution can capture raw events that have been deemed malicious
Ransomware attacks can have devastating impacts. Malware and its techniques are constantly evolving, and once encryption takes place, it can be tough to reverse. The reality is that once they are hit with a sophisticated ransomware attack, most enterprises ultimately pay a steep price.
For this reason, the absolute best course of action against ransomware is proactive prevention, combined with continuous data backup. To learn more on how SafeGuard Cyber can protect your organization through multi-layered detection and response capabilities that stop ransomware and other digital threats, please contact us to schedule a meeting or request a demo.
Guide: Read our guide to learn more
on how to prevent ransomware attacks