Experts Say Ransomware Hasn’t Slowed Down Since Colonial Pipeline
The White House says on Tuesday it has contacted Russia regarding the ransomware attack against JBS SA, the multinational meat producer. It’s a positive sign of more forward action by the U.S. government after Colonial Pipeline, but experts say the ransomware scourge is clearly still business as usual.
JBS informed the White House that it believes the ransom demand is likely coming from Russia, says Karine Jean-Pierre, principal deputy press secretary, during a press briefing on Air Force One.
“The White House is engaging directly with the Russian government on this matter and delivering the message that responsible states do not harbor ransomware criminals,” Jean-Pierre says according to a transcript. “The FBI is investigating the incident and CISA [Cybersecurity and Infrastructure Security Agency] is coordinating with the FBI to offer technical support to the company in recovering from the ransomware attack.”
JBS: Resuming Production
JBS, which is based in São Paulo, Brazil, notified the White House of the incident on Sunday. The company has not disclosed how much attackers are demanding for a ransom.
The attack affected servers in North America and Australia, where meat processing operations were halted on Monday. But the company says it is making progress in recovering.
Andre Nogueira, CEO of JBS USA, says in a statement that “our systems are coming back online, and we are not sparing any resources to fight this threat. We have cybersecurity plans in place to address these types of issues, and we are successfully executing those plans.”
The “vast majority” of its beef, pork, poultry and prepared food plants should be operational by Wednesday, JBS says. It is still working on resuming operations at some plants in the U.S. and Australia. A beef facility in Canada has resumed production.
Jean-Pierre says the U.S. Department of Agriculture is reaching out to other meat suppliers to ensure they’re aware of the JBS incident. Agriculture operations and food processing facilities are considered critical infrastructure by CISA. But food plants — similar to manufacturing plants — have often proven to be soft targets for ransomware distributors, says Allan Liska, who is part of Recorded Future’s Computer Security Incident Response Team.
“In general, food processing has been easy pickings,” Liska says.
Experts: No Ransomware Pause
The attack against JBS comes just a few weeks after the May 7 infection of Colonial Pipeline Co., which triggered fuel shortages and more worries about the vulnerability of critical infrastructure. At first, the Colonial Pipeline incident appeared to be a watershed moment that might change the ransomware scene (see Colonial Pipeline Attack Leads to Calls for Cyber Regs).
For example, two cybercrime forums, Raid and XSS, announced they would no longer allow ransomware actors to advertise on their sites, although that ban now appears to be only loosely enforced.
DarkSide, the group that created the ransomware used in the Colonial Pipeline attack, said it would more closely watch the types of organizations its affiliates target. Affiliates are criminal partners that rent the ransomware from coding groups such as DarkSide and deploy it against victims. Then DarkSide seemingly disappeared, presumably because of the unwanted attention.
And the U.S. government seems more determined to defend its critical infrastructure after fuel shortages that saw some people hoarding fuel. But nothing has really changed over the last few weeks, experts say.
“There really hasn’t been a slowdown at all in ransomware,” Liska says.
Liska says at least 16 victim organizations have seen their private data dumped by ransomware operators since the Colonial Pipeline incident. Ransomware groups often exfiltrate data before launching the file-encrypting component, so that even a victim with good backups can still be extorted with the threat of publication, giving the attackers more leverage to pressure organizations to pay.
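The exfiltrate-then-encrypt sequence described above leaves two distinct traces on the same host: a bulk outbound transfer, followed hours later by a burst of file renames as the encryptor runs. The following is an added illustration, not code from the article or from any of the vendors it quotes, of correlating those two signals over constructed host telemetry. The log format, the thresholds (1 GB to a single destination within 24 hours, 20 renames within 5 minutes) and the hostnames and addresses are all assumptions made for the example.

```python
"""Correlate bulk outbound transfer with a later file-rename burst on one host.

Added example for the double-extortion pattern (exfiltration, then encryption).
The telemetry format, thresholds, hosts and addresses are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

EXFIL_BYTES = 1_000_000_000          # assumed: >= 1 GB to one destination
EXFIL_LOOKBACK = timedelta(hours=24)  # assumed: exfil window before encryption
RENAME_BURST = 20                     # assumed: >= 20 renames ...
RENAME_WINDOW = timedelta(minutes=5)  # ... within 5 minutes

_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_event(line):
    """Parse 'timestamp host KIND k=v k=v' into a dict (constructed format)."""
    ts, host, kind, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    when = datetime.strptime(ts, _FMT).replace(tzinfo=timezone.utc)
    return {"ts": when, "host": host, "kind": kind, **kv}


def rename_bursts(events):
    """Return {host: (first_ts, last_ts)} for the first rename burst per host."""
    by_host = defaultdict(list)
    for e in events:
        if e["kind"] == "FILE_RENAME":
            by_host[e["host"]].append(e["ts"])
    bursts = {}
    for host, times in by_host.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):          # sliding window over sorted times
            while times[hi] - times[lo] > RENAME_WINDOW:
                lo += 1
            if hi - lo + 1 >= RENAME_BURST:
                bursts[host] = (times[lo], times[hi])
                break
    return bursts


def exfil_candidates(events, host, before):
    """Destinations that received >= EXFIL_BYTES from host in the lookback before `before`."""
    totals = defaultdict(int)
    for e in events:
        if (e["kind"] == "NET_OUT" and e["host"] == host
                and before - EXFIL_LOOKBACK <= e["ts"] <= before):
            totals[e["dst"]] += int(e["bytes"])
    return {dst: b for dst, b in totals.items() if b >= EXFIL_BYTES}


def detect(lines):
    """Alert only when a rename burst is preceded by bulk outbound transfer."""
    events = [parse_event(l) for l in lines if l.strip()]
    alerts = []
    for host, (start, _end) in rename_bursts(events).items():
        exfil = exfil_candidates(events, host, start)
        if exfil:
            alerts.append({"host": host, "burst_start": start, "exfil": exfil})
    return alerts


# Constructed sample telemetry: one true double-extortion sequence on fileserver01,
# ordinary activity on hr-laptop07, and a rename burst with no exfil on backup02.
SAMPLE_LINES = [
    "2021-05-28T02:10:05Z fileserver01 NET_OUT dst=203.0.113.10:443 bytes=5200000000",
    "2021-05-28T02:14:30Z fileserver01 NET_OUT dst=203.0.113.10:443 bytes=4100000000",
    "2021-05-28T02:20:00Z hr-laptop07 NET_OUT dst=198.51.100.7:443 bytes=12000000",
    "2021-05-28T02:21:00Z hr-laptop07 FILE_RENAME path=/home/u/draft.docx new=/home/u/draft_v2.docx",
]
_enc = datetime(2021, 5, 28, 3, 5, 0, tzinfo=timezone.utc)
SAMPLE_LINES += [
    f"{(_enc + timedelta(seconds=5 * i)).strftime(_FMT)} fileserver01 "
    f"FILE_RENAME path=/srv/share/doc{i}.xlsx new=/srv/share/doc{i}.xlsx.locked"
    for i in range(25)
]
_rot = datetime(2021, 5, 28, 4, 0, 0, tzinfo=timezone.utc)
SAMPLE_LINES += [
    f"{(_rot + timedelta(seconds=5 * i)).strftime(_FMT)} backup02 "
    f"FILE_RENAME path=/backup/set{i}.tar new=/backup/set{i}.tar.old"
    for i in range(25)
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LINES):
        print(a["host"], a["burst_start"].isoformat(), a["exfil"])
```

In the sample, backup02 produces a rename burst on its own but no alert, because nothing left the host beforehand; requiring both halves is what separates an encryptor from routine bulk file operations. In practice the rename signal would come from an EDR or file-audit source and the byte counts from flow records or a proxy, and the lookback would be tuned to how long the operators typically dwell between staging data and detonating.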
On Tuesday, attackers publicly posted source code belonging to CD Projekt Red, the Polish game developer. The company disclosed a ransomware infection on Feb. 9, with the attacker claiming to have stolen the source code for the games Cyberpunk 2077, The Witcher 3 and Gwent.
CD Projekt Red said from the start of the incident that “we will not give in to the demands nor negotiate with the actor.” Even four months later, the company is still being harassed by its attackers.
CD Projekt Red's Feb. 9, 2021 tweet (@CDPROJEKTRED), "Important Update": pic.twitter.com/PCEuhAJosR
Ransomware affiliates also appear unfazed. “It’s very easy for affiliates to jump from one ransomware to another,” Liska says. “We’ve kind of seen the hole filled by DarkSide’s absence with an uptick in attacks from Avaddon and Conti ransomware and other second-tier RAAS [ransomware-as-a-service operators].”
The attention around Colonial Pipeline was never going to have a significant impact on ransomware activity itself, says Brett Callow, a threat analyst with Emsisoft. “The only thing it may have changed is governments’ response,” he says.
The U.S. has been developing plans for combating ransomware. In April, the Justice Department launched the Ransomware and Digital Extortion Task Force, which aims to exert pressure on cybercriminals (see DOJ Launches Task Force to Battle Ransomware Threat).
Also, a separate effort called the Ransomware Task Force released a comprehensive report on strategies for fighting ransomware. Those strategies include pressuring countries where ransomware actors operate, bolstering intelligence efforts, mandating that victims report payments and consider alternatives before paying, and analyzing cryptocurrency payment channels for choke points (see Fighting Ransomware: A Call for Cryptocurrency Regulation).
The U.S. has also taken aim using sanctions. One group, Evil Corp., was sanctioned by the U.S. government in December 2019 after being labeled one of the most prolific cybercriminal organizations.
But fighting ransomware using any of those strategies is a long-term game that doesn’t help near-term victims. Larger companies may survive a ransomware attack. But an attack can be an existential threat for smaller ones, which will remain vulnerable until the threat diminishes.