US JBS ransomware hack likely from Russia as meatpacker prepares to resume operations

  • The White House said JBS linked its recent ransomware attack to Russia and the US has been engaging with the Russian government on the matter
  • JBS said its food plants would be operational again on Wednesday as rising food prices and supply chain security remain an ongoing concern

A JBS Processing Plant stands dormant after halting operations on June 1 in Greeley, Colorado. Photo: AFP

Brazil’s JBS SA told the US government that a ransomware attack on the company that disrupted meat production in North America and Australia originated from a criminal organisation likely based in Russia, the White House said on Tuesday.

JBS, the world’s largest meatpacker, said on Tuesday night it had made “significant progress in resolving the cyberattack”. The “vast majority” of the company’s beef, pork, poultry and prepared foods plants will be operational on Wednesday, according to a statement, easing concerns over rising food prices.

The cybergang goes by the name REvil or Sodinokibi, according to four people familiar with the assault who were not authorised to speak publicly on the matter.

While it’s unclear if all of REvil’s hackers operate in Russia, the group’s public face, a user on the dark web cybercrime forum XSS who goes by the name “Unknown,” exclusively publishes in Russian. REvil typically uses a dark web blog dubbed “Happy Blog” to name and shame victims when they decline to engage in ransom negotiations. REvil has yet to post a blog item dedicated to JBS.

The JBS attack comes just three weeks after Colonial Pipeline, operator of the biggest US gasoline pipeline, was targeted in a ransomware attack that was attributed to a group called DarkSide. Experts have said there is some evidence linking the group to Russia. That followed a series of devastating hacks against American government agencies, businesses and health facilities, also often blamed on Russia or Russia-based hackers at a fraught time in relations between the countries.

Earlier this year, REvil took credit for hacking the Taiwanese hardware supplier Quanta Computer and in the process published secret blueprints for new Apple devices. Last year, REvil executed a ransomware attack against a law firm they claimed once represented some of Donald Trump’s television enterprises.
