Critical Infrastructure Security , Cybercrime , Cybercrime as-a-service
Ransomware to Riches Story: JBS Pays Criminals $11 MillionWith Nonstop Cryptocurrency Paydays, No Wonder Extortionists Love Ransomware
Is it any wonder that criminals keep flocking to ransomware when their individual haul from a well-executed digital heist can be worth $11 million?
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
That's the amount paid to attackers by the wholly owned U.S. subsidiary of the world's largest meat processer, JBS, based in Sao Paulo.
"This was a very difficult decision to make for our company and for me personally. However, we felt this decision had to be made to prevent any potential risk for our customers."
—Andre Nogueira, CEO of JBS USA
JBS discovered the attack on May 30, and said operations in the U.S., Canada and Australia had been disrupted. Days later, the FBI attributed the attack to REvil, aka Sodinokibi, which is a ransomware-as-a-service operation believed to be at least partially based in Russia.
Both the bureau and the U.S. Cybersecurity and Infrastructure Security Agency have been assisting the company with remediation.
On Wednesday, JBS USA, based in Greeley, Colorado, said in a statement that it paid $11 million worth of cryptocurrency to REvil. The payment seems to have been made not just for the promise of a decryption tool, but also a guarantee from REvil that it would not leak stolen data. Of course, there's no guarantee for whether guarantees offered by criminals can or should be trusted.
Payment: Equivalent to 6% of Annual IT Budget
JBS USA says it paid the ransom - equivalent to nearly 6% of its annual IT budget - even though "the vast majority of the company’s facilities were operational." Thus far, JBS says it does not believe that any data was stolen.
Even so, the company says that "in consultation with internal IT professionals and third-party cybersecurity experts, the company made the decision to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated."
"This was a very difficult decision to make for our company and for me personally," says Andre Nogueira, CEO of JBS USA. "However, we felt this decision had to be made to prevent any potential risk for our customers."
The FBI, Britain's National Crime Agency and other law enforcement agencies have made this clear: Legally speaking, the choice of whether or not to pay a ransom remains with victims. One caveat is if the attacker is known or suspected to be on the U.S. Treasury Department’s Office of Foreign Assets Control sanctions list, in which case organizations are meant to first liaise with the U.S. Treasury Department before they send any money, or else face potential legal peril.
In an ideal world, organizations will have the best possible defenses in place, including robust backup and restore processes, allowing them to wipe and restore systems in the event that any type of attack does get through. Likewise, ideally, organizations will have robust logging and monitoring, to better spot signs of an attack and shut it down as quickly as possible.
What was in place at JBS isn't clear, although the company claims that it was robust. "JBS USA’s ability to quickly resolve the issues resulting from the attack was due to its cybersecurity protocols, redundant systems and encrypted backup servers," backed by the expertise of its 850 IT professionals globally and more than $200 million of annual IT spending, it says.
Ransomware Is a Business
Obviously, attackers got through, and then the meat processing giant opted to pay them a ransom. It's not clear how much attackers initially demanded, but oftentimes they start with a high number and let victims bargain them down a bit.
That's a reminder that cybercrime is a business, and ransomware gangs are no exception. REvil is one of many gangs run as a RaaS operation, which involves an operator or group that develops the malware and supporting services - such as a data leak site and payment portal, where negotiations may also take place - and then provides it to affiliates, who infect targets. Every time a victim pays, the operator keeps a share and routes the rest to the responsible affiliate.
At least in REvil's early days, the profit-sharing involved affiliates receiving 60% of every haul, rising to 70% after three victims paid.
Affiliates tend to come and go, based on whether they "retire" - many seem to return - or if they receive better offers from other gangs. REvil's "Unknown," who appears to be a major player in the operation, has previously said that the greatest number of affiliates the operation has had is 60 (see: Charm Offensive: Ransomware Gangs 'Tell All' in Interviews).
Affiliates say they regularly compare notes via underground forums. An individual known as "Aleks" who was, at least then, a LockBit affiliate, told Cisco Talos researchers late last year that "REvil can make your files unstable and Netwalker slows the system down too much," and says some affiliates previously avoided working with Maze because it kept up to 35% of all profits.
Big Game Hunting Bags Big Targets
In part by recruiting more highly skilled affiliates, many ransomware gangs continue to pursue larger targets, via a big game hunting strategy. With a bit more effort and skills, these gangs have found that they can take down larger targets, leading to bigger payoffs.
Recently, for example, Colonial Pipeline, which supplies about 45% of the fuel used along the East Coast - from Georgia north to Pennsylvania and New Jersey - paid $4.4 million worth of bitcoins to its attacker, the DarkSide gang.
Charles Carmakal, CTO of cybersecurity firm FireEye, which is assisting Colonial Pipeline, testified Tuesday before the House Committee on Homeland Security that the decryptor worked, albeit with some bugs, but said the company ultimately didn't use it, as it was able to restore systems using backups.
Luckily for the company, the FBI was able to recover 63.7 bitcoins - worth $2.3 million - of the approximately 75 bitcoins paid. But most DarkSide victims who paid a ransom won’t have been so lucky.
Paying for What?
Unluckily for Colonial Pipeline, besides getting hit in the first place, the payment - per FireEye's Carmakal - apparently bought it little, which security experts say is not uncommon. Paying for a decryptor in particular does not buy a Get Out of Jail Free card. Remediating and cleaning networks and restoring systems can take weeks or months of expensive, follow-on work.
Another downside is that at least some of the ransom payment appears to have remained with the DarkSide operation and responsible affiliates. The gang, furthermore, has been making massive profits. Cryptocurrency tracking firm Elliptic has counted about 100 DarkSide victims, of which nearly 50% paid an average ransom of $1.9 million to the gang.
Every one of these ransom payments continues to validate ransomware as a potent moneymaker for criminals and draw more criminals to join the fray. No wonder the White House has urged U.S. businesses to take ransomware defense more seriously. Likewise, it has pledged to do more from a diplomatic and law enforcement perspective to disrupt this criminal business model.
So long as victims pay, more organizations will become future victims.