X

This is not a paywall.

Register for free to continue reading.

We made a promise to you that we’ll never erect a paywall and we intend to keep that promise. We also want to continually improve your reading experience and you can help us do that by registering with us. It’s quick, easy and will cost you nothing.



Nearly there! Create a password to finish up registering with us:


Please enter your password or get a login link if you’ve forgotten


Open Sesame! Thanks for registering.

Ramaphosa's energy plan Webinar banner

We'd like our readers to start paying for Daily Maverick

More specifically, we'd like those who can afford to pay to start paying. What it comes down to is whether or not you value Daily Maverick. Think of us in terms of your daily cappuccino from your favourite coffee shop. It costs around R35. That’s R1,050 per month on frothy milk. Don’t get us wrong, we’re almost exclusively fuelled by coffee. BUT maybe R200 of that R1,050 could go to the journalism that’s fighting for the country?

We don’t dictate how much we’d like our readers to contribute. After all, how much you value our work is subjective (and frankly, every amount helps). At R200, you get it back in Uber Eats and ride vouchers every month, but that’s just a suggestion. A little less than a week’s worth of cappuccinos.

We can't survive on hope and our own determination. Our country is going to be considerably worse off if we don’t have a strong, sustainable news media. If you’re rejigging your budgets, and it comes to choosing between frothy milk and Daily Maverick, we hope you might reconsider that cappuccino.

We need your help. And we’re not ashamed to ask for it.

Our mission is to Defend Truth. Join Maverick Insider.

Support Daily Maverick→
Payment options

Russia-Linked Group Behind JBS Attack Revels in ‘Auda...

Business Maverick

Business Maverick

Russia-Linked Group Behind JBS Attack Revels in ‘Audaciousness’

(Photo: Chris Ratcliffe / Bloomberg)
By Bloomberg
03 Jun 2021 0

They patronize hacking forums to recruit affiliates, advertise profit-sharing schemes and provide interviews on their techniques.

REvil, the Russian-linked hacker group the FBI said is responsible for the cyberattack on JBS SA, the largest meat producer in the world, has emerged as one of the most prolific — and public — ransomware groups in recent years.

The hackers, also known as Sodinokibi, have been at the forefront of the ransomware-as-a-service model of cyberattacks since the group first came to prominence as a security threat in 2019. In this model, hacker groups provide malware for others to use in an attack in exchange for a cut of the ransom payments. In order to recruit talent, REvil deposited $1 million in Bitcoin as a way to give potential affiliates peace of mind that they would get paid.

“Audaciousness is part of their persona,” said Allan Liska, a senior threat analyst at the cybersecurity firm Recorded Future Inc.

Read more: JBS Plants Limp Back From Hack With Old-School Manual Labor

Ransomware has become a thorny problem for the Biden administration, particularly after an attack last month on Colonial Pipeline Co. squeezed fuel supplies along the East Coast. Other recent attacks have targeted the police department in Washington, D.C., a hospital network in California and now a major meat supplier.

Ransomware is a type of hack in which a victim’s computer files are encrypted, rendering them unusable until a ransom is paid. Some ransomware groups steal files too, providing another avenue for extortion. REvil maintains a page on the dark web page, called the “Happy Blog,” where it leaks or auctions sensitive documents from victims as an extra incentive to pressure them to pay.

Since 2017, ransomware has come to dominate other financially motivated cyberattacks in volume and profitability, said Kelli Vanderlee, senior manager of analysis at Mandiant Threat Intelligence, part of FireEye Inc. While the attacks aren’t limited to a particular type of victim, available data suggests it disproportionately affects the manufacturing sector, Vanderlee said. “There are likely several contributing factors, including the perception that manufacturers may be more likely to pay to prevent monetary losses from production downtime,” she said.

REvil emerged from the former GandCrab group, a ransomware-as-a-service outfit that announced they were closing up shop in 2019, according to CrowdStrike Holdings Inc., which confirmed that REvil was behind the JBS attack. “We are getting a well-deserved retirement,” GandCrab wrote, according to the cybersecurity blog KrebsonSecurity. “We are living proof that you can do evil and get off scot-free.”

It’s not clear if the operators of GandCrab simply rebranded themselves with a new name, or if REvil’s operators bought — or stole — GandCrab’s code. Either way, by the time GandCrab signed off, REvil was already underway as a more exclusive ransomware program that was also known as “Sodin” or “Sodinokibi.”

In May 2019, a representative of the group, going by the nickname “Unknown,” sought out a small number of partners on hacking forums for a new ransomware-as-a-service program. “Five affiliates more can join the program and then we’ll go under the radar,” according to KrebsonSecurity. “Each affiliate is guaranteed USD 10,000. Your cut is 60% at the beginning and 70% after the first three payments are made. Five affiliates are guaranteed [USD] 50,000 in total. We have been working for several years, specifically five years in this field. We are interested in professionals.”

“They advertise sharing profits and provide infrastructure and ransomware, ransom negotiations and the distribution of funds,” said Jon DiMaggio, chief security strategist at Virginia-based Analyst1. “They handle all the Bitcoin transactions and things of that nature.”

Like many of the more established ransomware groups, REvil researches potential targets to ensure they have the means to pay, including determining if victims carry insurance against cyberattacks, he said. A REvil associate said in an interview that targeting firms with cyber-insurance was “one of the tastiest morsels.”

Read more: Pipeline Attack Stirs Debate on Whether Insurance Lures Hackers

Recorded Future said it’s aware of at least 237 REvil victims since 2019.

REvil took credit for hacking the hardware supplier Quanta Computer Inc. earlier this year, and in the process published secret blueprints for new Apple Inc. devices. In 2020, REvil executed a ransomware attack against a law firm they claimed once represented some of Donald Trump’s television enterprises. In 2019, the group also attacked a group of Louisiana election clerks a week before Election Day.

REvil is so immersed in the ransomware domain that its members weigh in regularly on discussions about malware on hacker forums, according to DiMaggio. They also maintain direct relationships with other ransomware groups including DarkSide, the hackers accused of being behind the May attack on Colonial Pipeline, he said.

Read more: DarkSide Hacker Mint Money With Ransomware Franchise

When DarkSide’s site went down after the Colonial attack, REvil alerted the hacking community about it, said DiMaggio, who has long studied Russian cybercriminal gangs. “They’re extremely involved. They’re the kid in class who always has to raise his hand. They’re very vocal in the community.”

DiMaggio and other analysts have said that Revil hackers communicate largely in Russian and steer clear of targets that use Cyrillic script — the system for languages of eastern Europe and Slavic states. In the interview, REvil’s Unknown said the group avoided those countries because of geopolitics, laws and patriotism.

The arrangement also gives Russian President Vladimir Putin “plausible deniability” against accusations by the White House and others that Russia is involved in the attacks.

“The whole ransomware model fits into the tactics we’ve seen from Russia over the years,” DiMaggio said.

The appeal for hackers is potentially big profits with minimal risks. “As a child I scrounged through the trash heaps and smoked cigarette butts,” a person claiming to be REvil’s “Unknown” said in a March interview with Recorded Future. “I wore the same clothes for six months. In my young, in a communal apartment, I didn’t eat for two or even three days. Now I am a millionaire.”

Gallery

Comments - share your knowledge and experience

Please note you must be a Maverick Insider to comment. Sign up here or sign in if you are already an Insider.

Everybody has an opinion but not everyone has the knowledge and the experience to contribute meaningfully to a discussion. That’s what we want from our members. Help us learn with your expertise and insights on articles that we publish. We encourage different, respectful viewpoints to further our understanding of the world. View our comments policy here.

No Comments, yet

Please peer review 3 community comments before your comment can be posted