Phishing News Highlights for June 2021


Ransomware Attack on JBS Creates Disruptions in Food Chain

JBS, the largest meat company in the world, realized they were the targets of a ransomware attack on Sunday, May 30th, 2021, and would end up paying 11 million dollars in the form of 301 bitcoins to hackers in an attempt to mitigate disruptions in operations. It's believed that REvil, the Russia-based ransomware group responsible for the Colonial Pipeline attack in May, also completed the JBS attack.

CEOs of large corporations who are integral to the US economy often have little to no choice but to negotiate with cybercriminals. With JBS earning $53 billion in sales globally in 2020, the cost of the attack "would be immaterial to the company," according to the CEO. Blockchain analysts believe JBS paid off the ransom after 7pm ET on Tuesday, June 1st, and operations were restored on June 3rd. After they received payment, the attackers admitted that they had not captured JBS’ data.

Even though JBS restored operations within days of the attack, the event still had a ripple effect on the national economy. Dwight Mogler, an Iowa hog farmer, had a surplus of hogs after not being able to deliver his load to JBS, which was due the Monday after the attack. JBS’ suspended operations caused a drop in prices due to more hogs being on the U.S. market. Mogler estimates that the sudden drop in prices cut roughly $17,000 from his sales for the week.

The disruption also caused a drop in the number of cattle and hogs slaughtered in the U.S., “driving wholesale prices for beef and pork higher.” Prices for bone-in pork butts soared 25% to a record $2.48 a pound after the JBS attack. Disruptions in the food industry have had huge ripple effects in recent history. After Covid-19 affected plant workers in the spring of 2020, major slaughterhouses had to close “for weeks at a time, backing up livestock on farms and leading farmers to euthanize tens of thousands of hogs.” With restaurants and food distributors already having to manage the uncertainty of a post-Covid-19 world, they also now had to manage the cybercrime-induced spike in prices.

Senator Chuck Grassley, a farmer himself, believes the meatpacking industry is too consolidated among a few big companies. In response to the attack, the USDA said “it would invest more than $4 billion to strengthen and diversify the food system, including investments in small and medium-sized meat-processing facilities,” in the hopes that something like this doesn’t happen again.

New Ransomware Gang, Prometheus, Emerges

A new ransomware group that goes by the name Prometheus has emerged. They’re among other new groups that have been able to scale up operations by "procuring ransomware code, infrastructure, and access to compromised networks via third-party providers." The group claims to be connected to REvil, the group behind the JBS and Colonial Pipeline hack, though this claim is most likely false.

Prometheus admits that they use a combination of data encryption and data theft to create a double extortion method. They claim to have hacked “at least 30 organizations across multiple sectors, including government, manufacturing, financial services, logistics, insurance, and healthcare,” most of which were US-based. They’re one of many new ransomware groups that are branding themselves as businesses. Prometheus seems to choose victims based on vulnerability rather than a particular sector.

Prometheus follows the same TTPs as prominent groups like Maze, Ryuk, and NetWalker. The Prometheus ransomware strain itself “appears to be a new variant of Thanos, a previously known ransomware tool that has been available for sale on Dark Web markets for months.”

While other ransomware groups follow similar patterns, Prometheus presents itself as a legitimate business despite its unethical practices, referring to its victims as customers, developing a customer service experience, and sending reminders and notices about upcoming payment due dates.

We need to develop better defense strategies in response to the growing ransomware economy. Rick Holland, senior vice president of strategy at Digital Shadows, reminds us that "while treating the ransomware threat like terrorism is helpful, it is good to remember that the global war on terrorism, also known as the 'forever war,' has been going on for more than 30 years." Ransomware as a business model only grows more promising with every ransom payment.

Deepfake Social Engineering is on the Rise; So is Deepfake Detection

As generative adversarial networks (GANs), better known as deepfake technologies, improve, we will see more synthetic media in social engineering attacks. Like other elements of ransomware and cybercrimes, there are spaces online where deepfakes as a service (DaaS) can also be found. Currently, deepfake audio is more effective than deepfake video because “without visual cues to rely on, users have a difficult time recognizing synthetic audio.”

Facebook partnered with Michigan State University (MSU) on research into deepfake detection technology. They created a method of detecting deepfakes that uses reverse engineering from a single AI-generated image to "learn" about the generative model behind the image. This goes a step further than image attribution via “close-set” classification. They can also use this information to tell whether a series of images was created from the same generative model.

With deepfakes becoming more convincing, the FBI Cyber division warned in March that “malicious actors almost certainly will leverage synthetic content for cyberinfluence operations in the next 12-18 months.” While we will almost undoubtedly see deepfakes play a role in future social engineering tactics, we’re making headway on deepfake detection as well.











