Download Ransomware Q2 Index Update

REvil Brings Down JBS - the World’s Largest Meat Packer

Posted on 16th Jun, 2021 | By Sumeetha Manikandan

REvil Ransomware uses six vulnerabilities to target their victims and if these had been remediated and patched on priority, JBS - the world’s largest meat packer could have escaped this attack.

CSW warned about these vulnerabilities in its Ransomware Spotlight Report published in February 2021.

On May 30, 2021, JBS, the world’s largest meat producer, fell victim to a REvil Ransomware attack forcing them to shut down their operations, not just in the US, but also in Canada and Australia. This disruption to the food and meat industry halted cattle slaughter and resulted in increased meat prices during the Memorial Day weekend in the US. It also stopped beef production in Canada and Australia and it took around a week for them to restore operations. 

Sources indicate that an APT group named Pinchy Spider (from Russia) might be behind this attack. 

We know that attackers are going after critical sectors such as food, manufacturing, energy, oil & gas to create maximum disruption and collect millions of dollars as ransom. Colonial Pipeline paid over $5 Million to its attackers to restore gasoline supply. CNA Financial paid a whopping $40 Million - one of the largest ransomware payments till date. The FBI recovered $ 2.3 Million - about half of the ransom paid by Colonial Pipeline - after gaining access to the bitcoin account where the money was deposited. Most recently, JBS paid an $11 Million ransom to the attackers to protect its customers and to resume operations.

Most ransomware gangs like REvil are going after organizations whose supply chain, if affected, can cause widespread panic and chaos. 

REvil has so far attacked the Telecom website of Sri Lanka, Fujifilm in Japan, and Sol Oriens, a nuclear weapons subcontractor to the US Department of Energy, just in the month of May 2021, and it will continue to go after critical entities that wouldn’t hesitate to pay the ransom. The latest in the spate of attacks by REvil is a cyberattack on Invenergy, a renewable energy company based in the US, and on Grupo Fleury, the largest medical diagnostics company in Brazil. A $5 Million ransom has been supposedly demanded in the latter.

 

CSW analysts delved deep into the vulnerabilities they go after and provide actionable insights that would help organizations stay safe from these types of attacks.

 

All about REvil

REvil ransomware gangs typically target six vulnerabilities and incidentally, all of them featured in CSW’s Ransomware report published in February 2021.

 

 

CSW also called out two of these vulnerabilities in 2020 as part of its reports on the Cyber Risk in Virtual Private Networks (VPN) and Remote desktops

Vulnerabilities exploited by REvil ransomware

 

REvil Cheat Sheet

Here are a few quick facts about these vulnerabilities -

  • REvil typically targets its victims through Software Vulnerabilities, Remote Desktop Protocol (RDP) Sessions and Phishing. 

  • Out of the six vulnerabilities in the list, five are Remote Code Execution (RCE), and the sixth CVE-2018-8453 enables Privilege Escalation (PE).

  • CVE-2012-0507, CVE-2013-0074, CVE-2018-8453 and CVE-2019-2725 are found in Microsoft and Oracle products such as Windows, JRE etc.

  • CVE-2019-19781 - a Citrix vulnerability - is a favorite of ransomware gangs and is exploited the most. To date, this vulnerability is found associated with at least ten ransomware families apart from REvil.

An excerpt from CSW’s Cyber Risk in Remote Desktop report published in June 2020

  • CVE-2019-11510 - a Pulse Secure vulnerability - is yet another favorite of ransomware gangs as it creates a pivot through the VPN endpoint, allowing for easy access to internal systems. This vulnerability is associated with five ransomware families. 

An excerpt from Cyber Risk in VPNs published in May 2020

  • Our analysts have found that all six vulnerabilities have been trending in the past few months in hacker channels and the dark web.

  • The REvil ransomware is associated with Russian APT Group named Pinchy Spider and an uncategorized group called UNC2628.

  • Sectors and industries that REvil typically targets includes - Manufacturing, Telecommunications, Information Technology , Law, Computer Hardware, Tourism, Pharmaceuticals And Biotechnology, Banking, Insurance, Agriculture, Construction, Education, Healthcare, Media And Entertainment, Finance, Food And Beverage, Hospitals and Ecommerce.

  • CWEs that enabled these vulnerabilities are CWE-404, CWE-22, CWE-74, CWE-399 and CWE-119.

 

IOCs & MITRE ATT&CK

MITRE ATT&CK IOC

T1027 - Obfuscated Files or Information

T1036 - Masquerading 

T1054 - Indicator Blocking 

T1059 - Command and Scripting Interpreter 

T1076 - Remote Desktop Protocol 

T1133 - External Remote Services 

T1189 - Drive-by Compromise 

T1190 - Exploit Public-Facing Application 

T1193 - Spearphishing Attachment 

T1195 - Supply Chain Compromise 

T1486 - Data Encrypted for Impact 

T1490 - Inhibit System Recovery 

39e4eb1ab854c4a7929e8e77ca0dbca37049154d

ef777a861ede95d3b02b0b135952d43a

246aea5a28ed117238ed0da8e6c96a9a9f1c627613d0f9f57da3e819f57231eb

ccfde149220e87e97198c23fb8115d5a

 

Global Exposure Analysis

The exposure for CVE-2012-0507 outnumbers the other two CVEs with over 600,000 products with the vulnerability being used around the world.

 

CVE-2019-11510 (Pulse secure Vulnerability)
CVE-2019-19781 (Citrix Vulnerability)
CVE-2012-0507 (SUN & Oracle)

 

The Way Forward

Our research shows that there has been a 17% increase in the number of vulnerabilities associated with Ransomware and a 6.5% increase in the number of trending exploits. To date, 260 vulnerabilities have been associated with ransomware. 

 

With Ransomware going after critical sectors and industries, organizations and governments should adopt a risk-based approach to prioritize vulnerabilities based on weaponization and threat associations. 

 

CSW’s in-depth research has helped many organizations become resilient against ransomware. Our recommendation to organizations is to get a Ransomware Assessment to know the gaps, understand the exposure to ransomware and become resilient to it.

 

 

Test your defense to know how secure you are…