Tag: ransomware

World’s biggest meat supplier JBS under cyberattack; what we know so far

KV Prasad Jun 13, 2022, 06:35 AM IST (Published)

Listen to the Article (6 Minutes)

Sao Paulo-headquartered JBS, the world’s largest meat processing company, suffered from a cyberattack in its North America and Australia systems on May 30, resulting in work being disrupted for thousands of employees.

Well-known hacker collective REvil Group is behind the cyberattack on JBS, CNBC reported quoting a source.

Nearly 7,000 workers in its Australian abattoirs and at least 3,000 workers across Canada and the US have been asked to quit. The company has issued a statement that they would commence operations from Wednesday.

JBS holds 20 percent of the meat processing market share in the US.

Where was the Cyberattack?

After the group realised that they had been attacked on May 30, they immediately swung into action by suspending operations of the affected systems and notifying concerned authorities. The cyberattack has hit some servers supporting its Australian and Northern American information technology systems.

Has JBS been Compromised?

As officials sift through data and try and get operations up and running, the company said they are not aware of any breach of data for customers, suppliers or employees. It would take time to sort out and there are chances of a delay in transactions for some customers and suppliers.

How it Affects JBS?

The systems for JBS run smoothly as the company and the industry per se relies on software and IT systems for tracing and sorting of animals. Also, records are to be maintained meticulously to meet the strict regulatory standards. With these plants closed, the US Department of Agriculture had to delay its reports on livestock and meat prices. The reason they shared was “packer submission issues.”

Plants Closed

JBS’ beef plant in Cactus, Texas, Brooks, Alberta, and the Greeley plant, which is the largest US slaughterhouse, were closed. Further, JBS has not given any indication as to when they will open processing of cattle, pigs and sheep at its 47 facilities in Australia.

Meat on the Table?

The longer the shutdown, the more severe will be the impact on food production. Since JBS exports about 60 percent of its products, the impact will be minimal in the US market for now.

Market Reaction

The Financial Times reported that cattle futures declined on the expectation that herds would back up outside slaughterhouses and the benchmark contract in Chicago fell almost 4 percent at one point on June 1.

White House Steps in

After the Colonial Pipeline ransomware attack last month, JBS is the second serious cyberattack on a large US corporate house.

The White House has engaged directly with the Kremlin on this matter and has delivered a strong message that responsible states do not harbour ransomware criminals. Even the FBI has launched an investigation into this attack. US President Joe Biden has also directed the administration to look at ways to mitigate supply disruptions, according to a Financial Times report.

The government is getting into the act as JBS is the world’s largest meat processor, controlling a 20 percent market share of meat processing in the US alone. A shutdown or attacks like this one can lead to massive implications for the US national food supply.

Kremlin Reacts

The Kremlin denied that it has any knowledge of these attacks. If any official request for assistance is asked, the Russian government will be happy to oblige, it has said.

The likelihood of cybercrime figuring on the agenda of the proposed meeting between Putin and Biden at Geneva this month is high.

Other Attacks on US food cos

Three months ago, JFC International, a subsidiary of Japanese food manufacturer Kikkoman and a major distributor and wholesaler of Asian food products, faced a similar cyberattack. The company was targeted in a ransomware attack that disrupted some of its IT systems and affected its subsidiary Europe Group.

Elon Musk forms several ‘X Holdings’ companies to fund potential Twitter buyout

3 Mins Read

Thursday’s filing dispelled some doubts, though Musk still has work to do. He and his advisers will spend the coming days vetting potential investors for the equity portion of his offer, according to people familiar with the matter

KV Prasad Journo follow politics, process in Parliament and US Congress. Former Congressional APSA-Fulbright Fellow

World’s largest meat producer JBS getting back online after cyberattack

KV Prasad Jun 13, 2022, 06:35 AM IST (Published)

Listen to the Article (6 Minutes)

The world’s largest meat processing company is getting back online after production around the world was disrupted by a cyberattack just weeks after a similar incident shut down a U.S. oil pipeline.

Brazils JBS SA said late Tuesday that it had made significant progress in dealing with the cyberattack and expected the vast majority of its plants to be operating on Wednesday.

Our systems are coming back online and we are not sparing any resources to fight this threat, Andre Nogueira, CEO of JBS USA, said in a statement.

Earlier, the White House said JBS had notified the U.S. of a ransom demand from a criminal organization likely based in Russia. White House principal deputy press secretary Karine Jean-Pierre said the White House and the Department of Agriculture have been in touch with the company several times this week.

JBS is the second-largest producer of beef, pork and chicken in the U.S. If it were to shut down for even one day, the U.S. would lose almost a quarter of its beef-processing capacity, or the equivalent of 20,000 beef cows, according to Trey Malone, an assistant professor of agriculture at Michigan State University.

The closures reflect the reality that modern meat processing plants are heavily automated, for both food- and worker-safety reasons. Computers collect data at multiple stages of the production process, and orders, billing, shipping and other functions are all electronic.

JBS, which has not stated publicly that the attack was ransomware, said the cyberattack affected servers supporting its operations in North America and Australia. Backup servers werent affected and it said it was not aware of any customer, supplier or employee data being compromised.

JBS plants in Australia resumed limited operations as of Wednesday in New South Wales and Victoria states, Agriculture Minister David Littleproud said. The company hoped to resume work in Queensland state on Thursday, he said.

JBS is the largest meat and food processing company in Australia, with 47 facilities including abattoirs, feedlots and meat processing sites.

Littleproud said his department and Australian law enforcement officials were due to meet with their counterparts in the U.S. on Wednesday.

Even before the attack, U.S. meat prices were rising due to coronavirus shutdowns, bad weather and high plant absenteeism. Malone said the disruption could further raise meat prices ahead of summer barbecues. The U.S. Department of Agriculture estimates beef prices will climb 1%-2% this year, poultry as much as 1.5% and pork 2%-3%.

JBS, which is a majority shareholder of Pilgrims Pride, didnt say which of its 84 U.S. facilities were closed Monday and Tuesday because of the attack. It said JBS USA and Pilgrims were able to ship meat from nearly all of its facilities Tuesday. The company also said it was making progress toward resuming plant operations in the U.S. and Australia. Several of the companys pork, poultry and prepared foods plants were operational Tuesday and its Canada beef facility resumed production, it said.

Earlier Tuesday, a union official confirmed that two shifts at the companys largest U.S. beef plant, in Greeley, Colorado, were canceled. Some plant shifts in Canada were also canceled Monday and Tuesday, according to JBS Facebook posts.

Jean-Pierre said the White House is engaging directly with the Russian government on this matter and delivering the message that responsible states do not harbor ransomware criminals. The FBI is investigating the incident, and the Cybersecurity and Infrastructure Security Agency is offering technical support to JBS.

In addition, USDA has spoken to several major meat processors in the U.S. to alert them to the situation, and the White House is assessing any potential impact on the nations meat supply.

JBS has more than 150,000 employees worldwide.

Its not the first time a ransomware attack has targeted a food company. Last November, Milan-based Campari Group said it was the victim of a ransomware attack that caused a temporary technology outage and compromised some business and personal data.

In March, Molson Coors announced a cyber attack that affected its production and shipping. Molson Coors said it was able to get some of its breweries running after 24 hours; others took several days.

Ransomware expert Brett Callow, a threat analyst at the security firm Emsisoft, said companies like JBS make ideal targets.

They play a critical role in the food supply chain and threat actors likely believe this increases their chances of getting a speedy payout, Callow said.

Mark Jordan, who follows the meat industry as the executive director of Leap Market Analytics, said the disruption would be minimal if JBS recovers in the next few days. Meat processers are accustomed to delays because of various factors including industrial accidents and power outages. They make up for lost production with extra shifts, he said.

Several plants owned by a major meatpacker going offline for a couple of days is a major headache, but it is manageable assuming it doesnt extend much beyond that, he said.

U.S. meat demand generally eases for a few weeks between Memorial Day and the July 4 Independence Day holiday.

But such attacks can wreak havoc. Last month, a gang of hackers shut down operation of the Colonial Pipeline, the largest U.S. fuel pipeline, for nearly a week. The closure sparked long lines and panic buying at gas stations across the Southeast. Colonial Pipeline confirmed it paid $4.4 million to the hackers.

Jason Crabtree, the co-founder of QOMPLX, a Virginia-based artificial intelligence and machine learning company, said Marriott, FedEx and others have also been targeted by ransomware attacks. He said companies need to do a better job of rapidly detecting bad actors in their systems.

A lot of organizations arent able to find and fix different vulnerabilities faster than the adversaries that theyre fighting, Crabtree said.

Crabtree said the government also plays a critical role, and said President Joe Bidens recent executive order on cybersecurity which requires all federal agencies to use basic security measures, like multi-factor authentication is a good start.

Elon Musk forms several ‘X Holdings’ companies to fund potential Twitter buyout

3 Mins Read

Thursday’s filing dispelled some doubts, though Musk still has work to do. He and his advisers will spend the coming days vetting potential investors for the equity portion of his offer, according to people familiar with the matter

KV Prasad Journo follow politics, process in Parliament and US Congress. Former Congressional APSA-Fulbright Fellow

US says ransomware attack on meatpacker JBS likely from Russia

KV Prasad Jun 13, 2022, 06:35 AM IST (Published)

Listen to the Article (6 Minutes)

The White House said on Tuesday that Brazil’s JBS SA has informed the U.S. government that a ransomware attack against the company that has disrupted meat production in North America and Australia originated from a criminal organization likely based in Russia.

JBS is the world’s largest meatpacker and the incident caused its Australian operations to shut down on Monday and has stopped livestock slaughter at its plants in several U.S. states.

The ransomware attack follows one last month on Colonial Pipeline, the largest fuel pipeline in the United States, that crippled fuel delivery for several days in the U.S. Southeast.

White House spokeswoman Karine Jean-Pierre said the United States has contacted Russia’s government about the matter and that the FBI is investigating.

“The White House has offered assistance to JBS and our team at the Department of Agriculture have spoken to their leadership several times in the last day,” Jean-Pierre said.

“JBS notified the administration that the ransom demand came from a criminal organization likely based in Russia. The White House is engaging directly with the Russian government on this matter and delivering the message that responsible states do not harbor ransomware criminals,” Jean-Pierre added.

If the outages continue, consumers could see higher meat prices during summer grilling season in the United States and meat exports could be disrupted at a time of strong demand from China.

JBS said it suspended all affected systems and notified authorities. It said its backup servers were not affected.

“On Sunday, May 30, JBS USA determined that it was the target of an organised cybersecurity attack, affecting some of the servers supporting its North American and Australian IT systems,” the company said in a Monday statement.

“Resolution of the incident will take time, which may delay certain transactions with customers and suppliers,” the company’s statement said.

The company, which has its North American operations headquartered in Greeley, Colorado, controls about 20% of the slaughtering capacity for U.S. cattle and hogs, according to industry estimates.

Two kill and fabrication shifts were canceled at JBS’s beef plant in Greeley due to the cyberattack, representatives of the United Food and Commercial Workers International Union Local 7 said in an email. JBS Beef in Cactus, Texas, also said on Facebook it would not run on Tuesday – updating an earlier post that had said the plant would run as normal.

JBS Canada said in a Facebook post that shifts had been canceled at its plant in Brooks, Alberta, on Monday and one shift so far had been canceled on Tuesday.

A representative in Sao Paulo said the company’s Brazilian operations were not impacted.

Elon Musk forms several ‘X Holdings’ companies to fund potential Twitter buyout

3 Mins Read

Thursday’s filing dispelled some doubts, though Musk still has work to do. He and his advisers will spend the coming days vetting potential investors for the equity portion of his offer, according to people familiar with the matter

KV Prasad Journo follow politics, process in Parliament and US Congress. Former Congressional APSA-Fulbright Fellow

Explained: Why hackers prefer ransomware payment in Bitcoin

KV Prasad Jun 13, 2022, 06:35 AM IST (Published)

Listen to the Article (6 Minutes)

Colonial Pipeline, which operates the largest fuel network in the United States, was forced to pay a ransom of $5 million to hacker group DarkSide recently after a ransomware attack disrupted its operations.

A report from blockchain analytics firm Elliptic has found that the DarkSide hackers group received $90 million in Bitcoin from around 47 victims.

In a blog post on May 18, Elliptic co-founder chief scientist Tom Robinson said the $90 million in ransom payments came from 47 different wallets over the last nine months, indicating that almost half of DarkSide victims paid a ransom.

Elliptic also claimed that Colonial Pipeline paid ransom in 75 Bitcoins to DarkSide.

“Elliptic has identified the Bitcoin wallet used by the DarkSide ransomware group to receive ransom payments from its victims, based on our intelligence collection and analysis of blockchain transactions. This wallet received the 75 BTC payment (worth $4.4 million at the time of the transaction) made by Colonial Pipeline on May 8,” claimed the blockchain analytics firm.

Why Hackers Love Bitcoin?

Hackers prefer Bitcoin over any other form of payment as it is a digital currency that is totally anonymous, confidential, and hard to trace. Bitcoin is currently traded at $39,998 and an average ransomware that a corporate pays is in the $0.2-1.2 million range depending on the hacker and vulnerability of the corporate.

According to Jason Kotler, founder and CEO of a cyber negotiation company called Cypfer, the going ransomware is half a percent for billion-dollar companies. The hackers even read annual reports, reported CNBC.

Marc Bleicher, managing director at cybersecurity consulting firm Arete Incident Response and a specialist who helps companies, said he has overseen the payment of hundreds of millions of corporate dollars to criminal hackers, and that he is seeing ransom demands growing larger and larger, the CNBC report added.

With Bitcoin, the hackers have anonymity, speed and easy access and transactions are difficult to track. Bitcoin operates on a public blockchain that allows anyone to see all Bitcoin transactions, yet there is no direct way to determine the account owner. The other cryptocurrencies such as Monero and Zcash are even better encrypted and offer more privacy but not many prefer them.

Elon Musk forms several ‘X Holdings’ companies to fund potential Twitter buyout

3 Mins Read

Thursday’s filing dispelled some doubts, though Musk still has work to do. He and his advisers will spend the coming days vetting potential investors for the equity portion of his offer, according to people familiar with the matter

KV Prasad Journo follow politics, process in Parliament and US Congress. Former Congressional APSA-Fulbright Fellow

Ransomware gangs disrupted by response to Colonial Pipeline hack

KV Prasad Jun 13, 2022, 06:35 AM IST (Published)

Listen to the Article (6 Minutes)

Multiple ransomware groups claimed they were shutting down or scaling back operations on Friday as the US government ramped up pressure while tech companies, cryptocurrency exchanges and others worried about getting caught in the crossfire.

DarkSide, the Russian-speaking gang blamed by the FBI for a hacking attack that led to a six-day fuel pipeline shutdown, said it was going out of business after losing access to some of its servers.

Another major criminal gang said it would forbid encryption attacks on critical infrastructure, and forums where such gangs recruit partners said they were banning ads related to ransomware, analysts said.

U.S. President Joe Biden repeatedly warned the gangs and major host country Russia about consequences for a ransomware attack that prompted Colonial Pipeline to shut down the main supply line to the East Coast. That line was resuming full operation, but many pumps remain empty at stations in some states after days of panic buying.

Investigators said DarkSide provided the encryption software that a criminal affiliate used to render Colonial’s internal files inaccessible. It planned to split any ransom to recover that data with the affiliate, who the investigators have identified as another Russian criminal.

DarkSide claimed that some of its money had been transferred to new electronic wallets, though rivals and some U.S. experts warned the group could be using the uproar as an excuse to cash out. Ransomware gangs commonly change names and membership.

It was not immediately clear whether the professed retreat was due to U.S. diplomatic pressure, legal demands on technology providers or even government-backed hacking.

The FBI, Justice Department and White House National Security Council all declined to comment.

“Ransomware criminals are clearly getting nervous with all the heat coming down from U.S. government and industry,” said Dmitri Alperovitch, who co-founded security provider CrowdStrike before starting thinktank Silverado Policy Accelerator.

If it continues, the moves would reverse a trend in the past two years of the gangs targeting more vital companies that are likely to pay to resume operations, or to have insurance coverage that will pay for them.

“Many will likely try to lie low for a few months in hopes that it will pass,” Alperovitch said. “The key will be to keep up the pressure on both the criminal gangs themselves as well as the states like Russia that offer them safe haven from prosecution.”

Earlier this year, U.S. authorities cited the ransomware surge as a national security threat and noted some overlaps with foreign government interests.

The Justice Department established a ransomware task force, and a public-private study panel issued recommendations including greater regulation of cryptocurrency.

Also Read: US fuel supplier Colonial Pipeline paid $5 million in ransom to hackers

Elon Musk forms several ‘X Holdings’ companies to fund potential Twitter buyout

3 Mins Read

Thursday’s filing dispelled some doubts, though Musk still has work to do. He and his advisers will spend the coming days vetting potential investors for the equity portion of his offer, according to people familiar with the matter

KV Prasad Journo follow politics, process in Parliament and US Congress. Former Congressional APSA-Fulbright Fellow

US fuel supplier Colonial Pipeline paid $5 million in ransom to hackers

KV Prasad Jun 13, 2022, 06:35 AM IST (Published)

Listen to the Article (6 Minutes)

Colonial Pipeline, which had to close its network due to a ransomware attack earlier this week, reportedly paid $5 million to the hackers’ group on May 13. Colonial Pipeline, which operates the largest fuel network in the US, announced on May 7 about the ransomware attack.

The company had closed over 5,000 miles (8,046 km) of pipeline that carried 100 million gallons (37,85,41,178 litres) petrol, jet fuel, and kerosene from Texas to the New York area as a preventive measure, which led to severe fuel shortages and a sharp increase in the price of fuel across the US, especially in the East Coast.

Bloomberg reported, quoting a US official, that the company paid over $5 million in ransom to the hacking group, DarkSide. The company’s shutdown of its network, which contributes to 45 percent of all daily fuel consumption on the Eastern Seaboard, saw gas prices rise as a result and fuel shortages across the coast.

The company announced on May 13 that it resumed operations but declined to comment on the payment of ransom.

The Federal Bureau of Investigation (FBI) and the White House’s official policy on ransomware is to discourage companies from paying the ransom. However, the government has not yet prohibited companies from paying the ransom. The rationale behind the policy is that paying a ransom is not guaranteed to get the data back, and will encourage cybercrime groups to further target more companies.

Anne Neuberger, the White House’s deputy national security adviser for cyber and emerging technologies, said on May 10 many companies find that paying off the criminals is the best course of action to be taken when facing such an attack.

“We recognise though that companies are often in a difficult position if their data is encrypted and they do not have backups and cannot recover the data,” she said.

Neuberger highlighted the fact that the official stand of the government remains that ransom should not be paid as it encourages the proliferation of cybercrimes.

In an interview with MSNBC on May 13, Neuberger said, “At the federal government, we discourage the payment of ransoms, because the prolific payment of ransoms encourages ransomware.”

Colonial Pipeline’s hack is just another name on the list of large corporations to be hit by a ransomware attack. And it is not just private corporations that are at risk. The attack highlights the fragility of the world’s critical infrastructures’ dependence on cybersecurity systems that can be breached.

Jennifer Granholm, the energy secretary, told Bloomberg TV, “This is a serious example of what we are seeing across the board in many places and it tells you that we need to invest in our systems, our transmission grid for electricity. We need to invest in cyber defence in these energy systems.”

Elon Musk forms several ‘X Holdings’ companies to fund potential Twitter buyout

3 Mins Read

Thursday’s filing dispelled some doubts, though Musk still has work to do. He and his advisers will spend the coming days vetting potential investors for the equity portion of his offer, according to people familiar with the matter

KV Prasad Journo follow politics, process in Parliament and US Congress. Former Congressional APSA-Fulbright Fellow

US petrol pipeline ransom-ware attack: What we know so far

KV Prasad Jun 13, 2022, 06:35 AM IST (Published)

Listen to the Article (6 Minutes)

The Colonial Pipeline, one of the largest fuel pipelines in the US, was forced to temporarily shut down all its operations last weekend following a massive ransomware attack.

The pipeline transports over 100 million gallons of gasoline and other fuel from Houston to New York Harbor, according to a report in CNN.

The company, in a statement on Friday, May 7, said that it learned of the cybersecurity attack and was quick to take certain systems offline to ensure there was no further threat. “These actions temporarily halted all pipeline operations and affected some of our IT systems, which we are actively in the process of restoring,” it said.

What happened?

Colonial Pipeline operates a 5,500-mile pipeline and supplies 45 percent of jet fuel and gasoline to the US East Coast. It came under a ransomware attack following which the company took certain systems offline to contain the threat, Colonial Pipeline said on Friday. In a statement, it further said that leading, third-party cybersecurity experts were engaged and an investigation was launched to understand the nature and scope of this incident.

Who was behind the attack?

On May 10, the FBI confirmed that DarkSide, a criminal group from Russia, was behind the ransomware attack on the Colonial pipeline.

In a statement, the agency said: “The FBI confirms that the Darkside ransom-ware is responsible for the compromise of the Colonial Pipeline networks,” adding they continue to work with the company and our government partners on the investigation.

According to a BBC report, the DarkSide stole nearly 100 GB of data and was now threatening to leak it, should the company fail to pay an undisclosed ransom.

Meanwhile, the cyber gang also acknowledged on its website that they were behind the ransomware attack on the Colonial Pipeline and their goal was to make money and not creating problems for society.

What did the US administration say?

Speaking at the White House on May 10, US President Joe Biden said the concerned agencies were ‘personally briefing’ him on the pipeline situation every day. Biden further said that he is going to meet President Vladimir Putin soon, adding that there was no evidence so far about Russian involvement.

“Although there’s evidence that the actors’ ransom-ware is in Russia – they have some responsibility to deal with this,” he added.

How long will the pipeline remain shut?

Nothing can be said about this with surety, nothing just as yet. The Colonial Pipeline has said the situation remains fluid and continues to evolve. “The Colonial operations team is executing a plan that involves an incremental process that will facilitate a return to service in a phased approach,” it said.

Sherwood-Randall, the Homeland Security Advisor, said the company had informed them that the pipeline had not suffered damage and can be brought back online relatively quickly.  Randall added that the company emphasised the need for safety “given that it has never before taken the entire pipeline down.”

Elon Musk forms several ‘X Holdings’ companies to fund potential Twitter buyout

3 Mins Read

Thursday’s filing dispelled some doubts, though Musk still has work to do. He and his advisers will spend the coming days vetting potential investors for the equity portion of his offer, according to people familiar with the matter

KV Prasad Journo follow politics, process in Parliament and US Congress. Former Congressional APSA-Fulbright Fellow

US petrol pipeline hit by ransom-ware attack: Report

KV Prasad Jun 13, 2022, 06:35 AM IST (Published)

Listen to the Article (6 Minutes)

The Colonial Pipeline in the US had to close its network recently due to a ransom-ware attack, said the company in a statement. The pipeline is responsible for carrying nearly half the petrol of America’s East Coast, according to reports.

The company closed off 5,000 miles (8,046 km) of pipeline that carry petrol, jet fuel and kerosene from Texas to the New York area. The pipeline carries 100 million gallons ( 37,85,41,178 litres) of refined fuel each day, which makes up to about 45 percent of all the fuel used on the East Coast, a Forbes report mentioned.

“At this time, our primary focus is the safe and efficient restoration of our service and our efforts to return to normal operation,” the company said in a statement, according to an ABCNews report.

A ransom attack is a type of cyber security attack in which hackers threaten to damage the company in some way unless they’re paid a ransom.

The attack on Colonial Pipeline is just the latest in an increasing line of cyber-attack victims.

These attacks do not discriminate between private or state actors either. Just days before the Colonial attack, information about attacks on police departments in the US capitol were revealed, along with the Illinois State Attorney General’s office and against a Californian healthcare facility where patient’s procedures were cancelled and emergency cases were diverted to other hospitals.

Last month, Apple was targeted by an unprecedented ransom-ware attack that demanded $50 million from the American tech giant. The attacking group, REvil, had stolen data and schematics about unreleased Apple products.

Last year also saw one of the largest information hacks when information systems company SolarWinds, which counted various government agencies amongst its users and multiple Fortune 500 companies.

US agencies like the Pentagon, the Department of Homeland Security, the State Department, the Department of Energy, the National Nuclear Security Administration and the Treasury were affected.

Private companies like Microsoft, Cisco, Intel, and Deloitte, and other organizations like the California Department of State Hospitals, and Kent State University, the Wall Street Journal reported.

Elon Musk forms several ‘X Holdings’ companies to fund potential Twitter buyout

3 Mins Read

Thursday’s filing dispelled some doubts, though Musk still has work to do. He and his advisers will spend the coming days vetting potential investors for the equity portion of his offer, according to people familiar with the matter

KV Prasad Journo follow politics, process in Parliament and US Congress. Former Congressional APSA-Fulbright Fellow

How the Kremlin provides a safe harbor for ransomware

KV Prasad Jun 13, 2022, 06:35 AM IST (Published)

Listen to the Article (6 Minutes)

A global epidemic of digital extortion known as ransomware is crippling local governments, hospitals, school districts and businesses by scrambling their data files until they pay up. Law enforcement has been largely powerless to stop it.

One big reason: Ransomware rackets are dominated by Russian-speaking cybercriminals who are shielded and sometimes employed by Russian intelligence agencies, according to security researchers, US law enforcement, and now the Biden administration.

On Thursday, as the US slapped sanctions on Russia for malign activities including state-backed hacking, the Treasury Department said Russian intelligence has enabled ransomware attacks by cultivating and co-opting criminal hackers and giving them safe harbor. With ransomware damages now well into the tens of billions of dollars, former British intelligence cyber chief Marcus Willett recently deemed the scourge arguably more strategically damaging than state cyber-spying.

The value of Kremlin protection isnt lost on the cybercriminals themselves. Earlier this year, a Russian-language dark-web forum lit up with criticism of a ransomware purveyor known only as Bugatti, whose gang had been caught in a rare US-Europol sting. The assembled posters accused him of inviting the crackdown with technical sloppiness and by recruiting non-Russian affiliates who might be snitches or undercover cops.

Worst of all, in the view of one long-active forum member, Bugatti had allowed Western authorities to seize ransomware servers that could have been sheltered in Russia instead. Mother Russia will help, that individual wrote. Love your country and nothing will happen to you. The conversation was captured by the security firm Advanced Intelligence, which shared it with the Associated Press.

Like almost any major industry in Russia, (cybercriminals) work kind of with the tacit consent and sometimes explicit consent of the security services, said Michael van Landingham, a former CIA analyst who runs the consultancy Active Measures LLC.

Russian authorities have a simple rule, said Karen Kazaryan, CEO of the software industry-supported Internet Research Institute in Moscow: Just don’t ever work against your country and businesses in this country. If you steal something from Americans, that’s fine.

Unlike North Korea, there is no indication Russian government benefits directly from ransomware crime, although Russian President Vladimir Putin may consider the resulting havoc a strategic bonus.

In the US alone last year, ransomware struck more than a hundred federal, state, and municipal agencies, upward of 500 hospitals and other health care centers, some 1,680 schools, colleges and universities, and hundreds of businesses, according to the cybersecurity firm Emsisoft.

Damage in the public sector alone is measured in rerouted ambulances, postponed cancer treatments, interrupted municipal bill collection, canceled classes and rising insurance costs all during the worst public health crisis in more than a century.

The idea behind these attacks is simple: Criminals infiltrate malicious data-scrambling software into computer networks, use it to kidnap an organizations data files, then demand huge payments, now as high as USD 50 million, to restore them. The latest twist: if victims fail to pay up, the criminals may publish their unscrambled data on the open internet.

In recent months, US law enforcement has worked with partners including Ukraine and Bulgaria to bust up these networks. But with the criminal masterminds out of reach, such operations are generally little more than whac-a-mole.

Collusion between criminals and the government is nothing new in Russia, said Adam Hickey, a US deputy assistant attorney general, who noted that cybercrime can provide good cover for espionage.

Back in the 1990s, Russian intelligence frequently recruited hackers for that purpose, said Kazaryan. Now, he said, ransomware criminals are just as likely to be moonlighting state-employed hackers.

The Kremlin sometimes enlists arrested criminal hackers by offering them a choice between prison and working for the state, said Dmitri Alperovitch, former chief technical officer of the cybersecurity firm Crowdstrike. Sometimes the hackers use the same computer systems for state-sanctioned hacking and off-the-clock cybercrime for personal enrichment, he said. They may even mix state with personal business.

That’s what happened in a 2014 hack of Yahoo that compromised more than 500 million user accounts, allegedly including those of Russian journalists and US and Russian government officials. A US investigation led to the 2017 indictment of four men, including two officers of Russia’s FSB security service a successor to the KGB. One of them, Dmitry Dokuchaev, worked in the same FSB office that cooperates with the FBI on computer crime. Another defendant, Alexsey Belan, allegedly used the hack for personal gain.

A Russian Embassy spokesman declined to address questions about his government’s alleged ties to ransomware criminals and state employees’ alleged involvement in cybercrime. We do not comment on any indictments or rumors, said Anton Azizov, the deputy press attache in Washington.

Proving links between the Russian state and ransomware gangs is not easy. The criminals hide behind pseudonyms and periodically change the names of their malware strains to confuse Western law enforcement.

But at least one ransomware purveyor has been linked to the Kremlin. Maksim Yakubets, 33, is best known as co-leader of a cybergang that cockily calls itself Evil Corp. The Ukraine-born Yakubets lives a flashy lifestyle, He drives a customized Lamborghini supercar with a personalized number plate that translates to Thief, according to Britains National Crime Agency.

Yakubets started working for the FSB in 2017, tasked with projects including acquiring confidential documents through cyber-enabled means and conducting cyber-enabled operations on its behalf, according to a December 2019 U.S. indictment. At the same time, the US Treasury Department slapped sanctions on Yakubets and offered a USD 5 million reward for information leading to his capture. It said he was known to have been in the process of obtaining a license to work with Russian classified information from the FSB.

The indictment charged Evil Corp. with developing and distributing ransomware used to steal at least USD 100 million in more than 40 countries over the previous decade, including payrolls pilfered from towns in the American heartland.

By the time Yakubets was indicted, Evil Corp. had become a major ransomware player, security researchers say. By May 2020, the gang was distributing a ransomware strain that was used to attack eight Fortune 500 companies, including the GPS device maker Garmin, whose network was offline for days after an attack, according to Advanced Intelligence.

Yakubets remains at large. Another Russian currently imprisoned in France, however, might offer more insight into the dealings of cybercriminals and the Russian state. Alexander Vinnick was convicted of laundering $160 million in criminal proceeds through a cryptocurrency exchange called BTC-e. A 2017 U.S. indictment charged that some of the largest known purveyors of ransomware actually used it to launder USD 4 billion. But Vinnick can’t be extradited until he completes his 5-year French prison sentence in 2024.

Still, a 2018 study by the nonpartisan think tank Third Way found the odds of successfully prosecuting authors of cyberattacks against US targets ransomware and online bank theft are the costliest are no better than three in a thousand. Experts say that those odds have gotten longer.

This week’s sanctions send a strong message, but aren’t likely to deter Putin unless the financial sting hits closer to home, many analysts believe.

That might require the kind of massive multinational coordination that followed the 9/11 terror attacks. For instance, allied countries could identify banking institutions known to launder ransomware proceeds and cut them off from the global financial community.

If you’re able to follow the money and disrupt the money and take the economic incentive out, that’ll go a long way in stopping ransomware attacks, said John Riggi, cybersecurity advisor for the American Hospital Association and a former FBI official.

Elon Musk forms several ‘X Holdings’ companies to fund potential Twitter buyout

3 Mins Read

Thursday’s filing dispelled some doubts, though Musk still has work to do. He and his advisers will spend the coming days vetting potential investors for the equity portion of his offer, according to people familiar with the matter

KV Prasad Journo follow politics, process in Parliament and US Congress. Former Congressional APSA-Fulbright Fellow

Explained: Sarbloh, the ‘justice’ seeking ransomware and its farmers protest connect

KV Prasad Jun 13, 2022, 06:35 AM IST (Published)

Listen to the Article (6 Minutes)

Of late, a new ransomware has made its way through Word documents claiming to contain a political message in support of farmers protesting at Delhi borders against the farm laws. Security firms such as Malwarebytes, Cyble, and QuickHeal have admitted to the presence of this ransomware. Interestingly, the ransomware bucks the trend and doesn’t ask for money but seeks justice for farmers.

Thousands of farmers have been protesting along the Delhi border since November 26. These farmers, especially from Punjab and Haryana, are on a sit-in, demanding a complete rollback of three farm laws and a guarantee on the minimum support price (MSP).

What does the term ‘Sarbloh’ mean?

Sarbloh, or wrought iron, is the metal used in the bowl used by Guru Gobind Singh Ji to make ‘amrit’ during the Khalsa initiation ceremony. Khanda, the double-edged knife or sword, is made of Sarbloh. Till date, Amrit Sanchaars are conducted using a bowl and ‘Khanda’ made of ‘Sarbloh’.

What is ransomware?

First, let’s look at what ransomware is. In simple terms, it’s a form of extortion. Hackers use malware or malicious software to take your computer data hostage by encrypting or locking all the data on any system using a strong encryption key, and then demand money to release the data. It’s akin to locking a door with the keys being in the hacker’s possession. To let you open the door, the hacker seeks ransom. The most popular way to spread ransomware is by sending phishing emails.

How does the Sarbloh ransomware affect your files?

The ransomware, once downloaded, encrypts the files on your computer with the extension .sarbloh. It also shows a ransom note. The beginning of the note reads: “Your files are locked. Your files are gone. They will not be recoverable until the demands of the farmers have been met.”

The group that has claimed responsibility for the ransomware, Khalsa Cyber Fauj, claims to use military-grade encryption on the files in your system, making them useless.

How can you prevent your PC / laptop from getting infected with the Sarbloh ransomware?

• The primary source of the malware is emails. So, you have to be extra cautious while handling your emails.
• Install anti-virus software, if you don’t have it.
• In case you don’t recognise the sender of an email, don’t ever download attachments from such emails.
• Don’t make any payment or provide your OTP or any password to anyone for such information on email. Just mark such emails as spam. You won’t get them in your inbox anymore.

Elon Musk forms several ‘X Holdings’ companies to fund potential Twitter buyout

3 Mins Read

Thursday’s filing dispelled some doubts, though Musk still has work to do. He and his advisers will spend the coming days vetting potential investors for the equity portion of his offer, according to people familiar with the matter

KV Prasad Journo follow politics, process in Parliament and US Congress. Former Congressional APSA-Fulbright Fellow