JBS Ransomware Attack and Small to Midsize Business

An overview of the JBS Foods ransomware attack, its effect on small to midsize businesses, and best practices for preventing a cyberattack.

The link between small to midsize businesses and the meatpacking giant JBS Foods may not seem obvious. However, the recent attack on JBS Foods and the growing use of ransomware by cybercriminals should not be ignored. A concerning pattern is emerging in the cybercriminal arena: attackers “order” ransomware from a separate criminal entity and then pay that entity a commission once the attack is completed and a ransom is paid. Read on to learn more about these trends and for tips on how to make your network more secure.

JBS Foods Attack

American food processor JBS Foods is the largest distributor of beef worldwide. On May 30, JBS was struck by a ransomware attack so severe that it was forced to shut down servers temporarily and cease operations at all JBS-owned facilities in the US for over a day, sending costly ripple effects down the line to grocery stores, restaurants, and farmers. JBS Foods reported that the hackers never reached its backup servers and that customer, supplier, and employee data was never compromised; however, companies do not tend to document the full extent of damage unless required by law. On June 9, JBS Foods confirmed that it had decided to pay $11 million in ransom to get back up and running quickly and to ensure the protection of its data. It is believed that this payment was made on the evening of June 1. The true cost of this attack was likely far higher, since the ransom payment does not include the cost of mitigation, lost business, and damage to the supply chain and to business relationships.

On June 2, US federal officials confirmed that the group behind the JBS attack was a Russian criminal group called REvil. Although JBS was able to get back up and running quickly, what is not known from public sources is the “dwell time” of this attack. Dwell time is the amount of time that hackers remain quiet once they have illegally entered a network. During this time, the hackers’ goal is to poke around the victim’s network and determine what information they can exploit later. Only after that information has been located and stolen do the criminals reveal their presence, typically by launching the ransomware itself. Dwell time is a critical issue and should always be investigated thoroughly to identify all compromised data and points of weakness. Depending on the skill level of the hackers and the type of attack, dwell time can last for weeks to months. A full analysis of this specific attack is not available at this time, but cybercriminals generally work by finding a weak entry point into a system and then escalating account privileges until they reach critical, vulnerable resources.

Small and Medium-Sized Businesses (SMB) as a Target

The Department of Homeland Security has reported a significant increase in cyberattacks on small and medium-sized businesses. It is estimated that over 50% of all ransomware attacks are focused on small and medium-sized businesses. Losses after a breach are staggering, ranging from $8,000 to over $300,000 per incident for businesses with fewer than 10 employees, according to the 2021 Hiscox Cyber Readiness Report. In addition, the National Cybersecurity Alliance reports that 60% of all SMB victims of cybercrime do not reopen their doors. In the past, hackers focused primarily on large-scale organizations. While these larger targets are still at risk, “ransomware as a service” attacks are broadening the market for cybercrime. Leased ransomware services allow smaller-time cybercriminals to obtain the software in exchange for a commission on the profit extorted from a wider pool of victims. DHS has reported the development of a plan to help strengthen cybersecurity by raising awareness, expanding the cybersecurity workforce, and improving protections.

Know The Trends

Mitigation after a breach is costly. Prevention is key. It is important to understand current trends in cybercrime to identify the most valuable ways to focus efforts on prevention.

Ransomware is increasing. Both the scope and the sophistication of ransomware are increasing. Ransomware attacks on small and medium-sized businesses have increased by over 300%. News reports of giants such as JBS Foods quickly handing over millions of dollars have hackers salivating for a piece of the pie. Smaller businesses typically have fewer protections in place, making them easier targets.

Ransomware as a service. Ransomware is a type of malware that is introduced into a victim’s network and that threatens to leak private data or block access until a ransom is paid. “Ransomware as a service” means that a skilled hacker has created malware for this purpose and leases it out. This allows any inexperienced criminal entity to easily obtain the means to carry out a cyberattack without being knowledgeable in hacking. The recent attacks on JBS Foods and Colonial Pipeline were carried out as ransomware as a service.

Advanced Persistent Threats. An advanced persistent threat (APT) is an unauthorized actor that has gained access to a network and remains undetected for a prolonged period. This period, known as dwell time, is when APTs hide inside a network searching for a point of weakness to act upon. They move laterally inside the network, hopping between servers until they find the critical access needed to control the entire system. In March of 2017, Equifax was hacked due to a series of failures in its cybersecurity monitoring. The hackers were able to dwell in Equifax’s network for a staggering 4 months before the breach was discovered. Ensuring that a network can detect advanced persistent threats is critical.

Best Practices

Most cyberattacks succeed because the victim was not properly protected. Applying basic cybersecurity techniques makes it considerably harder for a criminal to gain unauthorized access to your network.

Know your data inventory. Developing a plan for cybersecurity begins with performing an inventory of data to ensure that all facets of protection are considered. Know the chain of custody for your data. What do you store? Where is it stored? Who has access to it? Do they need that access? Why do you need certain data at all?

How well is your system protected? A proactive and aggressive approach to protecting your network is vital. A reactive approach puts a company at risk of a breach, which is costly and damaging to business relationships with customers and vendors alike. Proactive tools should be in place and regularly tested to ensure they remain effective. Controls should include sandboxing, a method of isolating untrusted files or data in a controlled environment before they are released to the main network, as well as intrusion detection and prevention systems that are updated on a regular basis.

Get a risk assessment. Regular security assessments benefit any organization. In an assessment, a cybersecurity expert uses tools to uncover weaknesses within a network and then attempts to exploit those weaknesses to gain access to the client’s network. A thorough assessment also includes an analysis of user practices and knowledge to identify areas for process improvement and training opportunities.

Ongoing monitoring and management. An ongoing plan should be developed to ensure that the organization stays in compliance with its cybersecurity practices and follows its security protocols with constant vigilance. Small to medium-sized businesses often lack the knowledge and resources to effectively understand and track threats to their networks. As the means of cybercrime evolve, it is prudent to engage a team of experts who are knowledgeable in network security and current hacking trends.

Lumos Technology Services is a team of experts providing general risk assessments as well as ongoing monitoring and management. Our technicians are knowledgeable in threat prevention, detection, and disaster recovery. We will protect your network using state-of-the-art intrusion detection and prevention methods, while constantly monitoring network traffic for threats. We also use tools such as disk encryption and multifactor authentication to ensure that you are protected. We monitor your devices around the clock and prioritize and resolve alerts to ensure that your data is secure.