The disruptive power of ransomware was already on full display last month, thanks to the Colonial Pipeline attack that for days halted fuel distribution from a crucial pipeline on the East Coast of the United States. Now, a different attack over the weekend is threatening the food supply chain—and underscoring, once again, that ransomware is an urgent national and international security issue.
JBS SA is the world's largest meat processing company, with headquarters in Brazil and more than 250,000 employees worldwide. In a statement on Monday, its American subsidiary, JBS USA, said that “it was the target of an organized cybersecurity attack, affecting some of the servers supporting its North American and Australian IT systems.” The company added that its system backups are intact. In response to the attack, JBS USA took impacted systems offline, notified law enforcement, and began working with an outside incident response firm on remediation. JBS facilities in Australia, the US, and Canada have faced disruptions since the attack was first detected on Sunday.
The JBS incident is now rippling out through the meat industry, causing some plants to shut down, workers to be sent home, and livestock to be sent back to farmers after being transported for slaughter. In Australia, the situation is having a particularly noticeable impact on local supply chains, though officials say the ramifications may be contained if JBS can restore operations quickly.
“JBS are working closely with law enforcement agencies here and overseas to get back up and running and to bring those responsible to account,” Australia's minister for Agriculture, Drought and Emergency Management, David Littleproud, tweeted on Tuesday.
JBS has not publicly called the incident a ransomware attack, but White House principal deputy press secretary Karine Jean-Pierre said in an Air Force One briefing on Tuesday that the company alerted the Biden administration to a ransomware attack on Sunday. She added that it was perpetrated by a “criminal organization likely based in Russia.”
“The White House is engaging directly with the Russian government on this matter and delivering the message that responsible states do not harbor ransomware criminals,” Jean-Pierre told reporters.
Multiple US presidential administrations now have grappled with how to exert meaningful deterrence against foreign hacking. Ransomware attacks are, in general, financially motivated and perpetrated by criminal hackers, not explicitly state-sponsored actors. When foreign countries don't prosecute offenders or cooperate with international investigations, they land in a geopolitical gray area.
“Ransomware is a risk to everything from national security to food security to the provision of health care—it should absolutely be considered as one of the most pressing global security issues,” says Brett Callow, a threat analyst at the antivirus firm Emsisoft who has studied and tracked ransomware for years. “Unless governments quickly devise and implement strategies to effectively combat ransomware, the problems will only get worse.”
Ransomware has been a known and active threat to critical infrastructure, particularly health care, for years now, and the situation notably escalated as the Covid-19 pandemic raged. Recent attempts by the US government to address the issue include joining a public-private task force in December. The task force released a series of recommendations at the end of April.
Researchers and incident responders emphasize, though, that there is a pressing need for tangible action. But the step that would be most effective—stopping all payments to ransomware actors so they have no incentive to continue—is difficult to carry out in practice.
“It's all about payment—the second it stops being profitable, it stops,” says Jake Williams, a former NSA hacker and founder of the security firm Rendition Infosec. “You can't outlaw payments. That will put business operators in bad positions. What law enforcement needs to do is aggressively analyze cryptocurrency exchanges and tools like mixers, so hackers can't cover their tracks and convert ransom payments to fiat currency.”
The recent ransomware task force recommendations mention the need to track payments but don't go into great detail about how US law enforcement should do that. In the meantime, ransomware attacks on all sorts of critical industries and infrastructure are unrelenting and, increasingly, generating fear.
“The latest ransomware attack against JBS serves as yet another stark reminder that ransomware is a serious threat that affects the average person, not just the cybersecurity community,” says Katie Nickels, director of intelligence at the security firm Red Canary. “Coming off of the Colonial Pipeline attack, the JBS compromise illuminates how brittle supply chains are, whether they involve gasoline, food, or other essentials. Cybersecurity practitioners can’t continue to combat ransomware alone—it’s time policymakers acknowledge this fact and take action.”
Jean-Pierre of the White House said on Tuesday that the US Department of Agriculture is working on communicating with other meat processors. The USDA did not return a request for comment.
"Ransomware makes cyberthreats personal, and this attack [on JBS] affects multiple countries with ripple effects," says Meg King, director of the Science and Technology Innovation Program at the Wilson Center and a former manager for the US Department of Defense’s Cooperative Threat Reduction Program. “Citizens will demand action from their governments."
As ransomware actors stoop ever lower, decisive action can't come quickly enough.