PRECURSOR ANALYSIS REPORT: JBS FOODS RANSOMWARE ATTACK 2021
- Idaho National Laboratory
The JBS Foods 2021 Ransomware Attack Precursor Analysis Report leverages publicly available information about the JBS ransomware cyber attack and catalogs anomalous observables for each technique employed in the attack. This analysis is based upon the methodology of the Cybersecurity for the Operational Technology Environment (CyOTE) program. In late May 2021, one of the world’s largest meat producers, JBS Foods, announced they had fallen victim to a worldwide ransomware attack, later found to be REvil ransomware. In the United States alone, JBS Foods accounts for nearly 25% of beef and roughly 20% of pork production. Adversaries initially launched a Distributed Denial of Service (DDoS) attack on the company’s Information Technology (IT) networks in Australia, but the attack impacted operations in Brazil, Canada, and the United States as well. The attack caused plant operations in all four countries to shut down for at least one day. All nine of the U.S. meatpacking plants temporarily shut down because of the attack. The adversaries initially demanded a $22 million ransom for the company’s data, but later negotiated the ransom down to $11 million even after JBS Foods restored most of their systems. JBS Foods eventually paid the $11 million for reassurance from the adversaries that none of their customers’ data would be compromised in the future. Despite its short duration, the attack still caused large stocks of meat to spoil. The incident also underscored how adversaries can simultaneously compromise and move laterally through global subsidiaries of an organization. Researchers and analysts identified 22 unique techniques (in a sequence of 21 steps) utilized during the attack with a total of 361 observables using MITRE ATT&CK® for Industrial Control Systems. The CyOTE program assesses observables accompanying techniques used prior to the triggering event to identify opportunities to detect malicious activity.
If observables accompanying the attack techniques are perceived and investigated prior to the triggering event, earlier comprehension of malicious activity can take place. Sixteen of the identified techniques used during the JBS Foods cyber attack were precursors to the triggering event. Analysis identified 308 observables associated with these precursor techniques, 163 of which were assessed to have an increased likelihood of being perceived in the 75 days preceding the triggering event. The response and comprehension time could have been reduced if the observables had been identified earlier. The information gathered in this report contributes to a library of observables tied to a repository of artifacts, data sources, and technique detection references for practitioners and developers to support the comprehension of indicators of attack. Asset owners and operators can use these products if they experience similar observables or to prepare for comparable scenarios.
- Research Organization: Idaho National Laboratory (INL), Idaho Falls, ID (United States)
- Sponsoring Organization: USDOE Office of Nuclear Energy (NE); USDOE Office of Cybersecurity, Energy Security, and Emergency Response (CESER)
- DOE Contract Number: AC07-05ID14517
- OSTI ID: 3030043
- Report Number(s): INL/RPT-23-71884
- Country of Publication: United States
- Language: English