The Sodin/REvil Ransomware Group, Cited as Perpetrator of the JBS SA Cyberattack, Claims to Have Hit a Second Large Meat Producer in France

News broke on June 1 that the world’s largest meatpacker, JBS SA, was hit by a ransomware attack which disrupted meat production in the company’s North American and Australian facilities. Late on June 2, JBS was quoted as saying that most of their operations resumed on Wednesday, including all of their pork, poultry and prepared foods facilities around the world, in addition to the majority of their beef facilities in the U.S. and Australia. The FBI and several top news outlets are reporting that the Sodin/REvil ransomware group is the cybercriminal gang behind the ransomware attack. Interestingly, eSentire’s TRU team, who has been tracking the Sodin ransomware group since its inception, found that the Sodin gang claims to have hit another large meat manufacturer in France in the past two weeks.

“It is certainly plausible that the Sodin/REvil ransomware group launched the attack against meat packer and producer JBS, as well as another company in the same industry,” said Rob McLeod, Sr. Director of eSentire’s security research team, the Threat Resistance Unit (TRU). The TRU has been tracking the top ransomware groups for several years, and the Sodin/REvil gang ranks in the number one or number two spot, amongst all the ransomware gangs. The Sodin group is only rivaled by the Ryuk/Conti ransomware organization when it comes to high profile attacks, ransoms collected and news coverage. “The Sodin/REvil gang has all the technical capabilities, the infrastructure and the criminal network to pull off the attack against JBS, ” continued McLeod.

SODIN/REVIL RANSOMWARE ATTACK STATS

Sodin/REvil Claims New Manufacturing Victims and Boasts a Long History of Attacking Manufacturers

In tracking the activities of the Sodin/REvil ransomware group, eSentire found that the Sodin group reports to have compromised 161 victims since inception until April 31, 2021, and 52 in the first four months of 2021. These numbers do not include JBS or the other victims they have named on their blog/leak site Happy Blog since April 31. Many of the businesses the Sodin gang has been confirmed to have compromised and the businesses it claims to have compromised are manufacturers.

Some of the manufacturers that have publicly confirmed that they have suffered a ransomware attack by the Sodin group this year include Quanta Computer, Tata Steel, Acer, Pierre Fabre, Asteelflash and Evraz. Other manufacturers the Sodin group claims to have compromised this year on their blog/leak site, titled Happy Blog, include a Virginia-based manufacturer of comfort cushioning products, a Virginia-based manufacturer of motors, a Swiss manufacturer of hand tools, a California-based manufacturer of packaging for the beauty industry, e.g., makeup, perfume; a France-based manufacturer of paints and resins and a Hong Kong-based manufacturer of beauty products.

And the Sodin ransomware gang is, not surprisingly, targeting other types of lucrative organizations. In the past two weeks, the threat group reports that they have compromised new victims including: a large U.S.-based manufacturer of steel and aluminum for the auto industry, a court system in southeastern U.S. , a large chain of luxurious resorts in Mexico; a 70-year-old, established London-based accounting firm; one of the largest and oldest maritime logistics providers in Brazil; a U.S.-based luxury clothing line; a law firm based in Florida and one in California; and a large meat producer in France.

Costs of Ransomware Attacks to Businesses

While we don’t know if all these incidents reaped any ransom money for Sodin/REvil, we do know that ransomware operators are making plenty of money. Cybersecurity company Emisoft estimates that the true global cost of ransomware, including business interruption and ransom payments in 2020, was a minimum of $42bn and a maximum of nearly $170bn. A survey by Veritas Technologies found that 66 percent of victims admitted to paying part or all of the ransom.

"The ransomware attacks reported in the media are just the tip of the iceberg," continued McLeod. "The deep dive report our TRU Team did in May has exposed a veritable hornet's nest of attacks perpetrated by not just Sodin/REvil but other top ransomware gangs.”

With so many ransomware incidents being reported by the press and by the hackers themselves on their personal blog/leak sites, it’s tempting to think you’re fully aware of just how pervasive this threat has become. The reality is that the victim organizations we hear about publicly are a mere drop in the bucket compared to the actual incidents. One ransomware incident, which occurred in April 2021 but was never made public, involved a small private U.S. company. The threat actors demanded $12 million, and the company paid it, according to a high-ranking employee of the organization who asked not to be named.

Added McLeod: "Underestimating your risk of falling prey to ransomware is a dangerous game for companies. Increasingly, threat actors are widening their scope and have put manufacturers, transportation and logistics companies, and construction firms in their crosshairs. With so much at stake from both a financial and reputational standpoint, companies can't afford not to secure their networks, as we have seen with Meatpacker JBS, Quanta Computer, Acer and Tata Steel.”

Sodin, like the Darkside ransomware group (the ransomware gang behind the Colonial Pipeline incident), also utilizes an affiliate model. The Sodin threat actors are known to selectively recruit other cybercriminal groups to work with them, and these are known as affiliates. The affiliates recruited often run large botnets (networks of compromised business computers, which are totally under the threat actors’ control). The affiliates will infect their bots with the Sodin ransomware, and whichever victim companies and/or organizations pays the ransom then the Sodin leaders will take a percentage of the ransom monies collected.

Sodin Group Behind Two of the Biggest Attacks Against Manufacturers in 2021

Two of this year’s most notable ransomware attacks against manufacturers involved the Sodin threat group. In March, the group hit computer and electronics manufacturer Acer and demanded a $50 million ransom. Quanta Computer, which manufactures the Notebook computer, was another victim. The Sodin gang demanded $50 million from Quanta. The company refused to negotiate, and the Sodin criminals reportedly turned to Apple for the ransom. The Sodin hackers posted on their blog “Happy Blog,” a warning stating that if they did not get paid, they would publish what they claimed were technical details for current and future Apple hardware. The website 9to5Mac.com published several images of blueprints, which the Sodin threat actors claim is from Quanta. See images 1-3.

Image 1: Technical design of Apple hardware stolen from hardware manufacturer Quanta, according to Sodin.

Image 2: Technical design of Apple hardware stolen from hardware manufacturer Quanta, according to Sodin.

Image 3: Technical design of Apple hardware stolen from hardware manufacturer Quanta, according to Sodin.

The Sodin gang threatened to publish new data from Quanta every day leading up to May unless Apple agreed to pay the $50 million ransom in exchange for deleting the files. As of May 10, no additional documents appearing to be related to the Apple products had been leaked on Sodin’s website. Interestingly, all images relating to the Quanta incident have been removed from Sodin’s website, as well as any mention of the Quanta breach.

One writer was quoted as saying: “Historically, Sodin isn't known for bluffing and routinely posts stolen documents if its victims don't pay up, so it's unclear why the group has failed to follow through on this occasion, and Apple has not commented on the breach thus far.”

For more information about this threat and how to protect against it go to https://www.esentire.com/get-started