REvil Harvest Festival: Agribusiness On High Alert as Syndicate Goes After the Sector
Updated: Dec 14, 2020
By Anastasia Sentsova
The agriculture sector has undergone many changes since the Agricultural Revolution, transforming from work centered around human labor to data-oriented digital agriculture. These changes offer many advantages but also pose a significant threat to a sector that is responsible for feeding millions of people. The US segment of the sector alone contributed $1.109 trillion USD to the U.S. GDP in 2019. Multi-million dollar agribusinesses, powered by big data, are lucrative targets for cybercriminals and highly vulnerable to cyberattacks due to the growing digitisation of the sector.
On October 26, 2020, AdvIntel’s summary of an interview with REvil’s representative “UNKN” highlighted the agriculture sector as one of the main targets of the ransomware syndicate. According to UNKN, ransomware groups are moving towards data extraction rather than distributed denial-of-service (DDoS) attacks, as it allows them to generate higher revenues through ransom payments.
AdvIntel has observed a list of leaks from ransomware groups. The list includes around 400 compromised entities worldwide from various sectors, including agriculture sector companies breached by REvil. These companies, from different regions of the world, have been found auctioned on REvil’s Happy Blog website. Syndicate operators introduced a new “Auction” feature to process and promote these agricultural breaches.
AdvIntel assesses with a high level of confidence that REvil’s threat actors will increasingly target the agriculture sector for monetary gain and for the harvesting of mass amounts of data. Because this industry is considered part of the critical infrastructure and one of the most important enterprises, agribusinesses must ensure that they are capable of resisting constantly evolving cyber threats.
The U.S. agriculture sector alone, which consists of foodservice and food manufacturing along with a range of related industries such as textiles, apparel products, forestry, fishing, fertilizer producers, seed companies, and other related companies, contributed $1.109 trillion USD to the U.S. GDP in 2019. Cyberattacks pose a threat to the agriculture sector and related industries, as well as to organizations that support agriculture, like trade associations, food processors, and commodity brokers.
Agricultural entities find themselves highly vulnerable to cyberattacks due to their digital transformation. Data is a key element of modern agriculture: so-called smart farming relies on it for critical decision-making that makes operations more efficient. Data-managed farms depend on this data to avoid misuse of resources and run operations smoothly.
Image Source: Agricultural Robotics Laboratory (ARL),
Polytechnic University of Valencia (Universidad Politécnica de Valencia)
The agricultural environment is heavily networked and contains many vulnerabilities, including weaknesses in third parties such as service providers or system integrators, that might be targeted by cybercriminals. IoT (Internet of Things) technology is driven by the connectivity of objects and devices across the agricultural sector, giving cybercriminals the opportunity to exploit these systems.
During the interview with REvil’s representative known as UNKN, UNKN stated that ransomware groups are moving towards data extraction rather than just DDoS attacks, as it allows them to generate higher revenue through ransom payments. According to UNKN, 33% of their victims were willing to pay.
Indeed, AdvIntel’s DarkWeb investigation, performed with our Andariel platform’s ransomware tracking technology, identified a list of further leaks from ransomware groups aimed at the agricultural industry. The list was posted by a threat actor operating on DarkWeb forums. It includes the following groups: Maze, Corporate, Suncrypt, Dopple, Netwalker, REvil, CLOP, Ragnar Locker, Sekhmet, Avaddon, Darkside, Mount Locker, Egregor, ContiNews, and Lockbit. The list contains around 400 compromised entities worldwide from various sectors, including agriculture sector companies. Just as UNKN predicted, these companies were later found to have their information auctioned on REvil’s "Happy Blog".
List of companies and domains organized by ransom group posted in the DarkWeb (Image Source: AdvIntel’s Andariel Platform - DarkWeb Collection)
To illustrate the current state of the threat to agriculture, AdvIntel presents four illustrative cases of agricultural companies breached by REvil from across the globe. For ethical reasons, the names of the victims are obfuscated.
Victim 1: a Canadian agro retailer specializing in a diverse range of services, such as soil management and crop advisory. REvil allegedly locked down parts of the company’s systems and tried to sell its data through the new “Auction” feature on the Happy Blog website.
REvil published the victim’s documents in the DarkWeb to force the victim to pay.
Source: REvil’s Happy Blog
Victim 2: a major American-based producer of fresh-cut fruits and vegetables headquartered in Canada, with an estimated annual revenue close to 1 billion as of 2018. REvil posted files on its Happy Blog containing the company's personal data with the comments “We downloaded your files and your customers/employees data samples”, “Come to talk. If not, full dump will be available next week”.
Data posted by REvil in the DarkWeb to force the victim to pay.
Source: REvil’s Happy Blog
Victim 3: one of the leading Indonesian producers of palm oil and palm kernel, with an estimated annual revenue of over 200 million USD. REvil’s operators posted samples of stolen data followed by the comment
“Hello, we have downloaded your private & confidential data of your clients and employees. If you do not contact us within 72 hours we will post this data in our happy blog :) I think you are smart guys”
Samples of stolen data posted by REvil in the DarkWeb
Source: REvil’s Happy Blog
Victim 4: one of the world's largest salmon farmers, based in Chile, with an estimated $3 billion USD in revenue. The company serves customers worldwide.
The comment “Hello, we have downloaded your private data, info about clients and employees and we are ready to publish it in our blog if you didn’t contact us” was posted on REvil’s Happy Blog along with samples of the company’s stolen data.
Samples of data posted by REvil in the DarkWeb
Source: REvil’s Happy Blog
The new tactic of putting a victim company’s data up for auction is a further means of manipulation and psychological pressure on a business. Companies threatened with the disclosure of sensitive information are likely to pay millions of dollars to save their reputation and stop a catastrophic interruption of their operations.
Despite the apparent differences in company size, revenue, and geographic location, all of REvil’s victims have one thing in common - any disruption of operations is critical for them. This is what makes agricultural businesses a perfect target for syndicates to monetize - desperate to bring operations back to normal, they are likely to comply. The best way to prevent an attack is to be prepared for it. In today’s reality, every single company might potentially fall victim to cybercriminals. Thus, to protect systems from criminal intruders, a company requires constant monitoring to detect infection and mitigate the risk.
Constantly improving their ability to penetrate and lock victims’ systems, cybercriminals are expanding their techniques to squeeze out every possible penny. Publishing stolen data on data leak websites turns into a public punishment of victims, with drastic consequences. The AdvIntel Ransomware Tracker monitors those leaks and notifies our clients about the threat.
AdvIntel's Andariel Ransomware Tracker identifying REvil-breached & extorted entities
The use of IoT devices allows cybercriminals to explore numerous vulnerabilities within the smart farm ecosystem and disrupt the data flow from sensors and autonomous vehicles. This disruption might have significant consequences, especially during harvest, when live monitoring is critical. Smart farming relies on this technology and data because it can be captured and analyzed for decision making. Intrusion into this process will disrupt critical infrastructure and lead to significant financial losses.
The agriculture sector finds itself falling behind other sectors in the implementation of cybersecurity to protect against cyber threats. AdvIntel assesses with a high level of confidence that REvil’s threat actors will increasingly target the agriculture sector for monetary gain and for the harvesting of mass amounts of data. In the case of a successful attack on critical operations, victims are more likely to pay the requested ransom in order to restore the proper functionality of their systems. Because this sector is considered part of the critical infrastructure and one of the most important enterprises, agribusinesses must ensure that they are capable of resisting constantly evolving cyber threats.
Advanced Intelligence is an elite threat prevention firm. We provide our customers with tailored support and access to the proprietary, industry-leading “Andariel” Platform to achieve unmatched visibility into botnet breaches and the underground and DarkWeb economy, and to mitigate any existing or emerging threats.
Anastasia Sentsova is a Threat Intelligence Analyst with Advanced Intelligence, LLC, with a specific focus on the Eurasian region's state and non-state threat actor groups. She recently graduated from the Zicklin School of Business, Baruch College, with a Bachelor's Degree in Computer Information Systems and a minor in communication studies. Anastasia became interested in cybersecurity in school and is currently pursuing her career in the field. With a background in journalism and strong intercultural communication skills, she is eager to contribute to the field and to the establishment of a more secure future.