U.S. Treasury puts crypto industry on notice over rising ransomware attacks

By Daphne Psaledakis

WASHINGTON (Reuters) – Suspected ransomware payments totaling $590 million were made in the first six months of this year, more than the $416 million reported for the whole of 2020, U.S. authorities said on Friday, as Washington put the cryptocurrency industry on alert about its role in combating ransomware attacks.

The U.S. Treasury Department said the average amount of reported ransomware transactions per month in 2021 was $102.3 million, with REvil/Sodinokibi, Conti, DarkSide, Avaddon, and Phobos the most prevalent ransomware strains reported.

President Joe Biden has made the government’s cybersecurity response a top priority for the most senior levels of his administration following a series of attacks this year that threatened to destabilize U.S. energy and food supplies.

Seeking to stop the use of cryptocurrencies in the payment of ransomware demands, Treasury told members of the crypto community they are responsible for making sure they do not “directly or indirectly” help facilitate deals prohibited by U.S. sanctions.

Its new guidance said the virtual currency industry plays an increasingly critical role in preventing those blacklisted from exploiting virtual currencies to evade sanctions.

“Treasury is helping to stop ransomware attacks by making it difficult for criminals to profit from their crimes, but we need partners in the private sector to help prevent this illicit activity,” Deputy Treasury Secretary Wally Adeyemo said in a statement.

The new guidance also advised virtual currency exchanges to use geolocation tools to block access from countries under U.S. sanctions.

Hackers use ransomware to take down systems that control everything from hospital billing to manufacturing. They stop only after receiving hefty payments, typically in cryptocurrency.

This year, gangs have hit numerous U.S. companies in large-scale hacks. One such attack on pipeline operator Colonial Pipeline led to temporary fuel supply shortages on the U.S. East Coast. Hackers also targeted an Iowa-based agricultural company, sparking fears of disruptions to grain harvesting in the Midwest.

The Biden administration last month unveiled sanctions against cryptocurrency exchange Suex OTC, S.R.O. over its alleged role in enabling illegal payments from ransomware attacks, officials said, in the Treasury’s first such move against a virtual currency exchange over ransomware activity.

(Reporting by Chris Sanders, Chris Bing and Daphne Psaledakis; Editing by Chizu Nomiyama and Daniel Wallis)

Stung by pandemic and JBS cyberattack, U.S. ranchers build new beef plants

By Tom Polansek

CHICAGO (Reuters) – U.S. cattle ranchers and investors are sinking hundreds of millions of dollars into new beef plants after temporary closures of massive slaughterhouses at the start of the COVID-19 pandemic left farmers with nowhere to send animals destined to be turned into meat.

A cyberattack against the U.S. unit of Brazilian meatpacking giant JBS SA that idled nearly a quarter of America’s beef production earlier this month again highlighted vulnerabilities in the country’s meat supply chain and caused more headaches for farmers.

Ranchers, as well as the U.S. Agriculture Department (USDA), say the sector is too consolidated and therefore reliant on a handful of large processors and their industrial meatpacking plants.

Four industry behemoths – JBS USA, Tyson Foods Inc, Cargill Inc and National Beef Packing Company – slaughter 85% of grain-fattened cattle carved into steaks, ribs and roasts for consumers.

Smaller startup meat plants are aiming to provide local ranchers with more places to slaughter cattle, particularly those raised to produce higher-quality beef. They say adding plants can ensure some meat production continues if large facilities close.

When large meat plants close, meat supplies tighten while ranchers get stuck with cattle that would otherwise have been slaughtered. That means the price of cattle generally falls, while the price of meat in supermarkets rises.

Extended shutdowns of some of the biggest U.S. slaughterhouses due to COVID-19 outbreaks hobbled meat production in spring 2020, leading to limits on consumers’ purchases at grocery stores and a decline in frozen inventories that processors have yet to replenish.

Rusty Kemp saw the need for more processing capacity after a 2019 fire at a Tyson Foods plant in Holcomb, Kansas, left meat buyers scrambling for supplies and cattle producers with nowhere to sell their cattle. Then, the pandemic and ransomware attack on JBS hit.

Kemp is now planning to break ground on a $300 million beef plant in Nebraska this fall.

“We thought the Holcomb fire was an absolute train wreck and then COVID came along and Holcomb didn’t seem that bad,” he said.

Kemp’s plant, named Sustainable Beef, will kill 1,500 cattle a day and use blockchain technology so consumers can track a piece of meat all the way back to the ranch, he said.

Sustainable Beef is co-owned by cattle producers who will provide animals for slaughter to the plant, instead of to major packers, Kemp said. He hired former executives of one of the biggest processors, Cargill, as consultants because of their expertise.

But Kemp said he is not trying to pick a fight with the four major processors and that bigger plants are still needed to produce large volumes of meat.

“We absolutely need more capacity and more players,” Kemp said.

MORE ROOM TO SLAUGHTER

Nationwide, at least five new processing facilities of varying sizes have opened or are planned following supply shocks early in the pandemic. Combined with expansions at existing plants, including one owned by JBS, daily U.S. slaughter capacity is set to increase by about 5%, according to a Reuters calculation and data from industry group the North American Meat Institute.

Market conditions are favorable for new entrants. Cattle supplies are ample, while beef prices and profit margins for packers have soared due to strong exports and demand from U.S. consumers.

In Butler, Missouri, Todd Hertzog and his family opened Hertzog Meat Company this month after considering the project for five years.

Though the $3.75 million plant is only slaughtering about 20 cattle a day, it serves nearby ranchers who want to produce higher-quality beef, said Hertzog, who manages the operation.

“The pandemic opened our eyes to the needs of local producers,” he said.

Production disruptions during the pandemic pushed Cliff Welch to begin construction on a meat processing plant near Central City, Kentucky, at a price tag of more than $1.2 million. The cyberattack on JBS then reinforced Welch’s decision to build the facility, slated to open in late 2021, he said.

Welch aims to slaughter 75 cattle a week to start, with the capability to eventually kill 300 head a week. He said he will produce custom cuts of meat using “old-style butchery” and plans to sell it locally.

“I’m starting from ground zero,” Welch said. “It’s a big undertaking.”

Welch said he received a $250,000 grant from Kentucky for the project.

The U.S. Agriculture Department has pledged to support increased processing as part of a $4 billion initiative to strengthen the country’s food system.

“The hope would be that by spreading out, by creating diversity in size and diversity of ownership and diversity of operations, we create greater resilience,” USDA Secretary Tom Vilsack told reporters after the JBS attack.

Missouri last year paid about $17 million in grants to meat processors with fewer than 200 employees that wanted to expand or build new facilities, state agriculture director Chris Chinn said. The payments doubled the amount of red meat inspected by the state in a program sparked by the pandemic, she said.

“It added stability to our local communities and our rural areas,” Chinn said. “They didn’t have to depend on one local source to get their food.”

SMALLER PLANTS, SAME PROBLEMS

Small facilities are finding they face some of the same challenges as larger outfits, notably a labor shortage, without the benefit of a big corporation behind them.

After opening in March, Missouri Prime Beef Packers struggled to find workers for a plant in Pleasant Hope, Missouri, that now kills about 200 cattle a day, despite putting ads in newspapers and on radio, said Dallen Davies, director of company culture.

The facility is slaughtering cattle raised under special guidelines, such as being grass-fed or certified for humane handling, as a way to add value for ranchers and provide a better product for consumers, Davies said.

Plants need to differentiate themselves because they cannot compete with industry titans on volume or on low prices achieved with mass production lines.

Former President Donald Trump last year said he urged the Justice Department to look into allegations the meatpacking industry broke antitrust law because the price that slaughterhouses pay farmers for animals dropped even as meat prices climbed. U.S. governors and lawmakers are pushing the department to keep probing.

Those involved in slaughterhouse expansion say they still need to do something to give ranchers more options in the meantime.

“We really don’t want to wait around and see if the government is going to solve this problem,” Kemp said. “We decided to take matters into our own hands and do this.”

(Reporting by Tom Polansek in Chicago; Editing by Caroline Stauffer and Matthew Lewis)

Colonial Pipeline CEO tells Senate cyber defenses were compromised ahead of hack

By Stephanie Kelly and Jessica Resnick-Ault

NEW YORK (Reuters) – Colonial Pipeline Chief Executive Joseph Blount told a U.S. Senate committee on Tuesday that the company’s cyber defenses were in place, but were compromised ahead of an attack last month.

The hearing was convened to examine threats to critical infrastructure and the Colonial Pipeline cyber attack that shut the company’s major fuel conduits last month.

The hack, attributed by the FBI to a gang called DarkSide, caused a days-long shutdown that led to a spike in gasoline prices, panic buying and localized fuel shortages. It posed a major political headache for President Joe Biden as the U.S. economy was starting to emerge from the COVID-19 pandemic.

Senators questioned whether Colonial was sufficiently prepared for a ransomware attack and the company’s timeline for responding to the attack. Some suggested Colonial had not sufficiently consulted with the U.S. government before paying the ransom against federal guidelines.

Colonial did not specifically have a plan for a ransomware attack, but did have an emergency response plan, Blount said. The company reached out to the FBI within hours of the cyber attack, he said.

“We take cybersecurity very seriously,” Blount said. Still, he said the attack occurred using a legacy VPN (Virtual Private Network) system that did not have multifactor authentication in place.

He said the system was protected with a complex password. “It wasn’t just Colonial123,” he said.

Blount said he made the decision to pay the ransom and to keep the payment as confidential as possible because of concern for security.

“It was our understanding that the decision was solely ours to make about whether to pay the ransom,” he said.

However, he said that even after getting the key, the company is still recovering from the attack and is currently bringing back seven finance systems that have been offline since May 7.

The Justice Department on Monday said it had recovered some $2.3 million in cryptocurrency ransom paid by Colonial Pipeline.

Colonial Pipeline previously had said it paid the hackers nearly $5 million to regain access. The value of the cryptocurrency bitcoin has dropped to below $35,000 in recent weeks after hitting a high of $63,000 in April.

Bitcoin seizures are rare, but authorities have stepped up their expertise in tracking the flow of digital money as ransomware has become a growing national security threat and put a further strain on relations between the United States and Russia, where many of the gangs are based.

(Reporting by Stephanie Kelly and Jessica Resnick-Ault; Editing by Marguerita Choy)

Microsoft says group behind SolarWinds hack now targeting government agencies, NGOs

By Kanishka Singh and Raphael Satter

WASHINGTON (Reuters) – The group behind the SolarWinds cyber attack identified late last year is now targeting government agencies, think tanks, consultants, and non-governmental organizations, Microsoft Corp said on Thursday.

“This week we observed cyberattacks by the threat actor Nobelium targeting government agencies, think tanks, consultants, and non-governmental organizations,” Microsoft said in a blog.

Nobelium, originating from Russia, is the same actor behind the attacks on SolarWinds customers in 2020, according to Microsoft.

The comments come weeks after a May 7 ransomware attack on Colonial Pipeline shut the United States’ largest fuel pipeline network for several days, disrupting the country’s supply.

“This wave of attacks targeted approximately 3,000 email accounts at more than 150 different organizations,” Microsoft said on Thursday.

While organizations in the United States received the largest share of attacks, targeted victims came from at least 24 countries, Microsoft said.

At least a quarter of the targeted organizations were involved in international development, humanitarian issues and human rights work, Microsoft said in the blog.

Nobelium launched this week’s attacks by breaking into an email marketing account used by the United States Agency For International Development (USAID) and from there launching phishing attacks on many other organizations, Microsoft said.

In statements issued Friday, the Department of Homeland Security and USAID both said they were aware of the hacking and were investigating.

The hack of information technology company SolarWinds, which was identified in December, gave access to thousands of companies and government offices that used its products. Microsoft President Brad Smith described the attack as “the largest and most sophisticated attack the world has ever seen”.

This month, Russia’s spy chief denied responsibility for the SolarWinds cyber attack but said he was “flattered” by the accusations from the United States and Britain that Russian foreign intelligence was behind such a sophisticated hack.

The United States and Britain have blamed Russia’s Foreign Intelligence Service (SVR), successor to the foreign spying operations of the KGB, for the hack which compromised nine U.S. federal agencies and hundreds of private sector companies.

The attacks disclosed by Microsoft on Thursday appeared to be a continuation of multiple efforts to target government agencies involved in foreign policy as part of intelligence gathering efforts, Microsoft said.

The company said it was in the process of notifying all of its targeted customers and had “no reason to believe” these attacks involved any exploitation or vulnerability in Microsoft’s products or services.

(Reporting by Kanishka Singh and Sabahatjahan Contractor in Bengaluru; additional reporting by Raphael Satter in Washington; Editing by Robert Birsel and Clarence Fernandez)

U.S. to boost pipeline cyber protections in wake of Colonial hack

WASHINGTON (Reuters) – The Biden administration is working with pipeline companies to strengthen protections against cyberattacks following the Colonial Pipeline hack and will announce actions in coming days, the Department of Homeland Security (DHS) said on Tuesday.

The Transportation Security Administration (TSA), a unit of the DHS, “is coordinating with companies in the pipeline sector to ensure they are taking all necessary steps to increase their resilience to cyber threats and secure their systems,” the agency said.

TSA is collaborating with another branch of DHS, the Cybersecurity and Infrastructure Security Agency. DHS said it will release more details “in the days ahead” without providing particulars.

The Washington Post reported DHS is preparing to issue its first mandatory cybersecurity regulations on pipelines, citing senior officials.

In the past TSA has provided voluntary guidelines on cybersecurity for pipelines. The agency only had six full-time employees in its pipeline security branch through 2018, which limited the office’s reviews of cybersecurity practices, a General Accountability Office report said in 2019. The TSA said this month it has since expanded that staff to 34 positions.

The TSA would require pipeline companies to report cyber incidents to the federal government, senior DHS officials told the newspaper.

After a ransomware attack forced Colonial to shut its entire network for 11 days this month, thousands of gas stations across the U.S. Southeast ran out of fuel. Motorists fearing prolonged shortages raced to fill up their cars.

The closure of the 5,500-mile (8,900-km) system was the most disruptive cyberattack on record, preventing millions of barrels of gasoline, diesel and jet fuel from flowing to the East Coast from the Gulf Coast.

The new regulations were discussed after DHS Secretary Alejandro Mayorkas and other top officials considered how they could use existing TSA powers to bring change to the industry, the Post said.

Representative Bennie Thompson, chair of the Homeland Security Committee in the House of Representatives, called the move “a major step in the right direction towards ensuring that pipeline operators are taking cybersecurity seriously and reporting any incidents immediately.”

(Reporting by Doina Chiacu and Timothy Gardner; Editing by Howard Goller and Grant McCool)

Companies may be punished for paying ransoms to sanctioned hackers – U.S. Treasury

By Raphael Satter

WASHINGTON (Reuters) – Facilitating ransomware payments to sanctioned hackers may be illegal, the U.S. Treasury said on Thursday, signaling a crackdown on the fast-growing market for consultants who help organizations pay off cybercriminals.

In a pair of advisories, the Treasury’s Office of Foreign Assets Control and its Financial Crimes Enforcement Network warned that facilitators could be prosecuted even if they or the victims did not know that the hackers demanding the ransom were subject to U.S. sanctions.

Ransomware works by encrypting computers, holding a company’s data hostage until a payment is made. Organizations have often ponied up ransoms to liberate their data.

“It is a game changer,” said Alon Gal, chief technology officer of Hudson Rock, which works to head off ransomware attacks before they happen.

Before, companies could decide whether or not to pay cybercriminals off, he said. Now that those decisions are being brought under government oversight “we are going to see a much tougher handling of these incidents.”

The Enforcement Network’s advisory also warned that cybersecurity firms may need to register as money services businesses if they help make ransomware payments. That would impose a new reporting requirement on a previously little-regulated corner of the cybersecurity industry.

Ransomware has become an increasingly visible threat in the United States and abroad. Cybercriminals have long used the software to loot their victims. Some countries, notably North Korea, are also accused of deploying ransomware to earn cash.

(Reporting by Raphael Satter; Editing by Chizu Nomiyama and Richard Chang)

U.S. to indict North Koreans over WannaCry, Sony cyber attacks

FILE PHOTO: A screenshot shows a WannaCry ransomware demand, provided by cyber security firm Symantec, in Mountain View, California, U.S. May 15, 2017. Courtesy of Symantec/Handout via REUTERS

By Christopher Bing

WASHINGTON (Reuters) – The U.S. Justice Department is poised to charge North Korean hackers over the 2017 global WannaCry ransomware attack and the 2014 cyber attack on Sony Corp, a U.S. official told Reuters on Thursday.

The charges, part of a strategy by the U.S. government to deter future cyber attacks by naming and shaming the alleged perpetrators, will also allege that the North Korean hackers broke into the central bank of Bangladesh in 2016, according to the official.

In 2014, U.S. officials said unnamed North Korean hackers were responsible for a major cyber intrusion into Sony, which resulted in leaked internal documents and data being destroyed.

The attacks came after Pyongyang sent a letter to the United Nations, demanding that Sony not move forward with a movie comedy that portrayed the U.S.-backed assassination of a character made to look like North Korean leader Kim Jong Un.

The FBI said at the time it had recovered evidence connecting North Korea to the attack and others in South Korea.

Last year, the WannaCry ransomware attack affected thousands of businesses across the globe through a computer virus that encrypted files on affected systems, including Britain’s National Health Service, where nonfunctional computer systems forced the cancellation of thousands of appointments.

(Reporting by Christopher Bing; Additional writing by Susan Heavey; Editing by Chizu Nomiyama and Jeffrey Benkoe)

Ukraine cyber security firm warns of possible new attacks

KIEV (Reuters) – Ukrainian cyber security firm ISSP said on Tuesday it may have detected a new computer virus distribution campaign, after security services said Ukraine could face cyber attacks similar to those which knocked out global systems in June.

The June 27 attack, dubbed NotPetya, took down many Ukrainian government agencies and businesses, before spreading rapidly through corporate networks of multinationals with operations or suppliers in eastern Europe.

ISSP said that, as with NotPetya, the new malware seemed to originate in accounting software and could be intended to take down networks when Ukraine celebrates its Independence Day on Aug. 24.

“This could be an indicator of a massive cyber attack preparation before National Holidays in Ukraine,” it said in a statement.

In a statement, the state cyber police said they also had detected new malicious software.

The incident is “in no way connected with global cyber attacks like those that took place on June 27 of this year and is now fully under control,” it said.

The state cyber police and the Security and Defence Council have said Ukraine could be targeted with a NotPetya-style attack aimed at destabilizing the country as it marks its 1991 independence from the Soviet Union.

Last Friday, the central bank said it had warned state-owned and private lenders of the appearance of new malware, spread by opening email attachments of Word documents.

Ukraine – regarded by some, despite Kremlin denials, as a guinea pig for Russian state-sponsored hacks – is fighting an uphill battle in turning pockets of protection into a national strategy to keep state institutions and systemic companies safe.

(Reporting by Natalia Zinets; Additional reporting by Pavel Polityuk; Writing by Alessandra Prentice; editing by Mark Heinrich and Richard Balmforth)

Ukraine central bank warns of new cyber-attack risk

By Natalia Zinets

KIEV (Reuters) – The Ukrainian central bank said on Friday it had warned state-owned and private lenders of the appearance of new malware as security services said Ukraine faced cyber attacks like those that knocked out global systems in June.

The June 27 attack, dubbed NotPetya, took down many Ukrainian government agencies and businesses, before spreading rapidly through corporate networks of multinationals with operations or suppliers in eastern Europe.

Kiev’s central bank has since been working with the government-backed Computer Emergency Response Team (CERT) and police to boost the defenses of the Ukrainian banking sector by quickly sharing information.

“Therefore on Aug. 11…, the central bank promptly informed banks about the appearance of new malicious code, its features, compromise indicators and the need to implement precautionary measures to prevent infection,” the central bank told Reuters in emailed comments.

According to its letter to banks, seen by Reuters, the new malware is spread by opening email attachments of Word documents.

“The nature of this malicious code, its mass distribution, and the fact that at the time of its distribution it was not detected by any anti-virus software, suggest that this attack is preparation for a mass cyber-attack on the corporate networks of Ukrainian businesses,” the letter said.

Ukraine – regarded by some, despite Kremlin denials, as a guinea pig for Russian state-sponsored hacks – is fighting an uphill battle in turning pockets of protection into a national strategy to keep state institutions and systemic companies safe.

The state cyber police and Security and Defence Council have said Ukraine could be targeted on Aug. 24 with a NotPetya-style attack aimed at destabilizing the country as it celebrates its 1991 independence from the Soviet Union.

(Writing by Alessandra Prentice; editing by Mark Heinrich)

Greater China cyber insurance demand set to soar after WannaCry attack: AIG

FILE PHOTO: A map of China is seen through a magnifying glass on a computer screen showing binary digits in Singapore in this January 2, 2014 photo illustration. REUTERS/Edgar Su/File Photo

By Julie Zhu

HONG KONG (Reuters) – Demand for cyber insurance from firms in Greater China and elsewhere in Asia is poised to soar, based on enquiries received after the “WannaCry ransomware” attack earlier this year, executives at American International Group Inc said.

The American insurer saw an 87 percent jump in enquiries for cyber insurance policies in May compared to April for Greater China including Hong Kong as a direct result of the WannaCry attack, while the global increase was 38 percent, they said.

“The big increase means the organizations are aware they really need protection,” Cynthia Sze, head of an AIG business in Greater China that provides solutions to companies dealing with cyber breaches, told reporters. AIG executives declined to give details on numbers or say how many of the enquiries actually resulted in policy sales.

The self-replicating WannaCry malware in May infected over 200,000 computers in 150 countries.

A typical cyber insurance policy can protect companies against extortion like ransomware attacks. It could also cover the investigation costs and pay the ransom.

In Hong Kong, which is dominated by small and medium-sized enterprises, the impact of a cyber attack could be severe as cyber threats are not a priority given the limited resources of SMEs, said Sze.

Citing Hong Kong police statistics, Sze said computer security incident reports have grown to about 6,000 last year from 1,500 in 2009. Financial losses resulting from such incidents jumped from HK$45 million ($5.76 million) to HK$2.3 billion over the same period, she said.

Hong Kong police did not immediately respond to a request for comment to confirm the numbers.

“WannaCry has really changed the dynamics. We used to tap large multinational companies that understood where the exposure was. Now we are really talking about mid-market and SMEs,” said Jason Kelly, AIG’s head of liabilities and financial lines for Greater China, Australasia and South Korea.

The global market for cyber insurance is worth $2 billion, with 30 percent of middle to large firms purchasing cyber insurance protection, according to AIG. The insurer has also seen an average annual growth rate of 20 to 25 percent in cyber insurance policies over the past three years worldwide, said Kelly.

Insurance companies have been cautiously entering the cyber insurance market as they look for growth amid stiff competition and potential exposure to cyber breaches.

According to Kelly, the annual damage from hackers to the global economy reached about $400 billion in 2015.

(Reporting by Julie Zhu; Editing by Muralikumar Anantharaman)