{
	"id": "4dd004cc-4c11-4e8a-905d-c19aaf945cba",
	"created_at": "2026-04-06T01:31:02.003687Z",
	"updated_at": "2026-04-10T03:30:33.251202Z",
	"deleted_at": null,
	"sha1_hash": "50952ffe47f11ccdbdef0262da2aa836ca53272d",
	"title": "FBI: JBS ransomware attack was carried out by REvil",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 244164,
	"plain_text": "FBI: JBS ransomware attack was carried out by REvil\r\nBy Adam Janofsky\r\nPublished: 2022-12-12 · Archived: 2026-04-06 00:58:16 UTC\r\nThe US Federal Bureau of Investigation on Wednesday confirmed reports that the well-known cybercriminal\r\ngroup REvil (also known as Sodinokibi) is behind the ongoing ransomware attack targeting JBS, the world’s\r\nlargest meatpacking company.\r\n“We have attributed the JBS attack to REvil and Sodinokibi and are working diligently to bring the threat actors to\r\njustice,” the FBI said in a statement late in the day. “We continue to focus our efforts on imposing risk and\r\nconsequences and holding the responsible cyber actors accountable.”\r\nThe group has attracted attention both inside and outside of the cybersecurity ecosystem in recent years for their\r\naudacious attacks that push the boundaries of the ransomware-as-a-service industry. Among other incidents, the\r\ngroup attempted to extort then-President Donald Trump last year, and has released or threatened to sell documents\r\nrelated to celebrities including Lady Gaga.\r\nIn an interview published by The Record in March, a representative for REvil said the group said it goes after\r\ncyberinsurance providers, calling them “one of the tastiest morsels.”\r\n“Especially to hack the insurers first—to get their customer base and work in a targeted way from there. And after\r\nyou go through the list, then hit the insurer themselves,” the representative said.\r\nDmitry Smilyanets, a cyber threat intelligence expert at Recorded Future who conducted that interview, said the\r\nlatest attack against JBS may have unintentionally crossed a line for the group. 
REvil has traditionally been\r\nopportunistic by nature—they have shied away from attacks against hospitals, governments and other high-profile\r\norganizations because it could potentially get in the way of making money, Smilyanets said.\r\n“They probably didn’t expect the reaction from an attack on a regular business would be so big,” he said. “But\r\nattacking a major supplier of beef on Memorial Day—you just don't play with Americans this way.”\r\nReferences to REvil attacks gathered from private and underground sources. Courtesy of Recorded Future.\r\nThe company employs hundreds of thousands of workers across Australia and the Americas, and slaughters more\r\nthan 20% of the US’s cattle, according to industry estimates.\r\nJBS first disclosed details about the incident on Monday, calling it “an organized cybersecurity attack” that\r\naffected some of the servers supporting its IT systems in North America and Australia.\r\nThe Brazil-based firm has said that it is recovering from the situation and has been resuming operations at\r\ndisrupted meat processing facilities. It has not commented on whether or not a ransom was paid, and a company\r\nspokesperson did not respond to a request for comment from The Record.\r\nSmilyanets said there haven’t been any signs of public postings from REvil related to the incident—the group often\r\npressures organizations into paying a demand by exposing some information. “That can indicate that negotiations\r\nare underway,” he said.\r\nThe attack on JBS is the second major ransomware incident attributed to Russian-based cybercriminals this\r\nmonth: Suspected Russian hackers compromised Colonial Pipeline with ransomware, shutting down fuel\r\ndistribution along the U.S. East Coast for several days. 
The attacks will be a likely focal point of talks between US\r\nPresident Joe Biden and Russian President Vladimir Putin when they meet in Geneva later this month.\r\n“REvil probably thought they were safe, but everything can change after this meeting,” Smilyanets said. \"Putin\r\ncould handle this problem if he can get something valuable out of it.\"\r\nAdam Janofsky\r\nis the founding editor-in-chief of The Record from Recorded Future News. He previously was the cybersecurity\r\nand privacy reporter for Protocol, and prior to that covered cybersecurity, AI, and other emerging technology for\r\nThe Wall Street Journal.\r\nSource: https://therecord.media/fbi-jbs-ransomware-attack-was-carried-out-by-revil/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://therecord.media/fbi-jbs-ransomware-attack-was-carried-out-by-revil/"
	],
	"report_names": [
		"fbi-jbs-ransomware-attack-was-carried-out-by-revil"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439062,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/50952ffe47f11ccdbdef0262da2aa836ca53272d.pdf",
		"text": "https://archive.orkl.eu/50952ffe47f11ccdbdef0262da2aa836ca53272d.txt",
		"img": "https://archive.orkl.eu/50952ffe47f11ccdbdef0262da2aa836ca53272d.jpg"
	}
}