A notorious ransomware gang says it’s no longer trying to avoid targets that are based in the United States, and despite the heightened focus from lawmakers, the group says it’s doubling its focus on U.S. targets.
In a short interview posted to the Russian OSINT Telegram channel that has since been deleted, an alleged representative of the REvil ransomware gang said the group was behind the attack on global food processing company JBS, but expected the damage to be contained to Brazil, since the company’s headquarters is based in São Paulo. The spokesperson said it had tried to avoid U.S. companies at large since the Colonial Pipeline ransomware incident.
“With the recent events in the fuel biz, we tried to stay away from the U.S, just like we don’t target the critical infrastructure,” the interview read. “The attack was against the company in Brazil, but it was the U.S. that got mad.”
Since the Colonial Pipeline hack, the U.S. government has been intensely focused on fighting ransomware. According to a Reuters report, the U.S. Department of Justice will start elevating investigations of ransomware attacks to a similar priority as terrorism in the wake of the Colonial Pipeline hack and mounting damage caused by cyber criminals. Additionally, U.S. President Joe Biden has said ransomware will be a topic of discussion with Russian President Vladimir Putin when the two meet on June 16.
In response to the Department of Justice action, the REvil spokesman said he plans to focus more intently on U.S. targets.
“Since there’s no point in avoiding the US targets anymore, we have lifted all the restrictions,” the alleged representative said. “From now on, every entity in this country can be targeted.”
The representative also said that they don’t believe the department’s action will stop them from conducting their attacks.
“We don’t want to play politics, but seeing as we are being dragged into it — well, alright then,” the representative said. “Even if the U.S. government passes the bill prohibiting ransom payments or puts us on the terrorist list, that’s not going to affect our operations. Quite the contrary, access to US companies will be sold for a song, and we’ll offer preferential terms to our affiliates.”
The interview comes as ransomware gangs have drawn enormous attention in the U.S. The Colonial Pipeline incident led to the shut down of one of the biggest oil pipelines in the U.S., leading to panicked drivers emptying thousands of gas stations on the East Coast.
Despite the scrutiny, the alleged representative said the attention has left the gang unfazed.
“Time will show. We are still here,” the representative said. “We are not going anywhere.”
In August 2025, two anonymous researchers released 9 GB of data from a workstation of a likely advanced persistent threat (APT) group. Here’s an analysis of the data by Intel 471’s Cyber Geopolitical Risk team.
Initial access brokers (IABs) sell access to compromised organizations on underground forums. Here's an analysis looking at whether these offers can be correlated to ransomware attacks.
In this Studio 471, Jacob Larsen discusses the effects of doxing, how sites like Doxbin take advantage of legal loopholes and how to defend against being doxed.
Stay informed with our weekly executive update, sending you the latest news and timely data on the threats, risks, and regulations affecting your organization.