JBS USA confirms $11M ransom payment to hackers

Meatpacker JBS USA on Wednesday confirmed it paid the equivalent of $11 million in ransom in response to a May cyber-attack that impacted its operations in North America and Australia.

“At the time of payment, the vast majority of the company’s facilities were operational,” JBS USA stated. Nonetheless, the company, in consultation with internal IT professionals and third-party cyber-security experts, said it decided to pay the ransom “to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated.”

“This was a very difficult decision to make for our company and for me personally,” said JBS USA CEO Andre Nogueira in a statement. “However, we felt this decision had to be made to prevent any potential risk for our customers.”

Such double-extortion ransomware attacks pack a one-two punch and are becoming increasingly common in the cyber-criminal world. The first punch comes with cyber-criminals stealing sensitive data from companies, which they then encrypt and demand a ransom to decrypt. Often, this action is followed by a second gut punch, in which the cyber-criminals threaten to leak the stolen information if an additional ransom is not paid.

According to the “Attack Landscape Update” report, conducted by global cyber-security and privacy firm F-Secure, 15 different ransomware variants used this technique in 2020. The report also found that, out of 55 new ransomware variants tracked by F-Secure last year, 21 (or 40 percent) stole data from their victims.

“Furthermore, several existing ransomware families incorporated data exfiltration to their operations,” F-Secure stated. “One out of every five ransomware families/unique variants identified since 2018 exhibited data exfiltration activity by the end of 2020.”

According to the Federal Bureau of Investigation (FBI), the ransomware attack against JBS USA was carried out by one of the most specialized and sophisticated cyber-criminal groups in the world: Russian-linked REvil.

JBS USA indicated the outcome could have been much worse.

“JBS USA’s ability to quickly resolve the issues resulting from the attack was due to its cyber-security protocols, redundant systems, and encrypted backup servers,” the company stated. “The company spends more than $200 million annually on IT and employs more than 850 IT professionals globally.”

“JBS USA has maintained constant communications with government officials throughout the incident,” the company continued. “Third-party forensic investigations are still ongoing, and no final determinations have been made. Preliminary investigation results confirm that no company, customer, or employee data was compromised.”

A small win, and a compliance lesson

Just last month, Colonial Pipeline CEO Joseph Blount acknowledged paying a $4.4 million ransom after his company experienced a cyber-attack that shut down its critical operations.

The Department of Justice on Monday announced it recovered approximately $2.3 million of that payout. The agency traced the cryptocurrency payment by reviewing the Bitcoin public ledger.

“Following the money remains one of the most basic, yet powerful tools we have,” said Deputy Attorney General Lisa Monaco in a press release. “Ransom payments are the fuel that propels the digital extortion engine,” she said, adding seizure of the bitcoins “demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises. We will continue to target the entire ransomware ecosystem to disrupt and deter these attacks.”

Monaco further noted the Justice Department’s actions “demonstrate the value of early notification to law enforcement.” The agency thanked Colonial Pipeline for “quickly notifying” the FBI when it learned it was targeted by the organization DarkSide.