The explanation given by meat processor JBS for paying an $11m ransomware demand was “not good enough” and “unconvincing”, the former CEO of the UK’s National Cyber Security Centre (NCSC) has said.

The world’s largest beef supplier was targeted in May with system-locking malware operated by Russian-speaking cybercrime group REvil.

In its statement justifying the ransomware payment at the time, JBS said its systems were already operational and it did not believe any data had been stolen.

JBS said the reason it made the payment was to prevent potential future harm to customers and because there was no guarantee the hackers wouldn’t strike again.

“To me that’s not good enough,” Ciaran Martin told Verdict during a wide-ranging interview. “Let’s take the company’s explanation at face value. They were operating fine; they weren’t at risk of extortion, so they paid $11m as some sort of insurance policy.

“What did REvil do next month? They hacked the world – Swedish Co-Ops, New Zealand schools.”

Up to 1,500 businesses worldwide were affected during a cyberattack against IT vendor Kaseya – including the payment systems at Swedish Co-Ops supermarkets and the IT networks of schools in New Zealand.

The attack, launched by REvil on 2 July, weaponised software provided by Kaseya to spread ransomware.

Because many of Kaseya’s direct customers use its VSA software to provide IT services to other companies, the number of victims snowballed to include companies that were not themselves customers of the Miami-based IT firm. Martin described it as “the perfect illustration of a supply chain attack”.

One of the reasons cybersecurity experts advise companies against paying ransom demands is that the payments provide the funds for criminals to carry out further attacks, perpetuating the cycle.

“It’s not JBS’ job to set public policy but I am uncomfortable with a public policy framework that makes [JBS paying] a sensible decision,” Martin argued. “You’re not in any direct risk and your operations are fine, but you pay $11m – public policy should not allow that.”

Martin, who helped launch the NCSC in 2016 to provide cybersecurity advice and support to the UK’s private sector, led the government organisation until stepping down in the summer of 2020.

When approached for comment, Brazil-headquartered JBS told Verdict it “stands by its previous statement” and referred us to the interview its CEO gave to the Wall Street Journal.

“We didn’t think we could take this type of risk that something could go wrong in our recovery process,” JBS CEO Andre Nogueira told the US newspaper in June. “It was insurance to protect our customers.”

Martin described JBS’ statement as “very unconvincing” while Alan Melia, principal incident response consultant at cybersecurity firm F-Secure, told Verdict at the time that it contained some “inconsistencies”.

The JBS ransomware attack is one of a series of high-profile ransomware attacks resulting in multi-million-dollar payouts to criminals this year. In May, Colonial Pipeline paid a $4.4m ransom demand for a decryption tool after the cyberattack forced a five-day closure of the line carrying 45% of the East Coast’s fuel supply.

Deciding whether to pay is difficult for businesses, particularly when closures lead to huge financial losses. But Martin doesn’t believe that every affected company faces a risk of going out of business, as is sometimes presented.

“I can understand and empathise with corporate executives in a crisis thinking there’s an existential binary choice between paying and going out of business,” he said. “But actually, in reality, it’s rarely that clear cut. Because you’ll still have massive costs for recovery, not many data leaks will put you out of business and there are other ways of recovering your system.”

Martin doesn’t believe the JBS incident is a “slam dunk” case for banning ransomware payments, but he thinks it should spark a debate around blocking payments in certain situations.

“For every case made by companies of going out of business, I will point at JBS and say, ‘are you comfortable with that?’” he concluded.