Meat processing company JBS said it paid an $11m ransomware demand to cybercriminals to prevent further attack and as “insurance” to protect customers – despite there being no evidence that customer data was stolen.
The IT network of the world’s largest beef supplier was targeted with system-locking malware operated by a Russian-speaking cybercrime group in May. It forced JBS to close meat plants across the US, Australia and Canada for at least a day.
The Brazil-headquartered company said it made the ransom payment when the “vast majority” of its facilities were operational. It did not confirm what day it transferred the funds, reportedly made using the cryptocurrency of bitcoin.
JBS previously said it fully restored operations globally on 3 June after learning of the attack on 30 May. The company said it lost one day’s worth of food production to the attack, which threatened to disrupt food supply chains and lead to food price inflation in the US.
Andre Nogueira, CEO of JBS’ US division, told the Wall Street Journal that the company used encrypted backups to restore operations at its plants.
However, security consultants warned Nogueira that there was no guarantee that the attackers wouldn’t find their way back into JBS systems and so he made the payment as “insurance to protect our customers”.
“This was a very difficult decision to make for our company and for me personally,” said Nogueira in a statement. “However, we felt this decision had to be made to prevent any potential risk for our customers.”
In a statement, JBS said it made the ransomware payment to “ensure no data was exfiltrated” – despite preliminary investigations showing that “no company, customer or employee data was compromised”.
Alan Melia, principal incident response consultant at cybersecurity firm F-Secure, told Verdict it’s “impossible to be absolutely sure” that data hasn’t been stolen during a ransomware attack.
“You can’t prove a negative, which always makes things extremely hard in this case. You’re working on degrees of probability,” he said.
Melia, who advises businesses and governments who have been attacked with ransomware, strongly advises against paying ransom demands – as do the majority of cybersecurity experts. However, there are situations where it can make financial sense for companies to pay, he said.
“When you’re dealing with a large production and distribution organisation [such as JBS], if you take out their distribution controls then you take out the business,” Melia explained. “And often it could be quicker to pay the ransom – not to get data back but to get the systems back up and running.”
However, he said there are some “inconsistencies” in JBS’ statement. He added that the speed at which JBS was up and running suggests it paid the ransom “sooner rather than later”.
JBS declined to comment.
Jake Moore, cybersecurity specialist at ESET, told Verdict that “time is a luxury JBS would not have had” when deciding whether to pay.
“Although JBS says no data was taken, there may well be a hint of the unknown in this and paying can in fact reduce the possibility of a further data breach,” he said.
Ransomware groups often threaten to publish data if payment is not made. However, experts warn that there is no guarantee that the decryption key used to regain access will work, or that the data will not be leaked anyway.
JBS has worked closely with the FBI in its response to the attack and said investigations are “still ongoing”. The FBI has formally pointed the blame at cybercriminals group REvil, which sells its ransomware to affiliates and takes a commission of successful ransom payments.
JBS said it had “encrypted backup servers” and spends “more than $200m annually on IT”, employing more than 850 IT professionals globally.
The JBS ransomware attack is the latest in a string of recent high-profile attacks that have thrown ransomware into the spotlight of policymakers and law enforcement.
The White House published an advisory urging private sector organisations to “take ransomware crime seriously” and ensure “corporate cyber defences match the threat.”
The US Department of Justice is also moving to give ransomware intelligence sharing a similar structure to anti-terrorism.
This week the FBI recovered $2.3m of a $4.4m ransom payment from cybercriminals that extorted the largest fuel line in the US – a rare outcome in ransomware attacks.
Not all companies pay ransomware demands, as demonstrated by the recently attacked Fujifilm.
David Sygula, senior cybersecurity analyst at CybelAngel said: “Ransom payments are much more complicated than they look. For some companies, the cost of the ransom is lower than the cost of a recovery plan. But then, nothing prevents the attacker from attacking you again a few months later, despite the security hints they may give you after you pay the ransom.”
For more information on ransomware and what to do in the event of an attack, read our explainer here.