GREELEY, Colo. (CBS4) – Global meat supplier JBS says it’s made “significant progress” in resolving a ransomware attack that disrupted operations at more than a dozen U.S. facilities, including a beef plant in Greeley. In a statement on Tuesday night, JBS said the “vast majority” of its meatpacking plants will be operational by Wednesday.

(credit: CBS)

“JBS USA and Pilgrim’s are a critical part of the food supply chain and we recognize our responsibility to our team members, producers and consumers to resume operations as soon as possible,” said Andre Nogueira, JBS USA CEO. “Our systems are coming back online and we are not sparing any resources to fight this threat. We have cybersecurity plans in place to address these types of issues and we are successfully executing those plans.”

The company has not said how much ransom the hackers are demanding and if the company plans to pay. The cyberattack targeted servers supporting JBS’s North American and Australian IT systems. JBS says its operations in Mexico and the UK were not impacted.

Nogueira thanked federal investigators along with the Australian and Canadian governments for their help to safeguard the food supply. He reiterated the company’s claim that no customer, supplier or employee data appears to have been compromised in the cyberattack.

(credit: CBS)

Some industry experts estimate JBS may already be tens of thousands of heads short in their processing due to the cyberattack.

“The consensus was that (the cyberattack) would impact their ability to produce at several of their facilities, and that would slow down production,” said Keith Belk, head of Colorado State University’s Department of Animal Sciences. “The question is whether it will be short lived or not. And, that will determine if it has a supply chain impact.”

Keith Belk (credit: CBS)

JBS USA, the company’s North American subsidiary, is headquartered in northern Colorado. The beef plant in Greeley employs more than 3,000 people.

On Tuesday, officials say JBS USA and Pilgrim’s were able to ship product from nearly all U.S. facilities. UFCW union officials tell CBS4 that JBS beef facilities experienced shutdowns on Tuesday in at least eight states, including Colorado. JBS pork plants are still operational, according to the union.

(credit: CBS)

JBS became aware of the cyberattack on Sunday over Memorial Day weekend. The White House on Tuesday attributed the ransomware attack to a criminal organization likely based out of Russia. The FBI is leading the investigation and the Biden administration is in contact with the Russian government.

“The JBS cyberattack is an attack on those who work to provide food for our families. We must find out who is responsible and hold them criminally accountable,” tweeted Rep. Ken Buck, a Republican who represents Colorado’s 4th Congressional District. “I will continue to monitor the situation and provide assistance to JBS here in Eastern Colorado.”

Bloomberg cites a source attributing the attack to the REvil Ransomware-as-a-Service (RaaS) operation, also known as Sodinokibi. RaaS operations provide malware kits for affiliates to launch attacks in exchange for a cut of the proceeds, usually around 20-30%.

In October 2020, REvil reportedly invested $1 million in bitcoin to employ new recruits, according to Forbes. In previous operations, REvil has used spearphishing techniques to gain access to systems via malicious attachments, including Microsoft Word documents.

IBM Security X-Force reports REvil accounted for a third of its ransomware incident response investigations in 2020. IBM estimates the criminal group profited at least $81 million from extortion threats that same year. Cybersecurity experts say REvil appears to consider an organization’s annual revenue, with ransom demands ranging from $1,500 to $42 million.

UFCW International President Marc Perrone wants JBS to quickly resolve the breach and ensure workers are paid on time. The union represents more than 25,000 JBS workers in the U.S.

“UFCW is calling on JBS to work with state and federal leaders to help get JBS meatpacking workers back on the job as soon as possible so these essential workers can continue to keep our country’s food supply fully operational and secure as this pandemic continues,” Perrone said in a statement.

The cyberattack comes just weeks after a ransomware attack on Colonial Pipeline prompted gas shortages in several states. Colonial paid nearly $5 million in ransom to the Russian hacking group DarkSide. Soon after, the extortion gang claimed it was ending its operation before disappearing offline.