GREELEY, Colo. (CBS4) – Meat production giant JBS confirmed on Wednesday that the company paid cybercriminals $11 million in cryptocurrency after a ransomware attack over Memorial Day weekend halted operations at more than a dozen plants. In a statement, CEO Andre Nogueira called the ransom payment a “difficult decision.”
“We felt this decision had to be made to prevent any potential risk for our customers,” Nogueira explained.
JBS said the company consulted with cybersecurity experts and paid the ransom in an effort to protect data and “mitigate any unforeseen issues.” At the time of the payment, JBS said the “vast majority” of the company’s facilities were operational.
JBS said its encrypted backup servers were not compromised, allowing the company to resume operations in a matter of days. Officials said the loss from the cyberattack amounted to less than one day’s worth of food production.
“The criminals were never able to access our core systems, which greatly reduced potential impact,” said Nogueira. “We are fortunate that all of our facilities around the globe are operating at normal capacity.”
JBS USA, the company’s North American subsidiary, is headquartered in Greeley, where it employs more than 3,000 people. Globally, the company employs more than 850 IT professionals with an annual cyber budget of $200 million.
Employees at JBS first became aware of the hack on May 30 and immediately shut down company systems to isolate the intrusion.
The Federal Bureau of Investigation attributed the attack to REvil, a Russia-linked Ransomware-as-a-Service operation. REvil, also known as Sodinokibi, provides malware kits for criminal affiliates to launch cyberattacks in exchange for a cut of the profit, usually around 20-30%.
“Like many other groups, REvil operates an affiliate model. While the people who created the ransomware are believed to be based in Russia, the people who use it to carry out the attacks – the affiliates – could be based anywhere,” stated Brett Callow, a threat analyst with the cybersecurity firm Emsisoft.
IBM Security X-Force reports REvil profited at least $81 million from extortion threats in 2020. Cybersecurity experts say the criminal group appears to consider an organization’s annual revenue, with ransom demands ranging from $1,500 to $42 million.
It’s still unclear how the criminal group gained access to servers supporting JBS’s North American and Australian IT systems. The company’s operations in Mexico and the UK were not impacted by the breach. The beef plant in Greeley was among the facilities that had to shut down operations due to the hack.
JBS said the third-party forensic investigation is still ongoing. So far, the company is not aware of company, customer or employee data being compromised. However, cybersecurity experts tell CBS4 the forensic investigation to determine what data was accessed in this kind of attack can take weeks to complete.
The FBI advises against paying ransomware attackers because payment doesn’t guarantee a business will retrieve its data. Officials say ransom payments embolden cybercriminals and incentivize illegal activity. Businesses often have to weigh the pros and cons of the situation when faced with extortion threats.
“Ransomware attacks happen for one reason and one reason only: they’re profitable. And pay-offs like this mean they’re very, very profitable,” explained Callow. “The fact is that it will be extremely difficult to solve the ransomware problem while companies continue to give ransomware gangs this level of financial motivation. Put another way, companies that pay ransoms are effectively bankrolling the next series of attacks.”
The announcement of the ransom payment comes on the same day the U.S. Equal Employment Opportunity Commission announced JBS USA agreed to pay $5.5 million to settle a race and religious discrimination claim at the Greeley beef plant. The EEOC’s lawsuit, filed in 2010, accused JBS of discriminating against employees because they were Muslim, immigrants from Somalia, and Black. JBS said the company does not admit liability in the settlement and prohibits discrimination at its facilities.