Meat Supplier JBS Paid $11 Million to Resolve Ransomware Attack

JBS USA Holdings Inc. paid an $11 million ransom to cybercriminals who last week temporarily knocked out plants that process roughly one-fifth of the nation’s meat supply, the company’s chief executive said.

Source: WSJ | Published on June 10, 2021

ransomware on the rise

The ransom payment, in bitcoin, was made to shield JBS meat plants from further disruption and to limit the potential impact on restaurants, grocery stores and farmers that rely on JBS, said Andre Nogueira, chief executive of Brazilian meat company JBS SA’s U.S. division.

“It was very painful to pay the criminals, but we did the right thing for our customers,” Mr. Nogueira said Wednesday in an interview with The Wall Street Journal. He added that the payment was made after the majority of JBS plants were up and running again.

JBS is the world’s largest meat company by sales, processing beef, poultry, and pork from Australia to South America and Europe. In the U.S., the company is the biggest beef processor and a top supplier of chicken and pork. Its subsidiary Pilgrim’s Pride Corp., also hit by the attack, is the second-largest U.S. poultry processor, after Tyson Foods Inc.

The attack on JBS was part of a wave of incursions using ransomware, in which companies are hit with demands for multimillion-dollar payments to regain control of their operating systems. The operator of a pipeline bringing gasoline to parts of the East Coast in May paid about $4.4 million to regain control of its operations and restore service. The attacks show how hackers have shifted from targeting data-rich companies such as retailers, banks and insurers to essential-service providers such as hospitals, transport operators and food companies.

Mr. Nogueira said JBS learned of the attack early on Sunday, May 30, when technology staff members noticed irregularities with the functioning of some servers. Soon they found a message demanding a ransom to reclaim access to the company’s system. Mr. Nogueira, who was traveling, said he was awakened around 5 a.m. by a phone call from his chief financial officer, notifying him of the incursion.

JBS immediately alerted the Federal Bureau of Investigation, Mr. Nogueira said, and the company’s technology team began shutting down the meat supplier’s systems to slow the attack’s advance. JBS called in technology vendors that had previously worked with the company, as well as cybersecurity experts and consultants who began negotiating with the attackers.

The FBI last week attributed the JBS attack to REvil, a criminal ransomware gang. Mr. Nogueira said that JBS and outside firms are conducting forensic analyses of its information-technology systems, and that it isn’t yet clear how the attackers accessed JBS’s systems.

JBS maintains secondary backups of all its data, which are encrypted, Mr. Nogueira said. The company brought back operations at its plants using those backup systems, he said. While the company was making good progress, he added, JBS’s technology experts cautioned the company that there was no guarantee that the hackers wouldn’t find another way to strike, and JBS’s consultants continued negotiating with the attackers. Mr. Nogueira said the company is confident that no customer, supplier or employee data was compromised in the attack, based on its forensic analysis.

“We didn’t think we could take this type of risk that something could go wrong in our recovery process,” Mr. Nogueira said of the decision to pay the attackers. “It was insurance to protect our customers.”

He said that JBS’s outside advisers negotiated the payment amount with the attackers, and that the company kept federal law-enforcement officials informed throughout the process. Mr. Nogueira declined to specify when JBS made the payment, or to identify the cybersecurity experts.

The FBI officially discourages companies hit by ransomware attacks from paying hackers, arguing that doing so supports a booming criminal industry and that often the decryption tools given in exchange for a ransom don’t work.

But senior officials in the Biden administration have said in recent weeks that they recognize the decision is tough for companies and have generally avoided condemning the practice. However, on Sunday Energy Secretary Jennifer Granholm said on NBC’s “Meet the Press” that she would support legislation banning companies from paying such ransom. “I don’t know whether Congress or the president is at that point,” she added.

Some lawmakers have said they want to consider banning payments while advocating for requirements that companies at least disclose them.

Joseph Blount, CEO of Colonial Pipeline, on Wednesday defended his decision to pay a ransom to hackers during congressional testimony. He told lawmakers he was unsure whether the hack, which impacted the company’s business network, would spread to the operational network that controlled the pipeline.

“The FBI never recommended that we not pay,” Mr. Blount said, describing conversations that took place after the hack was discovered but while the pipeline was still offline. Mr. Blount said the company ultimately relied on backups to restore its systems but said that not paying could have slowed down the recovery process.

“Think about what we would look like if we didn’t bring the pipeline back on until the following week,” he said.