JBS Paid $11 Million Ransom to Russian Hackers

Published: 14 June 2021

Global meat supplier JBS said it paid US$11 million in Bitcoin in response to the May 30 REvil cyberattack. (Photo: Mizzou CAFNR, Flickr, License)

By Emily Tian

Although the FBI is trying to discourage ransomware payments to hacking groups, global meat supplier JBS said it paid US$11 million in Bitcoin in response to the May 30 REvil cyberattack, which shut down the company’s North American and Australian systems.

Neither JBS officials nor federal investigators had previously discussed the ransom. The company, which is the world’s largest meat supplier, had briefly paused operations at its North American and Australian plants before returning to full production on June 3.

“It’s the second multimillion dollar ransom that’s been in the news in the past month, and the going rate is going up,” Andrew Grotto, an International Security Fellow at Stanford and former Senior Director for Cybersecurity Policy under the Biden and Trump administrations, told OCCRP on Thursday.

Colonial Pipeline had paid a $4.4 million ransom to DarkSide, the hacker group whose malware had temporarily shut down pipeline operations, although U.S. federal investigators were later able to recover $2.3 million of the ransom, which was paid in Bitcoin.

“The attackers have to figure out the highest price a victim is willing to pay, compared to the cost if they said no. And when health and safety are on the line, the victim’s cost exposure goes up,” Grotto said.

However, the FBI officially does not support paying a ransom in response to ransomware attacks, since that may encourage cybercriminals to target more victims in the future.

“It is our policy, it is our guidance, from the FBI, that companies should not pay the ransom for a number of reasons,” FBI Director Christopher Wray told the House Judiciary Committee during a hearing last week.

“This was a very difficult decision to make for our company and for me personally,” said Andre Nogueira, JBS USA’s CEO, in a press release last Wednesday. “However, we felt this decision had to be made to prevent any potential risk for our customers.”

Nogueira said in a previous statement that JBS’ core systems were not affected by the attack, “which greatly reduced potential impact.” According to the company, preliminary investigations confirm that no consumer or employee data has been compromised as a result of the attack.

REvil, also called Sodinokibi, is a ransomware operation believed to be based in Russia. The attack, which came not long after the Colonial Pipeline hack led to days of East Coast gas shortages, has prompted the FBI to make a statement on cyberattacks and the White House to raise the issue with the Russian government.

U.S. government officials have been coordinating investigations with JBS throughout the cyberattack. The press release indicated that third-party forensic investigations have not yet yielded any final conclusions.

According to the JBS press release, the vast majority of the company’s facilities were operational at the time of payment. In consultation with IT professionals and cybersecurity experts, the company decided to pay the ransom in order to “mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated.”