Beef supplier JBS paid ransomware hackers $11 million

JBS, the largest beef supplier in the world, paid the ransomware hackers who breached its computer networks about $11 million, the company said Wednesday.

The company was hacked in May by REvil, one of a number of Russian-speaking hacker gangs, leading meat plants across the U.S. and Australia to shut down for at least a day. News of the payment was first reported by The Wall Street Journal.

Like many other ransomware groups, REvil has made millions in recent years by hacking organizations, encrypting their files and demanding fees, often large bitcoin payments, in exchange for a decryptor program and a promise not to leak the files to the public.

In a statement, JBS indicated that while it was able to get most of its systems running without REvil’s help, it chose to pay to keep its files safe.

“At the time of payment, the vast majority of the company’s facilities were operational,” the company said in an emailed statement, adding that it “made the decision to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated.”

Charles Carmakal, the chief technology officer of the cybersecurity firm Mandiant, said that while such a price might seem high, it’s not unusual for a successful ransomware attack.

“For an organization like theirs, it feels like it’s a pretty common extortion demand,” Carmakal said.

“For bigger organizations, you’ll tend to see eight-figure extortion demands,” he said. “Sometimes, you’ll see what I believe are really large demands, going up to 40, 45, 50 million. Most people don’t want to pay that much and will try to negotiate it down as best they can.”

The U.S. government has long recommended that ransomware victims not pay their attackers, even though most ransomware gangs aren’t sanctioned entities and paying them isn’t illegal.

JBS CEO Andre Nogueira defended the decision to pay.

“This was a very difficult decision to make for our company and for me personally,” Nogueira said in the statement. “However, we felt this decision had to be made to prevent any potential risk for our customers.”

The news of JBS’ payment follows the congressional testimony of Joseph Blount, CEO of Colonial Pipeline, a major U.S. fuel pipeline that was recently hacked by a different Russian ransomware group, called DarkSide. In Senate testimony Tuesday, he said the decision to pay was “the right thing to do for the country.”

In an unusual move, the Justice Department announced Monday that it was able to recover part of the payment Colonial sent to its hackers. The FBI declined to give specifics about how it did so, however, leaving it unclear how frequently such a tactic could be deployed.

CORRECTION (June 9, 2021, 10:35 p.m. ET): A previous version of this article misspelled the last name of Colonial Pipeline’s CEO. He is Joseph Blount, not Blout.