JBS Pays $11 Million in Cyber Ransom

The world’s largest meat processing company has paid the equivalent of $11m (£7.8m) in ransom to put an end to a major cyber-attack. Computer networks at JBS were hacked last week, temporarily shutting down some operations in Australia, Canada, and the US. The payment was reportedly made using Bitcoin after plants had come back online. JBS says it was necessary to pay to protect customers, with JBS chief executive Andre Nogueira commenting, “This was a very difficult decision to make for our company and for me personally.”

Jake Moore, Cybersecurity Specialist
InfoSec Expert
June 10, 2021 12:10 pm

Being hit with an attack like this is a very difficult predicament: organisations are having to make huge decisions, which should never even crop up in the first place, about whether or not to pay ransoms. This eye-watering amount paid here would have been determined by the attackers – and is actually likely to have been negotiated down – but the scale of the ransom highlights the challenging and rather lonely position JBS were left in.

We have recently seen companies like Fujifilm refuse to pay the ransoms and restore from backups, but unfortunately most companies are not so lucky and are left stuck between a rock and a hard place, all the while against the clock. Such huge sums of money can cripple some organisations, but cybercriminals often decide how much to request in order to make it a genuine possibility that they will be paid. Not a decision to be taken lightly, and it must be noted that more work is still needed in ensuring that there is adequate proactive protection in place.

Natalie Page, Cyber Threat Intelligence Analyst
InfoSec Expert
June 10, 2021 12:11 pm

Once again we are seeing the CEO of a company that has been hit by ransomware publicly talking about the attack. This is hopefully the beginning of a new shift in mindset where companies are more open to talking about attacks, rather than hiding them away and pretending they are not happening. The more companies talk about attacks, the more we can gain intelligence to beat cybercriminals. While paying a ransom is an outcome no CEO desires, sometimes the financial loss is an easier hit to take than the impact to services and supply. No CEO should be shamed for this; instead we should collectively pool together to understand attacker techniques so we can build better defences. It is ‘us’ against ‘them’.

Nikos Mantas, Incident Response Expert
InfoSec Expert
June 10, 2021 12:13 pm

When a company is hit with ransomware they will carry out a calculation to understand the level of damage the attack could cause, from loss of data to regulatory fines, and compare it to the ransom demand to understand which will have the greatest impact on the company. The CEO of JBS clearly carried out this calculation and came to the conclusion that the disruption to its services would have a far greater impact than the financial loss of the ransom.

While this would not be an easy decision to make, it does highlight that when companies are unprepared ransomware can put them in the most difficult position. Protecting against ransomware is all about cyber resilience and carrying out tests prior to attacks to understand damages and limit them. Network segmentation is always critical, especially keeping operational technology separate from IT infrastructure, which is more likely to be attacked.

Edgard Capdevielle
InfoSec Expert
June 10, 2021 12:14 pm

While paying a ransom is never recommended, when it comes to critical infrastructure the decision not to pay is almost never that simple. When critical resources like oil and gas, mass transportation or in the case of JBS, a fifth of the Nation’s meat supply, are taken offline, the impact hits everyone in the wallet.

Unfortunately, now we’re seeing critical infrastructure attacks make the news every week – and we’re painfully watching the private and public sectors scramble to catch up.

Enterprises must prepare for the inevitable – and be ready when an attacker gets in. That’s why in addition to strengthening cybersecurity defenses, it’s equally important to invest in business resilience in the face of an attack.

Assumes your company will eventually get breached, and prepares for that situation before it happens. This post-breach mindset establishes a strong cybersecurity culture that asks the tough questions, anticipates worst case scenarios and establishes a recovery and containment strategy aimed at maximizing your organization’s resiliency, long before an attack occurs.

Tony Cole, CTO
InfoSec Expert
June 10, 2021 12:24 pm

It doesn’t matter if you’re a large pipeline operator or one of the world’s largest meatpackers, financially motivated attackers don’t really care about the impact to your company. Only about lining their pockets at your expense. This story further showcases that you cannot keep all attackers out of your network. Preventative systems are important; however, they will fail given either enough effort by the adversary or opportunity via a vulnerability. Instrumenting your systems to quickly detect the compromise can give you the edge to minimize impact. This is done by continuously looking for lateral movement across the enterprise, stopping privilege escalation, and protecting Active Directory. If not, the adversary has the advantage in the enterprise by living off the land (using existing tools and user accounts already in place) and will likely accomplish their goals.

Jerome Becquart
InfoSec Expert
June 11, 2021 9:25 am

Recent ransomware attacks like this have shown it’s essential for businesses to invest in cybersecurity solutions that contain these threats and limit their impact on the organization. The first step businesses need to take is to re-consider how they authenticate their users and devices. Getting rid of passwords is essential, as we’ve seen from recent password-based attacks. Organizations need to invest in multi-factor authentication to provide trust in their users and strengthen their security perimeter. They also need to consider the numerous machines and devices connected to their network that could be vulnerable to threats. Enabling technology such as PKI to authenticate these identities will provide an additional layer of security to defend against attacks.

Pravin Madhani, Co-founder and CEO
InfoSec Expert
June 11, 2021 9:27 am

Ransomware is big business for cyber criminals, and this latest payment by JBS of $11 million reinforces why cyber criminals are so active in the ransomware arena. It’s also why the federal government has stepped in recently with discussion about the banning of ransomware payments. Understandably, organizations would like to restore their business as soon as possible, even if it means paying the ransom. However, the ideal solution is for organizations to deploy the latest security controls to prevent ransomware by training employees on phishing, ensuring 3rd party vendor security, using runtime security for business applications and working with governments to stop future ransomware attacks.

Matt Aldridge, Principal Solutions Architect
InfoSec Expert
June 11, 2021 10:08 am

Although JBS claims that there is no evidence that any customer, supplier or employee data has been compromised or misused, it seems very unlikely that a sophisticated ransomware gang would not have exfiltrated key data prior to exposing themselves with the demand.

A ransom as large as this is likely to have been paid to stop the release of highly sensitive data that is already in the hands of the criminals. This begs the question as to why JBS would pay such a huge ransom if the data was not in the hands of the criminals. It could even be the case that the criminals had secured such a strong foothold within the JBS network that JBS knew that if they didn’t pay, much worse things could happen to them.

At this point this is purely speculation and in time we will likely hear more details explaining the position that JBS found themselves in. It should however be noted that once criminals have your data, no amount of money paid can guarantee that it has truly been securely deleted and that it is not in the hands of any other third parties or archived for potential later use.

Sascha Fahrbach, Security Evangelist
InfoSec Expert
June 11, 2021 10:12 am

Ransomware attacks are on the rise. For the moment, they show the world that every sector is vulnerable to this form of attack. It puts the spotlight on how vital cybersecurity is and how we are no longer able to ignore it. We see two curious developments; on the one hand, Colonial Pipeline admitted to paying over 4 million dollars to the criminal operators who struck a few weeks back. Yet, the DOJ has now recovered most of the bitcoin used to pay off the gang. This action by the US government is unprecedented and has the cybersecurity community abuzz with how federal agencies managed to acquire the bitcoin private key. It is undoubtedly a victory for the good guys and gives us a new demonstration of how far the US is willing to act against cybercriminals.

On the other hand, we have JBS, which just paid over 11 million dollars to end its ransomware struggles. One must remember that there is a trade-off, and often for such large companies (JBS is the world’s biggest meat processor with operations in several countries) it is ultimately a business decision. Will the impact and suspension of operations cost more than the ransom? Likely this was the logic, and therefore the decision was made to pay.

It also becomes an ethical question, as paying the ransom helps encourage cybercriminals to strike again, and paying once does not guarantee criminals will try again with the same organization. By paying the ransom, other gangs and criminals will feel emboldened to do the same and perhaps prey on smaller firms that cannot recover after such an attack.

CD Projekt Red, a Polish video game company and leader in the industry, made headlines during a ransomware attack a few months ago and publicly stated they would not pay nor deal with criminals. This was widely applauded by not only the gaming but the wider business community around the world.

Ultimately, we are in very intriguing times; the recent DOJ victory to recover crypto assets will show criminals that the US government is serious about protecting itself against attacks. What kind of international action or cooperation will we see next? Will geopolitics now also play a part as the US turns its sights on Russia in all this? Should we applaud or worry about the actions of the DOJ in acquiring the credentials for the ransom? Or does it give us cause to be concerned? Indeed, the discussion on ransomware will continue to develop and ultimately will result in stronger focus, support, and attention on more robust cybersecurity for all.

Chris Vaughan, Technical Account Manager
InfoSec Expert
June 11, 2021 10:13 am

Unfortunately, paying ransom to protect sensitive data can often be the quickest way to recover. We saw a similar response in the Colonial pipeline incident recently where they paid the $5m to get assurance that the attack would stop. In a lot of cases recovering the ransom isn’t possible; luckily for Colonial, they’ve managed to recover $4.4m of the ransom from a seized cryptocurrency wallet.

These attacks are reminders that no industry is immune to being targeted by cybercriminals. And it’s a worrying sign of the rapidly growing ransomware market, with major attacks being reported almost weekly. It’s clear these attacks are growing in sophistication with criminal gangs becoming more targeted in their approach and increasing the huge sums of money that they are demanding.

It’s critical that organisations secure their IT environments as much as possible, to defend against these costly attacks. In order to achieve this while many staff are still working remotely, organisations need to have a high level of visibility of the devices connecting to the corporate network. This will help them identify any weaknesses that could increase the likelihood of a ransomware attack being successful, such as unpatched devices or users adopting risky behaviours. Another measure that will help negate these attacks is a thorough cybersecurity training program for staff. This may seem obvious, but the majority of security breaches start with a user clicking on a malicious link – often in a phishing email.

Javvad Malik, Security Awareness Advocate
InfoSec Expert
June 11, 2021 11:46 am

Ransomware is an ever-growing menace to society. For many, the ransom payment itself, while significant in its own right, only represents a small percentage of the overall recovery costs and the impact of the attack.

By threatening to leak stolen data, criminals have the upper hand whereby they can extort victims for large amounts, and the organisations have to take their word for the fact that they will delete the stolen information.

Put in such a difficult position, organisations often have little choice – the problem is that criminals will use the proceeds to reinvest in their criminal enterprise to launch more attacks, and the cycle will continue.

While we need to look at strategic ways to break this cycle, for now, one of the most important things organisations should be focusing on is how to prevent ransomware from being successful to start with. As the majority of attacks originate through phishing emails, exploiting poor credentials, the lack of MFA, or unpatched public-facing, they should be looking to prevent these avenues as a priority.

Rashid Ali, Enterprise Sales Manager UK & Nordics
InfoSec Expert
June 14, 2021 11:04 am

The question of whether paying ransomware is ‘right’ or ‘wrong’ ultimately comes down to the organisation, the policies they have in place and the sensitive nature of the data they hold. It is a decision that must be well thought-out and there is no ‘one size fits all’ approach. However, the truth is that the more we pay, the more we are reinforcing and encouraging this type of attack.

There is also no guarantee that data will be returned or that it won’t be sold on the dark web later down the line, as all too many businesses have reported. Even if businesses have legal and security teams working 24/7, they are dealing with criminals. And sadly, there is no way to guarantee that they will live up to their side of the bargain. But aside from paying out, organisations also need to carefully think about the wider cost and the repercussions. Many hope that this will be reimbursed through their cyber insurance. However, after the global provider AXA recently decided to stop paying out and recovering ransomware payments in France, it is only a matter of time before we see this take effect across Europe, and we are likely to see many other insurers follow suit.

Whether businesses choose to pay or not, it is imperative that they analyse the attack, determine how this happened and implement a rapid strategy that will prevent this in the future. The last thing any business wants is to pay millions only to have the attackers back again a couple months or even weeks down the line. With ransomware attacks growing and no certainty around data recovery, the best thing that organisations can do is implement preventative and recovery measures.
