Meat processing company JBS on Wednesday confirmed it paid extortionists $11 million in bitcoins to regain access to its systems following a destructive ransomware attack late last month.
“In consultation with internal IT professionals and third-party cybersecurity experts, the company made the decision to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated,” JBS USA said in a statement, with CEO Andre Nogueira adding the firm made the “very difficult decision” to prevent any potential risk for its customers.
Stating that third-party forensic investigations into the incident are still ongoing, the company noted that no company, customer, or employee data was compromised as a consequence of the breach. The FBI officially discourages victims from paying ransoms because doing so can establish a profitable criminal marketplace.
JBS, the world’s largest meat company by sales, on May 30 disclosed it fell prey to an “organized cybersecurity attack” targeting its IT network, temporarily knocking out its operations in Australia, Canada, and the U.S. The intrusion was attributed to REvil (aka Sodinokibi), a prolific Russia-linked cybercrime group that has emerged as one of the top-earning ransomware cartels by revenue.
Run as a ransomware-as-a-service business, REvil was also one of the early adopters of the so-called “double extortion” model that has since been emulated by other groups to exert further pressure on the victim company to meet ransom demands within the designated timeframe and maximize their chances of making a profit.
The technique involves stealing sensitive data prior to encrypting them, thus opening the door to new threats wherein refusal to engage can result in the stolen data being published on its website on the dark web.
REvil and its affiliates accounted for about 4.6% of attacks on the public and private sectors in the first quarter of 2021, according to statistics published by Emsisoft last month, making it the fifth most commonly reported ransomware strain after STOP (51.4%), Phobos (6.6%), Dharma (5.1%), and Makop (4.7%).
The syndicates are known to launder their financial proceeds through Bitcoin mixing services so as to obscure the trail, which is then sent to both legitimate and high-risk cryptocurrency exchange portals to convert the bitcoins into fiat, real-world currency.
The attack on JBS comes amid a recent spate of ransomware incursions in which companies are hit with demands for multimillion-dollar payments in exchange for a key to unlock the systems. Last month, Colonial Pipeline shelled out a ransom amount of approximately 75 bitcoins ($4.4 million as of May 8) to restore services, although the U.S. government earlier this week managed to recoup most of the money by tracking the bitcoin trails.
“Being extorted by criminals is not a position any company wants to be in,” Colonial Pipeline CEO Joseph Blount said in a hearing before the U.S. Senate Committee on June 8. “As I have stated publicly, I made the decision that Colonial Pipeline would pay the ransom to have every tool available to us to swiftly get the pipeline back up and running. It was one of the toughest decisions I have had to make in my life.”
In a similar development, U.S. insurance firm CNA is said to have allegedly paid off $40 million to the attackers to recover access to its systems in what’s believed to be one of the most expensive ransoms settled to date. In a statement shared on May 12, the company said it had “no evidence to indicate that external customers were potentially at risk of infection due to the incident.”
The incessant attacks on critical infrastructure and their impact to supply chains have prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to publish a fact sheet detailing the rising threat of ransomware to operational technology assets and control systems and help organizations build effective resilience.