JBS Paid $11M to REvil Gang Even After Restoring Operations

The decision to pay the ransom demanded by the cybercriminal group was to avoid any further issues or potential problems for its customers, according to the company’s CEO.

JBS Foods paid the equivalent of $11 million in ransom after a cyber-attack that forced the company to shut down some operations in the United States and Australia over the Memorial Day weekend.

The company made the payment to cybercriminals to ensure the protection of its data and mitigate any further damage to its customers, even though the world’s largest meat distributor had already managed to return most of the affected facilities to full operational capacity, a company official said.

“This was a very difficult decision to make for our company and for me personally,” said Andre Nogueira, CEO of JBS USA. “However, we felt this decision had to be made to prevent any potential risk for our customers.”

A group believed to be the REvil cyber gang hit several servers supporting North American and Australian IT systems of JBS Foods–a global provider of beef, chicken and pork with 245,000 employees operating on several continents–on the Sunday of Memorial Day weekend. The group later claimed in an interview on Telegram, however, that its original target was a Brazilian entity.

No company or customer data appears to have been exfiltrated during the attack, which the company largely resolved using redundant systems and encrypted backup servers, according to the statement. As of Tuesday, JBS said it had been able to resume shipping food from nearly all of its U.S. facilities and was making progress in resuming plant operations in the U.S. and Australia.

The company’s decision to pay despite having the situation nearly under control came after consultation with internal IT professionals and third-party cybersecurity experts, according to the statement. Indeed, experts said that the attack could have had a downstream ripple effect on the food supply chain, not only in Australia but also globally, had it not been resolved quickly.

Ransomware Gangs Rake It In

The JBS payment is yet another in a series of high-profile extortion payments to ransomware groups that have recently been putting the squeeze on major corporations and government agencies and causing major disruption across numerous industries. The activity has spurred the U.S. government to get involved in a major way to crack down on these groups.

The REvil ransomware group, which also goes by the name Sodinokibi, is one of the more audacious of the bunch, infamous for its attacks against some of the world’s largest organizations and exorbitant ransom demands. Indeed, the FBI called the group who attacked JBS “one of the most specialized and sophisticated cybercriminal groups in the world,” according to the company.

In April, REvil demanded a $50 million extortion fee from Apple just hours before the tech giant was to kick off a new product launch event. The ransom stemmed from an attack on Quanta, a Taiwan-based company contracted to assemble Apple products, including Apple Watch, Apple MacBook Air and Pro, and ThinkPad, from an Apple-provided set of design schematics that REvil claimed to have gotten its hands on.

The DarkSide ransomware group also has pwned high-profile targets in recent months, including the now-infamous attack on Colonial Pipeline that caused widespread disruption of the fuel supply and which is still under investigation by U.S. authorities. Colonial Pipeline ended up paying about $4.4 million in Bitcoin to DarkSide.

Rise of Ransomware Gangs

If it seems that ransomware groups are getting bolder about reaping substantial benefits from their nefarious activity, they are, security experts said.

In recent months, the U.S. federal government’s involvement in fighting ransomware groups and attacks has been growing. On Monday, the FBI and DOJ announced in a press conference that they had used blockchain technology to track down the contents of DarkSide’s cryptocurrency wallet and recover approximately $2.3 million of the ransom Colonial Pipeline paid to extortionists last month.

One reason for the rise of this type of cybercriminal is that ransomware groups “face no real consequences” and can reap “high ransoms because the costs of [networks] just being down far exceed the cost of paying the ransoms,” John Bambenek, threat intelligence advisor at Netenrich, said in an email to Threatpost.

“Naive statements like ‘never pay the ransom’ simply ignore the reality of the situation and do not have any chance in actually changing anything,” he said.
