JBS Foods suffered a major ransomware attack targeting several of its meat processing facilities in the last week of May, forcing the company to cancel an entire day’s beef and lamb kills in Australia. Meat processing operations in the United States, the UK, Canada, and South America were also severely disrupted.
On June 3, the company issued its first official statement, announcing that all of its global facilities were fully operational following the ransomware attack that targeted its facilities on May 30. The company said that swift response, robust IT systems and encrypted backup servers ensured that the losses were limited less than one days’ worth of production.
“Thanks to the dedication of our IT professionals, our operational teams, cybersecurity consultants and the investments we have made in our systems, JBS USA and Pilgrim’s were able to quickly recover from this attack against our business, our team members and the food supply chain,” said Andre Nogueira, JBS USA CEO.
“The criminals were never able to access our core systems, which greatly reduced potential impact. Today, we are fortunate that all of our facilities around the globe are operating at normal capacity, and we are focused on fulfilling our responsibility to produce safe, high-quality food.”
On the same day, the FBI also issued a statement, announcing that it had identified the REvil ransomware gang as the group responsible for the ransomware attack on JBS Foods. “We have attributed the JBS attack to REvil and Sodinokibi and are working diligently to bring the threat actors to justice,” it said.
“We continue to focus our efforts on imposing risk and consequences and holding the responsible cyber actors accountable. Our private sector partnerships are essential to responding quickly when a cyber intrusion occurs and providing support to victims affected by our cyber adversaries. A cyber attack on one is an attack on us all. We encourage any entity that is the victim of a cyber attack to immediately notify the FBI through one of our 56 field offices,” the agency added.
On June 9, JBS Foods issued another statement with reference to the ransomware attack, revealing that it paid the equivalent of $11 million (£7.7 million) in ransom to hackers after consulting internal IT professionals and third-party cybersecurity experts.
“This was a very difficult decision to make for our company and for me personally. However, we felt this decision had to be made to prevent any potential risk for our customers” said Nogueira. The company said a vast majority of its facilities were operational at the time of payment.
“JBS USA’s ability to quickly resolve the issues resulting from the attack was due to its cybersecurity protocols, redundant systems and encrypted backup servers. The company spends more than $200 million annually on IT and employs more than 850 IT professionals globally.
“JBS USA has maintained constant communications with government officials throughout the incident. Third-party forensic investigations are still ongoing, and no final determinations have been made. Preliminary investigation results confirm that no company, customer or employee data was compromised,” the company added.
Nikos Mantas, Incident Response Expert at Obrela Security Industries, says the CEO of JBS clearly carried out a calculation to understand the level of damage the attack could cause, from loss of data to regulatory fines, and compared it to the ransom demand to understand which will have the greatest impact on the company. The CEO came to the conclusion that the disruption to its services would have a far greater impact than the financial loss of the ransom.
“While this would not be an easy decision to make, it does highlight that when companies are unprepared, ransomware can put them in the most difficult position. Protecting against ransomware is all about cyber resilience and carrying out tests prior to attacks to understand damages and limit them. Network segmentation is always critical, especially keeping operational technology separate from IT infrastructure, which is more likely to be attacked,” he adds.
“From a business and technical viewpoint, paying a ransom might be a sound decision when it’s the fastest and less expensive option to restore business operations. The victims should, however, bear in mind that payment does not preclude cybercriminals from later re-selling the stolen data even if they have promised otherwise,” says Ilia Kolochenko, Founder of ImmuniWeb.
“All incidents where unencrypted regulated data has been compromised must be meticulously analyzed with internal counsel or an external law firm without delay to determine disclosure duties owed to the victims and regulators. The newly announced DoJ and FBI strategy to suppress ransomware gangs will likely bear fruit soon, but will require coherent implementation and strong interagency collaboration. Given that ransom is commonly paid in Bitcoins, regulators will likely consider regulating or even banning this cryptocurrency in the near future.”