JBS USA, the huge meat and food producer that was the victim of a ransomware attack in late May, said it has paid $11 million in ransom, even though most of its systems had been restored from backups and were already back up and running at the time of the payment.
The attack hit JBS on May 30 and just four days later the company announced that it had fully restored the affected systems and that its global production operations were back to normal. The company did not say at that time that it had paid any ransom, but simply stated that it had used its encrypted backup servers to restore its production systems. The FBI attributed the attack to REvil, one of many ransomware-as-a-service offerings available to attackers. REvil actors are known for huge ransom demands and also for stealing sensitive data before encrypting compromised systems.
“Thanks to the dedication of our IT professionals, our operational teams, cybersecurity consultants and the investments we have made in our systems, JBS USA and Pilgrim’s were able to quickly recover from this attack against our business, our team members and the food supply chain,” said CEO Andre Nogueira on June 3. “The criminals were never able to access our core systems, which greatly reduced potential impact.”
But on Wednesday, Nogueira said that JBS had in fact paid a ransom, and a significant one at that. The $11 million payment is one of the larger known ransomware payments in recent memory, and it’s even more unusual given that the company had already recovered most of its affected systems. Still, it fits with the way that attacks by REvil ransomware actors often go. REvil actors often demand a ransom for the decryption of encrypted systems, and then an additional payment not to publicly release data that was stolen during the intrusion. This double extortion tactic has become more and more popular in the last few months, as actors have looked for new ways to extract as much money as possible from their victims.
“This was a very difficult decision to make for our company and for me personally,” said Nogueira. “However, we felt this decision had to be made to prevent any potential risk for our customers.”
Nogueira did not say whether the REvil actors had actually demanded a payment not to release data, but in the statement released Wednesday, the company said the payment was made “to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated.”
The disclosure of JBS’s ransom payment comes just two days after the Department of Justice announced that it had seized $2.3 million of the $4.4 million ransom that Colonial Pipeline Co. had paid to DarkSide ransomware actors last month.