JBS pays $11 million to notorious cybercrime group, REvil

Meat supplier, JBS has now paid ransomware hackers $11 million after breaching their computer networks last week. It was revealed that the company was hacked by REvil, a Russian-speaking hacker gang that has made millions in recent years by attacking organisations, encrypting their files and demanding a fee or a bitcoin payment in exchange for a decryption program and a promise not to leak those files to the public.

JBS indicated that while it was able to get most of its systems operational without REvil’s help, it chose to pay to keep its files safe. The company said in an emailed statement, “At the time of payment, the vast majority of the company’s facilities were operational. In the end, we made the decision to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated.”

Commenting on this update, Javvad Malik, security awareness advocate at KnowBe4 says: “Ransomware is an ever-growing menace to society. For many, the ransom payment itself, while significant in its own right, only represents a small percentage of the overall recovery costs and the impact of the attack. By threatening to leak stolen data, criminals have the upper hand whereby they can extort victims for large amounts, and the organisations have to take their word for the fact that they will delete the stolen information.”

The US government has long recommended ransomware victims not pay their attackers, though most ransomware gangs are not sanctioned entities and paying them is not illegal. JBS CEO Andre Nogueira defended the decision to pay, stating: “This was a very difficult decision to make for our company and for me personally. However, we felt this decision had to be made to prevent any potential risk for our customers.”

Malik continues: “Put in such a difficult position, organisations often have little choice – the problem is that criminals will use the proceeds to reinvest in their criminal enterprise to launch more attacks, and the cycle will continue. 

“While we need to look at strategic ways to break this cycle, for now, one of the most important things organisations should be focusing on is how to prevent ransomware from being successful to start with. As the majority of attacks originate through phishing emails, exploiting poor credentials, the lack of MFA, or unpatched public-facing, they should be looking to prevent these avenues as a priority.”

The news of JBS’ payment comes on the heels of congressional testimony from Joseph Blout, CEO of Colonial Pipeline that was recently hacked by a different Russian ransomware group, called DarkSide. In Senate testimony Tuesday, he stated that the decision to pay was “the right thing to do for the country.” In addition, the Justice Department announced Monday that it was able to recover part of the payment that Colonial sent to its hackers, however, the FBI declined to give specifics on how, leaving it unclear how frequently such a tactic could be deployed.