JBS Paid $11 Million In Ransom After Hackers Shut Down Meat Plants (washingtonpost.com)
An anonymous reader quotes a report from The Washington Post: JBS, the world's largest meat supplier, confirmed Wednesday that it paid the equivalent of $11 million in ransom to hackers who targeted and temporarily crippled its business. The company confirmed making the payment in a statement Wednesday, saying it did so after most of its plants started operating again last week. The company consulted with its own tech workers and external cybersecurity experts, it said, and decided to pay to make sure no data was stolen. "This was a very difficult decision to make for our company and for me personally," JBS USA CEO Andre Nogueira said in a statement.
JBS was hit by a ransomware attack last week that temporarily halted operations at its nine beef processing plants in the United States and caused disruptions at other facilities. The FBI attributed the attack to a Russian-linked ransomware group known as both REvil and Sodinokibi. The payment was first reported by the Wall Street Journal. JBS got many of its plants operating again by the end of last week, but Nogueira said it decided to make the payment to "prevent any potential risk" for customers. JBS said Wednesday that it spends more than $200 million annually on information technology and employs more than 850 IT workers worldwide. The company said experts are still investigating the hack, but preliminary findings indicate that no employee or customer data was compromised.
Re: (Score:2)
Re:And... (Score:4)
Not recalling a defective car that kills people because it is cheaper not to is also a business decision. It doesn't mean it should be legal. It should be illegal to pay ransom of any kind and even more illegal to announce that you paid a ransom.
If that's too hard on a business then the government should offer ransomware insurance which pays businesses not to pay ransomware. I'm not sure what the actual damages were and I'm sure the beancounters decided $11M was less than the actual damages, but even if the actual damages were 10 times that they still shouldn't pay ransomware, as it's kind of like the movie "The Ring" where paying the ransom just punts the damages to the next victim.
Re: (Score:1)
Re: (Score:2)
But this is one of the few situations where the government is the only solution. It's a classic "tragedy of the commons". Whether the company has malware insurance or not, it's always better for the individual company (or their insurance company) to pay the ransom if the cost of the ransom is less than the cost of repairing the damage. On the other hand, it's usually worse for society as it perpetuates the cycle. Making it illegal to pay ransom is similar to making it illegal to feed wildlife, pollute
Re: (Score:3)
that's too hard on a business then the government should offer ransomware insurance which pays businesses not to pay ransomware.
Wait you potentially exercise gross negligence securing your assets and *I am* supposed to pay the protection money to get the criminals to give your stuff back?
I wrestle a bit with whether there should be legal barriers to paying a ransom. On the one hand, it's your money; you should be able to dispose of it as you wish. On the other hand, there is an argument that by paying you are now, as you suggest, someone complicit in the overall criminal enterprise.
At the end of the day though this isn't really a solvable problem at the
Re: (Score:2, Insightful)
1. The company already had a poor IT security plan; they probably had not been listening and were cheaping out on what the experts have been telling them all along.
2. Paying for ransomware is a gamble anyway. It is just as likely that these people didn't have the key, and will take the money and run. So other than having to fix your infrastructure, you also have just lost 11 million dollars.
3. They have become a target for a future attack. I have heard through the rumor mills of Global Financial institutions tha
Re:And... (Score:4, Funny)
Re: (Score:3)
For point 2) it's in the ransomware gang's best interest to release the data. If word gets out that paying the ransom doesn't get the data back then future companies won't pay it, as there is no point. It gains the hackers nothing to not live up to their part of the ransom, and potentially costs them any future profits, making it simply an act of terror.
Re: And... (Score:1)
Re: (Score:2)
It's not about the data leak; that's some BS the company has come up with. I doubt they even bother to copy the data off the network, an event that any semi-competent IT should be able to detect. My comment was strictly about the decrypting of the data. If paying $11 million didn't get them the decryption keys then it ruins their business model. The selling of the data is a secondary business, and as far as I know isn't part of the business model to begin with. They aren't ransoming in "pay us or we leak yo
Re: And... (Score:2)
Re: (Score:2)
Not even sure what point you are trying to make. I haven't seen anywhere in these ransomware attacks where they state that the hackers copied the data off the network, simply that they encrypted the data so the company can't have access to it. To go with your analogy it's more like they took your millions of dollars and placed it in a safe and tell you for $100 they'll give you the combination. In my assessment it would be bad practice for them to take your $100 and then say, "well, too bad, ain't gonna giv
Re: And... (Score:1)
Re: (Score:2)
Did they learn to ban Windows inside their firewall?
Where's the beef? (Score:2)
At least now we know where's the beef [youtu.be]? Apparently the Russians have it.
Re: (Score:1)
I guess we'll find out in a few days (Score:4, Interesting)
That's before the US (or some other government) decides to ignore their rules and help these people fall through a plate glass window several stories up, onto some bullet, into the path of a car, after having a mysterious argument with a wrench, then eating some food laced with a common poison.
Re:I guess we'll find out in a few days (Score:4, Interesting)
Re: (Score:2)
"to make sure no data was stolen" (Score:2)
Re: (Score:2)
JBS made the horses into dogfood, and some Russian is sitting in bed with a horse head.
financials (Score:4, Informative)
Re:financials (Score:4, Interesting)
Just in case anybody else wants perspective on the $200M/850 employees, JBS has gross revenues of >$27 billion and over 78000 employees worldwide. I would assume they are including the guys who repair a refrigerator temp probe in their IT staff.
I think you are essentially correct in pointing out that almost certainly they are doing damage control and providing misleading numbers, but there are ways that they could be sort of telling the truth in a misleading way without having to go as far as count a refrigerator repairman as "IT".
A big portion of that $200 million may be on hardware and associated costs. I recently worked for a Fortune 500 company who leased everything they could in terms of computers. I don't know if they really saved money, but there was probably some tax reason for this, plus it did enable them to be able to force the vendor to upgrade hardware every few years, which had some real value.
They are likely also not telling us that their IT staff is almost all outsourced and they have few American IT employees. They also are probably using Windoze on everything and I'm guessing this is yet another case of a seriously unpaid and overworked foreign based IT department setting things up as easily as possible because they don't have time to do security right
Re: financials (Score:4, Interesting)
The real IT pros switched sides once they were outsourced.
News at 7 (11 is way past my bed time)
Paying ransom needs to be illegal (Score:4)
Paying just encourages more of the same. Everyone knows this. Announcing that you paid millions in ransom is just brain-dead stupid.
Listen, if a company is brought to its knees by ransomware, it's their own fault. The C-level execs need to fall on their swords, for incompetence.
I know one organization that takes IT reliability really seriously. About once a year, the CEO (or representative) has power cut - no notice - to the main IT infrastructure. I don't know exactly how this goes, but he has their systems taken down, hard. The backup systems are expected to come up within minutes, to preserve essential business functions, while IT scurries around getting the main systems back online. That's the kind of thinking required, to have a robust infrastructure.
If a company doesn't want to pay the kind of money required? Well, some people also drive without insurance, ride motorcycles without helmets, etc. When sh!t happens, the C-levels need to be held responsible.
Re: (Score:2)
Why not let consumers vote with their dollars and the invisible hand of the free market decide if paying ransom to hackers is what the market wants. Let the chips fall where they may.
Or, alternatively there could be government regulation on computer security standards for businesses. Different levels of protection for data of higher sensitivity. Law enforcement efforts and international treaties to break up organized crime. A proactive approach coming from multiple angles. But that is probably quite disrupt
Re: (Score:3)
Why not let consumers vote with their dollars and the invisible hand of the free market decide if paying ransom to hackers is what the market wants. Let the chips fall where they may.
Or, alternatively there could be government regulation on computer security standards for businesses. Different levels of protection for data of higher sensitivity. Law enforcement efforts and international treaties to break up organized crime. A proactive approach coming from multiple angles. But that is probably quite disruptive and expensive in the short term.
I think those are both valid options.
Government-enforced security standards sound good. Sort of an "OSHA" for IT systems. But: the government is notorious for being behind the technology curve, so the regulations would be unlikely to be relevant. Add to that the massive bureaucracy this would call into existence, and the cure might well be worse than the disease.
What's missing from the "let consumers vote" options is that companies like this one don't actually deal with consumers. And they are large eno
Re: Paying ransom needs to be illegal (Score:1)
Re: (Score:2)
Would you also let a gang hold you hostage in your own home and think "Gee, if they're holding me for ransom, this must be what the market wants."
I'd have to offer the crooks more than what the free markets believes my life is worth. If I don't have it, I guess I should have worked hard and earned it. Maybe I only have enough to save 1 out of 4 family members. But like a good libertarian we should form a contract to seal the agreement and give it force. Something something the court magically enforces our contracts without having to pay taxes or government.
Re: (Score:2)
Why not let consumers vote with their dollars and the invisible hand of the free market decide if paying ransom to hackers is what the market wants. Let the chips fall where they may.
They have. JBS's customers have paid for the products they received. JBS is free to use that money on whatever it wants.
Turns out customers only care about what they receive and at what price. They don't care what else the company does.
Re: (Score:2, Insightful)
That's great, and if you have a situation where your cost or lost revenue will be impacted even by a short outage to justify that sort of thing - wonderful, and you are doing the right thing testing it.
BUT it's naive to think even this 'solves' the problem of ransomware.
1) The ransom guys have in many instances moved past "cipher your stuff, sell you the key". It's now "exfil your trade secrets, your employees' private info, etc. if you don't pay" in many cases. - No backup will unleak your info.
2) That kind of rapi
Re: (Score:2)
Indeed. Personal, _criminal_ liability for the fuckups responsible or nothing will change.
Re: (Score:2)
Listen, if a company is brought to its knees by ransomware, it's their own fault.
Strong words from someone who doesn't manufacture his own hardware and code every single program he uses. The reality is that our internet world is intrinsically interdependent. You could have some routing hardware that is 100% secure to everyone's knowledge and then someone finds an exploit, sells it off, and suddenly you've got a hacking crew siphoning off all your private information and holding it for ransom. That's the fun of the "zero-day".
The fault is with the criminals. The liability is with the tho
JBS Paid $11 Million In Ransom (Score:2)
Re: (Score:3)
"saying it did so after most of its plants started operating again last week" "decided to pay to make sure no data was stolen" How stupid are these people, paying the ransom so no data was stolen? After the fact.
More likely, the stupid is in the chain of inaccurate reporting.
As a resident of Nebraska, I'm pissed. (Score:1)
After even our own University of Nebraska, Medical Center, CHI Hospitals, etc.. all suffered from this, these people should be strung up by their toes.
Look, cripple our infrastructure, make meat prices rise. And don't get the "The poor will suffer." Screw you, I'm poor with a broken back and live in a trailer, and even *I* won't allow this crap to go without notice! Make us mad! It's the only thing that will bring change and weed responsible companies out when they fall hard and bankruptcy and a more comp
New Taxonomy Required (Score:5, Interesting)
In a similar spirit to that outlook, then, I would suggest that we stop thinking about this general classification of problems as "hacking" and start using the term "cyber warfare". As has been noted by Brian Krebs [krebsonsecurity.com], there is growing circumstantial evidence that Ransomware Gangs are operating in Russia, either directly sponsored by the Russian Government, or with the Russian Government's tacit "blessing", on the condition that those gangs do not attack Russia or her allies. Put simply, these are cyber warfare attacks on the United States and her allies.
If we keep on describing this as "criminal gang" activity, we are not going to face up to the measures needed to stop it from happening again.
Yes, we need to significantly and rapidly educate western industry in terms of cyber defence. We need to ensure that all western companies and individuals have patched, securely-configured and securely-operated technology, with robust passwords.
But more than that. We need to take the fight to the perpetrators, chase them down, smoke them out. We need to make sure that any cryptocurrency exchange that launders their proceeds has all the managers of the exchange arrested and charged with money laundering. We need to adopt a zero-tolerance attitude towards the problem. Get a few Interpol Red Notices out there and see how they like that. And if it turns out that all the perpetrators are hiding inside Russian borders, then demand they be handed over for trial - and if not, impose more sanctions.
What we saw with the Colonial Pipeline attack was that the US Government was able to move swiftly and effectively and claw back a significant chunk of the ransom. Good, but not enough.
These gangs [and their "sponsor"] are going to keep doing this until they get a bloody nose.
So it's long past time they got one.
When it is cheaper. (Score:3)
When paying off ransomware gangs is cheaper than restoring from backup, you know you have an IT problem.
What about other countries (Score:2)
Are these attacks hitting businesses in Russia and China? How are things handled in those countries?
Re: (Score:3)
Are these attacks hitting businesses in Russia and China? How are things handled in those countries?
In Russia if you attack the interests of the oligarchs, you end up with polonium in your Cheerios.
In China, they just shoot you and harvest your organs for being an enemy of the state.
Re: (Score:2)
See here [krebsonsecurity.com] for more details and an explanation of how to use that information to your advantage.
Quotes (Score:3)
"decided to pay to make sure no data was stolen"
"The company said experts are still investigating the hack, but preliminary findings indicate that no employee or customer data was compromised."
The prior article by the same Washington Post reads "The ransom payment, in bitcoin, was made to shield JBS meat plants from further disruption and to limit the potential impact on restaurants, grocery stores and farmers that rely on JBS"
Followed by "It was very painful to pay the criminals, but we did the right thing for our customers".
The statement from JBS itself literally violates causality: "At the time of payment, the vast majority of the company's facilities were operational. In consultation with internal IT professionals and third-party cybersecurity experts, the company made the decision to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated."
It's interesting they claim to lack evidence data was compromised; apparently payments are not to restore service and recover data that would otherwise not be recoverable, yet nonetheless it was "very painful to pay the criminals".
All 11 million dollars paid appear, if statements are taken at face value (bad idea), to be nothing more than a resounding vote of no confidence in JBS's ability to operate. They could have at least given the 11 million to security goons who presumably would have at least done something (anything at all?) to meaningfully improve security.
I would like to see Andre Nogueira fired (not for getting hacked) and laws unambiguously crafted (or enforced) to ensure people who knowingly cut such checks to criminal enterprises are hauled off to jail.
Re:Quotes (Score:4, Informative)
Tax their payment. (Score:3)
Did heads roll? (Score:5, Insightful)
As long as they pay ransom using shareholders money and their personal fortunes are not affected, nothing will change.
The C in CEO seems to be for Criminal not chief, and the C in other suites means Crony and/or Criminal.
Re: (Score:2)
What if the vulnerability that was exploited was a zero-day, known by your software vendor, but not disclosed? Do you still want to jail your C-Suite?
Or what if the company was just a small business, maybe with one or two full-time "technical support" staff, who spend all their time fixing paper jams in the invoice printers?
Or maybe the company out-sources all their cyber security servic
Re: (Score:2)
Only such an action will make them take security seriously. Else they will just build loopholes, escape clauses and find excuses why it's not their fault. Do we look this seriously and declare, "nah, this good thing happened not because of your brilliance, reasons are different, no bonus to you..."?
As for going to jail, it
Comment removed (Score:3)
This is the really odd part of the story (Score:1)
JBS got many of its plants operating again by the end of last week, but Nogueira said it decided to make the payment to "prevent any potential risk" for customers.
If JBS was able to restore from backups, why did it feel compelled to pay a ransom anyway?
"..decided to pay to make sure no data was stolen" (Score:2)
One more asshole funding crime (Score:2)
And with every such asshole, the criminal organizations behind this get better funded and more motivated. Time to make paying such a ransom a felony for those making the decision (i.e. personal prison time) and stop it permanently.
When is this war? (Score:2)
Microsoft windows strikes again .. (Score:1)
A new virus? (Score:2)