Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security The Almighty Buck

JBS Paid $11 Million In Ransom After Hackers Shut Down Meat Plants (washingtonpost.com) 61

An anonymous reader quotes a report from The Washington Post: JBS, the world's largest meat supplier, confirmed Wednesday that it paid the equivalent of $11 million in ransom to hackers who targeted and temporarily crippled its business. The company confirmed making the payment in a statement Wednesday, saying it did so after most of its plants started operating again last week. The company consulted with its own tech workers and external cybersecurity experts, it said, and decided to pay to make sure no data was stolen. "This was a very difficult decision to make for our company and for me personally," JBS USA CEO Andre Nogueira said in a statement.

JBS was hit by a ransomware attack last week that temporarily halted operations at its nine beef processing plants in the United States and caused disruptions at other facilities. The FBI attributed the attack to a Russian-linked ransomware group known as both REvil and Sodinokibi. The payment was first reported by the Wall Street Journal. JBS got many of its plants operating again by the end of last week, but Nogueira said it decided to make the payment to "prevent any potential risk" for customers. JBS said Wednesday that it spends more than $200 million annually on information technology and employs more than 850 IT workers worldwide. The company said experts are still investigating the hack, but preliminary findings indicate that no employee or customer data was compromised.

This discussion has been archived. No new comments can be posted.

JBS Paid $11 Million In Ransom After Hackers Shut Down Meat Plants

Comments Filter:
  • At least now we know where's the beef [youtu.be]? Apparently the Russians have it.

  • by Inglix the Mad ( 576601 ) on Thursday June 10, 2021 @08:16AM (#61473148)
    I guess we'll find out in a few days if JBS paid because a government told them to pay, so they could track the money... then take it back.

    That's before the US (or some other government) decides to ignore their rules and help these people fall through a plate glass window several stories up, onto some bullet, into the path of a car, after having a mysterious argument with a wrench, then eating some food laced with a common poison.
    • by Canberra1 ( 3475749 ) on Thursday June 10, 2021 @08:57AM (#61473316)
      Some numbers: 200 Million/ 850 workers = 235K per worker per year. Assume hardware , premises and licenses is 60% so 90K per worker is more like it. 14 Million (not including shutdown losses and reputational damage and insurance hikes/limits) is about 155 employees. Assume the risk plan says 1 major event every 5 years is expected. So 2.8 mill PA, is about 31 workers. So that is 3.64% savings. Now assume IT says it will cost 10% more to secure things properly. So the executives conclude paying a ransom IS cost effective, by a large margin. However their insurance company should refuse, because paying an insider upto 800K to plant a trojan is a profitable outcome on an incompetent mark. The next certainty is their insurer should decline that company for any insurance going forward. Of course there is no evidence, but you can bet they know which of the 850 employees have lesser skills for the next time.
    • Yeah Colonial got their $4 milloin back.
  • closing the barn door after the horses have escaped
  • financials (Score:4, Informative)

    by algaeman ( 600564 ) on Thursday June 10, 2021 @08:35AM (#61473224)
    Just in case anybody else wants perspective on the $200M/850 employees, JBS has gross revenues of >$27 billion and over 78000 employees worldwide. I would assume they are including the guys who repair a refrigerator temp probe in their IT staff.
    • Re:financials (Score:4, Interesting)

      by Zontar_Thing_From_Ve ( 949321 ) on Thursday June 10, 2021 @09:27AM (#61473422)

      Just in case anybody else wants perspective on the $200M/850 employees, JBS has gross revenues of >$27 billion and over 78000 employees worldwide. I would assume they are including the guys who repair a refrigerator temp probe in their IT staff.

      I think you are essentially correct in pointing out that almost certainly they are doing damage control and providing misleading numbers, but there are ways that they could be sort of telling the truth in a misleading way without having to go as far as count a refrigerator repairman as "IT".

      A big portion of that $200 million may be on hardware and associated costs. I recently worked for a Fortune 500 company who leased everything they could in terms of computers. I don't know if they really saved money, but there was probably some tax reason for this, plus it did enable them to be able to force the vendor to upgrade hardware every few years, which had some real value.

      They are likely also not telling us that their IT staff is almost all outsourced and they have few American IT employees. They also are probably using Windoze on everything and I'm guessing this is yet another case of a seriously unpaid and overworked foreign based IT department setting things up as easily as possible because they don't have time to do security right

  • by bradley13 ( 1118935 ) on Thursday June 10, 2021 @08:49AM (#61473270) Homepage

    Paying just encourages more of the same. Everyone knows this. Announcing that you paid millions in ransom is just brain-dead stupid.

    Listen, if a company is brought to its knees by ransomware, it's their own fault. The C-level execs need to fall on their swords, for incompetence.

    I know one organization that takes IT reliability really seriously. About once a year, the CEO (or representative) has power cut - no notice - to the main IT infrastructure. I don't know exactly how this goes, but he has their systems taken down, hard. The backup systems are expected to come up within minutes, to preserve essential business functions, while IT scurries around getting the main systems back online. That's the kind of thinking required, to have a robust infrastructure.

    If a company doesn't want to pay the kind of money required? Well, some people also drive without insurance, ride motorcycles without helmets, etc.. When sh!t happens, the C-levels need to be held responsible.

    • Why not let consumers vote with their dollars and the invisible hand of the free market decide if paying ransom to hackers is what the market wants. Let the chips fall where they may.

      Or, alternatively there could be government regulation on computer security standards for businesses. Different levels of protection for data of higher sensitivity. Law enforcement efforts and international treaties to break up organized crime. A proactive approach coming from multiple angles. But that is probably quite disrupt

      • Why not let consumers vote with their dollars and the invisible hand of the free market decide if paying ransom to hackers is what the market wants. Let the chips fall where they may.

        Or, alternatively there could be government regulation on computer security standards for businesses. Different levels of protection for data of higher sensitivity. Law enforcement efforts and international treaties to break up organized crime. A proactive approach coming from multiple angles. But that is probably quite disruptive and expensive in the short term.

        I think those are both valid options.

        Government-enforced security standards sound good. Sort of an "OSHA" for IT systems. But: the government is notorious for being behind the technology curve, so the regulations would be unlikely to be relevant. Add to that the massive bureaucracy this would call into existence, and the cure might well be worse than the disease.

        What's missing from the "let consumers vote" options is that companies like this one don't actually deal with consumers. And they are large eno

      • "Why not let consumers vote with their dollars and the invisible hand of the free market decide if paying ransom to hackers is what the market wants. Let the chips fall where they may." Would you also let a gang hold you hostage in your own home and think "Gee, if they're holding me for ransom, this must be what the market wants. Can't argue with the market. Police need not be involved. This is simply market forces at play. Here mister gang member. Let me be your supply for your demand for money for no a
        • Would you also let a gang hold you hostage in your own home and think "Gee, if they're holding me for ransom, this must be what the market wants.

          I'd have to offer the crooks more than what the free markets believes my life is worth. If I don't have it, I guess I should have worked hard and earned it. Maybe I only have enough to save 1 out of 4 family members. But like a good libertarian we should form a contract to seal the agreement and give it force. Something something the court magically enforces our contracts without having to pay taxes or government.

      • Why not let consumers vote with their dollars and the invisible hand of the free market decide if paying ransom to hackers is what the market wants. Let the chips fall where they may.

        They have. JBS's customers have paid for the products they received. JBS is free to use that money on whatever it wants.

        Turns out customers only care about what they receive and at what price. They don't care what else the company does.

    • Re: (Score:2, Insightful)

      by DarkOx ( 621550 )

      That's great and if you have a situations where your cost or loss revenue will be impacted even by a short outage to justify that sort of thing - wonderful and you are doing the right thing testing it

      BUT its naive to think even this 'solves' the problem of ransomware.

      1) The ransom guys have in many instances moved past cipher your stuff sell you the key. Its not exfil your trade secrets, your employees private info, etc if you don't pay in many cases. - No backup will unleak your info.

      2) That kind of rapi

    • by gweihir ( 88907 )

      Indeed. Personal, _criminal_ liability for the fuckups responsible or nothing will change.

    • by eepok ( 545733 )

      Listen, if a company is brought to its knees by ransomware, it's their own fault.

      Strong words from someone who doesn't manufacture his own hardware and code every single program he uses. The reality is that our internet world is intrinsically interdependent. You could have some routing hardware that is 100% secure to everyone's knowledge and then someone finds an exploit, sells it off, and suddenly you've got a hacking crew siphoning off all your private information and holding it for ransom. That's the fun of the "zero-day".

      The fault is with the criminals. The liability is with the tho

  • "saying it did so after most of its plants started operating again last week" " decided to pay to make sure no data was stole" How stupid are these people, paying the ransom so no data was stolen? After the fact.
    • by quenda ( 644621 )

      "saying it did so after most of its plants started operating again last week" " decided to pay to make sure no data was stole" How stupid are these people, paying the ransom so no data was stolen? After the fact.

      More likely, the stupid is in the chain of inaccurate reporting.

  • After even our own University of Nebraska, Medical Center, CHI Hospitals, etc.. all suffered from this, these people should be strung up by their toes.

    Look, cripple our infrastructure, make meat prices raise. And don't get the "The poor will suffer." Screw you, I'm poor with a broken back and live in a trailer, and even *I* won't allow this crap to go without notice! Make us mad! It's the only thing that will bring change and weed responsible companies out when they fall hard and bankruptcy and a more comp

  • by ytene ( 4376651 ) on Thursday June 10, 2021 @09:12AM (#61473366)
    I'm reasonably confident that most slashdot readers have come across principles relating to problem statements. Things like, "We can't set about fixing the problem until we all agree on the definition of what is broken" and perhaps, "If you can't solve the problem as it is currently described, first try re-defining or re-stating the problem until you can."

    In a similar spirit to that outlook, then, I would suggest that we stop thinking about this general classification of problems as "hacking" and start using the term "cyber warfare". As has been noted by Brian Krebs [krebsonsecurity.com], there is growing circumstantial evidence that Ransomware Gangs are operating in Russia, either directly sponsored by the Russian Government, or with the Russian Government's tacit "blessing", on the condition that those gangs do not attack Russia or her allies. Put simply, these are cyber warfare attacks on the United States and her allies.

    If we keep on describing this as "criminal gang" activity, we are not going to face up to the measures needed to stop it from happening again.

    Yes, we need to significantly and rapidly educate western industry in terms of cyber defence. We need to ensure that all western companies and individuals have patched, securely-configured and securely-operated technology, with robust passwords.

    But more than that. We need to take the fight to the perpetrators, chase them down, smoke them out. We need to make sure that any cryptocurrency exchange that launders their proceeds has all the managers of the exchange arrested and charged with money laundering. We need to adopt a zero-tolerance attitude towards the problem. Get a few InterPol Red Notices out there and see how they like that. And if it turns out that all the perpetrators are hiding inside Russian borders, then demand they be handed over for trial - and if not, impose more sanctions.

    What we saw with the Colonial Pipeline attack was that the US Government was able to move swiftly and effectively and claw back a significant chunk of the ransom. Good, but not enough.

    These gangs [and their "sponsor"] are going to keep doing this until they get a bloody nose.

    So it's long past time they got one.
  • by gillbates ( 106458 ) on Thursday June 10, 2021 @09:23AM (#61473408) Homepage Journal

    When paying off ransomware gangs is cheaper than restoring from backup, you know you have an IT problem.

  • Are these attacks hitting businesses in Russia and China? How are things handled in those countries?

    • Are these attacks hitting businesses in Russia and China? How are things handled in those countries?

      In Russia if you attack the interests of the oligarchs, you end up with polonium in your Cheerios.

      In China, they just shoot you and harvest your organs for being an enemy of the state.

    • by ytene ( 4376651 )
      No.

      See here [krebsonsecurity.com] for more details and an explanation of how to use that information to your advantage.
  • by WaffleMonster ( 969671 ) on Thursday June 10, 2021 @09:34AM (#61473458)

    "decided to pay to make sure no data was stolen"

    "The company said experts are still investigating the hack, but preliminary findings indicate that no employee or customer data was compromised."

    The prior article by the same Washington Post reads "The ransom payment, in bitcoin, was made to shield JBS meat plants from further disruption and to limit the potential impact on restaurants, grocery stores and farmers that rely on JBS"

    Followed by "It was very painful to pay the criminals, but we did the right thing for our customers".

    The statement from JBS itself literally violates causality: "At the time of payment, the vast majority of the companyâ(TM)s facilities were operational. In consultation with internal IT professionals and third-party cybersecurity experts, the company made the decision to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated."

    It's interesting they claim to lack evidence data was compromised, apparently payments are not to restore service and recover data that would otherwise not be recoverable yet nonetheless it was "very painful to pay the criminals".

    All 11 million dollars paid appear if statements are taken at face value (bad idea) to be nothing more than a resounding vote of no confidence in JBS's ability to operate. They could have at least given the 11 million to security goons who presumably would have at least done something (anything at all?) to meaningfully improve security.

    I would like to see Andre Nogueira fired (not for getting hacked) and laws unambiguously crafted (or enforced) to ensure people who knowingly cut such checks to criminal enterprises hauled off to jail.

  • by Fly Swatter ( 30498 ) on Thursday June 10, 2021 @09:50AM (#61473492) Homepage
    Ad a tax on ransom payments, owed by the payee. Set the rate at 1,000,000% thereby making the 'business decision' a no-brainer.
  • Did heads roll? (Score:5, Insightful)

    by 140Mandak262Jamuna ( 970587 ) on Thursday June 10, 2021 @09:50AM (#61473496) Journal
    Unless the CEO CIO and other suits lose their bonuses, pay, and job, fired for cause, lose their golden parachute nothing will change. The board too must face consequences for hiring incompetent executives.

    As long as they pay ransom using shareholders money and their personal fortunes are not affected, nothing will change.

    The C in CEO seems to be for Criminal not chief, and the C in other suites means Crony and/or Criminal.

    • by ytene ( 4376651 )
      It's easy to armchair quarterback a story like this, especially with little public information about the details.

      What if the vulnerability that was exploited was a zero-day, known by your software vendor, but not disclosed? Do you still want to jail your C-Suite?

      Or what if the company was just a small business, maybe with one or two full-time "technical support" staff, who spend all their time fixing paper jams in the invoice printers?

      Or maybe the company out-sources all their cyber security servic
      • I did not say they should go to jail. They should lose all their pay, bonuses, and the golden parachute. No. Matter. What. Its their job to make sure this does not happen. No excuses.

        Only such an action will make them take security seriously. Else they will just build loop holes, escape clauses and find excuses why its not their fault. Do we look this seriously and declare, nah, this good thing happened, not because of your brilliance, reasons are different, no bonus to you...".

        As for going to jail, it

  • by account_deleted ( 4530225 ) on Thursday June 10, 2021 @09:55AM (#61473520)
    Comment removed based on user account deletion
  • JBS got many of its plants operating again by the end of last week, but Nogueira said it decided to make the payment to "prevent any potential risk" for customers.

    If JBS was able to restore from backups, why did it feel compelled to pay a ransom anyway?

  • You IDIOTS! What makes you think that criminals and thieves are going to keep their word!?
  • And with every such asshole, the criminal organizations behind this get better funded and more motivated. Time to make paying such a ransom a felony for those making the decision (i.e. personal prison time) and stop it permanently.

  • Not at war yet? People are getting hurt
  • Microsoft windows strikes again ..
  • The could call it the Bolognavirus.

The truth of a proposition has nothing to do with its credibility. And vice versa.

Working...