Nearly one week after JBS USA announced it had recovered from a ransomware attack thanks to proper backups and incident response practices, the company has now confirmed it paid an $11 million ransom.
JBS USA, a subsidiary of the world's largest beef producers, was struck by REvil ransomware on May 30, forcing the company to shut down operations. On June 3, the company announced the resolution of the ransomware attack, citing the company's "swift response, robust IT systems and encrypted backup servers" for the "rapid recovery."
However, in a press release Wednesday, JBS USA confirmed it paid a hefty ransom to REvil threat actors. The global beef manufacturer said it made the decision to pay in order to mitigate "any unforeseen issues related to the attack, and ensure no data was exfiltrated." In response to the attack against its operations, JBS USA said it paid the equivalent of $11 million in ransom -- even though the company admitted the "vast majority" of its facilities were operational at that time.
"This was a very difficult decision to make for our company and for me personally," Andre Nogueira, CEO of JBS USA, said in the statement. "However, we felt this decision had to be made to prevent any potential risk for our customers."
It is still unclear when systems were fully restored -- before or after paying the ransom -- and when the payment was made. The June 3 press release said, "all of its global facilities are fully operational after resolution of the criminal cyberattack." In Wednesday's statement, JBS USA said that "at the time of payment, the vast majority of the company's facilities were operational."
SearchSecurity contacted JBS USA for comment, but the company did not respond at press time.
The initial attack only affected some of the servers supporting JBS' North American and Australian IT systems. It did not impact the company's backup servers or core production systems.
The FBI later attributed the attack to the REvil ransomware group. The group is behind one of the highest demands ever made, $50 million, against Taiwan-based PC manufacturer Acer Inc. just last month. REvil is known to use data exfiltration with threats to leak the stolen data if victims do not pay. JBS said one reason it paid was to ensure no data was exfiltrated.
JBS USA is the second company to give in to a multi-million-dollar ransom demand recently. Colonial Pipeline Co. confirmed it paid a $4.4 million ransom to DarkSide ransomware actors last month, though the FBI seized the majority of the payment. While the attackers differed, in both cases the ransomware only affected IT systems and not core production systems. Yet, in both cases, the ransomware groups made off with millions.
JBS USA said it has maintained constant communications with government officials throughout the incident, and that third-party forensic investigations are still ongoing, but no final determinations have been made about how the threat actors gained access to its network. According to the statement Wednesday, preliminary investigation results show no evidence that any company, customer or employee data was compromised.