Dive Brief:
- JBS USA CEO Andre Nogueira paid the company's attackers $11 million in bitcoin after its recent ransomware attack, he told The Wall Street Journal. The company made the payment after a majority of JBS plants resumed operations using backups, though Nogueira did not specify when the payment was made.
- Upon learning of the attack on May 30, JBS took portions of its systems offline to quarantine the infection, notified the FBI and began working with consultants on ransom negotiations. JBS confirmed the ransom payment in a statement Thursday.
- Even though the company was regaining production, IT experts at JBS told Nogueira there was no guarantee the REvil attackers would not use different tactics to target JBS again. "We didn't think we could take this type of risk that something could go wrong in our recovery process," he said. Investigations of the attackers' point of entry are still underway.
Dive Insight:
The FBI attributed JBS' ransomware attack to REvil, a Russia-based cybercriminal gang under the Evil Corp. umbrella. As of October, the REvil ransomware group claimed to have made at least $100 million in profit in a year, Bleeping Computer reported.
Law enforcement remained aware of the decisions JBS was making, Nogueira said, as the company kept them informed. CNA Financial also paid its Phoenix attackers — who are also tied to Evil Corp. — $40 million in May.
Last year, the Department of Treasury's Office of Foreign Assets Control (OFAC) issued an alert for companies paying ransoms to sanctioned malicious cyber actors. Under the International Emergency Economic Powers Act (IEEPA), "U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities" on the Specially Designated Nationals and Blocked Persons List, such as Evil Corp., according to the Treasury Department's advisory.
JBS paid the ransom for a similar reason as Colonial Pipeline — to prevent the malware from spreading or returning. Even if a company pays, there is no binding agreement that a hacker group won't target them again, though high-profile gangs like REvil uphold "customer service" principles.
On Monday, the Justice Department and FBI said they recovered about half of Colonial's $4.4 million ransom payment in cryptocurrency. "This is not the first time that the government has ever seized cryptocurrency in connection with ransomware attacks," said U.S. Deputy Attorney General Lisa Monaco, during the press briefing. It was, however, the first seizure of its kind for the Ransomware Task Force.
While it's unknown what kind of example the partial cryptocurrency recovery sets for future ransomware victims, Monaco said companies should work with the government from the beginning of an intrusion. "We may be able to take the type of action that we took today … [but] we may not be able to do this in every instance," she said.
As companies discuss how to prepare for a ransomware attack, some may decide to set aside cryptocurrency to pay attackers. But "that puts you in a position where you're more inclined to pay than otherwise and I think that money can be better invested in preparatory steps, like doing the basics," said James Shank, senior security evangelist and chief architect of community services at Team Cymru and member of the Ransomware Task Force, during a SANS webcast June 3.
Because cryptocurrency is so volatile, the money would be better invested in other cybersecurity measures.
Setting aside cryptocurrency funds says something about a company: it is making the assumption that "we are going to get compromised at some point," said Matthew Toussain, founder of Open Security, while speaking on the SANS webcast.
"I think most organizations are going to have a bit of negative value from investing in cryptocurrency ahead of time," said Toussain.
Editor's note: This story has been updated to include a statement from JBS.