JBS USA confirmed this week that it paid the equivalent of $11 million in ransom in response to what it calls a “criminal hack” against its operations. The company says the majority of its facilities were operational when it paid the massive ransom. JBS says that it consulted with internal IT professionals and third-party cybersecurity experts and chose to pay the ransom to mitigate any unforeseen issues related to the attack and ensure none of its data was exfiltrated.
JBS USA CEO Andre Nogueira said it was a very difficult decision for the company and him personally to make. However, he says the company felt the decision had to be made to prevent any potential risk for customers. The company says the FBI has stated that the group that attacked it is one of the world’s most specialized and sophisticated cybercriminal groups.
JBS says that its ability to respond quickly to the situation was due to its cybersecurity protocols, redundant systems, and encrypted backup servers. The company says it spends more than $200 million annually on IT and employs more than 850 IT professionals globally. It’s unclear how the hack was perpetrated or how, despite spending $200 million annually on IT and employing such a large pool of professionals, the company’s systems were still vulnerable to attack.
JBS USA says that it has maintained constant communications with government officials throughout the incident, and that third-party forensic investigations are ongoing. The company says no final determinations have been made at this time, and its preliminary investigation confirms no company, customer, or employee data was compromised in the attack.
This attack is the second high-profile ransomware attack in recent weeks. Previously, a major US pipeline was attacked, resulting in fuel hoarding and shortages in some parts of the US. In that instance, the company chose to pay the hackers a ransom as well. At some point, it would seem prudent for American companies to adopt a stance similar to the one the US takes with terrorists: we don’t negotiate.