JBS Paid $11M Ransom to Prevent Attackers from Leaking Stolen Data
Meat processing company JBS USA acknowledged that it paid $11 million to ransomware operators following an attack late last month. In a media statement, JBS says that most of its facilities were up and running when they paid the ransom, and that the decision to pay was made “to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated.” According to Security Scorecard, the JBS attack began with reconnaissance in February 2021. The attackers exfiltrated data from March 1-May 29 and encrypted the JBS environment on June 1.
Some common threads between JBS USA and the Colonial Pipeline failures, beyond the initial lack of essential security hygiene and the decision to pay ransom: (1) Failure to detect large volumes of data exfiltration over long periods of active exploitation; and (2) lack of a tested process and plan for how to deal with an incident to minimize service interruptions. For JBS, this happened despite their stated IT spending and IT employee count being significantly higher than industry averages. All of this indicates a lack of investment in both IT processes to minimize vulnerabilities and security skills, planning, and processes to mitigate and respond.
Make sure that your detection capabilities are where they need to be. Are all your locations protected at the same levels? Attackers were not only in the JBS Network for three months, but also exfiltrated 5 TB of data. Are you continuously watching for compromised passwords and taking steps to change them promptly when discovered? Are you looking for unexpected connections or unusual volumes of traffic? Verify your boundary protection and access devices are updated and secured. Ensure MFA is comprehensively enabled for all internet facing services. Augment your internal processes with periodic third-party assessments of your security posture.
Wow, this is a big check. Profits like this will only fuel more aggressive attacks. However, to keep things in perspective, the FBI reported over $1.8 billion in losses due to BEC/CEO Fraud for 2020. We just don’t hear about these attacks because a while successful BEC attack does not shut down infrastructure, ransomware does.
One must have a capability to detect breaches in hours to days. Extortion demands as the first indication of a breach is unacceptable.
William Hugh Murray
Read more in
ZDNet: Ransomware: Meat firm JBS says it paid out $11m after attack
Bleeping Computer: JBS paid $11 million to REvil ransomware, $22.5M first demanded