A meat processing giant recently hit by ransomware has confirmed it paid its extorters $11 million, reigniting the debate over the ethics of doing so.
A statement published by Sao Paolo-headquartered JBS, whose US and Australia businesses were hit in the incident last week, claimed that at the time of payment, the “vast majority” of its facilities were operational.
“In consultation with internal IT professionals and third-party cybersecurity experts, the company made the decision to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated,” it added.
Usually, the attackers have already exfiltrated sensitive data in such attacks, and payment is made to prevent them from publishing it.
However, there’s no guarantee that the attackers will not try to monetize the data anyway.
Last November, a Coveware report claimed that data exfiltration is now a tactic in over half of ransomware attacks.
It warned that groups such as REvil (Sodinokibi), which was blamed for the JBS attack, sometimes still publish data after payment, and, in some cases, demand a second payment.
It’s unclear whether JBS paid the ransom with the expectation its insurance provider would cover it. The issue is increasingly controversial, with AXA recently stating that it would stop reimbursing clients in France for ransom payments.
“This was a very difficult decision to make for our company and for me personally,” said Andre Nogueira, CEO of JBS USA. “However, we felt this decision had to be made to prevent any potential risk for our customers.”
The firm’s statement goes on to boast a $200 million annual IT budget and state that its ability to bounce back quickly from the attack was due to “its cybersecurity protocols, redundant systems and encrypted backup servers.”
Edgard Capdevielle, CEO of Nozomi Networks, argued that enterprises must now be prepared for the inevitable ransomware attack.
“That's why in addition to strengthening cybersecurity defenses, it’s equally important to invest in business resilience in the face of an attack,” he added.
“This post-breach mindset establishes a strong cybersecurity culture that asks the tough questions, anticipates worst-case scenarios and establishes a recovery and containment strategy aimed at maximizing your organization’s resiliency, long before an attack occurs.”
It’s generally advised that victims do not pay ransomware groups as it simply encourages more of the same malicious activity. However, when critical supply chains are involved, it’s not quite so simple.
“Naive statements like ‘never pay the ransom’ simply ignore the reality of the situation and do not have any chance in actually changing anything,” argued John Bambenek, Threat Intelligence Advisor at Netenrich.
“President Biden’s meeting with Vladimir Putin next week is critical in attempting to change the trajectory of this threat to bring the rogue state responsible for harboring this threat to heel.”