Site navigation

JBS Cyber Attack: Firm Forks out $11m Ransom, But Was it Right to Pay?

Ross Kelly


JBS Cyber Attack
JBS paid the ransom to prevent further catastrophe, but does this incident set a bad example for companies in the future?

Meat processing giant JBS revealed it has paid an $11 million (£7.8m) ransom to recover data stolen in a cyber attack.

JBS systems were compromised in a major ransomware attack last week which saw operations in Australia, Canada and the United States brought to a halt.

The ransom was reportedly paid using Bitcoin, despite operations having since been restored.

JBS, which is headquartered in Brazil, said the payment was made to ensure that customer data was protected and not exposed.

“This was a very difficult decision to make for our company and for me personally,” said JBS Chief Executive, Andre Nogueira.

“However, we felt this decision had to be made to prevent any potential risk for our customers.”

The ransomware attack on JBS forced the firm to shut down operations temporarily, which led to some food supply disruption. JBS currently supplies more than one-fifth of all beef products in the United States.

According to reports from The Guardian, JBS spends more than $200 million dollars annually on its IT capabilities, employing hundreds of specialists.

Despite this, the attack temporarily crippled the meat processing giant, with the FBI describing it as one of the “most specialised and sophisticated” attacks it had encountered.

US lawmakers suggested that the hacker network behind the JBS cyber attack was “likely based in Russia”.

The JBS cyber attack is the second high-profile ransomware incident within the space of a month. In May, the Colonial Pipeline ransomware attack crippled IT systems at the firm and caused fuel shortages in the US.

The Colonial Pipeline attack also resulted in the firm paying a $4.4m ransom to the cybercriminals responsible. However, following the payment, the funds were recovered by a ransomware taskforce established by the US Government.

Ransomware | To pay or not to pay?

Both incidents have once again raised questions over the long-term implications of paying cybercriminals to stop a ransomware attack.

In the UK, paying ransoms isn’t illegal. However, law enforcement agencies are keen to emphasise that organisations should not pay cybercriminal gangs in the event of an attack.

Calls have been made to ban payments, but some critics argue the decision may further entrench both sides of the divide and lead to greater problems.

By paying ransoms, organisations merely end up feeding the criminal economy and encouraging criminals to attack again, according to Jon Niccolls, EMEA Lead, Incident Response at Check Point Software.

Similary, Niccolls added that once a payment is made, cybercriminals could still choose expose data stolen and renage on any dubious agreement.

“Even when ransom demands are met, there is still no guarantee that the attackers will honour their promise to release the files and keep stolen data out of the public domain,” he said.

“This is one of the main reasons why at Check Point, we don’t recommend paying ransoms, either from company funds or via cyber-insurance policies.”

A stiff upper lip

An often underacknowledged element of ransomware attacks is the overall cost and impact upon an organisation.

The attacks, speculation surrounding the culprits and the subsequent ransom payments tend to grab headlines while tireless efforts are made behind closed doors at affected firms.

Javvad Malik, Security Awareness Advocate at KnowBe4 said the ransom itself only represents a small portion of the monetary impact of an attack.

This presents organisations with a moral conundrum – keep that stiff upper lip, or pay up and limit the overall damage.

“For many, the ransom payment itself, while significant in their own right, only represents a small percentage of the overall recovery costs and the impact of the attack,” he explained.

“Put in such a difficult position, organisations often have little choice – the problem is that criminals will use the proceeds to reinvest in their criminal enterprise to launch more attacks, and the cycle will continue.”

Ben Carr, Chief Information Security Officer at Qualys, echoed Malik’s comments, noting that US organisations account for the position of the government and FBI, which is that ransoms should not be paid in any circumstances.

“Companies may be tempted to pay when they know the risk to their business amounts to $100m, and the ransomware demand in comparison is only a few million dollars,” he said.

“In business terms, it’s an acceptable cost of continuing to operate, but companies need to be aware of the Office of Foreign Assets Control guidance on the matter. OFAC has released guidance to clamp down on ransom payouts and the use of ransomware insurance,” he added.


Organisations, in particular those based in the United States, also must consider whether they are engaging with and paying state-linked criminal groups, which could lead to serious repercussions.

“US organizations must remember that they are prohibited and civilly liable if they engage in transactions, even indirectly, with individuals or entities that are either on the Specially Designated Nationals and Blocked Persons List (SDN List), or from countries covered by country or region embargoes, such as Iran and North Korea,” Carr explained.

Jude McCorry, Chief Executive of the Scottish Business Resilience Centre, said “the more we pay cybercriminals, the more attacks we’ll see” moving forward.

As such, industry must foster closer relationships with law enforcement and authorities to tackle the issue in a similar manner to other criminal activities.

“It’s important to remember paying the ransom doesn’t make the crime disappear; instead, companies should be open about it and share information and governments must also be prepared to work with industry to share intelligence at a high level too,” she said.

“If the business community works together, we can raise awareness of cyber attacks and help reduce the threat in the long term. Until we do that, the best way forward is for companies to upgrade their own security and proactively build up their defences to deter criminals as best they can,” McCorry added.

Ross Kelly

Staff Writer

Latest News

Data Protection Editor's Picks
Digital Transformation Events
Cybersecurity Editor's Picks
%d bloggers like this: