JBS, the largest meat supplier in the world, paid the ransomware hackers who breached its computer networks about $11 million, the company said Wednesday.
The company was hacked in May by REvil, one of a number of Russian-speaking hacker gangs, leading to meat plants across the U.S. and Australia shutting down for at least a day. News of the payment was first reported by The Wall Street Journal.
Like many ransomware groups, REvil has made millions in recent years by hacking organizations, encrypting their files and demanding a fee, often a large bitcoin payment, in exchange for a decryptor program and a promise not to leak those files to the public.
In a statement, JBS indicated that while it was able to get most of its systems operational without REvil’s help, it chose to pay to keep its files safe.
“At the time of payment, the vast majority of the company’s facilities were operational,” the company said in an emailed statement, adding that it “made the decision to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated.”
Charles Carmakal, the CTO of the cybersecurity firm Mandiant, said that while such a price might seem high, it’s not unusual for a successful ransomware attack.
“For an organization like theirs, it feels like it’s a pretty common extortion demand,” Carmakal said.
“For bigger organizations, you’ll tend to see eight-figure extortion demands,” he said. “Sometimes, you’ll see what I believe are really large demands, going up to 40, 45, 50 million. Most people don’t want to pay that much and will try to negotiate it down as best they can.”
The U.S. government has long recommended ransomware victims not pay their attackers, though most ransomware gangs are not sanctioned entities and paying them is not illegal.
JBS CEO Andre Nogueira defended the decision to pay.
“This was a very difficult decision to make for our company and for me personally,” Nogueira said in the statement. “However, we felt this decision had to be made to prevent any potential risk for our customers.”
The news of JBS’ payment comes on the heels of congressional testimony from Joseph Blout, CEO of Colonial Pipeline, a major U.S. fuel pipeline that was recently hacked by a different Russian ransomware group, called DarkSide. In Senate testimony Tuesday, he called the decision to pay “the right thing to do for the country.”
In an unusual move, the Justice Department announced Monday that it was able to recover part of the payment that Colonial sent to its hackers. The FBI declined to give specifics on how, however, leaving it unclear how frequently such a tactic could be deployed.