WASHINGTON – The House of Representatives Committee on Oversight and Reform recently held a hearing with top US cybersecurity experts on the recent ransomware attacks that affected several US companies, including meat producer JBS USA.
Before the hearing started, Representative Carolyn Maloney (D-NY), chairwoman of the committee, released a staff memo that detailed the ransomware attacks suffered by CNA Financial, Colonial Pipeline and JBS USA during 2021. The memo explained how these attacks occurred and how legislation and policies could counter future ransomware attacks.
“We found that these attacks often stemmed from minor security lapses, even at companies with seemingly robust cybersecurity,” Maloney said in her opening statement. “Our report also highlights the importance of clearly established federal points of contact for companies to avoid wasting precious time when an attack is underway. Finally, we found that companies faced substantial pressure to pay these ransoms quickly, making it harder to stop these attacks.”
The Oversight Committee said that the attackers gained access to JBS systems because an old network administrator account had not been deactivated and was protected by a weak password. Some JBS plants were temporarily shut down.
“After the cybercriminal group REvil deployed its ransomware on JBS’s system, they sent JBS a message demanding a payment of $22.5 million,” the memo said. “The ransom message warned that the price would double if payment was not made in a certain period. The attackers also warned, ‘We have all your network data,’ and, ‘if you do not reply to us within 3 days, it will be posted on our news-site.’”
During the attack, REvil mentioned the potential damage to the JBS stock price and promised a “good discount in case of quick payment.” The group also added that it could unblock JBS’ data and keep everything secret if the ransom was paid, according to the memo.
After company servers in North America and Australia faced the attack in May, JBS decided to pay the $11 million ransom to REvil.
Following the attack, JBS told the committee that its reasons for paying the ransom included the cost of rebuilding its systems from backups if it did not pay, plus obligations to customers and employees. Additionally, the company mentioned the cost of processing meat carcasses in its facilities, which could be tens of millions per day.
JBS added: “at the time of payment, the vast majority of the company’s facilities were operational,” and explained that it paid the ransom to “mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated.”
The memo also shared that REvil did not provide JBS with proof that it destroyed all copies of the data stolen from the company as it promised following the ransom payment.
The FBI’s general policy is to discourage payments to ransomware attackers. Earlier in November, several law enforcement agencies arrested five suspects allegedly involved with REvil and various other ransomware attacks around the world.