Last week it was revealed that the world’s biggest meat supplier, JBS, had paid criminals $11 million worth of Bitcoin following a ransomware attack on its systems.
JBS USA today confirmed it paid the equivalent of $11 million in ransom in response to the criminal hack against its operations. At the time of payment, the vast majority of the company’s facilities were operational. In consultation with internal IT professionals and third-party cybersecurity experts, the company made the decision to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated.
“This was a very difficult decision to make for our company and for me personally,” said Andre Nogueira, CEO, JBS USA. “However, we felt this decision had to be made to prevent any potential risk for our customers.”
I agree that for any company hit by a ransomware attack it’s a tricky dilemma. Do you pay millions of dollars to those who attacked you? That may possibly prevent your assailants from releasing any stolen data, and provide you with a decryption key to help you recover your systems… but it also encourages others to engage in ransomware attacks in future, against not just your own business but other organisations around the world.
Your decision might be viewed as pragmatic, and help your company get back up on its feet, and be reassuring to your commercial partners and staff, but they aren’t the only ones who are watching with interest.
Because it appears that members of the US Congress have raised an eyebrow about how JBS responded to its attack, especially in the wake of other high profile ransomware incidents that have made headlines around the world.
Carolyn Maloney, chair of the House Oversight and Reform Committee, has written to JBS CEO Andre Nogueira, concerned that dangerous precedents are being set that may increase the risk of future ransomware attacks.
In her letter to Nogueira, Maloney asks for a copy of all documents related to the discovery of the attack, discussions and communications related to the ransom, and any communications related to the performance of any decryption tool provided by the attackers.
Bad enough to have your systems probed by a ransomware gang like REvil. Worse still, I suspect, to also have your response probed by the US Congress.
Why single out JBS and not the Colonial Pipeline, or even the many instances of state and local government, all of which have a much greater impact on the country?