JBS, the Brazilian meat industry giant hit by ransomware in May, has admitted to paying the equivalent of $11 million to cybercriminals — despite claiming that its ability to “quickly resolve the issues resulting from the attack was due to its cybersecurity protocols, redundant systems and encrypted backup servers.”
“At the time of payment, the vast majority of the company’s facilities were operational,” JBS said, adding that despite this claimed resilience and its own ability to resolve the incident, it made the “very difficult decision” to pay the ransom to “mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated.”
The figure represents ~0.02% of its annual revenues.
The meat provider, which has annual revenues of £37 billion and is estimated to slaughter 13 million animals every single day, denied claims by former IT employees that cybersecurity was seen as a “back burner” issue at JBS and that it opted not to invest in specialist security tools after a 2017 to 2018 cybersecurity audit raised concerns.
The company said in its June 9 statement that it spends more than $200 million annually on IT and employs more than 850 IT professionals globally. It did not break out a cybersecurity spending figure.
The ongoing effectiveness of well-crafted phishing campaigns, the widespread lack of multi-factor authentication and IT asset management failures continue to represent a pleasant smorgasbord for cybercriminals.
That’s before taking into account the security issues posed by vulnerable, unpatched software. Of the more than 4,400 vulnerabilities disclosed between January and March 2021, 72% had no patches available. Of the critical vulnerabilities discovered, exploits were publicly available for 29%, a recent NCC security report found. There were six 0day vulnerabilities under active attack patched in this week’s Microsoft Patch Tuesday alone.
Companies and boards aghast at the seeming ease with which cybercriminals are gaining access to organisations, and overwhelmed by the seeming scale of the effort needed to shore up their security, can refer to the National Cyber Security Centre’s (NCSC) comprehensive “10 steps to cybersecurity” guide as a useful starting point.