JBS Ransomware Attack Threatens US Meat Supply

On May 30, 2021, JBS, which is based in Brazil and has meat processing plants in the US, notified the US Government that it had suffered a ransomware attack. JBS is the second-largest meat producer in the US with shutdowns likely to have a major impact on US meat supply, just in time for when the country enjoys grilling meat on an open flame in the summer months. In an article published by the Associated Press, it was estimated that if plants were forced to shut down for just a day the US would lose a quarter of its beef-processing capacity. This is the equivalent of 20,000 cows not being processed for delivery to the consumer market, which would cause prices to increase as demand would not be met.

The following day JBS issued a press statement saying,

“On Sunday, May 30, JBS USA determined that it was the target of an organized cybersecurity attack, affecting some of the servers supporting its North American and Australian IT systems. The company took immediate action, suspending all affected systems, notifying authorities, and activating the company's global network of IT professionals and third-party experts to resolve the situation. The company’s backup servers were not affected, and it is actively working with an Incident Response firm to restore its systems as soon as possible…The company is not aware of any evidence at this time that any customer, supplier or employee data has been compromised or misused as a result of the situation. Resolution of the incident will take time, which may delay certain transactions with customers and suppliers.”

This was followed by a statement made by Principal Deputy Press Secretary Karina Jean-Pierre on June 2.

jbs ransomware threatens USA meat supply

While the statement dealt with President Biden’s trip to commemorate the Tulsa Race Massacre, of which an estimated 300 Black Americans were killed, and a further 10,000 were left destitute following an attack by a mob of white supremacists, the JBS situation was also addressed. The Principal Press Secretary stated,

“Meat producer JBS notified us on Sunday that they are the victims of a ransomware attack. The White House has offered assistance to JBS, and our team and the Department of Agriculture have spoken to their leadership several times in the last day. JBS notified the administration that the ransom demand came from a criminal organization likely based in Russia…The White House is engaging directly with the Russian government on this matter and delivering the message that responsible states do not harbor ransomware criminals. The FBI is investigating the incident and CISA is coordinating with the FBI to offer technical support to the company in recovering from the ransomware attack…USDA has reached out to several major meat processors in the United States to ensure they are aware of the situation. We’re assessing any impacts on supply, and the President has directed the administration to determine what we can do to mitigate any impacts as they may become necessary.”

The statement also wished to reiterate the current administration’s priority of combating ransomware following the Colonial Pipeline incident.

Impact on Supply

The White House statement also noted that the current administration was working with the Department of Agriculture, the FBI, and CISA on helping JBS while also coordinating with meat suppliers across the country in case supply is affected by the attack. Given JBS’s size, it is not only the US that could have meat supply impacted. The Government of Australia was also working to find who was responsible for the attack and help restore services as soon as possible.

It is too early to say what the exact impact of the attack will be at this stage but an article published by Bloomberg noted that some pork products increased 3.6%, this increase is believed to be a result of previous pandemic disruptions, meaning that further impacts on the supply chain will result in an increase in price for consumers.

Following the attack reports centered around supply and demand, as well as costs had not been released typically released by the US Department of Agriculture with “packer submission issues” being cited as the reason as to why the report has been delayed. However, one report showed that there had been a drop in the number of cattle slaughtered of 27,000 compared to a similar timeframe the previous week.

It was also confirmed by several other sources that some JBS plants were not operating. The U.S. Cattlemen's Association took to Twitter to provide updates, explaining that there were reports of “livestock haulers in line, at plants, waiting to unload and being redirected to nearby yards.”

JBS has also turned to social media to inform the public about the current situation and said via several Facebook posts that plants in Iowa, Utah, Colorado, Minnesota, Texas, and Nebraska had been shut down but still no fixed number about the number of plants shut down at the time of writing. Given that food always can spoil if not kept in specific conditions, the loss to the food industry may be significantly greater in the coming days than originally estimated.

It is estimated that production should return to normal by Wednesday 2 June, but the impact of the attack may take weeks to figure out. Further, at the time of writing while it has been confirmed by the White House that JBS suffered a ransomware attack, as to what strain was deployed or which group was responsible nothing has been mentioned to the press.

Food Supply Chain Threat

Speaking to ZDNet BitSight CTO Stephen Boyer said in an email that 40% of food production companies face an increased risk of a ransomware incident due to poor patching practices. Food companies are also reportedly taking longer to patch vulnerabilities than the recommended industry standard, leaving them at higher risk, Boyer wrote.

Over 70% of food production companies are at an increased risk of ransomware due to their overall security performance, according to BitSight's analysis. Last year the Campari Group announced that it was hit with a ransomware attack while Molson Coors also announced that it was attacked in March.  

Yevgeny Dibrov noted at the time of the Molson Coors attack that IT/OT convergence was a contributing factor as to why manufacturers of all sorts were increasingly becoming victims of ransomware. Dibrov stated,

“Manufacturing processes around the globe have increasingly been relying on IT and OT technology. But the real game-changer is that previously isolated manufacturing networks slowly integrated with IT networks, exposing OT assets and Industrial Control Systems (ICS) to a wider range of threats. Cybercriminals now have an IT and OT backdoor onto the company network.”

This sentiment has been shared by other cybersecurity experts including FireEye, who recently analyzed the increase in OT attacks and how despite lacking sophistication can open the door to ransomware attackers. While the previous two attacks impacted alcohol manufacturers, a product less important to continued survival when compared to food, all the attacks illustrate the impact ransomware can have on the consumer's daily life.

For all those who believe ransomware is a victimless crime as insurance companies will cover the loss to the company, they often forget the impact such events have on supply and demand, which can hurt the consumer's wallet in the medium to short term. With global supply chains already stretched thin, cyber-attacks such as the ones mentioned above certainly have an impact on the broader society as a whole.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal