JBS Foods — REvil ransomware
REvil ransomware took JBS Foods — the world's largest meat processor — offline globally; JBS paid an $11M ransom to restore operations within days, then disclosed it.
- Target: JBS Foods — REvil ransomware
- Date public: 30 May 2021
- Sector: Manufacturing
- Attack type: Ransomware
- Threat actor: REvil / Sodinokibi
- Severity: High
- Region: Global — North America, Australia
In May 2021 hackers shut down the computer systems of JBS Foods — the world's largest meat processing company, responsible for roughly a fifth of all beef and pork processed in the United States. Plants in the US, Canada, and Australia were forced to stop operating. Thousands of meatpacking workers were sent home. Supermarkets and restaurant chains that depended on JBS for supply started to worry about shortages, and beef prices briefly spiked. The attack came from a criminal group called REvil — the same group that would attack Kaseya five weeks later. The FBI was watching the group and publicly attributed the attack, which was unusual: the FBI rarely names specific ransomware groups as quickly after an incident. JBS decided to pay an $11 million ransom in Bitcoin. The company explained that it paid to ensure that data the attackers had stolen would not be published, and to protect its customers, suppliers, and workers from any further disruption. The attack came just three weeks after Colonial Pipeline and was part of a sequence of summer 2021 ransomware events that drove the Biden administration to treat ransomware as a national security priority for the first time.
What happened
On 30 May 2021, ransomware encrypted IT systems at JBS Foods, forcing the company to shut down beef and pork processing facilities across the United States, Canada, and Australia. JBS is the world’s largest meat processor by revenue, handling roughly 20–25% of US beef and 20% of US pork processing capacity. The sudden removal of that volume from the supply chain triggered immediate concerns about meat shortages and drove short-term price increases at wholesale and retail.
In the US, JBS’s five largest beef plants — with a combined daily slaughter capacity of over 22,000 head of cattle — halted operations. Canadian beef processing stopped. Nine Australian facilities suspended operations. The company’s pork processing in the US was also affected. An estimated 7,000 workers across North America were temporarily stood down.
JBS contained the immediate incident within days, with US beef plants resuming operations on 3 June and most facilities back online by 4 June. The company confirmed on 9 June that it had paid an $11 million ransom in Bitcoin. JBS’s CEO André Nogueira explained the decision publicly: the company had been able to restore from backups, but paid to prevent the publication of data the attackers had exfiltrated and to obtain the attackers’ assurance, given in exchange for payment, that no residual backdoors remained in the rebuilt environment. The FBI publicly attributed the attack to REvil/Sodinokibi within two weeks of the incident — an unusually rapid and specific public attribution from the bureau.
The JBS attack was the second in a sequence of three high-profile ransomware events that defined the summer of 2021: Colonial Pipeline (7 May), JBS (30 May), and Kaseya (2 July). The sequence drove the Biden administration’s ransomware policy package, including a summit with President Putin in Geneva at which Biden provided a list of critical infrastructure sectors the US considered off-limits for ransomware, and the subsequent designation of cryptocurrency exchange SUEX for laundering REvil ransom payments.
How it worked
REvil, also known as Sodinokibi, operated as a ransomware-as-a-service platform. The group provided affiliates with the encryption malware, infrastructure for victim communication and negotiation, and a data-leak site where exfiltrated data could be published as additional extortion leverage. Affiliates conducted the actual intrusions and received a share of any ransom paid, typically around 70–80%.
The specific entry vector for the JBS attack was not fully disclosed publicly by JBS or by law enforcement. JBS confirmed that the attack targeted its North American and Australian IT systems and that no food safety or production systems — including systems controlling physical food-safety monitoring equipment — were directly compromised; the impact was to the IT infrastructure that scheduled, coordinated, and invoiced production rather than to operational technology systems controlling the production process itself. The shutdown was a result of JBS’s own decision to take plants offline in response to the IT system failure, a precautionary measure to ensure food safety was not compromised by operating without full system visibility.
REvil’s standard operating procedure at this time involved initial access via remote desktop protocol (RDP) brute-force, phishing, or purchased initial-access credentials, followed by a dwell period for reconnaissance and credential harvesting, culminating in mass encryption and immediate extortion. The group maintained a dark-web data leak site — “Happy Blog” — on which exfiltrated data from non-paying victims was published. JBS’s decision to pay was substantially driven by preventing publication of exfiltrated data rather than by an inability to recover from backups.
REvil was disrupted in part as a direct consequence of US pressure following the Colonial Pipeline and JBS events. In July 2021, REvil’s infrastructure went offline — believed to be in response to a US government offensive cyber operation or law enforcement action. It briefly re-emerged before being definitively disrupted in a coordinated international action in late 2021. A Ukrainian national, Yaroslav Vasinskyi, was arrested in Poland in October 2021 in connection with the Kaseya attack and was subsequently extradited to the US.
Timeline
- 30 May 2021 — REvil ransomware deployed against JBS IT systems. Beef and pork plants in the US, Canada, and Australia halt operations.
- 30–31 May 2021 — JBS notifies US and Australian governments of the attack. White House confirms awareness.
- 1 June 2021 — JBS confirms attack publicly. Australian facilities partially restored.
- 3 June 2021 — US beef plants resume operations. Most JBS facilities operational by 4 June.
- 9 June 2021 — JBS CEO confirms $11 million ransom paid in Bitcoin. FBI attributes attack to REvil.
- 16 June 2021 — Biden-Putin summit in Geneva. Biden provides list of critical infrastructure sectors the US considers off-limits for ransomware attack.
- 2 July 2021 — REvil attacks Kaseya VSA, five weeks after the JBS attack, using the same criminal infrastructure.
- September 2021 — US Treasury designates cryptocurrency exchange SUEX for laundering ransomware payments including REvil’s.
- October 2021 — Yaroslav Vasinskyi arrested in Poland in connection with the Kaseya and JBS attacks.
What defenders should learn
Food manufacturing became critical infrastructure in the public understanding overnight in June 2021. Prior to the Colonial Pipeline and JBS attacks, the framing of critical infrastructure in cybersecurity policy was dominated by energy, finance, and government systems. JBS demonstrated that the disruption of food processing at scale — even for 72 hours — has cascading effects on supply chains and consumer prices significant enough to reach presidential attention. For food manufacturing and agriculture organisations, the JBS incident should be treated as the moment the sector’s threat model was permanently recalibrated.
The backup-plus-payment outcome at JBS illustrates a nuance often missed in the “don’t pay” debate. JBS recovered from backups — the payment was not for a decryptor but to prevent data publication and obtain assurances about residual access. Double extortion (encrypt and exfiltrate) means that even organisations with excellent backup posture face a distinct extortion threat related to their data. The defensive response to this is threefold: DLP controls that limit what data can be staged for exfiltration, network monitoring that detects large-volume outbound data transfers, and data classification that ensures the most sensitive data is the most tightly controlled. If exfiltration cannot be prevented, legal and communications preparation for the possibility of data publication should be part of incident response planning.
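As an added illustration of the second of those three controls (detecting large-volume outbound transfers), the script below is not from the original page or from JBS: it sums outbound bytes per internal host per day from constructed flow records and flags hosts whose current-day volume is an order of magnitude above their own historical median. The internal ranges, thresholds and sample records are all assumptions.

```python
"""Flag internal hosts whose outbound byte volume spikes against their own baseline."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Assumed internal ranges; anything else is treated as external.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample flow records (day, src, dst, bytes_out); not real telemetry.
FLOWS = []
for day in range(1, 5):  # four days of ordinary traffic for two hosts
    FLOWS.append((day, "10.1.1.20", "93.184.216.34", 100_000_000))
    FLOWS.append((day, "10.1.1.21", "93.184.216.34", 100_000_000))
FLOWS += [
    (5, "10.1.1.20", "93.184.216.34", 100_000_000),
    (5, "10.1.1.20", "198.51.100.7", 39_900_000_000),  # bulk transfer to an unfamiliar external host
    (5, "10.1.1.21", "93.184.216.34", 100_000_000),    # steady as before
    (5, "10.1.1.22", "10.2.0.5", 50_000_000_000),      # internal to internal: not counted
    (5, "10.1.1.23", "198.51.100.7", 5_000_000_000),   # host with no prior history
]


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL)


def daily_outbound(flows):
    """Sum bytes per (host, day) for flows that leave the internal ranges."""
    totals = defaultdict(int)
    for day, src, dst, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[(src, day)] += nbytes
    return totals


def find_exfil_candidates(flows, current_day, multiplier=10, floor_bytes=1_000_000_000):
    """Return {host: (today_bytes, baseline_median)} for hosts exceeding both
    an absolute floor and multiplier x their median daily volume on earlier days.
    A host with no history is compared against a baseline of 1 byte."""
    by_host = defaultdict(dict)
    for (host, day), n in daily_outbound(flows).items():
        by_host[host][day] = n
    flagged = {}
    for host, days in by_host.items():
        today = days.get(current_day, 0)
        history = [n for d, n in days.items() if d != current_day]
        baseline = median(history) if history else 0
        if today >= floor_bytes and today > multiplier * max(baseline, 1):
            flagged[host] = (today, baseline)
    return flagged


if __name__ == "__main__":
    for host, (today, base) in find_exfil_candidates(FLOWS, 5).items():
        print(f"{host}: {today} bytes out today vs baseline {base}")
```

A real deployment would read NetFlow/IPFIX or proxy logs and tune the floor and multiplier per host class; the point is that the comparison is against each host's own history, so a single large transfer stands out even on a busy network.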
The 72-hour containment and recovery at JBS is a data point worth noting alongside the months-long recoveries at Norsk Hydro and the HSE. JBS’s IT team restored operations from backups in days. The factors that enabled this — apparently including well-maintained and isolated backup infrastructure, clear incident response protocols, and a contained blast radius — are exactly the capabilities that multi-month recovery organisations lacked. JBS’s ransom payment should not obscure the underlying technical competence of its recovery operation.
Controls that would have helped
Defender controls catalogued in the Controls Desk that would have changed the outcome of this incident, or limited its blast radius. Sourced from regulator and framework guidance — never vendors.
- Workload-based segmentation so a single intrusion can't spread laterally. A flat workload network is one bad day from a NotPetya. Workload-level policy enforcement — identity-aware, application-aware — is the single biggest blast-radius limit in the catalogue.
- Quarterly tested backup restores, with the recovery clock measured. Backups exist at most large organisations. Tested restores do not. The single difference between a six-day outage and a six-hour outage is whether the runbook has actually been run.
- Protective DNS — block command-and-control and known-bad domains at the resolver. Almost every modern intrusion phones home over DNS. A protective resolver that blocks known-bad domains breaks the chain after initial access, often before the operator notices.