JBS Foods REvil ransomware
REvil affiliates encrypted the world's largest meat processor, shutting down beef and pork plants across the U.S., Canada, and Australia. JBS paid an $11 million ransom — one of the largest publicly confirmed ransomware payments at the time.
- Victim: JBS S.A. / JBS USA
- Loss: $100.0M
On 30 May 2021, the REvil ransomware operation simultaneously encrypted infrastructure at JBS S.A. — the world's largest meat processor by revenue — across its U.S., Canadian, and Australian subsidiaries. Beef and pork plants representing roughly a fifth of U.S. meat processing capacity halted operations. JBS USA's CEO subsequently confirmed an $11 million ransom payment in bitcoin, then one of the largest publicly confirmed ransomware payments on record.
What happened
The intrusion began months before encryption. REvil-affiliated operators established reconnaissance access on JBS USA networks in February 2021 and dwelled for approximately three months, mapping the environment and staging the payload. The vector for initial access was not publicly disclosed.
On 30 May 2021 — the Sunday of Memorial Day weekend in the United States — the operators detonated ransomware across:
- JBS USA — beef and pork processing across multiple states
- JBS Canada — beef processing operations in Brooks, Alberta
- JBS Australia — pork and lamb processing
By Monday morning, operations at JBS plants representing roughly 20% of U.S. beef and pork processing capacity were paused. The U.S. meat-supply impact was rapid — wholesale beef prices began rising within 48 hours of the attack — and visible enough that the White House publicly engaged, with Press Secretary Jen Psaki confirming on 1 June that the administration had:
- Communicated directly with JBS leadership.
- Engaged the Russian government to press for action against actors operating from Russian territory.
- Activated U.S. Department of Agriculture coordination on alternative supply.
The payment
On 2 June 2021, JBS paid $11 million in bitcoin to REvil. CEO Andre Nogueira publicly confirmed the payment on 9 June, framing it as a "difficult decision" intended to prevent further disruption and to ensure data was not subsequently leaked.
The payment was politically controversial. At the time:
- The Colonial Pipeline ransom payment ($4.4M) had been made only three weeks earlier and was still fresh in public-policy debate.
- The U.S. government's stated position was that ransom payment was discouraged but not prohibited.
- REvil's principals had not yet been OFAC-designated (designation followed in 2023, in the era of the Yaroslav Vasinskyi indictment).
JBS's payment did successfully unlock the decryptor; plants resumed operations within hours of payment. The full disruption was confined to approximately 48–96 hours of meaningful downtime.
Impact
- 20% of U.S. beef and pork processing capacity offline for ~48–96 hours.
- Wholesale beef prices rose ~1% within days; lasting market impact was modest because of the rapid restoration.
- $11 million ransom paid by JBS USA.
- JBS direct costs beyond ransom: ~$9M in IR, forensics, and additional infrastructure rebuild.
- Total business impact estimated by JBS at ~$100M+, including the export-customer concessions and accelerated security investments that followed.
Attribution
The U.S. FBI publicly attributed the attack to REvil on 2 June 2021. Specific named affiliate attribution emerged later through:
- The DOJ's November 2021 indictment of Yaroslav Vasinskyi for the Kaseya VSA attack and related REvil operations.
- The $6.1 million seizure from Yevgeniy Polyanin announced the same day; Polyanin was publicly named as a REvil affiliate connected to multiple attacks including the JBS operation. Polyanin remains in Russia and has not been arrested.
Vasinskyi's 2024 conviction and sentence of 13 years and 7 months for the broader REvil operation means that accountability for JBS-era REvil activity has been enforced only indirectly, through an indicted affiliate; no individual has been specifically prosecuted for JBS.
Why it matters
JBS is the canonical case for ransomware against food-supply critical infrastructure and the highest-profile early-2021 demonstration that paying the ransom can restore operations quickly — at the cost of all the downstream effects (criminal funding, normalization of payment, sanctions risk).
It established:
- That meat processing represents critical food-supply infrastructure vulnerable to ransomware, with rapid market impact on consumer prices.
- That multi-country simultaneous deployment is operationally achievable for sophisticated ransomware operators — REvil's coordination across the U.S., Canada, and Australia in a single Sunday-night detonation was unusual at the time.
- That direct White House engagement with private-sector ransomware victims is now a default response for critical-infrastructure events. The JBS, Colonial Pipeline, and Kaseya engagements within a 6-week window established the pattern.
- That food-supply sector cybersecurity was, prior to JBS, materially under-invested. Subsequent U.S. CISA guidance and food-sector ISAC formation trace partly to the JBS incident.
Financial impact
Reported costs in USD
- Ransom paid: $11.0M
- Business loss: $80.0M
- Remediation: $9.0M
Timeline
Initial reconnaissance against JBS USA networks by REvil-affiliated operators.
REvil ransomware detonated across JBS USA, JBS Canada, and JBS Australia infrastructure simultaneously. Beef and pork processing plants halt operations.
JBS publicly confirms a 'cybersecurity attack' has affected operations in North America and Australia. Some plants attempt to operate with manual processes.
White House confirms it has been in contact with JBS and the Russian government, citing the attack's impact on U.S. food supply.
JBS pays $11 million in bitcoin ransom (per public statements from JBS USA CEO Andre Nogueira). Operations begin restoring within hours.
JBS publicly confirms payment, describing it as a 'difficult decision' necessary to prevent further disruption.
REvil infrastructure goes offline shortly after the Kaseya VSA attack. The operation reportedly reorganises under continued operator pressure.
U.S. DOJ unseals indictment against Yaroslav Vasinskyi (a REvil affiliate) for Kaseya and related operations; the DOJ also announces seizure of $6.1M from Yevgeniy Polyanin, another REvil affiliate accused of attacks including JBS.
Vasinskyi sentenced to 13y7m + $16M restitution for Kaseya and related REvil operations.
Sources
- jbsfoods.com: https://www.jbsfoods.com/items/our-statement-on-cyberattack
- justice.gov: https://www.justice.gov/opa/pr/department-justice-announces-arrest-and-charges-prolific-ransomware-criminals
- cbsnews.com: https://www.cbsnews.com/news/jbs-cyberattack-ransom-paid-meat-supply/