JBS SA and Colonial Pipeline, both critical units of the U.S. infrastructure, forked over multimillion-dollar ransom payments last month after cybercriminals threatened their computer systems.
The silver lining, if any? Those payments may in fact be tax-deductible.
The attack on JBS, the largest food manufacturer yet to be hit by ransomware, was the second in a month on a critical industry. After a gang of hackers targeted servers supporting JBS’ operations in North America and Australia, production was disrupted for several days.
Right before that, hackers believed to operate with impunity in Russia and allied states shut down operation of the Colonial Pipeline, the largest U.S. fuel pipeline, for nearly a week.
In both cases, officials who feared larger consequences paid the ransom. JBS confirmed that it paid the equivalent of $11 million to hackers who broke into its computer system. Officials at Colonial paid a ransom of 75 bitcoin — roughly $4.4 million — to get back online after a separate gang of cybercriminals using the DarkSide ransomware variant broke into the company’s computer system.
Although paying these criminals goes against FBI guidance, the U.S. government offers a little-noticed incentive for those who do pay.
Deductions for ransomware payments are usually allowed under law and established guidance, according to multiple tax experts interviewed by The Associated Press. However, the IRS offers no formal guidance on ransomware payments.
Some officials fear, however, that the deduction is a potentially problematic incentive that could entice businesses to pay ransoms against the advice of law enforcement. At a minimum, they say, the deductibility sends a discordant message to businesses under duress.
"It seems a little incongruous to me," said New York Rep. John Katko, the top Republican on the House Committee on Homeland Security.
Deductibility is a piece of a bigger quandary stemming from the rise in ransomware attacks, in which cybercriminals scramble computer data and demand payment for unlocking the files. The government doesn't want payments that fund criminal gangs and could encourage more attacks. But failing to pay can have devastating consequences for businesses and potentially for the economy overall.
For instance, the nearly weeklong closure of the Colonial Pipeline, which transports about 45% of fuel consumed on the East Coast, sparked long lines and panic buying at gas stations across the Southeast.
The attack on JBS SA, the world’s largest meat processing company, threatened to disrupt food supplies.
"This was a very difficult decision to make for our company and for me personally," said Andre Nogueira, the CEO of JBS USA. "However, we felt this decision had to be made to prevent any potential risk for our customers."
JBS said the vast majority of its facilities were operational at the time it made the payment, but it decided to pay in order to avoid any unforeseen issues and ensure no data was exfiltrated.
Colonial Pipeline CEO Joseph Blount also disclosed that he felt immense pressure to pay in order to protect a critical part of the U.S. infrastructure.
"I will admit that I wasn't comfortable seeing money go out the door to people like this," Blount told the Wall Street Journal. "But it was the right thing to do for the country."
The Associated Press contributed to this report.