Iowa-based grain cooperative NEW Cooperative Inc. was struck by BlackMatter ransomware recently and has shut down its computer systems as it tries to mitigate the attack. BlackMatter is demanding a $5.9 million ransom.
NEW Cooperative confirmed that they had been attacked and said they had contacted law enforcement and worked with data security experts to investigate and remediate the situation.
According to screenshots shared online by threat intelligence analysts, the farming cooperative has said the attack could significantly impact the public supply of grain, pork, and chicken if it cannot bring its systems back online. “Your website says you do not attack critical infrastructure. We are critical infrastructure... intertwined with the food supply chain in the U.S. If we are not able to recover very shortly, there is going to be [a] public disruption to the grain, pork, and chicken supply chain,” a NEW Cooperative representative appears to tell BlackMatter during a private negotiation chat.
The threat group disagreed with the organization falling within the “critical infrastructure” category.
“I am [not] threatening you. This is pretty much out of our hands. We can’t control what the regulators and U.S. government [do]. The impact of this attack will likely be much worse than the pipeline attack for context, and we have no way to control that given the disruption this has already caused,” a NEW Cooperative representative told the threat actors.
Ars Technica noticed the cooperative's SOILMAP project is currently unavailable. SOILMAP is a software agronomic solution providing soil testing, mapping, and streamlined accounting features to help suppliers bring greater efficiency to their food production process.
For companies working in the agricultural sector, any delays caused by a ransomware attack could result in a significant loss of productivity and, in turn, lead to vast amounts of crops being wasted, says Chris Morgan, Senior Cyber Threat Intelligence Analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions. “The attack also comes at a time where COVID has resulted in a global shortage of truck drivers, which is impacting food supply chains. The risk posed by ransomware groups targeting food & beverage and agricultural sectors was highlighted by the FBI in early September, who stated that the systems used by agriculture — including industrial control systems and smart technologies — were being actively targeted by ransomware groups.”
In addition, Morgan points out that the attack against the cooperative shows a willingness from ransomware groups to continue target critical national infrastructure (CNI). In July 2021, U.S. President Joe Biden provided Russian Premier Vladimir Putin a list of 16 critical infrastructure sectors that are “off limits” for ransomware attacks, including telecommunications, healthcare, energy, and those involved with food production. Morgan says, “While Putin likely does not have a direct influence on the operations conducted by ransomware groups, the dialogue between the two leaders was aimed at pressuring Russia to take a more active role in tackling ransomware activity. This, predictably, appears to have fallen on deaf ears, with BlackMatter since claiming that they did not believe NEW Cooperative constituted CNI.”
BlackMatter emerged back in July, claiming to combine the best features of the now-defunct Darkside and REvil ransomware groups. The threat actor group claims not to conduct attacks against organizations in several industries, including healthcare, critical infrastructure, oil and gas, defense, non-profit and government. However, several security researchers quickly questioned if BlackMatter had connections to either DarkSide or REvil, which suddenly went dark after the cyberattacks on JBS, Kaseya and Colonial Pipeline.
Jake Williams, Co-Founder and CTO at BreachQuest, an Augusta, Georgia-based leader in incident response, says, “BlackMatter appears to be a spinoff of the REvil group and has been actively recruiting for initial accesses into victim networks in recent months. Although the group says it will not target “critical infrastructure facilities,” the definition the group uses in its blog is different from the U.S. government’s definition of critical infrastructure, which would include NEW Cooperative. Given that the Biden administration is already telegraphing more oversight and regulation around paying ransoms, impacting yet another critical infrastructure target certainly won’t help the situation for threat actors. The threat actors may view NEW Cooperative as an I.T. company, possibly owing that distinction to the SoilMap software product. Ironically, this distinction would be meaningless to the administration since the information technology sector is also considered critical infrastructure under the designations from DHS and CISA.”
Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based endpoint-to-cloud security company, believes BlackMatter may be associated with DarkSide. “Even though DarkSide seemingly disbanded after the Colonial Pipeline attack, it’s clear that either some members regrouped or someone was able to get their hands on DarkSide’s ransomware. Interestingly, this comes after President Biden’s public statements regarding Russia-based threat actors targeting critical United States infrastructure. DarkMatter claimed that NEW Cooperative doesn’t reach the threshold that the President laid out. Threat actors already operate outside the bounds of the law, so why would they suddenly comply with statements like this? If this is the attitude Russia-based threat actors have towards the President’s warnings, then this could be indicative of similar attacks to come.”
Schless adds, “This should serve as a wake-up call to every organization that they need to take action to protect themselves. The President’s statements on these types of attacks have done a fantastic job of conveying the importance of cybersecurity, but it’s on organizations to put those words into actions and shore up their defenses.”