Critical infrastructure was targeted in a massive ransomware attack allegedly conducted by the BlackMatter group, a reincarnation of the infamous DarkSide cybergang. Researchers leaked conversations between New Cooperative negotiators and BlackMatter operators.
A new ransomware group is being held responsible for taking down a farmers’ cooperative’s online network, with extortionists demanding a jaw-dropping $5.9 million ransom.
The cybercriminal group allegedly attacked an Iowa collective of farmers called NEW Cooperative. The incident took place over the weekend, encrypting files and denying access to all computer systems. Those responsible are now demanding $5.9 million in exchange for a decryptor, which will leap to $11.9 million if the cooperative fails to pay within five days.
The Iowa-based feed and grain cooperative operates in 50 locations. It offers a wide range of digital and software services to its farmers. Following the attack, it had to shut down its operations and also faces the threat of attackers exposing stolen data if it does not pay the ransom, according to reports.
NEW Cooperative took its systems offline as part of a mitigation strategy, a representative told BleepingComputer.
“NEW Cooperative recently identified a cybersecurity incident that is impacting some of our company’s devices and systems,” the representative told BleepingComputer, according to the report. “Out of an abundance of caution, we have proactively taken our systems offline to contain the threat, and we can confirm it has been successfully contained.”
According to the report, the organization is working with law enforcement and cybersecurity experts to investigate and resolve the unfortunate situation.
BlackMatter Is Testing Biden’s Warning
According to experts, BlackMatter operates as a ransomware-as-a-service group and is picking up where DarkSide left off. DarkSide, which went off the radar months ago, is thought to be behind various successful attacks.
The DarkSide group is blamed for the attack on Colonial Pipeline back in May, which caused major disruptions in the fuel sector. That attack, among other similar ones, prompted U.S. President Joe Biden to identify 16 sectors of critical national infrastructure, including agriculture, and declare them off-limits to ransomware operators.
“What’s more, if BlackMatter truly is DarkSide 2.0, then this is evidence that the President’s talks and warnings have had little impact. Based on the details currently available, there are striking parallels between this attack and the recent campaigns against Colonial Pipeline and JBS,” said Marcus Fowler, director of strategic threat at cybersecurity firm Darktrace.
The attack on the farmers’ cooperative defies Biden’s warnings and indicates that defending critical infrastructure takes more than words.
Experts explained that ransomware groups were ignoring the warnings because attacks on organizations in the agriculture industry are so profitable for attackers and so costly for victims.
“Companies working in the agricultural sector are particularly susceptible to ransomware activity as the harvest and fertilization of crops is highly sensitive to external factors; this typically involves weather changes and time of the year, however any delays caused by a ransomware attack could result in a significant loss of productivity and in turn lead to huge amounts of crops being wasted,” said Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows.
“The attack also comes at a time where COVID has resulted in a global shortage of truck drivers, which is impacting food supply chains.”
Curtis Simpson, CISO at Armis, added that the food and agriculture industry is heavily reliant upon connected machinery to power key aspects of the business.
“Much of the food and agriculture supply chain is also enabled by small operations. Some of these operations were already strained by the pandemic and any such attack could simply knock them out of business for good. Once again, as this happens, downstream operations ranging from foodservice providers to restaurants to hospitals and consumers will all have issues sourcing products,” Simpson said.
FBI Focused On The Incident
It remains unclear whether NEW Cooperative will pay up or is in a position to recover the stolen data and get its systems back up and running.
Negotiations between representatives of the organization and BlackMatter extortionists leaked by security researchers on Twitter indicate that NEW Cooperative believes that the attack falls under the government’s critical infrastructure protection because of the potential disruption to the food supply chain.
“If we are not able to recover very shortly, there is going to be very very [SIC] public disruption to the grain, pork and chicken supply chain,” the cooperative told BlackMatter, adding that 40% of grain production runs on its software and the feed schedules of 11 million animals rely on the company.
NEW Cooperative warned its attackers that, although BlackMatter believes the attack was not against critical infrastructure, the ransomware gang will ultimately have to answer to the federal government. The cooperative said it will be working with the Cybersecurity and Infrastructure Security Agency (CISA) as it continues to investigate and remediate the incident.
“CISA is going to be demanding answers from us within 12 hours or so and we are going to have to tell them exactly what has happened and why the food supply chain is disrupted,” according to the leaked conversation.