Iowa-based agricultural services provider NEW Cooperative Inc. has been hit by a ransomware attack, forcing it to take its systems offline. The BlackMatter group behind the attack has demanded a ransom of $5.9 million. The farmers’ cooperative says the attack could have a significant impact on public supplies of grain, pork and chicken if it can’t get its systems back online.
BlackMatter says it won’t hit “critical infrastructure”
Ransomware group BlackMatter has hit NEW Cooperative, demanding $5.9 million to provide a decryptor, according to screenshots shared online by threat intelligence analysts.
“Your website says you are not attacking critical infrastructure. We are critical infrastructure… intertwined with the food supply chain in the US. If we cannot recover in the short term, there will be a very public disruption to the grain, pork and chicken supply chain “, a representative of the NEW Cooperative seems to tell BlackMatter during a private negotiation call.
The agricultural organization says its software powers about 40 percent of the grain production and feeding schedules of 11 million farm animals. And as such, U.S. federal government regulators like CISA may soon step in if the cooperative’s systems don’t come back online soon.
Black Matter #Ransomware group just ransomed another food-critical infrastructure in the US. The ransom demand is currently $5,900,000
The victim plays by the rules: “@CISAgov will demand answers from us within the next 12 hours”#BlackMatter pic.twitter.com/Iciet8lhwQ
— DarkFeed (@ido_cohen2) September 20, 2021
BlackMatter replied that it disagreed with the agricultural organization falling into the “critical infrastructure” category.
A note Ars saw on BlackMatter’s Tor leak site states that the group does not attack hospitals, oil and gas companies, non-profit and government organizations, and those in the defense sector. Should the group accidentally encrypt computers belonging to one of these organizations, victims can request a free decryptor. But the list of “critical infrastructures” is limited to power plants and water treatment plants, according to BlackMatter’s criteria.
Victims working with law enforcement and security experts
NEW Cooperative says it has notified law enforcement and engaged data security experts to investigate and remedy the situation.
Meanwhile, systems were shut down to contain the impact of the attack. “NEW Cooperative recently identified a cybersecurity incident affecting some of our company’s devices and systems. As a precaution, we have proactively taken our systems offline to contain the threat, and we can confirm that it has been successfully contained,” a NEW Cooperative spokesperson told BleepingComputer.
Ars also noted that the cooperative’s SOILMAP project is currently unavailable. SOILMAP is an agronomic software solution that provides soil surveying, mapping and streamlined accounting features to help suppliers make their food production process more efficient.
Further Conversations Shared by Cybersecurity Intel Expert Dmitry Smiyanets between BlackMatter and the victim organization show the group’s reluctance to come to a solution with NEW Cooperative.
“I’m not [sic] threaten you. This is almost out of our hands. We have no control over what the regulators and the US government do. The impact of this attack will likely be much worse than the pipeline attack for context, and we have no way to control that given the disruption this has already caused,” said a representative of the NEW Threat Actors Cooperative.
This incident has echoes of the cyberattack on the world’s largest meat processor, JBS, which forced the company to pay an $11 million ransom to REvil threat actors.
BlackMatter has previously been associated with the DarkSide ransomware group that attacked Colonial Pipeline and then disappeared.
“What is remarkable about the attack is that the company insists it is critical infrastructure and should therefore be spared as per BlackMatter’s own policy. However, the operators behind BlackMatter disagree with this assessment and continue to pursue victim payment,” John Shier, senior security adviser at Sophos, told Ars. “This attack will be the first to test the new US government policy for reporting critical infrastructure attacks to CISA and the Biden administration’s response to such an attack.”