$5.9 million ransomware attack on farmer cooperative could lead to food shortage




Iowa-based agricultural service provider NEW Cooperative Inc. has been hit by a ransomware attack, forcing it to take its systems offline. The BlackMatter group behind the attack demanded a ransom of $5.9 million. The agricultural cooperative says the attack could have a significant impact on the public supply of grain, pork and chicken if it cannot bring its systems back online.

BlackMatter says it doesn’t hit “critical infrastructure”

Ransomware group BlackMatter has hit NEW Cooperative and is asking $5.9 million to provide a decryptor, according to screenshots shared online by threat intelligence analysts.

“Your website says you’re not attacking critical infrastructure. We are critical infrastructure… closely linked to the food supply chain in the United States. If we are not able to recover very quickly, there will be a very, very public disruption of the grain, the pork and chicken supply chain,” a representative of the NEW Co-op seems to tell BlackMatter in a private negotiation discussion.

The farm organization says its software powers about 40 percent of grain production and feeding programs for 11 million farm animals. And, as such, US federal government regulators like CISA may soon step in if the cooperative’s systems don’t come back online soon.

BlackMatter responded that it disagreed that the farm organization falls under the “critical infrastructure” category.

A note seen by Ars on BlackMatter’s Tor leak site says the group does not attack hospitals, oil and gas companies, nonprofits and government organizations, and those in the defense industry. If the group accidentally encrypts computers belonging to one of these organizations, victims can request a free decryptor. But by BlackMatter’s criteria, the list of “critical infrastructure facilities” is limited to power plants and water treatment facilities.

BlackMatter claims it does not attack critical infrastructure.

Ax Sharma

Victim working with law enforcement and security experts

NEW Cooperative says it has informed law enforcement and hired data security experts to investigate and remedy the situation.

In the meantime, the systems have been shut down to contain the impact of the attack. “NEW Cooperative recently identified a cybersecurity incident impacting some of our business devices and systems,” a NEW Cooperative spokesperson told BleepingComputer.

Ars also noticed that the cooperative’s SOILMAP project is currently unavailable. SOILMAP is an agronomic software solution providing soil analysis, mapping and simplified accounting functionality to help suppliers improve the efficiency of their food production process.

Other conversations between BlackMatter and the victim organization, shared by cybersecurity intelligence expert Dmitry Smilyanets, show the group’s reluctance to find a solution with NEW Cooperative.

“I’m not [sic] threatens you. It’s pretty much out of our hands. We cannot control what the regulators and the US government are doing. The impact of this attack will likely be much worse than the pipeline attack for the context, and we have no way of controlling this given the disruption this has already caused,” a NEW Cooperative representative told the threat actors.

Negotiation discussion between the NEW Co-op and the BlackMatter ransomware operation.

This incident echoes the cyberattack on the world’s largest meat processor, JBS, which forced the company to pay an $11 million ransom to the REvil threat actors.

BlackMatter has previously been linked to the DarkSide ransomware group that attacked Colonial Pipeline and subsequently disappeared.

“What is remarkable about the attack is the company’s insistence that it is critical infrastructure and therefore must be spared in accordance with BlackMatter’s own policy. However, the operators behind BlackMatter do not agree with this assessment and continue to demand payment from the victim,” John Shier, senior security advisor at Sophos, told Ars. “This attack will be the first to test the US government’s new policy on reporting attacks on critical infrastructure to the CISA and the Biden administration’s response to such an attack.”


