Iowa-based provider of agriculture services NEW Cooperative Inc. has been hit by a ransomware attack, forcing it to take its systems offline. The BlackMatter group that is behind the attack has put forth a $5.9 million ransom demand. The farming cooperative is seen stating the attack could significantly impact the public supply of grain, pork, and chicken if it cannot bring its systems back online.
BlackMatter says it doesn’t hit “critical infrastructure”
Ransomware group BlackMatter has hit NEW Cooperative and is demanding $5.9 million to provide a decryptor, according to screenshots shared online by threat intel analysts.
“Your website says you do not attack critical infrastructure. We are critical infrastructure… intertwined with the food supply chain in the US. If we are not able to recover very shortly, there is going to be very very public disruption to the grain, pork, and chicken supply chain,” a NEW Cooperative representative appears to be telling BlackMatter during a private negotiation chat.
The farming organization says its software powers about 40 percent of grain production and feed schedules of 11 million farm animals. And, as such, US federal government regulators like CISA may soon step in should the cooperative’s systems not come back online soon.
🌐 BlackMatter #Ransomware group just ransomed another food critical infrastructure in the US, The ransom demand is 5,900,000$ for now 🚨
— DarkFeed (@ido_cohen2) September 20, 2021
BlackMatter responded that it disagreed with the farming organization falling within the “critical infrastructure” category.
A note seen by Ars on BlackMatter’s Tor leak site states the group does not attack hospitals, oil and gas companies, non-profit and government organizations, and those in the defense sector. Should the group accidentally encrypt computers belonging to one of these organizations, victims can ask for a free decryptor. But, the list of “critical infrastructure facilities” is limited to power generation plants and water treatment facilities, according to BlackMatter’s criteria.
Victim working with law enforcement and security experts
NEW Cooperative states it has informed law enforcement and engaged data security experts to investigate and remediate the situation.
In the meantime, systems were shut down to contain the impact of the attack. “NEW Cooperative recently identified a cybersecurity incident that is impacting some of our company’s devices and systems. Out of an abundance of caution, we have proactively taken our systems offline to contain the threat, and we can confirm it has been successfully contained,” a NEW Cooperative spokesperson told BleepingComputer.
Ars also noticed the cooperative’s SOILMAP project is currently unavailable. SOILMAP is a software agronomic solution providing soil testing, mapping, and streamlined accounting features to help suppliers bring greater efficiency to their food production process.
Further conversations shared by cybersecurity intel expert Dmitry Smilyanets between BlackMatter and the victim organization show the group’s reluctance to work out a solution with NEW Cooperative.
“I am no [sic] threatening you. This is pretty much out of our hands. We can’t control what the regulators and US government does. The impact of this attack will likely be much worse than the pipeline attack for context, and we have no way to control that given the disruption this has already caused,” a NEW Cooperative representative is seen telling threat actors.
This incident has echoes of the cyberattack on the world’s largest meat processor, JBS, that forced the company to pay an $11 million ransom amount to REvil threat actors.
BlackMatter has previously been linked to the DarkSide ransomware group that attacked Colonial Pipeline and disappeared afterward.
“What’s notable about the attack is the company’s insistence that they are critical infrastructure and should therefore be spared as per BlackMatter’s own policy. However, the operators behind BlackMatter disagree with this assessment and are continuing to pursue payment from the victim,” John Shier, senior security adviser at Sophos, told Ars. “This attack will be the first to test the new US government policy on reporting attacks against critical infrastructure to CISA and the Biden administration’s response to such an attack.”