Iowa-based agricultural service provider NEW Cooperative Inc. has been hit by a ransomware attack, forcing it to take its systems offline. The BlackMatter group behind the attack has filed a ransom demand for $ 5.9 million. The agricultural cooperative is seen to claim that the attack could significantly affect the public supply of grains, pork and chicken if it cannot bring its systems back online.
BlackMatter Says It Doesn’t Affect “Critical Infrastructure”
Ransomware group BlackMatter has reached the NEW Cooperative and is demanding $ 5.9 million to provide a decryptor, according to screenshots shared online by threat intelligence analysts.
“Your website says it doesn’t attack critical infrastructure. We are critical infrastructure … intertwined with the food supply chain in the US. If we can’t recover very soon, there will be a very, very public disruption to the grain. , pork and chicken supply chain, “a representative of the NEW Cooperative appears to be telling BlackMatter during a private negotiation talk.
The farm organization says its software powers about 40 percent of the grain production and feeding programs of 11 million farm animals. And as such, US federal government regulators like CISA could intervene soon in case the cooperative’s systems are not back online anytime soon.
🌐 BlackMatter #Data hijacking group just rescued another critical food infrastructure in the US, rescue demand is $ 5,900,000 for now 🚨
– DarkFeed (@ ido_cohen2) September 20, 2021
BlackMatter responded that it disagreed with the farm organization that falls under the category of “critical infrastructure.”
A note seen by Ars on BlackMatter’s Tor leak site states that the group does not target hospitals, oil and gas companies, government and non-profit organizations, and the defense sector. If the group accidentally encrypts computers belonging to one of these organizations, victims can request a free decryptor. But, the list of “critical infrastructure facilities” is limited to power generation plants and water treatment facilities, per BlackMatter criteria.
Victim working with security and law enforcement experts
NEW Cooperative claims that it has informed law enforcement and hired data security experts to investigate and remedy the situation.
Meanwhile, systems were shut down to contain the impact of the attack. “NEW Cooperative recently identified a cybersecurity incident that is affecting some of our company’s devices and systems. As a precaution, we have proactively shut down our systems to contain the threat and we can confirm that it has been successfully contained,” a spokesperson. of the NEW Cooperative said BleepingComputer.
Ars also noted that the cooperative’s SOILMAP project is currently unavailable. SOILMAP is an agronomic software solution that provides optimized soil analysis, mapping, and accounting functions to help suppliers bring greater efficiency to their food production process.
More conversations shared by an Intel cybersecurity expert Dmitry Smilyanets between BlackMatter and the victim organization show the group’s reluctance to find a solution with NEW Cooperative.
“I am not [sic] threatening you. This is practically out of our hands. We cannot control what the US government and regulators do. The impact of this attack will likely be much worse than the pipeline attack for context, and we have no way of controlling that given the disruption this has already caused, “a representative from the NEW Cooperative is seen telling actors from threats.
This incident has echoes of the cyber attack on the world’s largest meat processor, JBS, which forced the company to pay a ransom of $ 11 million they are equivalent to the actors of the REvil threat.
BlackMatter has previously been linked to the DarkSide ransomware group that attacked Colonial Pipeline and then disappeared.
“What is notable about the attack is the company’s insistence that they are critical infrastructure and therefore should be avoided per BlackMatter’s own policy. However, the operators behind BlackMatter do not agree with this assessment and continue to request the victim’s payment, “said John Shier. senior security advisor at Sophos, told Ars. “This attack will be the first to test the new US government policy on reporting attacks against critical infrastructure to CISA and the Biden administration’s response to such attack. “