No chicken, grain, pork for you —

$5.9 million ransomware attack on farming co-op may cause food shortage

Attack on US farming provider NEW Cooperative may disrupt the food supply chain.

Iowa-based provider of agriculture services NEW Cooperative Inc. has been hit by a ransomware attack, forcing it to take its systems offline. The BlackMatter group behind the attack has demanded a $5.9 million ransom. In leaked negotiation screenshots, the farming cooperative tells the attackers that the incident could significantly disrupt the public supply of grain, pork, and chicken if it cannot bring its systems back online.

BlackMatter says it doesn’t hit “critical infrastructure”

Ransomware group BlackMatter has hit NEW Cooperative and is demanding $5.9 million to provide a decryptor, according to screenshots shared online by threat intel analysts.

"Your website says you do not attack critical infrastructure. We are critical infrastructure... intertwined with the food supply chain in the US. If we are not able to recover very shortly, there is going to be very very public disruption to the grain, pork, and chicken supply chain," a NEW Cooperative representative appears to be telling BlackMatter during a private negotiation chat.

The farming organization says its software powers about 40 percent of grain production and the feed schedules of 11 million farm animals. As such, US federal regulators such as CISA may step in if the cooperative's systems do not come back online soon.

BlackMatter responded that it disagreed with the farming organization falling within the "critical infrastructure" category.

A note seen by Ars on BlackMatter's Tor leak site states the group does not attack hospitals, oil and gas companies, non-profit and government organizations, or those in the defense sector. Should the group accidentally encrypt computers belonging to one of these organizations, victims can ask for a free decryptor. But under BlackMatter's own criteria, the list of "critical infrastructure facilities" is limited to power generation plants and water treatment facilities.

Image caption: BlackMatter claims it doesn't attack critical infrastructure. (Credit: Ax Sharma)

Victim working with law enforcement and security experts

NEW Cooperative states it has informed law enforcement and engaged data security experts to investigate and remediate the situation.

In the meantime, systems were shut down to contain the impact of the attack. "NEW Cooperative recently identified a cybersecurity incident that is impacting some of our company’s devices and systems. Out of an abundance of caution, we have proactively taken our systems offline to contain the threat, and we can confirm it has been successfully contained," a NEW Cooperative spokesperson told BleepingComputer.

Ars also noticed the cooperative's SOILMAP project is currently unavailable. SOILMAP is an agronomic software solution providing soil testing, mapping, and streamlined accounting features to help suppliers bring greater efficiency to their food production process.

Further conversations shared by cybersecurity intel expert Dmitry Smilyanets between BlackMatter and the victim organization show the group's reluctance to work out a solution with NEW Cooperative.

"I am no [sic] threatening you. This is pretty much out of our hands. We can't control what the regulators and US government does. The impact of this attack will likely be much worse than the pipeline attack for context, and we have no way to control that given the disruption this has already caused," a NEW Cooperative representative is seen telling threat actors.

Image caption: Negotiation chat between NEW Cooperative and the BlackMatter ransomware operation.

This incident has echoes of the cyberattack on the world's largest meat processor, JBS, which forced the company to pay an $11 million ransom to REvil threat actors.

BlackMatter has previously been linked to the DarkSide ransomware group that attacked Colonial Pipeline and disappeared afterward.

"What's notable about the attack is the company's insistence that they are critical infrastructure and should therefore be spared as per BlackMatter's own policy. However, the operators behind BlackMatter disagree with this assessment and are continuing to pursue payment from the victim," John Shier, senior security adviser at Sophos, told Ars. "This attack will be the first to test the new US government policy on reporting attacks against critical infrastructure to CISA and the Biden administration's response to such an attack."