Iowa farm services provider hit with BlackMatter ransomware and $5.9 million ransom

Security researchers leaked conversations between New Cooperative negotiators and BlackMatter operators.
Written by Jonathan Greig, Contributor

New Cooperative -- an Iowa-based farm service provider -- has been hit with a ransomware attack, continuing a streak of incidents affecting agricultural companies this year. 

The company did not respond to requests for comment but confirmed to Bloomberg News that it was suffering from a "cybersecurity incident" that impacted some of its devices and systems. It told Bloomberg reporters that it took systems offline to "contain the threat."

Ransomware expert Allan Liska shared screenshots of the BlackMatter ransomware leak page with ZDNet, showing the group had troves of financial documents, network information for multiple companies involved with New Cooperative, the social security numbers and personal information for employees, R&D files and the source code for a farmer technology platform called Soil Map. 

The ransomware group claims to have 1,000GB of data and has set a timer that they say expires at noon on September 25.

Liska confirmed that other documents show BlackMatter is demanding a $5.9 million ransom.

On social media, multiple security researchers leaked chats between negotiators for New Cooperative and BlackMatter operators. Representatives for New Cooperative repeatedly say they are part of the much-discussed "16 critical sectors" that US President Joe Biden said were off-limits to ransomware actors in conversations with Russian President Vladimir Putin.

In addition to saying it was part of the country's critical infrastructure, the company noted that there would be "public disruption" to the grain, pork and chicken supply chain if it is not back up and running soon. 

The BlackMatter threat actors refuse to back down, saying only financial losses will be incurred from the attack. The chats also show that New Cooperative said it would have no choice but to contact CISA if it is not back up and running within the next 12 hours.

CISA did not respond to requests for comment, but the company told multiple outlets that law enforcement had already been contacted. 

Reuters reported that the cooperative is involved in a variety of aspects of the grain business, including running grain storage elevators, selling fertilizer, buying from farmers and providing technology to farmers. 

Don Roose, president of US Commodities in West Des Moines, Iowa, told the outlet that this was an especially important week for farmers because this is when harvests begin to ramp up, particularly for crops like soybeans. According to Bloomberg, New Cooperative said it is working with its customers to get grain to animals while it tries to restore its systems. 

Despite the warnings from the White House, ransomware groups have not stopped their attacks on the agriculture industry. Earlier this month, the FBI released a notice warning companies in the food and agriculture sector to watch out for ransomware attacks aiming to disrupt supply chains.

"Food and agriculture businesses victimized by ransomware suffer significant financial loss resulting from ransom payments, loss of productivity, and remediation costs. Companies may also experience the loss of proprietary information and personally identifiable information and may suffer reputational damage resulting from a ransomware attack," the FBI said. 

The notice goes on to list multiple attacks on the food and agriculture sector since November, including a Sodinokibi/REvil ransomware attack on a US bakery company, the attack on global meat processor JBS in May, a March 2021 attack on a US beverage company and a January attack on a US farm that caused losses of approximately $9 million. 

JBS ended up paying an $11 million ransom to the REvil ransomware group after the attack caused meat shortages across the US, Australia and other countries. In November, the FBI also cited an attack on a US-based international food and agriculture business that was hit with a $40 million ransom demand from the OnePercent Group. The company was able to recover from backups and did not pay the ransom.

Former CIA cyber official Marcus Fowler told ZDNet that the attack on New Cooperative is the fourth crippling and high-profile attack on US critical infrastructure in recent months.

Fowler noted that while the Biden Administration can aspire for certain sectors to be off-limits from hackers, significant parts of the US' infrastructure and businesses are interconnected, making it nearly impossible to separate critical from non-critical industries. 

"What's more, if BlackMatter truly is DarkSide 2.0, then this is evidence that the President's talks and warnings have had little impact. Based on the details currently available, there are striking parallels between this attack and the recent campaigns against Colonial Pipeline and JBS," said Fowler, who is now director of strategic threat at cyber firm Darktrace.

"Just like in these instances, New Cooperative took their operational technology (OT) systems offline as a precautionary measure to an IT side attack. We still need to get better at securing OT."

Jake Williams, CTO at BreachQuest, noted that BlackMatter appears to be a spinoff of the REvil group and has been actively recruiting for initial accesses into victim networks in recent months. But others, like Lookout senior manager Hank Schless, said BlackMatter appears to be associated with DarkSide, the group behind the attack on Colonial Pipeline.

Other experts said ransomware groups were ignoring the warnings of law enforcement because ransomware attacks are so lucrative for the attackers and so costly for companies in the agriculture industry.

"Companies working in the agricultural sector are particularly susceptible to ransomware activity as the harvest and fertilization of crops is highly sensitive to external factors; this typically involves weather changes and time of the year, however any delays caused by a ransomware attack could result in a significant loss of productivity and in turn lead to huge amounts of crops being wasted," said said Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows.

"The attack also comes at a time where COVID has resulted in a global shortages of truck drivers, which is impacting food supply chains."

Curtis Simpson, CISO at Armis, added that the food and agriculture industry is heavily reliant upon connected machinery to power key aspects of the business. 

These connected machines are growing targets for bad actors due to most companies' limited visibility into risks and threats impacting these assets, their overall level of exposure to attacks (including through the exploitation of connected machines), and the high likelihood of being paid a ransom if the attack even approaches, let alone impacts, machine-driven operations. 

"Much of the food and agriculture supply chain is also enabled by small operations. Some of these operations were already strained by the pandemic and any such attack could simply knock them out of business for good. Once again, as this happens, downstream operations ranging from foodservice providers to restaurants to hospitals and consumers will all have issues sourcing products," Simpson said. 
