US agricultural co-op hit by ransomware, expects food supply chain disruption

New Cooperative Inc., an agricultural cooperative owned by Iowa corn and soy farmers, has been hit by the BlackMatter ransomware group. The attackers are asking the co-op to pay $5,900,000 for the decryption key and not to release the stolen data.

What we know about the ransomware attack on New Cooperative?

New Cooperative is one of the largest farm cooperatives in the US. They confirmed the attack on Monday and said that the “cybersecurity incident” affected some of the company’s devices and systems.

“Out of an abundance of caution, we have proactively taken our systems offline to contain the threat, and we can confirm it has been successfully contained,” the company spokesperson said to The Hill. “We also quickly notified law enforcement and are working closely with data security experts to investigate and remediate the situation.”

According to Bloomberg, the co-op is trying manual workarounds to make sure the impact to its customers is minimized.

The ransomware gang claims to have compromised the co-op’s finance and HR information, network information and passwords, R&D results, and source code of its Soilmap software (currently unavailable).

Apparently, the co-op has been talking to the gang, trying to reason with them and convince them that despite their promises that they would not attack critical infrastructure, they did just that, and that the consequences could be a disruption to the food supply chain.

BlackMatter #Ransomware group just ransomed another food critical infrastructure in the US, The ransom demand is 5,900,000$ for now

The victim is playing by the rules: "@CISAgov is going to be demanding answers from us within the next 12 hours" #BlackMatter pic.twitter.com/Iciet8lhwQ

— DarkFeed (@ido_cohen2) September 20, 2021

#BlackMatter #ransomware making wrong choices again pic.twitter.com/xZq7himn1o

— (@ddd1ms) September 20, 2021

But BlackMatter, which is believed to be linked to the DarkSide group that hit Colonial Pipeline earlier this year, is having none of it.

Advice for companies in critical industries

Grant Geyer, CISO and Chief Product Officer at industrial cybersecurity company Claroty, says that it’s impossible to tell whether the co-op’s OT systems have also been compromised.

“When an organization gets hit with ransomware, they recognize that they can’t demonstrate positive control over their IT environment. It’s therefore a natural reaction to shut down operations, as you don’t know how deeply or broadly the hackers have infiltrated,” he commented.

“This attack demonstrates just how deeply and broadly the US economy and supply chain is interconnected. Ransomware gangs feed on the psychological impact of putting businesses integral to the supply chain between a rock and a hard place, in order to make the choice to pay the ransom the easiest path forward.”

Quentin Rhoads-Herrera, Director of Professional Services at MDR services provider Critical Start, noted that, in terms of negotiations, if NEW Cooperative is going to look at paying for recovery, they need to make sure that the group can actually recover their data before issuing any payments.

“While unlikely, they should also see if the group will disclose items such as how they got the access initially and how they got the data off the network. Finally, the should make sure they have some form of evidence that the data taken off the network is destroyed. If it is possible to recover and remove the attackers from the infrastructure, that would be ideal. Working with the FBI, CISA, and other government agencies can help guide such decisions in these situations.”

In the meantime, since the co-op knows the KeePass data has been stolen, they need to move on locking out accounts and creating new ones with complex passwords and multi factor authentication, he says.

“They also need to work with a firm to conduct incident response activities such as triage to remove any remnants of the attackers while also looking for ‘patient 0’. Understanding the full scope of potential damage that could happen if the data were to be leaked is top priority to start proactively looking at ways to mitigate. Looking forward, critical infrastructure such as backups, source code repositories, and other ‘crown jewels’ need to be heavily monitored and protected from now on to make sure they can recover data if need be and prevent this type of attack from happening in the future if possible.”

Geyer advises companies involved in the food supply chain to make sure they have complete visibility into all of their systems and processes and to continuously monitor for any threats that could result from a targeted or opportunistic attack.

“An accurate asset inventory is the first step toward proper vulnerability management to ensure critical systems are up to current patching levels and compensating controls are in place when appropriate,” he explained.

They should also make sure to segment their network to impede attackers’ lateral network movement, and regularly test incident response plans and conduct tabletop exercises to put those plans into motion without impacting production environments.

“The economic consequences to individual companies are so potentially devastating that the financial calculus will always be tipped towards paying the ransom. For example, in 2019 the city of Baltimore suffered $18 million in losses by deciding not to pay the ransom, which would have only cost only $76,000 at the time. That’s exactly why the US government is taking executive and legislative action to create a system of incentives and disincentives to drive mandatory breach notification,” he concluded.

UPDATE (September 23, 2021, 04:44 a.m. PT)::

Crystal Valley – another US farming cooperative – has been hit by ransomware this week.