NEW Cooperative, a farmer cooperative with 60 locations operating in Iowa, has shut down its operations after a ransomware attack over the weekend. The organization said it proactively took systems offline to contain the attack, echoing a similar strategy employed by Colonial Pipeline and JBS Foods after disruptive ransomware attacks earlier this year.
BlackMatter is allegedly behind the attack, according to researchers and a report by news site Bleeping Computer. BlackMatter is an offshoot of DarkSide, a Russian-speaking ransomware-as-a-service operation responsible for the Colonial Pipeline attack. BlackMatter has reportedly demanded a $5.9 million ransom that will double if not paid within five days, Bleeping Computer said. BlackMatter has also allegedly stolen 1,000 GB of data from NEW Cooperative, and threatens to leak it as well.
Earlier this month, the FBI published a Private Industry Notification (PIN) warning of a rise in the number of ransomware attacks targeting the food and agriculture critical infrastructure sector, and that disruptive attacks could impact the food supply chain.
In a chat session obtained by DarkFeed, a deep web intelligence Twitter feed, NEW Cooperative argues with the attackers about the potential disruption to grain, pork, and chicken supply chains; BlackMatter’s website claims that its ransomware service does not target critical infrastructure. The Biden administration, meanwhile, earlier this year had warned Russian president Vladimir Putin about ransomware attacks targeting U.S. critical infrastructure, and pledged to respond should they continue.
NEW Cooperative, meanwhile, said in its chat with BlackMatter that 40% of grain production runs on its software and 11 million animals’ feed schedules rely on the cooperative. “This will break the supply chain very shortly,” NEW Cooperative’s negotiator said in the chat. BlackMatter countered that NEW Cooperative is not critical infrastructure. “You do not follow under the rules, everyone will only incur losses,” they said. “Everything is tied to the commerce, the critical ones mean the vital needs of a person, and you earn money.”
Some ransomware services no longer just encrypt data and demand a ransom in exchange for a decryptor. Instead, they’ve added tactics and techniques such as data exfiltration and extortion-style threats to leak stolen data if demands are not met. Companies that are likely to pay large ransoms are also preferred targets.
Previously, DarkSide—and now BlackMatter—made similar claims about not targeting critical infrastructure, but criminal operations are profit motivated, and are not to be trusted. Critical infrastructure is a lucrative target, and any player central to a critical supply chain must shore up its defenses or face not only loss of productivity and financial impact, but also extensive remediation costs.
To protect themselves, any company involved in the food supply chain should ensure that they have complete visibility into all of their systems and processes and make sure to continuously monitor for any threats that could result from a targeted or opportunistic attack. An accurate asset inventory is the first step toward proper vulnerability management to ensure critical systems are up to current patching levels and compensating controls are in place when appropriate.
Network segmentation is also a critical strategy to impede attackers’ lateral network movement. Most operational technology (OT) networks are no longer air-gapped, and network segmentation compensates for this by preventing attackers from using stolen credentials or compromising Active Directory and other identity infrastructure in order to move from system to system stealing data and-or dropping malware or exploits.
Strategically, organizations should regularly test incident response plans, and conduct tabletop exercises to put those plans into motion without impacting production environments. Training and testing improves response, and ensures business continuity.