BlackMatter Strikes Iowa Farmers Cooperative, Demands $5.9M Ransom

Critical infrastructure appears to have been targeted in the latest ransomware attack, diminishing governments' hopes of curbing such attacks.

A ransomware group believed to be the latest incarnation of the infamous DarkSide cybergang is being blamed for taking down a farmers' cooperative's online network, with the extortionists demanding $5.9 million in ransom.

The group BlackMatter is credited with the attack on an Iowa collective of farmers called NEW Cooperative. The incident occurred over the weekend, locking up computer systems. The threat actors behind the attack are demanding a $5.9 million ransom to provide a decryptor, a sum that will increase to $11.9 million if not paid within five days, according to reports.

The Iowa-based organization is a feed and grain cooperative, with 50 locations. It provides a variety of digital and software services to its network of farmers. As a result of the attack, it had to shut down its operations and also faces the threat of BlackMatter leaking stolen data if it does not pay the ransom, according to reports. This method of double extortion is now common and a hallmark of the former DarkSide group, whose members are believed to now be running the show at BlackMatter.
NEW Cooperative took its systems offline as a mitigation tactic, a representative told BleepingComputer, according to a published report.

“NEW Cooperative recently identified a cybersecurity incident that is impacting some of our company’s devices and systems,” the representative told BleepingComputer, according to the report. “Out of an abundance of caution, we have proactively taken our systems offline to contain the threat, and we can confirm it has been successfully contained.”

The cooperative is working with law enforcement and data security experts to investigate and remediate the situation, according to the report.

Testing Biden’s Warning

The attack comes on the heels of another major attack attributed to BlackMatter on Japanese tech giant Olympus, which occurred Sept. 8. The group—which operates as a ransomware-as-a-service operation—is picking up where DarkSide left off, according to security experts. The former ransomware group, which ceased activity months ago, is believed to be behind a number of successful attacks and even inspired copycat activity.

DarkSide is blamed for the attack on Colonial Pipeline in May, which caused significant disruption in the oil and gas industry. That attack, among others, spurred President Joe Biden to identify 16 sectors of critical national infrastructure and declare them off limits to ransomware attacks—agriculture among them. His comments urged world leaders to cooperate and to better police ransomware activity launched from their own countries against U.S. targets.

The attack on NEW Cooperative shows that the attempt to protect critical infrastructures will take more than words, according to one security professional.

Alleged BlackMatter members defended the attack online in a statement claiming the co-op doesn't count as critical infrastructure because "the volumes of their production do not correspond to the volume to call them critical," according to a published report by Bloomberg.

Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, said the attack suggests a lack of respect for Biden’s directive. “This, predictably, appears to have fallen on deaf ears, with BlackMatter since claiming that they did not believe NEW Cooperative constituted (critical infrastructure),” he said.

Jake Williams, co-founder and CTO at incident-response firm BreachQuest, noted criminals are hard pressed to honor anything.

Federal Eyes on the Incident

It’s unclear if NEW Cooperative will pay the ransom or is in the position to recover its data and get systems back up and running in another way.

However, conversations between representatives of the cooperative and BlackMatter, leaked by security researchers on Twitter, show that NEW Cooperative considers the attack to fall under the government's critical-infrastructure umbrella because of the potential disruption to the food supply chain.

“If we are not able to recover very shortly, there is going to be very very [SIC] public disruption to the grain, pork and chicken supply chain,” the cooperative told BlackMatter, adding that 40 percent of grain production runs on its software and the feed schedules of 11 million animals rely on the organization.

Despite its opinion that the attack was not against critical infrastructure, BlackMatter ultimately will have to answer to the federal government, NEW Cooperative told the group. The cooperative said it will be working with the Cybersecurity and Infrastructure Security Agency (CISA) as it continues to investigate and resolve the incident.

“CISA is going to be demanding answers from us within 12 hours or so and we are going to have to tell them exactly what has happened and why the food supply chain is disrupted,” according to the leaked conversation.

