Crystal Valley Farm Coop Hit with Ransomware

It’s the second agricultural business to be seized this week and portends a bitter harvest with yet another nasty jab at critical infrastructure.

Crystal Valley, a Minnesota-based farm supply and grain marketing cooperative, has become the second U.S. agriculture business to be hit with a ransomware attack this week.

The company released a statement about the attack on its website on Tuesday afternoon, but as of Wednesday afternoon, the site had been knocked offline and was still down.

Crystal Valley confirmed in a Facebook post that it had been alerted to the attack on Sunday afternoon, Sept. 19.


“Crystal Valley has been targeted in a ransomware attack. The attack has infected our … computer systems and interrupted the daily operations of our company,” according to the Facebook post.

Payment Systems Down

The cooperative said that the attack has shut down its payment systems. It can’t presently accept Visa, Mastercard, and Discover cards at its cardtrols “until further notice,” although “local cards do work.” Cardtrols are devices that give authorized holders access to a fuel dealer’s unattended pumps or other dispensers for gasoline or special fuels.

As of Wednesday, there was no news of which ransomware strain infected the coop, nor of how large a ransom was being demanded. Threatpost reached out to Crystal Valley to find out and will update this article once we hear back.

A Bitter Harvest

The Crystal Valley attack followed fast on the heels of another ransomware hit on a U.S. food business over the weekend. In the first attack to be reported this week, the ransomware gang BlackMatter was credited with seizing the computer systems of an Iowa farmers cooperative called NEW Cooperative.

Experts have traced similarities between BlackMatter and both the DarkSide and REvil ransomware gangs, but a purported BlackMatter representative last month told Recorded Future threat intelligence analyst Dmitry Smilyanets that the new ransomware reflects lessons the group learned from both of those ransomware-as-a-service (RaaS) operators, as well as from the LockBit gang, and that BlackMatter improves on them all.

The BlackMatter rep said that the gang believes that, to a large extent, REvil and DarkSide exited the RaaS market due to saber rattling from the U.S.

In fact, REvil’s servers went offline just days after President Biden pressed Russian President Putin to shut down ransomware groups operating from Russia. Shortly before the geopolitical scene got hot, REvil had attacked an important piece of critical infrastructure: namely, the global meat supplier JBS Foods. For its part, DarkSide had launched a ransomware attack on Colonial Pipeline in early May, leading to gas hoarding along the U.S. East Coast.

BlackMatter took the geopolitical situation into account when designing its infrastructure, the rep said, and believes that “we can withstand the offensive cyber capabilities of the United States.”

The BlackMatter spokesperson also said that the gang plans to moderate the targets and is taking a hands-off approach to encrypting critical infrastructure, given that such attacks “would attract unwanted attention to us.”

The threat actors behind the NEW Cooperative attack are demanding a $5.9 million ransom in exchange for a decryptor, a figure they said would rise to $11.9 million if not paid within five days.

Attacks on Food Suppliers Are Becoming as Common as Dirt

Anurag Kahol, CTO and co-founder of Bitglass, told Threatpost on Wednesday that the Crystal Valley attack highlights how common ransomware attacks against critical infrastructure have become.

“Unfortunately, cybercriminals are more likely to target and put up a hefty ransom for large organizations that are vital to the flow of the U.S. economy in hopes that they will hastily pay the ransom to recover their operations,” Kahol said via email.

To prevent ransomware attacks, he suggested that organizations have to get full visibility and control over their entire IT ecosystem. “Comprehensive security platforms such as a secure access service edge (SASE) can deliver end-to-end threat protection, while actively identifying and remediating both known and zero-day threats,” he commented. “With a multi-faceted, unified solution in place, organizations can proactively stay ahead of sophisticated threats.”

