Major American Agriculture Cooperative Hit by the ‘BlackMatter’ Ransomware Gang

Written by Bill Toulas
Published on September 21, 2021

The Iowa-based agricultural cooperative ‘New Cooperative’ has confirmed that it was the target of a ransomware attack launched by the ‘BlackMatter’ group, believed to be a Russian-speaking actor who appeared in the field this summer, following the disbanding of other highly successful RaaS programs. In fact, it is thought that ‘BlackMatter’ is the spiritual successor of ‘DarkSide,’ the ransomware group that was responsible for the attack on the ‘Colonial Pipeline’ that sparked a political crisis between Russia and the United States.

The latest attack crippled some of the systems in the organization, while the rest were taken offline out of an abundance of caution. As such, whatever could return to manual has gone “old school,” and farmers of the cooperative are now using pen and paper for measuring grain moisture content, truck weight, etc. Some systems, though, like the animal feeding systems, don’t have very effective workarounds as the livestock is too populous to handle with the existing workforce and without automation, so the cyberattack has had a considerable impact on the speed of all processes.

According to deep web intelligence firms, the attack unfolded during the weekend, which is typical, and the ransom demand was set at $5.9 million, with the actors threatening to double the amount in five days if a resolution isn’t reached by then. The actors raise the extortion heat by threatening to leak the files they stole from ‘New Cooperative,’ including employee information, financial documents, R&D material, source code, and more.

Because ‘New Cooperative’ is so crucial in the food supply of the state of Iowa and the country in general, the crosstalk that has leaked is interesting. The company representative basically warns ‘BlackMatter’ that they hit an entity that should be excluded based on the agreements made between the two presidents a few months ago. The actor said ‘New Cooperative’ doesn’t fall under the rules, so the approach to extortion remained unchanged.

Interestingly, we checked BlackMatter’s Tor portal today, and the entry is no longer there. Possibly, the actors have decided that they bit off more than they could chew, or they took the negotiations to a more private space.

Jake Williams, Co-Founder and CTO at BreachQuest, told TechNadu:

Although ‘BlackMatter’ says it will not target “critical infrastructure facilities”, the definition the group uses in its blog is different from the US government’s definition of critical infrastructure, which would include New Cooperative. Given that the Biden administration is already telegraphing more oversight and regulation around paying ransoms, impacting yet another critical infrastructure target certainly won’t help the situation for threat actors. They may view New Cooperative as an IT company, possibly owing that distinction to the SoilMap software product. Ironically, this distinction would be meaningless to the administration since the information technology sector is also considered a critical infrastructure under the designations from DHS and CISA.
