NSA, DHS shine light on BlackMatter ransomware threat to food industry, demands of up to $15 million
A government advisory published Monday warned that BlackMatter ransomware attackers are going after U.S. critical infrastructure, including food and agriculture organizations, and demanding exorbitant payouts.
It’s the latest joint alert from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the FBI and the National Security Agency, this time about a form of ransomware that first emerged in July. It comes just days after a similar alert about ransomware threats to water and wastewater facilities. It’s also part of a recent push by federal security agencies to put a focus on the food and agriculture sector.
“This advisory highlights the evolving and persistent nature of criminal cyber actors and the need for a collective public and private approach to reduce the impact and prevalence of ransomware attacks,” said Eric Goldstein, executive assistant director for cybersecurity at CISA.
BlackMatter seeks between $80,000 and $15 million in cryptocurrency, including bitcoin and Monero, to unlock its victims’ systems, the government agencies said. BlackMatter ransomware developers operate on a ransomware-as-a-service model, where they lease some illicit responsibilities and share in the profits with other scammers who use their malware.
The report doesn’t name the two food and agriculture organizations mentioned in the alert, and CISA referred questions about their identities to the FBI, which did not immediately respond to a request for comment. But in September, two separate ag organizations suffered ransomware attacks.
Intruders first breached New Cooperative, an Iowa grain collective, which resulted in the business taking some of its systems offline and warning of food supply disruptions. By October, New Cooperative was still working to restore normal operations. BlackMatter took credit for that attack.
Then, Crystal Valley Cooperative, a Minnesota agriculture supplier, said it was breached, but didn’t identify its attackers. Alan Liska, a senior intelligence analyst at cybersecurity firm Recorded Future, said BlackMatter was behind that attack, and posted about it on its extortion site.
Both incidents followed an intrusion at meat supplier JBS, which led to meat processing plant shutdowns in June. The FBI blamed the REvil gang for that attack.
The latest alert says that BlackMatter might be a rebranded version of DarkSide, which he FBI said was behind the attack on Colonial Pipeline. That echoes private sector research that found links between BlackMatter, DarkSide and REvil. DarkSide and REvil both disappeared after a series of major attacks, although REvil has had a rocky return.
Monday’s alert comes shortly after a September private industry notification from the FBI about ransomware threats to the food and agriculture industry.
“Ransomware attacks targeting the Food and Agriculture sector disrupt operations, cause financial loss, and negatively impact the food supply chain,” that notification read. “Ransomware may impact businesses across the sector, from small farms to large producers, processors and manufacturers, and markets and restaurants.”