The BlackMatter ransomware gang has struck an Iowa agricultural business, New Cooperative, and is demanding a $5.9 million ransom.
Several security researchers first called attention to the hack on Monday, and the company confirmed that it had been hit with a cyberattack and shut down its systems in response. It’s another big hit against the agriculture industry, following the May ransomware attack on JBS by REvil, a gang that researchers said has ties to BlackMatter.
“Out of an abundance of caution, we have proactively taken our systems offline to contain the threat, and we can confirm it has been successfully contained,” New Cooperative said in an emailed statement. “We also quickly notified law enforcement and are working closely with data security experts to investigate and remediate the situation.”
New Cooperative is a grain collective based out of Fort Dodge. In negotiations dated Sept. 19 and posted online, a person speaking on behalf of the company said the attack would cause severe problems in the food supply chain.
“We are critical infrastructure – we [sic] intertwined with the food supply chain in the US,” they wrote. “If we are not able to recover very shortly, there is going to be a very very public disruption in the grain, pork and chicken supply chain. About 40% of grain production runs on our software, and 11 million animal feed schedules rely on us.”
The negotiator for New Cooperative said that the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency would be demanding answers within 12 hours, and called attention to BlackMatter’s claim that it doesn’t target critical infrastructure. BlackMatter’s negotiator answered, “You do not fall under the rules.”
The firm did not immediately respond to a request for comment. CISA referred questions back to the company. The federal government has labeled “food and agriculture” as one of the nation’s critical infrastructure sectors.
Dmitry Smilyanets, an analyst at threat intelligence company Recorded Future, said the attack “looks bad.”
“The threat actors claimed to have stolen data related to the complete line of precision tools for guidance, steering, and controlled input usage,” he said via email.
The negotiator told BlackMatter that “The impact of this attack will likely be much worse than the pipeline attack for context,” referring to the Colonial Pipeline ransomware attack in May, which spurred a fuel panic.
The company said in its statement that it was “treating this matter with the utmost seriousness, and we are using every available tool and resource to quickly restore our systems.”
Allan Liska, another analyst at Recorded Future, said he expected CISA and the U.S. Department of Agriculture would be involved in responding to the attack.
Tonya Riley contributed reporting.
Updated, 9/20/21: To include comment from New Cooperative.
Corrected, 9/21/21: To fix the spelling of Dmitry Smilyanets’ name.