Exposed ransomware negotiations shed light on cybercrime, but complicate things for victims

The hijacking raises questions about what happens when sensitive negotiations become public.

Less than 48 hours before the deadline for Iowa-based grain cooperative New Cooperative to pay the BlackMatter ransomware group’s demands, negotiations seemed to take an interesting turn.

BlackMatter, which has threatened to leak sensitive data allegedly stolen from New Cooperative, ramped up those threats this week after claiming the company “violated our data recovery guidelines” during negotiations by allegedly working with recovery firm Coveware.

The victim shot back with a surprising barb.

“The only thing we violated was your mother,” the victim said, according to chat logs shared by Dmitry Smilyanets, an analyst at threat intelligence company Recorded Future.


Except, there was a problem: The “victim” wasn’t actually New Cooperative. It was a random troll.

“We don’t know who the user ‘victim’ is but it is not us. Please close this TOR page so no more random people from the internet make posts here,” a user that appears to be a negotiator for New Cooperative wrote after escalating threats from BlackMatter to leak the data.



At this point, the fake “victim” seemed to break character. “Don’t you dare give them your email or pay them!” they wrote. After the trolling incident, BlackMatter added a verification process to the victim chat page.

The incident raises questions about the potential drawbacks of highly sensitive ransomware negotiations entering the public spotlight. Once public, chats that can provide a goldmine of intelligence for researchers and law enforcement can also become a stomping ground for trolls.

And while New Cooperative was able to regain control of its chat, it might not have been so lucky.

“It’s a possibility that maybe the threat actor won’t catch on as easily and they’ll just sever communication altogether,” said Drew Schmitt, principal threat intelligence analyst at GuidePoint Security. “And now you’re not able to decrypt files, so I definitely think that there is a relatively high potential for a lot of negative aspects to come out of that.”

Recorded Future’s Smilyanets agrees that the hijacking of negotiations can add complications for victims. However, he argued that there is value in adding transparency to the process.


“Every medal has two sides. I see value in transparent and unaltered reporting that disrupts threat actor’s activities,” Smilyanets wrote in an email. “We publicly reported the activities of DarkSide and their transformation to BlackMatter. Those reports help the policymakers to make their decisions.”

A New Cooperative spokesperson declined to comment on the negotiations or provide information on what, if any, systems had been restored. The spokesperson said that the company had backup processes in place to prevent supply chain disruptions.

“We’ve made progress on remediation and our engagement with law enforcement and CISA has been very helpful in those efforts,” a New Cooperative spokesperson said, referring to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.

Coveware CEO Bill Siegel declined to comment.

While there’s no evidence that the attack has yet led to any major supply chain disruptions, New Cooperative’s situation could get worse if BlackMatter follows through on leaking the documents it allegedly stole from the company.


Hackers claimed to have stolen financial information such as invoices and payrolls; “full legal and executive information”; information about employees, including their driver’s licenses and Social Security numbers; and product information including research and development results.

The hackers also claim to have access to code for the company’s SOILMAP, a precision agriculture service that partners with companies including John Deere. As of Friday, the service remains unavailable.

The hackers’ deadline for New Cooperative to pay the ransom is noon Saturday.

The attack against New Cooperative is the second against the agricultural sector within a week, underscoring the fragility of the sector’s cyber defenses. Minnesota-based Crystal Valley Cooperative had the operations of its payment systems disrupted earlier this week by unidentified attacks, the Mankato Free Press reported. An unnamed U.S. farm lost $9 million after a January ransomware incident, according to an FBI security alert earlier this month.

The incidents have also gained the attention of the Biden administration.


“I would strongly encourage all of us as commissioners, directors, and secretaries to encourage our coops in our respective states to do what they need to do, to learn what they need to learn, to make sure their systems are hardened against any kind of cyberattack,” Agriculture Secretary Tom Vilsack said at a National Association of State Departments of Agriculture meeting Wednesday.

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.
