New Cooperative latest victim of Black Matter ransomware

New Cooperative, an Iowan agricultural group which plays a key part in the agricultural supply chain, has suffered a ransomware attack from BlackMatter, a Russian-linked ransomware-as-a-service group, forcing them to take their systems offline.

Iowa-based New Cooperative, which produces the most corn in the US and comes second with soybeans, went public with the cyber attack on Monday, stating it had “recently identified a cybersecurity incident that is impacting some of our company’s devices and systems” and that they had “proactively taken our systems offline to contain the threat”.

The company also confirmed they had “notified law enforcement” and were “working closely with data security experts to investigate and remediate the situation”.  

The New Cooperative have assured customers that they are “treating this matter with the utmost seriousness”, stating they are “using every available tool and resource to quickly restore our systems” and “will share additional information directly with [their] customers” as they learn more about the situation. 

The ransom demand made by BlackMatter is said to be over 5.9 million dollars. BlackMatter has also threatened to release 1 terabyte of sensitive data they had stolen if the company didn’t comply by late Saturday.

The Threat Landscape 

This ransomware attack is the latest in a long line of escalating cyber attacks targeting key organisations related to US critical infrastructure and supply chains.

REvil, another Russian-linked ransomware group, attacked IT giant Kaseya in July, flooding over 1,500 organisations with ransomware. Kaseya publicly refused to pay the ransom of 70 million and revealed that they had managed to obtain the decryption key from a third party that remains undisclosed. 

REvil was also previously linked to a ransomware attack on Brazil-based JBS in late May, disrupting operations in the US, Australia and Canada. Their US division, JBS USA, one of the nation’s largest meat providers whose plants processed over one-fifth of the US’s meat, revealed in June they’d paid the 11 million ransom demand.

Earlier in May, the US Colonial Pipeline, a major pipeline that provides the East Coast with 45 percent of their fuel, suffered a ransomware attack by DarkSide. They were forced to pay a ransom of 4.4 million dollars, although the US Justice Department was able to recover the majority of it from a DarkSide bitcoin wallet.  

BlackMatter is believed to be a rebranding of the infamous DarkSide, with Emsisoft, a New Zealand-based anti-virus software company, even discovering technical links and code overlaps between them.

Biden’s Warning 

The Cybersecurity and Infrastructure Security Agency (CISA) is a federal agency charged with securing critical US infrastructure and has outlined 16 critical sectors, including Food and Agriculture, that hackers should avoid unless they want action from the US government. 

In July, President Joe Biden warned the Russian President, Vladimir Putin, that they “expect him to act” when Russian threat groups, even if not state-sponsored, attacked sectors that fall under CISA and that there would be “consequences” for Russia if they don’t clamp down on them. 

A screenshot of a Sunday conversation between BlackMatter and a victim, currently believed to be New Cooperative, was posted on Twitter by security researchers. In it, the victim stated their software accounts for 40 percent of the US’s grain production, saying the ransomware attack would “break the supply chain very shortly” and that “CISA is going to be demanding answers” if the threat group didn’t cease their malicious activity.

Allan Liska, a senior intelligence analyst at cybersecurity group Recorded Future who has been tracking the ransomware attack, has stated, with regard to the released chats, that “New Coop is likely invoking CISA” because the threat actor behind BlackMatter “is a sniveling little coward who ran and hid after the Colonial Pipeline attack”.

As for how far reaching the consequences of this cyber attack will be, Liska said “New Coop is the 51st largest farm cooperative in the US, so there may be regional disruptions in the food deliveries and the ransomware attack appears to have taken New Coop’s Soil Map offline”. 

By attacking New Cooperative, BlackMatter seems to be testing Biden’s mandate.  

However, the threat group maintains that the ransomware attack on Iowa’s New Cooperative hasn’t violated Biden’s terms, saying on their dark webpage that they “don’t see any critical areas of activity” and that New Cooperative “will pay or have nothing”.

BlackMatter has previously stated they avoid targeting organisations which are “really critical”, such as “companies associated with oil, minerals and many others much more serious”. They have also said they won’t attack entities like hospitals, non-profits, the defense industry or critical government sectors.

As of yet, the spokesperson for CISA has declined to comment on the New Cooperative hack.
