Sandhills Global hit with ransomware by Conti threat group

Sandhills Global, a US-based publication and hosting company whose customers range from agriculture to aircraft and technology, suffered a ransomware attack on Thursday, which caused numerous hosted services and sites to be taken offline, leading to a mass denial of service for customers.

Sandhills' main site, which was offline over the weekend, is now up and running, along with a number of other hosted sites. Numerous sites were taken out by this ransomware attack, notably including TractorHouse, HiBid and AuctionTime.

When a user attempted to access any of these sites, a Cloudflare Origin DNS error page would appear instead, showing that Cloudflare was unable to connect to Sandhills’ servers. 

The Nebraska-based firm said in an email to customers, which was shared with BleepingComputer and also on social media, that they are “currently responding to a ransomware attack that impacted our operations” and “Systems and operations have been temporarily shut down to protect data and information”. 

The company also said in the email that they had “cybersecurity experts to assist us with the investigation, which is ongoing” and were “continuing to investigate whether any of our client's information has been accessed or impacted by this incident”. 

The company stated it had yet to confirm if customer information had been compromised. 

The cyber attack is currently believed to be the work of Conti, a ransomware extortion group recently in the news for trying to suppress media coverage by issuing a threat in case its chats with victims continued to be made public, saying “If we see a clear indication of our negotiations being sent to the media we will terminate the negotiations and dump all the files on our blog”.

Conti, like many ransomware groups, infects company servers with its ransomware and encrypts the files, demanding that the victim pay a multi-million ransom in exchange for a decryption key. The group also often practices double extortion: before encrypting the systems, it exfiltrates sensitive files and threatens to publish them as a further means of pressuring companies to pay the ransom.

Cascade Effect 

The list of victims from the cyber attack on Sandhills includes sites like:

  • TractorHouse
  • HiBid
  • AuctionTime
  • RentalYard
  • Truck Paper
  • Machinery Trader
  • ForestryTrader
  • Motorsports Universe
  • CraneTrader
  • MarketBook
  • RV Universe
  • Oil Field Trader
  • LiveStockMarket
  • Controller
  • Aircraft
  • EquipmentFacts

Because many of Sandhills' customers themselves host sites, this cyber attack has led to a cascade of outages, including numerous small to mid-range equipment dealers’ sites hosted by a Sandhills customer, TractorHouse.

Randall Brothers Farm Equipment, an Ohio-based auctioning firm for new and old farm equipment, announced on Instagram that “Due to issues with Sandhills Publishing, we are experiencing difficulties with our telephone lines and website” and that it was “very sorry for the inconvenience”.

Meanwhile, droves of customers and sellers have taken to social media to post their dissatisfaction at the news and to criticise a number of the companies for their lack of response to the attack. Some of them have been forced to advertise and sell time-sensitive commodities via other means.

Growing Attacks on Supply Chains 

This year has seen growing cyber attacks on supply chains, with 50 percent being performed by known APT groups. After a string of cyber attacks on US supply chains, President Biden issued a stark warning in July that under CISA there were 16 critical infrastructure sectors that would garner a response from the US government, including Food and Agriculture.

Over the past weeks, however, hackers have either ignored this warning or reinterpreted its parameters on their own terms.

When New Cooperative, an Iowa-based agricultural group of farmers, suffered a cyber attack at the hands of the BlackMatter ransomware gang, who set the ransom at 5.9 million dollars, the threat actors denied that New Cooperative fell under CISA, saying that they didn’t “see any critical areas of activity”.

Part of this growing trend of threat actors being able to target food and agriculture supply chains is due to the Covid-19 pandemic. In this case, the pandemic accelerated the use of online bidding by equipment auction companies, which has opened up another attack vector for this sector that malicious actors can exploit.

Greg Peterson, who runs and is well-known in the farm auctioning community, said in a talk with AgriTalk on October 4th that the ransomware attack on Sandhills was “unprecedented” and said that bidding online has become so common “even locals stay home to bid” via online methods instead of going in-person.

At the time of publication, Sandhills Global have not publicly commented on the ransomware attack and details remain unknown on any ransom demand.