Iowa-based farm service provider NEW Cooperative has been hit by a BlackMatter ransomware attack, forcing it to shut down systems and warn of “disruption” to food supplies if it does not promptly get back online.

Russia-linked cybercrime group BlackMatter is demanding $5.9m to end the ransomware attack by providing a decryptor key and returning a reported 1,00GB of stolen data, which is said to include employee personal data, R&D files and agritech intellectual property. The ransomware attack is also one of the first tests of US President Joe Biden’s warning to Russia that critical infrastructure targets are “off-limits” to cyberattacks.

The cooperative, which has more than sixty locations across Iowa, said in a statement that it “recently identified a cybersecurity incident that is impacting some of our company’s devices and systems”.

It added: “Out of an abundance of caution, we have proactively taken our systems offline to contain the threat, and we can confirm it has been successfully contained.”

If NEW Cooperative refuses to pay the $5.9m by 25 September, the demand will rise to $11.8m – a common technique used by ransomware groups to exert pressure.

Should NEW Cooperative decide to pay the ransom demand, there is no guarantee that it will end the attack. Research by Cybereason found that 80% of businesses that paid the ransom went on to be attacked a second time.

NEW Cooperative provides farming technology that includes grain storage elevators, along with farming software platforms.

“The consequence of an attack like this on the food supply chain will not only affect the company itself but its suppliers, vendors, and customers,” said Brooks Wallace, VP EMEA at Deep Instinct.

“CISA is going to be demanding answers from us”

BlackMatter is widely believed to be a rebranded version of DarkSide, the cybercrime group behind the Colonial Pipeline attack that led to fuel price rises in the US in May.

Security researchers gained access to the negotiation chat between NEW Cooperative and BlackMatter after a ransomware sample was uploaded to a public malware analysis site.

Screenshots of the conversation have since been circulated on social media and show a BlackMatter representative claiming NEW Cooperative is not critical national infrastructure.

Following the backlash from the Colonial Pipeline ransomware attack, the rebranded BlackMatter claimed it would not target critical infrastructure facilities.

In June Biden gave his Russian counterpart Vladimir Putin a list of 16 critical infrastructure sectors that are “off-limits” from cyberattacks. Among them is the food and agriculture sector.

“Your website says you do not attack critical infrastructure,” a message to BlackMatter that appears to be from NEW Cooperative reads. “We are critical infrastructure – we intertwined [sic] with the food supply chain in the US. If we are not able to recover very shortly, there is going to be public disruption to the grain, pork, and chicken supply chain.”

The message added that “about 40% of grain production” runs on NEW Cooperative software and continued downtime would “break the supply chain very shortly”.

BlackMatter responded by claiming that NEW Cooperative does not “fall under the rules” and that “everyone will only incur losses”.

They added: “Since everything is so serious with you, let’s come to an agreement quickly and solve everything quickly.”

NEW Cooperative also warned BlackMatter that it would be contacting the US Cybersecurity and Infrastructure Security Agency (CISA).

“I assume you have thought that through? CISA is going to be demanding answers from us within the next 12 hours or so and we are going to have to tell them exactly what has happened,” the message reads.

Verdict has approached CISA for comment.

“There is no honour among thieves,” said Andrea Carcano, co-founder, Nozomi Networks. “Trusting they won’t attack because you’re in a special category – or on a no-target list – is naive.”

Lior Div, CEO and co-founder at Cybereason, said that if the supply of food and grain is disrupted across Iowa it “could have a ripple effect” that “possibly forces the hand of the US government”.

Yet another agriculture ransomware attack

The NEW Cooperative ransomware attack follows a string of cyberattacks against the US agriculture sector.

In May 2021, meat processor JBS was forced into pausing operations after its computer networks were compromised by the REvil ransomware. The shutdown caused a shortage in the US meat supply, driving up wholesale prices by as much as 25%. JBS later paid $11m to the attackers despite resuming operations and claiming no customer data was stolen – an explanation that the former chief of the UK’s National Cyber Security Centre found “unconvincing”.

Earlier this month the FBI sent out a notice warning food and agriculture companies to be vigilant in case of ransomware attacks.

It listed four other ransomware attacks against US food and agriculture companies since 2020, including one farm experiencing losses of approximately $9m due to the temporary shutdown.
