BlackMatter ransomware group strikes NEW Cooperative, makes demand of $5.9 million

NEW Cooperative

NEW Cooperative, has been targeted by the BlackMatter ransomware group. The weekend ransomware attack to the food critical infrastructure sector comes with the hackers initially making a demand for US$5.9 million, which will increase to $11.8 million, if the pay-off is not made in five days. 

The Fort Dodge, Iowa-based NEW Cooperative has “proactively taken our systems offline to contain the threat, and we can confirm it has been successfully contained. We also quickly notified law enforcement and are working closely with data security experts to investigate and remediate the situation,” according to a company statement. 

The move by NEW Cooperative, among one of the nation’s large farm cooperatives, recognizes “that they can’t demonstrate positive control over their IT environment. It’s therefore a natural reaction to shut down operations, as you don’t know how deeply or broadly the hackers have infiltrated,” Grant Geyer, chief information security officer and chief product officer at industrial cybersecurity company Claroty, said in an emailed statement. 

The member-owned cooperative has 36 operating locations throughout the western and central parts of Iowa. In addition to their strong grain marketing and storage services, NEW also offers quality feed, fertilizer, crop protection and seed resources, and delivers agronomic opportunities in soil mapping, site-specific field management, and precision technology services through their MAPS department.

The playbook used by NEW Cooperative is similar to the measures taken by Colonial Pipeline when it was hit by the DarkSide ransomware in May, which led the company to take certain systems offline to contain the threat. Colonial had a temporary halt of all pipeline operations with some of its IT systems also affected. The pipeline company that runs from Texas to New Jersey shut down much of its network for several days, leaving thousands of gas stations across the U.S. Southeast without fuel. The closure of the 5,500-mile (8,900-km) system was considered one of ‘the most disruptive cyberattack on record, preventing millions of barrels of gasoline, diesel and jet fuel from flowing to the East Coast from the Gulf Coast.’

Earlier this month, the Federal Bureau of Investigation (FBI) had warned on the likelihood of ransomware attacks targeting the food and agriculture sector, which could potentially lead to disruption of operations, cause financial loss, and negatively impact the food supply chain. In a ransomware attack, victims’ files are encrypted and made unavailable, and the attacker demands a payment for the decryption tool and key.

Ransomware may impact businesses across the sector, from small farms to large producers, processors, and manufacturers, and markets and restaurants, the FBI said in its alert.

The BlackMatter ransomware comes as a successor to DarkSide, LockBit, and ReVil. Founded in July this year, the BlackMatter group is reported to have said on their public blog that “the threat actor group does not conduct attacks against organizations in several industries, including healthcare, critical infrastructure, oil and gas, defense, non-profit, and government.”

“It should come as no surprise that taking a cybercriminal at their word is not wise,” Geyer said in an emailed statement. “But whether or not this specific group is going against their word, the fact remains that critical infrastructure organizations are still a lucrative target for many other malicious actors out there. These organizations still need to shore up their defenses as much as possible.”

Identifying that the implications of the NEW Cooperative attack on the U.S. economy, Geyer said that it, “demonstrates just how deeply and broadly the U.S. economy and supply chain is interconnected. Ransomware gangs feed on the psychological impact of putting businesses integral to the supply chain between a rock and a hard place, in order to make the choice to pay the ransom the easiest path forward.”

Allan Liska, a senior intelligence analyst at cybersecurity group Recorded Future told The Hill that “New Coop is the 51st largest farm cooperative in the US, so there may be regional disruptions in the food deliveries and the ransomware attack appears to have taken New Coop’s Soil Map offline.”

“What is interesting here is the invocation of CISA by New Coop in the released chats,” Liska said, pointing to messages to the hackers from New Cooperative threatening to involve the agency. “We know that the threat actor behind BlackMatter is a sniveling little coward who ran and hid after the Colonial Pipeline attack, the New Coop is likely invoking CISA for the same reason, we’ll see if it has the same impact.”

Recorded Future pointed out in a blog post in July that BlackMatter was a member of the top-tier forum Exploit and likely an operator of BlackMatter ransomware, currently advertising the purchase of access to corporate networks in the US, Canada, Australia, and the UK. The hacker is interested in all industries, except healthcare and governments, and has the following requirements for targets with revenue of $100 million and more, and between 500 to 15,000 hosts in the network. BlackMatter offers a $3,000-$100,000 price range for network access, as well as a share from the potential ransom amount, it added.

The attack on NEW Cooperative comes following weeks and months of cyber-attackers targeting the critical infrastructure sector. In May, hackers using a variant of the Sodinokibi/REvil ransomware compromised computer networks in the U.S. and overseas locations of JBS USA, a global meat processing company, which resulted in the possible exfiltration of company data and the shutdown of some US-based plants for several days. 

Before that, U.S. beverage maker Molson Coors suffered a ransomware attack in March that caused significant disruption to its business operations, including its operations, production, and shipping.

Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on whatsapp


Join over 5,000 Industrial OT & Cyber professionals

Weekly Newsletter direct to your inbox