BlackMatter ransomware attacks on agriculture may cause food shortages
Posted by: GuidePoint Security
Published 9/29/21, 9:00am
Three attacks last week by the BlackMatter ransomware group caused significant problems in the agricultural and business sectors, including potential food supply problems down the road. Two attacks targeted farming cooperatives (New Cooperative and Crystal Valley), while the third attack hit the marketing services company Marketron.
The attacks against New Cooperative and Crystal Valley occurred within days of each other and just three weeks after the FBI’s cyber division issued a Private Industry Notification (PIN) warning businesses in the agricultural and food sectors of potential ransomware attacks. (You can read more in our article: FBI warning: ransomware attacks targeting food and agriculture businesses.)
The ransomware attackers demanded $5.9 million from Iowa-based New Cooperative, threatening to raise the ransom to $11.8 million if the ransom were not paid within five days. New Cooperative stated that systems were taken offline and that it was able to contain the threat. They also stated that law enforcement was quickly informed and that they were working with data security experts to investigate and remediate the situation.
The software that powers New Cooperative business activities supports 40 percent of grain production and feed schedules for 11 million farm animals. The cooperative states that the attack could significantly impact the public supply of grain, pork, and chicken if systems are not brought back online soon.
The BlackMatter ransomware group claims it doesn’t attack critical infrastructure; however, it apparently limits the definition of critical infrastructure to only power generation and water treatment facilities. (Food and agriculture are defined as critical infrastructure by the United States Government.) The criminals also appear unwilling to work out a solution with the cooperative, despite representatives from New Cooperative indicating that their company has little control over the ransom situation since it is heavily regulated.
Security researchers are also reporting that when running the credentials for New Cooperative staff and systems through a database of previously stolen credentials and passwords, information on New Cooperative came up 653 times. This includes the repeated use of the password “chicken1,” which was common among New Cooperative employees.
The attack against Minnesota-based Crystal Valley caused the shutdown of their IT systems and prevented credit card payment processing. The company operates eight grain elevators with the capacity to store 25 million bushels. Farmers are reporting that drivers are using handwritten tickets instead of computer scanning for grain delivery to the Crystal Valley facilities, which has slowed but not stopped operations.
The third BlackMatter attack, against business software solution company Marketron, impacted all 6,000 of its customers, taking their software and cloud services offline. (Other services, such as email marketing and mobile messaging, remained unaffected.) In a letter to customers, Marketron indicated that it was working with the FBI and third-party security experts.
Next Steps
Ransomware attacks show no sign of slowing. Businesses are urged to change passwords regularly and use multifactor authentication. Cybersecurity professionals are urging businesses to patch bugs and vulnerabilities immediately and engage with a vulnerability management service. Organizations that believe they have been victims of a ransomware attack are urged to work with a professional ransomware investigation and response team.