Iowa-based grain company NEW Cooperative Inc. has been hit by a ransomware attack, forcing the company to shut down its system to counter the attack. The BlackMatter group behind the attack has demanded the ransom of $5.9 million, concerning the public as it may affect the supply chain in the US, causing a potential food shortage.
NEW Cooperative has confirmed that they have been hit and have said that they are in contact with law enforcement to remedy the situation as soon as possible before it affects the supply chain.
BlackMatter Ransomware Attack Details
Ransomware group BlackMatter is demanding $5.9 million from NEW Cooperative, according to a screenshot shared online by threat analysts. In a private negotiation chat of a NEW Cooperative representative with BlackMatter, the gang says that they didn’t hit the critical infrastructure. The NEW Cooperative representative further said:
“Your website says you do not attack critical infrastructure. We are a critical infrastructure…we intertwined with the food supply chain in the US. If we are not able to recover very shortly, there is going to be very very public disruption to the grain, pork, and chicken supply chain. About 40% of the grain production runs on our software…this will break the supply chain very shortly….”
The representative further said that if they don’t solve this soon, and it disrupts the supply chain, CISA will have to step in if NEW Cooperative’s systems don’t come online.
🌐 BlackMatter #Ransomware group just ransomed another food critical infrastructure in the US, The ransom demand is 5,900,000$ for now 🚨
The victim is playing by the rules: "@CISAgov is going to be demanding answers from us within the next 12 hours" 🧐#BlackMatter pic.twitter.com/Iciet8lhwQ
— DarkFeed (@ido_cohen2) September 20, 2021
BlackMatter responded that farming companies don’t fall under the “critical infrastructure” category. Ars Technica noticed on the BlackMatter’s Tor leak website that the group does not attack hospitals, oil, gas industry, defence industry, non-profit organizations, government sectors and “critical infrastructure facilities.” These industries include nuclear power plants, water treatment facilities and power plants.
BlackMatter ransomware gang claims that it does not attack critical infrastructure (Ars Technica)
“I am [not] threatening you. This is pretty much out of our hands. We can’t control what the regulators and U.S. government [do]. The impact of this attack will likely be much worse than the pipeline attack for context, and we have no way to control that given the disruption this has already caused,” a NEW Cooperative. Inc representative told the ransomware gang.
Ars Technica also noticed that the company’s SOILMAP project is also unavailable since the attack. SOILMAP is a software solution that offers various features such as soil testing, mapping and supplier accounting to streamline the process.
The threat actors have also claimed to have stolen the source code of the SOILMAP project, employee information, financial documents and R&D results.
Non-public data leak page of SOILMAP project of NEW Cooperative (Bleepingcomputers)
BlackMatter Ransomware Gang
BlackMatter emerged right after Darkside, and REvil ransomware gangs disappeared back in July after cyberattacks on Kaseya and Colonial Pipeline. Jake Williams, Co-Founder at BreachQuest, says:
“BlackMatter appears to be a spinoff of the REvil group and has been actively recruiting for initial accesses into victim networks in recent months. Although the group says it will not target “critical infrastructure facilities,” the definition the group uses in its blog is different from the U.S. government’s definition of critical infrastructure, which would include NEW Cooperative.”
Interestingly, this attack on NEW Cooperative came after President Biden’s meeting with tech giant CEOs and his public statement regarding Russia-based cybercriminals harming US infrastructure. If it really is a response to President Biden’s warning, then this could be just the start of a string of attacks to come.
This was the second attack by this gang in September, as BlackMatter attacked Olympus, a Japanese tech giant, on September 8. Emisoft also recorded over 40 ransomware attacks linked to this threat actor.
Ransomware attacks have constantly been increasing, with US organizations a primary target of criminals. In the past month, T-Mobile and AT&T also faced ransomware attacks. This attack on NEW Cooperative is very similar to REvil’s ransomware attack on JBS, the world’s largest meat processor, forcing the company to pay a ransom of $11 million.
Hank Schless, Senior Manager at Lookout, a California based endpoint-to-cloud security, says:
“This should serve as a wake-up call to every organization that they need to take action to protect themselves. The President’s statements on these types of attacks have done a fantastic job of conveying the importance of cybersecurity, but it’s on organizations to put those words into actions and shore up their defenses.”
