In an attack on U.S. agriculture, Iowa-based NEW Cooperative, Inc., a member-owned farmers’ feed and grain cooperative, was hit on or around last Friday by a ransomware attack, forcing the company to take its systems offline. The BlackMatter group behind the attack has set a $5.9 million ransom demand. With over sixty locations throughout the state, the company produces the most corn in the country and the second most soybeans.

The attack comes a little over two months after the Biden administration warned Russian president Vladimir Putin on July 9 that Russian-based hacking groups should stay away from sixteen critical infrastructure sectors of the U.S. economy. BlackMatter, founded in July, has stated in its public blog that the threat actor group refrains from attacking organizations in several industries, including critical infrastructure, healthcare, oil and gas, non-profit, and government. 

https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/

History of BlackMatter

BlackMatter, presumably a ransomware-as-a-service (RaaS) affiliate program, has, according to the group, united the best features of the now-obsolete DarkSide, LockBit, and REvil ransomware groups. DarkSide was allegedly responsible for the Colonial Pipeline attack in May 2021. Although not advertising itself as a RaaS, the group, which targets companies with revenues of $100 million per year or more, has advertised that it is seeking partners.

In an August 2, 2021 interview with Recorded Future, a representative from BlackMatter spoke to threat analyst Dmitry Smilyanets. The representative explained how BlackMatter is learning from the mistakes of other ransomware groups, what they look for when they recruit partners, and why they avoid specific targets. The ransomware group believes its rivals have disappeared from the scene because of attention from governments following high-profile attacks. BlackMatter states on its website that it intends to avoid attacking critical infrastructure, indicating the group hopes to avoid such attention.

In the interview, a confident BlackMatter told Smilyanets that it takes its new affiliate program seriously, stating, “We created a project and brought it to the market exactly at a time when the niche is vacant and the project fully meets the market demands, therefore its success is inevitable.” The group has forbidden attacks like the one on Colonial Pipeline, explaining it believes the recent retreat of REvil, DarkSide, and others resulted from the attention paid to ransomware attacks by the top leadership in the U.S. and Russia. BlackMatter, which noted that its software is constantly being improved, described to Smilyanets:

We believe that to a large extent, their exit from the market was associated with the geopolitical situation on the world stage. First of all, this is the fear of the United States and its planning of offensive cyber operations, as well as a bilateral working group on cyber extortion. We are monitoring the political situation, as well as receiving information from other sources.

When designing our infrastructure, we took into account all these factors and we can say that we can withstand the offensive cyber capabilities of the United States. For how long? Time will tell. For now, we are focusing on long-term work. We also moderate the targets and will not allow our project to be used to encrypt critical infrastructure, which will attract unwanted attention to us.

Additional Details on NEW Cooperative Ransomware Attack

Following the attack, NEW Cooperative, which has more than 50 locations across Iowa, let its feed customers know the company is working on alternative ways to feed animals while its systems are down. The company indicated it has contacted law enforcement and is working with data security experts to investigate and remediate the situation. Farmers explained to Bloomberg that grain delivery, usually a digital procedure, “has gone old school.” The company is using the tried-and-true method of paper tickets to record truck weight and grain moisture by hand. Still, the process has been slowed considerably. The co-op announced in a statement:

“NEW Cooperative recently identified a cybersecurity incident that is impacting some of our company’s devices and systems. Out of an abundance of caution, we have proactively taken our systems offline to contain the threat, and we can confirm it has been successfully contained.”

The farming co-op says its software powers about 40 percent of grain production and feed schedules of 11 million farm animals. With that in mind, U.S. federal government regulators like CISA may soon step in should the company’s systems not come back online soon. During a private negotiation chat, a NEW Cooperative representative appears to be telling BlackMatter:

“Your website says you do not attack critical infrastructure. We are critical infrastructure. Intertwined with the food supply chain in the U.S. If we are not able to recover very shortly, there is going to be very very public disruption to the grain, pork, and chicken supply chain.”

Neither the White House nor the U.S. Cybersecurity and Infrastructure Security Agency has commented on the attack. BlackMatter maintains that, although it targeted U.S. agriculture infrastructure, its attack on NEW Cooperative didn’t violate the Biden administration warning against attacking critical infrastructure. In a message on its dark web page, BlackMatter insisted the grain producer was “fair game” when issuing its $5.9 million ransom demand, which will increase to $11.8 million if not paid in five days. The group pointed out:

“The volumes of [NEW Cooperative] production do not correspond to the volume to call them critical. We don’t see any critical areas of activity. Also this company only works in one state.”

According to a post on BlackMatter’s website, the group has seized NEW Cooperative’s financial information, human resources data, research, development information, and source code for its “SoilMap” product, a technology platform for agricultural producers. A message on SoilMap’s website says the product is currently unavailable. In a message on Monday, the ransomware group spoke of the attack on NEW Cooperative, declaring:

“They will pay or have nothing.”

The U.S. Is Steps Closer to a Zero-Trust Model

On September 7, 2021, the Biden Administration released several documents for public comment, seeking feedback on the overarching federal policy from the Office of Management and Budget (OMB) and on a draft technical reference architecture and maturity model from CISA. The guidance follows Biden’s May executive order (EO), designed to bolster cybersecurity across the federal government. The EO mentioned specific security methods and tools such as multifactor authentication, encryption, and zero trust. (The zero-trust model is open for public comment until October 1.)

Zero-trust models continually re-verify a user’s credentials to confirm users are who they claim to be, operating under the assumption that attackers have already gained access to the network. Accordingly, every access request must be challenged and constrained rather than trusted because of where it originates. “Never trust, always verify”: this premise is key to the Biden administration’s security overhaul of decades-old networks. The new strategy, which seeks to prevent potential threats from both outside and inside a network, will require a barrage of actions to lock down software applications, restrict users’ access to data, and protect network traffic from prying eyes.
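The contrast the paragraph describes, between a perimeter model that trusts anything already inside the network and a zero-trust model that re-verifies every request, is easier to see in code. The following is an added illustration written for this article, not code from the article, from CISA’s reference architecture, or from any product: a toy policy decision point that evaluates each request against identity (fresh MFA), device posture, session age, role, and a per-resource least-privilege policy. The users, resources, IP ranges and requests are constructed for the example; the “stolen credentials from an internal address” scenario shows why the assume-breach premise matters.

```python
"""Toy zero-trust policy decision point (PDP), added as an illustration.

Every name, resource and request below is constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    source_ip: str
    resource: str
    action: str
    mfa_verified: bool        # identity freshly verified for this session
    device_compliant: bool    # endpoint passed posture check (patched, managed)
    session_age_s: int        # seconds since last authentication


def perimeter_allows(req: Request) -> bool:
    """Legacy model: anything originating from the internal 10.0.0.0/8 range is trusted."""
    return req.source_ip.startswith("10.")


# Least-privilege policy per resource (constructed): which roles may do which
# actions, and how old a session may be before re-authentication is required.
POLICY: Dict[str, dict] = {
    "grain-scheduling": {"roles": {"ops"}, "actions": {"read", "write"}, "max_session_s": 900},
    "hr-records":       {"roles": {"hr"},  "actions": {"read"},          "max_session_s": 300},
}
ROLES: Dict[str, Set[str]] = {"alice": {"ops"}, "bob": {"hr"}}


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """Evaluate one request; every check must pass, and unknown resources default to deny.

    The source address is deliberately not consulted: network location is not a
    trust signal under zero trust.
    """
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "unknown resource: default deny"
    if not req.mfa_verified:
        return False, "identity not freshly verified (MFA)"
    if not req.device_compliant:
        return False, "device posture non-compliant"
    if req.session_age_s > rule["max_session_s"]:
        return False, "session too old: re-authenticate"
    if not (ROLES.get(req.user, set()) & rule["roles"]):
        return False, "role not permitted for resource"
    if req.action not in rule["actions"]:
        return False, "action not permitted on resource"
    return True, "allow"


# Constructed scenarios.
LEGIT_OPS = Request("alice", "203.0.113.7", "grain-scheduling", "write", True, True, 120)
# Assume-breach case: alice's password was stolen and is used from an internal host,
# with no MFA and from an unmanaged device.
STOLEN_CREDS_INSIDE = Request("alice", "10.20.30.40", "grain-scheduling", "write", False, False, 10)
HR_OVERREACH = Request("bob", "10.20.30.41", "hr-records", "write", True, True, 60)
STALE_SESSION = Request("bob", "10.20.30.41", "hr-records", "read", True, True, 3600)


def compare(req: Request) -> Tuple[bool, bool, str]:
    """Return (perimeter verdict, zero-trust verdict, zero-trust reason) for one request."""
    allowed, reason = zero_trust_decision(req)
    return perimeter_allows(req), allowed, reason


if __name__ == "__main__":
    for name, req in [("legit ops user", LEGIT_OPS), ("stolen creds, inside", STOLEN_CREDS_INSIDE),
                      ("hr write overreach", HR_OVERREACH), ("stale hr session", STALE_SESSION)]:
        print(f"{name:22s} perimeter={compare(req)[0]!s:5s} zero_trust={compare(req)[1]!s:5s} ({compare(req)[2]})")
```

The point of the comparison is the second scenario: the perimeter model admits the attacker purely because the request comes from an internal address, while the zero-trust decision denies it on the first failed signal and records why, which is also what a detection team would want logged.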