Attack is believed to have been carried out by BlackMatter, a successor of Colonial Pipeline hacker DarkSide.
The U.S. grain, pork and chicken supply could be at risk after a ransomware attack on New Cooperative Inc. has forced the Iowa-based agriculture services provider’s systems to go offline.
“Out of an abundance of caution, we have proactively taken our systems offline to contain the threat, and we can confirm it has been successfully contained,” a New Cooperative spokesperson told the Wall Street Journal.
A spokesperson for New Cooperative did not immediately return FOX Business’ request for comment.
Security researchers say the attack was carried out by ransomware group BlackMatter, which has reportedly encrypted New Cooperative’s data and stolen 1,000 gigabytes worth of files, including invoices, research and development documents, and the source code to its soil-mapping technology. The hacking group is asking for a $5.9 million ransom payment in exchange for a tool to decrypt the data.
According to screenshots shared by DarkFeed Threat Intelligence of what appears to be a conversation between BlackMatter and New Cooperative on Sunday, the agriculture group said there would be a “very very public disruption to the grain, pork and chicken supply chain” if it was not able to recover its systems immediately.
BlackMatter, founded in July 2021, claims to have incorporated the “best features” from Russian ransomware group DarkSide, REvil and LockBit, according to Recorded Future.
On its website, BlackMatter advertises the purchase of access to corporate networks in the U.S., Canada, Australia and the U.K. The group targets companies with revenue of $100 million or more that have 500 to 15,000 hosts on their network.
BlackMatter offers a $3,000 to $100,000 price range for network access, as well as the share from the potential ransom amount.
BlackMatter’s website emphasizes that the group does not attack “critical infrastructure,” including hospitals, nuclear power plants, water treatment facilities, oil pipelines and refineries, the defense industry, nonprofit companies, and the government sector.
Though New Cooperative states it is considered critical infrastructure as defined by the Department of Homeland Security, BlackMatter argues that it does not “fall under its rules,” according to the screenshot.
“Everyone will only incur losses. Everything is tied to the commerce, the critical ones mean the vital needs of a person, and you earn money,” the group added before offering to come to an agreement to resolve the situation.
New Cooperative warned BlackMatter that it would have to contact the Cybersecurity and Infrastructure Security Agency (CISA) and other regulators about the attack.
In additional messages exchanged between the parties shared by Recorded Future’s Dmitry Smilyanets on Twitter, BlackMatter writes “do not threaten us, otherwise you will stay without a decryption,” before threatening to double the price of the ransom payment.
New Cooperative replies that the situation is “pretty much out of our hands,” adding that it “can’t control what regulators and the U.S. government does.”
“The impact of this attack will likely be much worse than the pipeline attack for context,” New Cooperative added, referencing the Colonial Pipeline. “We have no way to control that given the disruption that this has already caused.”
“No one will give you decrypters for free,” BlackMatter replied. “Look for money.”
As the frequency of ransomware attacks have surged in 2021, the Biden administration has called on the private sector to help “raise the bar on cybersecurity.” Biden also put Russian President Vladimir Putin on notice, giving him a list of 16 critical infrastructure entities that are “off limits” to Russian cyber attacks.
The entities include energy, water, health care, emergency, chemical, nuclear, communications, government, defense, food, commercial facilities, IT, transportation, dams, manufacturing and financial services.
A spokesperson for the FBI said the agency is aware of the attack on New Cooperative, but declined to comment further. A spokesperson for CISA declined to comment.
