
US farm cooperative takes systems offline after ransomware attack linked to Russian hackers

SolarWinds hackers. (Pop Nukoonrat/Dreamstime/TNS)
September 23, 2021

This article was originally published by Radio Free Europe/Radio Liberty and is reprinted with permission.

A ransomware attack believed to be the work of Russian hackers has forced an association of corn and soy farmers based in the U.S. state of Iowa to take its systems offline.

New Cooperative said in a statement that the attack was “successfully contained” and that it had quickly notified law enforcement.

The statement said the association took its systems offline out of “an abundance of caution” and was working with data security professionals to remedy the situation. It did not specify when the ransomware attack occurred.

The cooperative has created workarounds to receive grain and distribute feed, according to news reports on September 21 quoting people close to the business.

The hackers demanded a $5.9 million ransom for a key to decrypt files they scrambled, according to security researcher Allan Liska of Recorded Future.

New Cooperative stores and sells the grain it collects from farmers and offers feed for chickens, hogs, and cattle along with fertilizer, crop protection, and seed.

The attack on its systems follows ransomware attacks earlier this year that targeted companies and critical infrastructure, including a major U.S. pipeline and a meatpacker. There was also an attack on the software firm Kaseya that impacted some 1,500 businesses.

The attack on New Cooperative, which is believed to have been launched last week just as Iowa’s corn and soy harvesting got under way, has been attributed to a group called BlackMatter.

BlackMatter has threatened to publish 1 terabyte of data it claims to have stolen from New Cooperative if its ransom demand is not paid by September 25.

The data includes invoices, research and development documents, and the source code to the cooperative’s soil-mapping technology, according to cybersecurity experts quoted by The Washington Post.

Security researchers believe BlackMatter may be a reconstituted version of the ransomware syndicate DarkSide, another operation believed to be tied to Russia, which disrupted Colonial Pipeline in May and then disbanded.

That ransomware attack disrupted fuel service for six days to the U.S. East Coast, and Colonial Pipeline officials eventually paid a $4.4 million ransom. Federal law enforcement officials were able to get a portion of the ransom back and sideline much of DarkSide’s infrastructure.

But experts cautioned at the time that the hackers would probably reemerge.

REvil, another Russian-based cybercrime operation, carried out a ransomware attack in June on JBS, the world’s largest meat producer. The company eventually paid an $11 million ransom. In July, REvil claimed responsibility for the attack on the U.S. company Kaseya.

After the attack on Kaseya, President Joe Biden repeated a warning to Russian President Vladimir Putin that the United States would take “any necessary action” to defend Americans and critical infrastructure threatened by cyberattacks.

Biden had previously warned Putin about ransomware attacks during the two leaders’ summit in June.

The United States is also moving to cut off the flow of money by sanctioning cryptocurrency exchanges that facilitate the ransom payments.

On September 21, the Treasury Department imposed sanctions on a Russian-based cryptocurrency exchange over its alleged role in facilitating the payments.