BlackMatter Ransomware Attack Hits US Farmer Cooperative With $5.9M Demand

U.S. farmers' cooperative NEW Cooperative has suffered a BlackMatter ransomware attack, with the attackers demanding $5.9 million in exchange for not leaking the stolen data and for providing a decryptor.

NEW Cooperative is a farmers' feed and grain cooperative with over sixty locations throughout Iowa. In a weekend ransomware attack, the threat actor demanded a $5.9 million ransom, which will escalate to $11.8 million if it is not paid within five days.

These ransom demands are a starting point for negotiation and usually lead to significantly smaller payments if a victim decides to pay. NEW Cooperative has confirmed the attack to our experts and stated that it has taken its systems offline to contain the attack's spread.

“NEW Cooperative currently identified a cybersecurity incident that is affecting some of the organization’s devices and systems. Out of an abundance of caution, we have proactively taken our systems offline to contain the threat, and we can confirm it has been completely contained,” a NEW Cooperative spokesperson told our experts. “We also immediately alerted law enforcement and are working closely with data security experts to research and alleviate the current situation.”

How BlackMatter Targets Sensitive Infrastructure

Investigators first learned of the attack after a ransomware sample was uploaded to a public malware analysis site in recent days. This sample gave access to the BlackMatter ransom note, the ransom negotiation page, and a non-public data leak page containing screenshots of allegedly stolen data.

BlackMatter is believed to be a rebrand of the DarkSide ransomware operation, which disappeared after attacking the Colonial Pipeline. When BlackMatter first appeared, the group said that it would not target “Critical infrastructure facilities (nuclear power plants, power plants, water treatment facilities).” According to screenshots of the negotiation page shared on Twitter, NEW Cooperative asked BlackMatter why it had been attacked, given that it is considered sensitive infrastructure and the attack will lead to food supply disruption for grain, pork, and chicken.

NEW Cooperative also stated that it would have to contact regulators and CISA about the attack. BlackMatter replied that the cooperative does not “fall under the rules” and threatened to double the ransom amount if NEW Cooperative did not change its approach to the negotiation.


“We are not threatening you. This is pretty much out of our hands. We can’t even control what the handlers and the US government does,” a NEW Cooperative representative told the attackers in the negotiation chats.

“The effect of this attack will likely be much worse than the pipeline attack for context, and we have no way to control that given the disruption this has already caused.”

“We are just telling you this so you are not surprised as it does not seem like you understood who we are and what role our company plays in the food supply chain.”

BlackMatter responded with, “No one will give you decrypters for free, look for money.”


Attackers Claim to Have Stolen 1,000 GB of Data

On the non-public data leak page, the threat actors claim to have stolen the source code for the soilmap.com project, R&D results, sensitive employee information, financial documents, and an exported database for the KeePass password manager.


The pages consist of screenshots of supposedly stolen data, including legal documents, a screenshot of an application, and financial information. Our experts have decided not to disclose these images due to their potentially sensitive nature.
