New Cooperative, an Iowa-based part of the agriculture supply chain recently hit by a ransomware attack, is reportedly refusing to pay the $5.9 million ransom the attackers have demanded to restore its systems.
The timeline looks something like this...
On Monday, September 20, 2021, the co-op publicly disclosed that it had been hit by the Russia-linked BlackMatter ransomware group in an attack that locked up the computers it uses to manage food supply chains and animal feeding schedules. BlackMatter, widely regarded as the successor to the DarkSide crew that carried out the Colonial Pipeline attack earlier this year, threatened to publish a terabyte of data it claimed to have stolen from the co-op unless it was paid by Saturday, September 25, 2021.
However, as of September 24, New Coop had not paid the ransom and was unlikely to do so, a farmer associated with the company told the Messenger, a local media outlet. By comparison, in other high-profile critical infrastructure attacks earlier this year, food processor JBS paid $11 million to restore its systems and Colonial Pipeline paid about $4.4 million to the DarkSide syndicate. Federal law enforcement and cybersecurity providers strongly advise victims not to meet ransom demands.
The unnamed farmer told the Messenger that federal law enforcement is treating the incident as a terrorist attack. Cybersecurity specialists, possibly managed security service providers, are helping New Coop rebuild the affected systems. New Coop officials have neither confirmed nor denied whether the company will pay, the Messenger said.
Following the incident, New Coop officials said that 40 percent of the nation's grain production runs through its software and that the attack could "break the supply chain very shortly." While the BlackMatter extortionists initially forced New Coop to shut down its systems, the company has reportedly put workarounds in place to keep receiving grain and distributing feed.
The pain to organizations big and small hobbled by ransomware has skyrocketed over the past year. Ransom demands made to policyholders of Coalition, a cyber insurance provider, roughly tripled in the first half of 2021 compared with the same period in 2020, to an average of $1.2 million per claim from $450,000, the insurer said.
Password Attacks Involved?
Hundreds of New Coop employee credentials had already been exposed through poor password management before the attack, and may have given BlackMatter its way into the network, a ZDNet report said. Tammy Kahn, chief operating officer of FYEO, a startup password management firm, told ZDNet that its researchers found the password "chicken1" in use more than 10 times among the company's 120 employees. Passwords belonging to some of the co-op's top executives were also among those exposed. In total, FYEO found 653 instances of breached credentials connected to New Cooperative.
It is not known how the attackers obtained the passwords of New Coop employees. Two techniques are popular among criminals: password spraying, a form of brute-force attack in which a single common password guess is tried against many different user accounts so that no one account trips a lockout, and credential stuffing, in which usernames and passwords leaked from other breaches are replayed to find logins that still work. A password such as "chicken1" reused across a dozen accounts is exactly what makes both succeed. Brute-force intrusions have more than doubled in the last year as a share of overall attacks, Kaspersky said in a recent incident analysis. Kaspersky estimates that a stringent password policy can cut the likelihood of such an attack by 60 percent and that staying on top of patch management could reduce overall cyber-incident risk by 30 percent, yet both protections remain stubbornly weak points in many organizations' security postures.
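The two attack patterns described above leave different traces in authentication logs, and a per-account lockout policy only catches one of them. The following is an added example, not code from the article or from any of the companies it mentions: it runs simple detections over a few constructed log lines (the log format, the account names, the IP addresses and the thresholds are all assumptions made for this example). Password spraying shows up as one source failing against many different accounts within a window, while per-account brute force shows up as many failures against one account from one source; a success from a source that was just spraying is the event worth paging on. Note that credential stuffing and spraying look alike in these logs, because auth logs do not (and should not) record the password that was tried.

```python
"""Detect password spraying and per-account brute force in authentication logs.

Added example. Log format, account names, IPs and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real New Cooperative data). Assumed format:
#   <ISO timestamp> auth user=<name> src=<ip> result=<success|failure>
SAMPLE_LOG = """\
2021-09-17T08:00:01 auth user=alice src=203.0.113.7 result=failure
2021-09-17T08:00:04 auth user=bob src=203.0.113.7 result=failure
2021-09-17T08:00:08 auth user=carol src=203.0.113.7 result=failure
2021-09-17T08:00:12 auth user=dave src=203.0.113.7 result=failure
2021-09-17T08:00:16 auth user=erin src=203.0.113.7 result=failure
2021-09-17T08:00:20 auth user=frank src=203.0.113.7 result=failure
2021-09-17T08:00:25 auth user=frank src=203.0.113.7 result=success
2021-09-17T09:00:00 auth user=carol src=198.51.100.9 result=failure
2021-09-17T09:00:10 auth user=carol src=198.51.100.9 result=failure
2021-09-17T09:00:20 auth user=carol src=198.51.100.9 result=failure
2021-09-17T09:00:30 auth user=carol src=198.51.100.9 result=failure
2021-09-17T09:00:40 auth user=carol src=198.51.100.9 result=failure
2021-09-17T09:00:50 auth user=carol src=198.51.100.9 result=failure
2021-09-17T10:00:00 auth user=alice src=192.0.2.5 result=failure
2021-09-17T10:00:05 auth user=alice src=192.0.2.5 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>success|failure)$"
)


def parse_line(line):
    """Return an event dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
            "ip": m["ip"], "ok": m["result"] == "success"}


def parse_log(text):
    """Parse all lines, drop unparseable ones, and sort by timestamp."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    return events


def _max_distinct_in_window(pairs, window):
    """pairs: (ts, key) sorted by ts. Max number of distinct keys inside any window."""
    counts, best, lo = defaultdict(int), 0, 0
    for t, k in pairs:
        counts[k] += 1
        while t - pairs[lo][0] > window:          # slide the left edge forward
            k0 = pairs[lo][1]
            counts[k0] -= 1
            if counts[k0] == 0:
                del counts[k0]
            lo += 1
        best = max(best, len(counts))
    return best


def _max_count_in_window(times, window):
    """times sorted. Max number of events inside any window."""
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect_spraying(events, window=timedelta(minutes=30), min_users=5):
    """One source IP failing against >= min_users distinct accounts within window.

    Returns {ip: distinct_accounts_hit}. Per-account lockouts never see this,
    because each account receives only one or two attempts.
    """
    per_ip = defaultdict(list)
    for e in events:
        if not e["ok"]:
            per_ip[e["ip"]].append((e["ts"], e["user"]))
    return {ip: n for ip, fails in per_ip.items()
            if (n := _max_distinct_in_window(fails, window)) >= min_users}


def detect_brute_force(events, window=timedelta(minutes=10), min_attempts=5):
    """One (account, source IP) pair with >= min_attempts failures within window."""
    per_key = defaultdict(list)
    for e in events:
        if not e["ok"]:
            per_key[(e["user"], e["ip"])].append(e["ts"])
    return {key: n for key, times in per_key.items()
            if (n := _max_count_in_window(times, window)) >= min_attempts}


def successes_from_sprayers(events, sprayers):
    """Accounts that a spraying source eventually logged into: likely compromised."""
    return sorted({(e["user"], e["ip"]) for e in events if e["ok"] and e["ip"] in sprayers})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    sprayers = detect_spraying(evs)
    print("spraying sources:", sprayers)
    print("brute-forced accounts:", detect_brute_force(evs))
    print("likely compromised:", successes_from_sprayers(evs, sprayers))
```

In the sample, the spraying source touches six accounts once each and is invisible to the per-account rule, the brute-force source hits one account six times and is invisible to the spraying rule, and frank's account is the one that was actually taken over. Real deployments would key spraying on more than the source IP (residential proxy pools rotate it) and would add the usual low-and-slow variant by widening the window.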
That the attack was allegedly carried out by Russian operatives against a U.S. critical infrastructure operator gives it added weight. President Biden has warned Russian President Putin that attacks on U.S. critical infrastructure, including the agriculture sector, will be met with a response, suggesting the U.S. could hit back with a cyber operation of its own. Perhaps recognizing that the New Coop attack may reverberate beyond the single event, BlackMatter has posted on its leak site that it does not target critical infrastructure, a claim its choice of victim plainly contradicts.