BlackMatter Ransomware Group Ignores Own Rules, Attacks Iowa Grain Cooperative

BlackMatter reportedly said it wouldn't attack critical infrastructure.

Edward Gately, Senior News Editor

September 20, 2021

5 Min Read
ransom payment

The Russia-linked BlackMatter ransomware group attacked a grain cooperative in Iowa over the weekend and is demanding a $5.9 million ransom that could escalate to $11.8 million.

According to BleepingComputer, the BlackMatter ransomware group is demanding $5.9 million from New Cooperative not to leak stolen data and provide a decryptor. New Cooperative is a farmer’s feed and grain cooperative with more than 60 locations throughout Iowa.

BlackMatter said the ransom will increase to $11.8 million if a ransom isn’t paid in five days.

New Cooperative provided the following statement to BleepingComputer:

“New Cooperative recently identified a cybersecurity incident that is impacting some of our company’s devices and systems. Out of an abundance of caution, we have proactively taken our systems offline to contain the threat, and we can confirm it has been successfully contained. We also quickly notified law enforcement and are working closely with data security experts to investigate and remediate the situation.”

BlackMatter first surfaced in July. It reportedly claimed it wouldn’t target hospitals, critical infrastructure facilities, nonprofit companies, government, the defense industry, or the oil and gas industry.

Criminals Don’t Follow Even Their Own Rules

Quentin Rhoads-Herrera is director of professional services at CriticalStart. He said just like any other criminal organization, BlackMatter won’t even follow its own rules.


CriticalStart’s Quentin Rhoads-Herrera

“While they claim they do not attack critical infrastructure, they also don’t categorize New Cooperative as critical infrastructure, ensuring them they will only incur financial losses not a risk to life and limb,” he said.

New Cooperative knows BlackMatter has stolen its KeePass password manager data, Rhoads-Herrera said. Therefore, it needs to lock out accounts and create new ones with complex passwords and multifactor authentication (MFA),

“In terms of negotiations, if New Cooperative is going to look at paying for recovery, they need to make sure that the group can actually recover their data before issuing any payments,” he said. “While unlikely, they should also see if the group will disclose items such as how they got the access initially and how they got the data off the network. Finally, they should make sure they have some form of evidence that the data taken off the network is destroyed.”

Agriculture Sector Particularly Susceptible

Chris Morgan is senior cyber threat intelligence analyst at Digital Shadows.


Digital Shadows’ Chris Morgan

“Companies working in the agricultural sector are particularly susceptible to ransomware activity as the harvest and fertilization of crops is highly sensitive to external factors,” he said. “This typically involves weather changes and time of the year. However, any delays caused by a ransomware attack could result in a significant loss of productivity and in turn lead to huge amounts of crops being wasted. The attack also comes at a time where COVID-19 has resulted in a global shortages of truck drivers, which is impacting food supply chains.”

The FBI has highlighted the risk posed by ransomware groups targeting food and beverage, and agricultural sectors, Morgan said. It said ransomware groups are actively targeting the systems used by agriculture.

“The attack against New Cooperative also shows a willingness from ransomware groups to continue targeting critical national infrastructure (CNI),” he said. “In July, President Joe Biden provided Russian Premier Vladimir Putin a list of 16 sectors that were reportedly off limits for ransomware attacks, which included those involved with food production. While Putin likely does not have a direct influence on the operations conducted by ransomware groups, the dialogue between the two leaders was aimed at pressuring Russia to take a more active role in tackling ransomware activity. This, predictably, appears to have fallen on deaf ears, with BlackMatter since claiming that they did not believe New Cooperative constituted CNI.”

Biden Administration Already Targeting Ransoms

Jake Williams is co-founder and CTO of BreachQuest.


BreachQuest’s Jake Williams

“Given that the Biden administration is already telegraphing more oversight and regulation around paying ransoms, impacting yet another critical infrastructure target certainly won’t help the situation for threat actors,” he said. “The threat actors may view New Cooperative as an IT company, possibly owing that distinction to the SoilMap software product.”

Ironically, this distinction would be meaningless to the administration, Williams said. That’s because the IT sector is also considered critical infrastructure under the Department of Homeland Security (DHS) and Cybersecurity and Infrastructure Security Agency (CISA) designations.

Hank Schless is senior manager of security solutions at Lookout. He said threat actors already operate outside the bounds of the law, so why would the BlackMatter ransomware group “suddenly comply” with Biden’s statements?


Lookout’s Hank Schless

“If this is the attitude Russia-based threat actors have towards the president’s warnings, then this could be indicative of similar attacks to come,” he said. “This should serve as a wake-up call to every organization that they need to take action in order to protect themselves. The president’s statements on these types of attacks have done a fantastic job of conveying the importance of cybersecurity, but it’s on organizations to put those words into actions and shore up their defenses.”

Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.

Read more about:


About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like