Cyber Incident Victim: NEW Cooperative
Date: Sep 2021
Location: United States of America
Summary
A US agricultural cooperative suffered a ransomware attack by the BlackMatter group, which demanded $5.9 million in exchange for a decryption tool and a promise not to leak stolen data, threatening to double the ransom if it was not paid within five days. The victim took systems offline to contain the incident, notified law enforcement, and engaged cybersecurity experts, while warning that, as critical infrastructure, the disruption threatened the grain, pork, and chicken supply chains. The attackers dismissed these concerns, leaked samples of stolen data including soilmap.com source code, R&D materials, employee information, financial records, and KeePass database exports, and refused to waive the ransom despite the victim's appeals about the broader food security impact.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
On September 20, 2021, U.S. agricultural cooperative NEW Cooperative suffered a BlackMatter ransomware attack that disrupted operations across its network of over sixty grain and feed facilities in Iowa. The attackers demanded an initial ransom of $5.9 million and threatened to double it to $11.8 million if payment was not made within five days. NEW Cooperative confirmed the incident to BleepingComputer, stating that it had proactively taken systems offline to contain the spread and had isolated the attack. The organization engaged law enforcement and third-party data security experts to investigate and remediate the breach. Researchers first identified the incident when a ransomware sample was uploaded to a public malware analysis platform; the sample exposed BlackMatter's ransom note, its negotiation portal, and a private (not yet published) data leak page containing evidence of the stolen information.

During negotiations documented in chat screenshots, NEW Cooperative challenged the attackers by asserting its status as critical infrastructure supporting the food supply for grain, pork, and chicken production, and warned that the attack would cause supply chain disruption exceeding the impact of the Colonial Pipeline incident. BlackMatter dismissed these claims, stating that the cooperative did not "fall under the rules" prohibiting attacks on critical infrastructure, and threatened to double the ransom unless the negotiations changed course. The attackers claimed to hold stolen data including soilmap.com source code, research and development materials, sensitive employee information, financial documents, and an exported KeePass password database; an exported password database has to be treated as a compromise of every credential stored in it, so those credentials require rotation whether or not a ransom is paid. NEW Cooperative indicated that it would notify regulators and CISA about the breach, emphasizing that it could not control the governmental response to an attack it predicted would have widespread agricultural consequences. The cooperative kept its systems offline during recovery while BlackMatter continued to demand payment for the decryption tool and for suppression of the stolen data.
