Ransomware gangs may be timing their attacks on U.S. agriculture organizations to inflict maximum damage.
The FBI’s cyber division published a flash alert Wednesday for the food and agriculture sector stating that “ransomware actors may be more likely to attack agricultural cooperatives during critical planting and harvest seasons” like the fall and early spring.
The FBI warning is one of many issued by the U.S. government over the past year regarding the cybersecurity of the agriculture industry and the rising risk of ransomware attacks. This latest warning cites several instances in which different agriculture sector organizations across the country have been targeted by ransomware in both the planting and harvesting seasons.
The warning describes why agriculture groups like co-ops are at such a great risk.
“Cyber actors may perceive cooperatives as lucrative targets with a willingness to pay due to the time sensitive role they play in agricultural production,” the alert said. “Although ransomware attacks against the entire farm-to-table spectrum of the FA sector occur on a regular basis, the number of cyber-attacks against agricultural cooperatives during key seasons is notable.”
The FBI also noted the importance of the agricultural industry and the impact that potential ransomware attacks could have on the country.
“A significant disruption of grain production could impact the entire food chain, since grain is not only consumed by humans but also used for animal feed,” the warning said. “In addition, a significant disruption of grain and corn production could impact commodities trading and stocks. An attack that disrupts processing at a protein or dairy facility can quickly result in spoiled products and have cascading effects down to the farm level as animals cannot be processed.”
The FBI’s warning cited two ransomware attacks on U.S. agriculture so far in 2022. The two incidents were a March attack on a grain company by Lockbit 2.0 and a February attack on “a company providing feed milling and other agricultural services,” which reportedly thwarted the ransomware before it could fully deploy and encrypt systems.
Other noted incidents were from September and October 2021 when several grain co-ops were hit by ransomware groups, including BlackByte, BlackMatter, Conti, Sodinokibi and Suncrypt. While the FBI warning did not release the names of the victims, there were two large co-ops in Minnesota and Iowa that reported ransomware attacks last fall.
On Sept. 19, the Crystal Valley co-op in Minnesota suffered a ransomware attack that initially interrupted services and led to preventative system shutdowns. While their computer systems were shut down, the group was still able to record transactions using physical tickets, according to the Minnesota Post.
A day later, on Sept. 20, New Cooperative in Iowa had to take its systems offline following a BlackMatter ransomware attack, but said that they continued to receive grain and distribute feed without disruption. Following the attack, BlackMatter demanded a $5.9 million ransom for a decryption key and the return of sensitive data.
There has been no evidence that New Cooperative ever paid the ransom or engaged in negotiations with BlackMatter. New Cooperative could not be reached for comment.
The recent flash alert from the FBI is not an unfamiliar sight, as similar warnings were released in 2021 by federal agencies.
On Oct. 18, CISA released a report on the BlackMatter ransomware group and their attacks on U.S. critical infrastructure, including agriculture, and on Sept. 1, the FBI released a warning stating that threat actors would continue to target the agriculture sector with ransomware after growing threats in 2020.
The FBI alert on ransomware threats to the agriculture industry coincided with another warning from the U.S. government. A joint security advisory from the Cybersecurity and Infrastructure Security Agency, the National Security Agency and Department of Justice announced critical infrastructure organizations could “increased malicious cyber activity” from Russian threat groups. Wednesday’s advisory followed statements from the White House in March that the Russian government was “exploring” potential cyber attacks against U.S. critical infrastructure.