CISA, NSA, FBI say BlackMatter ransomware group is targeting the US food industry

A joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) has warned that the BlackMatter ransomware group has targeted “multiple” organizations deemed critical infrastructure, including two organizations in the U.S. food and agriculture sector.

The agencies did not name the victims, but Iowa New Cooperative, an Iowa-based farm service provider, was last month hit by a ransomware attack that saw hackers demand a $5.9 million ransom to unlock their systems. The attack was followed by a similar attack on Crystal Valley, a Minnesota-based farm supply and grain marketing cooperative.

The advisory provides an overview of the BlackMatter threat, its tactics (which includes the wiping of backup data stores and appliances, rather than encrypting them), detection signatures, and mitigation best practices. It also lends credence to the wider belief that BlackMatter might be a “possible rebrand” of the now-defunct DarkSide ransomware operation, which the FBI said was behind the attack on Colonial Pipeline.

BlackMatter provides ransomware-as-a-service (RaaS) that allows other groups to rent its infrastructure, taking a cut of the ransom if a victim pays. The advisory notes that BlackMatter ransom demands have ranged from $80,000 to $15 million in cryptocurrency.

The advisory urges organizations, particularly those in critical infrastructure, to shore up cybersecurity defenses and to follow security best practices, including the use of strong passwords and multi-factor authentication. The three agencies also recommend keeping all operating systems up to date, using a host-based firewall and ensuring all backup data is encrypted.

The agencies also urge any organization hit by a ransomware attack to report it immediately and to refuse to pay the hackers’ ransom demands.

“Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities,” the three agencies warned. “Paying the ransom also does not guarantee that a victim’s files will be recovered.”

BlackMatter has also hit Japanese technology giant Olympus, which forced the shutdown of its European, Middle East and Africa network.