Citing ransomware attacks against six grain cooperatives during the fall 2021 harvest and two attacks already in early 2022, the FBI is advising that additional cyberattacks targeting farm cooperatives could affect the planting season by disrupting the supply of seeds and fertilizer.
Two attacks on grain co-ops — Iowa’s NEW Cooperative and Minnesota’s Crystal Valley — made headlines last fall, followed by another attack on Sandhills Global, which operates online platforms for auctioning farm equipment, that shut down the company’s operations on Oct. 4.
“Cyber actors may perceive cooperatives as lucrative targets with a willingness to pay due to the time-sensitive role they play in agricultural production,” the FBI warned. “Although ransomware attacks against the entire farm-to-table spectrum of the FA sector occur on a regular basis, the number of cyberattacks against agricultural cooperatives during key seasons is notable.”
Brad Deacon, emergency management coordinator for the Michigan Department of Agriculture and Rural Development (MDARD), said the FBI alert underscores the potential impact of ransomware on food security.
“The food and agriculture sector faces many challenges, but cybersecurity cannot be one put on the back burner,” Deacon said. “The FBI’s guide provides some valuable considerations for the private sector to review.”
According to a February joint cybersecurity advisory authored by cybersecurity authorities in the U.S., Australia and the United Kingdom, ransomware tactics and techniques continue to evolve. Sophisticated, high-impact ransomware incidents against critical infrastructure organizations increased globally.
The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency observed incidents involving ransomware against 14 of the 16 U.S. critical infrastructure sectors, including food and agriculture, the defense industrial base, emergency services, government facilities and information technology sectors.
Since 2021, multiple agricultural cooperatives have been affected by a variety of ransomware variants, according to the FBI alert.
Production was affected for some of the targeted entities, resulting in slower processing because of manual operations, while other targeted entities lost access to administrative functions such as websites and email but did not have production impacted.
In March, a multistate grain company suffered a LockBit 2.0 ransomware attack. In addition to grain processing, the company provides seed, fertilizer and logistics services, which are critical during the spring planting season.
In February, a company providing feed milling and other agricultural services reported two instances in which an unauthorized actor gained access to some of its systems and may have attempted to initiate a ransomware attack. The attempts were detected and stopped before encryption occurred.
Between Sept. 15 and Oct. 6, 2021, six grain cooperatives experienced ransomware attacks. A variety of ransomware variants were used, including Conti, BlackMatter, SunCrypt, Sodinokibi and BlackByte. Some targeted entities had to completely halt production while others lost administrative functions.
In July 2021, a business management software company found malicious activity on its network, which was later identified as HelloKitty/FiveHands ransomware. The threat actor demanded a $30 million ransom. The ransomware attack on the company led to secondary ransomware infections on a number of its clients, which included several agricultural cooperatives.
MDARD’s Deacon encourages private-sector firms to work with reputable contractors and service providers to review their procedures and computer network security settings. He expects cyberthreat actors will continue to exploit network, system and application vulnerabilities.
The FBI recommends implementing the following steps to mitigate the threat and protect against ransomware attacks:
- Regularly back up data, and keep backup copies air-gapped, password-protected and offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
- Implement a recovery plan that includes maintaining and retaining multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (e.g., hard drive, storage device, the cloud).
- Identify critical functions and develop an operations plan in the event that systems go offline. Think about ways to operate manually if it becomes necessary.
- Implement network segmentation.
- Install updates or patch operating systems, software, and firmware as soon as they are released.
- Use multifactor authentication where possible.
- Use strong passwords and regularly change passwords to network systems and accounts, implementing the shortest acceptable time frame for password changes. Avoid reusing passwords for multiple accounts and use strong passphrases where possible.
- Disable unused remote access/RDP ports and monitor remote access/RDP logs.
- Require administrator credentials to install software.
- Audit user accounts with administrative or elevated privileges and configure access controls with least privilege in mind.
- Install and regularly update anti-virus and anti-malware software on all hosts.
- Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a virtual private network.
- Consider adding an email banner to messages coming from outside your organization.
- Disable hyperlinks in received emails.
- Focus on cybersecurity awareness and training. Regularly provide users with training on information security principles and techniques, as well as overall emerging cybersecurity risks and vulnerabilities (e.g., ransomware and phishing scams).
For additional resources related to the prevention and mitigation of ransomware, visit stopransomware.gov, a centralized, U.S. whole-of-government webpage providing ransomware resources and alerts.
CISA’s Ransomware Readiness Assessment is a no-cost self-assessment based on a tiered set of practices to help organizations better assess how well they are equipped to defend against and recover from a ransomware incident.
CISA offers a range of no-cost cyber-hygiene services to help critical infrastructure organizations assess, identify and reduce their exposure to threats, including ransomware. By requesting these services, organizations of any size could find ways to reduce their risk and mitigate attack vectors.