FBI releases warning around ransomware attacks targeting US agriculture sector

On Wednesday 20th of April 2022, the United States Federal Bureau of Investigation (FBI) released a joint TLP:WHITE Private Industry Notification which warned the Food and Agriculture (FA) sector organizations that ransomware actors are likely to attack agricultural cooperatives during critical periods like the planting and harvest seasons which may cause disruptions to operations and therefore cause financial loss and negatively impacting food supply chains.

This notification was released in coordination with the United States Department of Agriculture (USDA) and the U.S. Department of Homeland Security (DNS) and the Cybersecurity and Infrastructure Security Agency (CISA). This notification comes about due to the FBI noting that ransomware attacks during past critical periods like harvesting seasons in previous years have led to impacts on the supply of seeds and fertilizer as well as food supply chains. The FBI mentioned that six-grain cooperatives had ransomware operations conducted against them during the fall 2021 harvest and two ransomware attacks were also conducted in early 2022 which had led to possible impacts on the planting season by disrupting the supply of seeds and fertilizer.

The FBI believe that ransomware gangs and other cybercriminals may see agricultural cooperatives as valuable targets as it is the belief that these cooperatives may be willing to pay the ransom due to the time-sensitive roles they play in agricultural production. Although the FBI has clarified that the ransomware attacks against “the entire farm-to-table spectrum of the FA sector occur on a regular basis”, there is a notable increase in the number of cyber-attacks against agricultural cooperatives during key seasons.

The FBI detailed four separate incidents which demonstrate the warning around ransomware attacks against the Food and Agriculture sector:

• “In March 2022, a multi-state grain company suffered a Lockbit 2.0 ransomware attack. In addition to grain processing, the company provides seed, fertilizer, and logistics services, which are critical during the spring planting season.”
• “In February 2022, a company providing feed milling and other agricultural services reported two instances in which an unauthorized actor gained access to some of its systems and may have attempted to initiate a ransomware attack. The attempts were detected and stopped before encryption occurred.”
• “Between 15 September and 6 October 2021, six grain cooperatives experienced ransomware attacks. A variety of ransomware variants were used, including Conti, BlackMatter, Suncrypt, Sodinokibi, and BlackByte. Some targeted entities had to completely halt production while others lost administrative functions.”
• “In July 2021, a business management software company found malicious activity on its network, which was later identified as HelloKitty/Five Hands ransomware. The threat actor demanded $30 million USD ransom. The ransomware attack on the company led to secondary ransomware infections on a number of its clients, which included several agricultural cooperatives”