Wide shot of smiling farmer carrying bin of freshly harvested organic curly kale through field on fall morning

FBI warns food and agriculture to brace for seasonal ransomware attacks

The Federal Bureau of Investigation (FBI) recently released a Private Industry Notification warning agriculture cooperatives (also known as “farmers’ co-ops”) of the looming danger of well-timed ransomware attacks. The agency warns that during the critical planting and harvesting seasons, attacks could result in the theft of proprietary information, and operational disruption leading to financial losses and even food shortages.

This is the second time the FBI has warned the food and agriculture sector. In September 2021, the agency revealed that ransomware threat actors were ramping up attacks as the sector adopted more smart technologies.

“Since 2021, multiple agricultural cooperatives have been impacted by a variety of ransomware variants,” the agency said, “Initial intrusion vectors included known but unpatched common vulnerabilities and exploits and secondary infections from the exploitation of shared network resources or compromise of managed services.”

The FBI is concerened that threat actors might think agricultural cooperatives have an extra incentive to pay ransoms because some phases of their work are so time-sensitive.

After-effects of ransomware attacks against the FA sector

Attacks against organizations at the root of the food supply chain can cause significant downstream disruption.

During the same month as the FBI’s initial warning, in September 2021, BlackMatter ransomware hit Iowa’s NEW Cooperative, demanding a ransom of $5.9 million. The company was forced to take affected devices offline to stop the threat from spreading, and the ransomware gang was reportedly able to steal 1,000GB of data, including financial documents, employee data, and source code for a farming technology platform.

Two days after the NEW Cooperative attack, Crystal Valley Cooperative, a major farmer’s co-op in Minnesota, was hit by a still-unnamed ransomware strain. This stopped the group from processing major payment cards and caused its phone system some downtime.

In the last decade, the agriculture sector has been through a rapid technological transformation as traditional farm machinery—such as tractors—have joined the Internet of Things (IoT).

In a recent Lock and Code podcast about the vulnerability of agricultural technology, podcast host Davd Ruiz interviewed Sick Codes, a hacker who has taken a deep dive into the security of John Deere and other agricultural equipment manufacturers.

He told us that while the industry is beginning to think about the cybersecurity of its devices and systems, many vendors still struggle with the basics like where they store data and how to make it safe, leaving it open to easy exploitation. In one example of what might be possible, Sick explained that threat actors might be able to “game” the market for corn prices by intercepting unencrypted data about the crop as it moves from tractor fleets into the cloud:

If somebody is to catch that data on the way out, they will be able to predict the price of corn. And corn is a commodity. It fluctuates daily. So actually if you have all that data, you’d be out to make serious money.

The FBI has taken stock of ransomware gangs that have hit organizations within the food and agriculture sector: BlackByte, BlackMatter, Conti, HelloKitty(aka Five Hands), LockBit, Sodinokibi(aka REvil), and SunCrypt.

FBI recommendations

The agency advises the sector to focus on protecting its networks, systems, and applications as threat actors can and will exploit vulnerabilities in them. It also offered some guidance on how to protect against ransomware attacks, including:

  • Regularly back up datato an offline, air-gapped location where it can’t be reached by attackers.
  • Patch softwareand firmware as soon as security updates become available.
  • Segment networksto slow down attackers, make finding them easier, and limit their damage.
  • Use multi-factor authentication (MFA)whenever possible.
  • Use strong passwordsand avoid reusing them.

More guidelines can be found in the agency’s Private Industry Notificationon the subject.

For a glimpse of the current state of cybersecurity in an Internet-connected agriculture sector, listen to our Lock and Code podcast below: