The scumbag parasites of the internet have struck again, with American farmers’ consortium NEW Cooperative hit by ransomware. The attack could cripple US food supply chains and put the lives of millions of animals at risk, its negotiators implored the attackers in leaked screenshots of negotiations — although the cooperative says publicly that the attack has been “contained”. (The Stack has opted to stop naming the specific cybercrime syndicates behind these attacks unless it clearly helps defenders understand their tactics, techniques and procedures.)
“If we are not able to recover very shortly, there is going to be very, very public disruption to the grain, pork, and chicken supply chain. About 40% of grain production runs on our software, and 11 million animals [sic] feed schedules rely on us. This will break the supply chain very shortly”, a NEW Cooperative negotiator said in screenshots of discussions with the attackers that were leaked and widely shared on social media.
NEW Cooperative ransomware attack: “Successfully contained”?
NEW Cooperative, an Iowa-based farmers’ coop, operates grain storage infrastructure in the top US wheat-producing state, as well as buying crops, selling fertilizer, and running technology platforms including a trading application that lets farmers view grain bids, make offers and view and sign purchase contracts. While the incident is no doubt damaging for the company and its partners, the comments appear to have been designed to help persuade the attackers that the organisation was critical infrastructure and as such — in line with the criminals’ mission statement on their .onion site — out of bounds in the wake of the Colonial Pipeline attack.
“We have proactively taken our systems offline to contain the threat, and we can confirm it has been successfully contained,” NEW Cooperative Inc said in a statement shared by Reuters. “We also quickly notified law enforcement and are working closely with data security experts to investigate and remediate the situation.” (The company’s VP of comms did not respond to a request for further information from The Stack).
The attackers appear to have first started leaking data from the attack on September 18. The group said on its site that it had encrypted NEW Cooperative’s data and stolen 1TB of files spanning invoices, research and development documents, and the source code to its soil-mapping technology. The hackers demanded $5.9 million in cryptocurrency by Sept. 25 for a tool to decrypt the data. As The Stack noted in yesterday’s piece, companies looking to shore up their security should focus on five key tasks, according to Phil Robinson, principal consultant and founder of Prism Infosec.
- Staff/User Awareness – regular security awareness training which covers the dangers of common attacks (spear phishing etc), what to look for and how to report quickly. Implement a “no blame” culture and encourage reports. You don’t want people covering their tracks for fear of reprisals from management.
- Device Security – ensure that devices (such as workstations and servers but also mobile devices and other networking hardware) are configured to be as secure as possible, with users having a low level of privilege, effective Anti-Virus (AV) and/or Endpoint Detection and Response (EDR) software deployed. Remove unnecessary software, follow best practice guides on hardening (e.g. NCSC and CIS) and limit execution of unknown executables and scripts (e.g. Microsoft Defender Application Control).
- Centralised Management – wherever possible use centralised security management solutions (such as Mobile Device Management, centralised AV/EDR consoles and centralised patch management tools).
- Logging and Event Reporting – in the absence of a SOC or SIEM solution, wherever logs and events can be enabled across the technology stack, make sure these are set up and tuned. Ensure coverage at firewall, network device (switch/router), workstations, servers, applications and cloud services. Ensure that logging is not overwhelming to prevent alert fatigue and that key events are prioritised (e.g. multiple password failures, AV/EDR alerts, unexpected privilege escalation).
- Robust Authentication – many breaches (particularly for Internet-based services) occur due to weak passwords combined with a lack of additional controls such as MFA or password lockouts. Review all login interfaces (prioritising Internet-facing) and ensure that as many as possible support these controls.
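The logging item above asks for key events such as multiple password failures to be prioritised rather than drowning an analyst in every single failure. The following is an added example of that kind of tuning, not code from The Stack, Prism Infosec or NEW Cooperative: it parses constructed sshd-style auth log lines, raises a medium-priority alert only once a source exceeds a failure threshold within a time window, and escalates to high priority when a successful login follows such a burst. The log format, the threshold (5 failures in 60 seconds), the host name and the IP addresses are all assumptions chosen for the example.

```python
"""Prioritise repeated password failures from an auth log (added example).

Assumptions (not from the article): syslog-style sshd lines, a threshold of
5 failures from one source within 60 seconds, and the year 2021 for timestamps.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines; hosts and addresses are documentation values, not real data.
SAMPLE_LOG = """\
Sep 20 03:14:01 grain-gw sshd[1021]: Failed password for admin from 203.0.113.7 port 51022 ssh2
Sep 20 03:14:03 grain-gw sshd[1022]: Failed password for admin from 203.0.113.7 port 51023 ssh2
Sep 20 03:14:05 grain-gw sshd[1023]: Failed password for root from 203.0.113.7 port 51024 ssh2
Sep 20 03:14:07 grain-gw sshd[1024]: Failed password for admin from 203.0.113.7 port 51025 ssh2
Sep 20 03:14:09 grain-gw sshd[1025]: Failed password for admin from 203.0.113.7 port 51026 ssh2
Sep 20 03:14:12 grain-gw sshd[1026]: Accepted password for admin from 203.0.113.7 port 51027 ssh2
Sep 20 03:20:00 grain-gw sshd[1040]: Failed password for jsmith from 198.51.100.4 port 40010 ssh2
Sep 20 03:25:00 grain-gw sshd[1041]: Accepted password for jsmith from 198.51.100.4 port 40011 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2021):
    """Return a dict for an sshd login line, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bursts(log_text, threshold=5, window_seconds=60):
    """Return a list of (priority, source_ip, reason) alerts.

    'medium': a source reached `threshold` failures within the window (reported once)
    'high'  : a successful login from that source while the burst is still in the window
    Single or sparse failures are deliberately not alerted, to limit alert fatigue.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    already_flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        # drop failures that fell out of the sliding window
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in already_flagged:
                already_flagged.add(ev["ip"])
                alerts.append(("medium", ev["ip"],
                               f"{len(q)} failed logins within {window_seconds}s"))
        elif ev["result"] == "Accepted" and len(q) >= threshold:
            alerts.append(("high", ev["ip"],
                           f"successful login for {ev['user']} after failure burst"))
    return alerts


if __name__ == "__main__":
    for priority, ip, reason in detect_bursts(SAMPLE_LOG):
        print(f"[{priority.upper()}] {ip}: {reason}")
```

On the constructed sample, the single failure from 198.51.100.4 produces nothing, while 203.0.113.7 produces one medium alert at its fifth failure and one high alert when the login from the same address succeeds seconds later; that second alert is the one worth an analyst's immediate attention.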
A good backup strategy is more critical than ever
As per NCSC guidance, a good backup strategy is also critical. The UK’s NCSC urges organisations to:
- “Make regular backups of your most important files – it will be different for every organisation – check that you know how to restore files from the backup, and regularly test that it is working as expected.
- Ensure you create offline backups that are kept separate, in a different location (ideally offsite), from your network and systems, or in a cloud service designed for this purpose, as ransomware actively targets backups to increase the likelihood of payment. Our blog on ‘Offline backups in an online world’ provides useful additional advice for organisations.
- Make multiple copies of files using different backup solutions and storage locations. You shouldn’t rely on having two copies on a single removable drive, nor should you rely on multiple copies in a single cloud service.
- Make sure that the devices containing your backup (such as external hard drives and USB sticks) are not permanently connected to your network. Attackers will target connected backup devices and solutions to make recovery more difficult.
- You should ensure that your cloud service protects previous versions of the backup from being immediately deleted and allows you to restore to them. This will prevent both your live and backup data becoming inaccessible – cloud services often automatically synchronise immediately after your files have been replaced with encrypted copies.
- Ensure that backups are only connected to known clean devices before starting recovery.
- Scan backups for malware before you restore files. Ransomware may have infiltrated your network over a period of time, and replicated to backups before being discovered.
- Regularly patch products used for backup, so attackers cannot exploit any known vulnerabilities they might contain.”
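Two of the NCSC points above are easy to state and easy to skip: regularly test that you can actually restore from a backup, and keep previous versions so a backup taken after files were encrypted does not overwrite the last good copy. The following is an added example of both checks, written for this page and not NCSC's, The Stack's or NEW Cooperative's code. It copies a source tree into a new versioned directory, writes a SHA-256 manifest alongside it, prunes only versions beyond a retention count, and then performs a test restore that compares every restored file against the manifest, so a backup copy that has been overwritten (here simulated by replacing one file's bytes) is caught before anyone relies on it. Local temporary directories stand in for an offline or cloud target, and the file names, contents and version labels are constructed for the example.

```python
"""Versioned backup with restore verification (added example, not NCSC code).

Assumptions: local directories stand in for an offline/cloud backup target, and a
SHA-256 manifest is enough to detect any file altered (e.g. encrypted) after backup.
"""
import hashlib
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

MANIFEST = "MANIFEST.sha256"


def sha256_file(path):
    """Hash a file in chunks so large backup members do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source, backup_root, version=None, keep=3):
    """Copy `source` into a new versioned directory and write a hash manifest.

    Older versions are retained (up to `keep`, which must be >= 1) rather than
    overwritten, so a backup taken after files were encrypted cannot destroy
    the last known-good copy. Returns the path of the new version directory.
    """
    version = version or datetime.now().strftime("%Y%m%dT%H%M%S")
    dest = Path(backup_root) / version
    shutil.copytree(source, dest)  # refuses to overwrite an existing version
    lines = []
    for p in sorted(dest.rglob("*")):
        if p.is_file():
            lines.append(f"{sha256_file(p)}  {p.relative_to(dest).as_posix()}")
    (dest / MANIFEST).write_text("\n".join(lines) + "\n")
    # retention: prune only the oldest versions beyond `keep`
    versions = sorted(d for d in Path(backup_root).iterdir() if d.is_dir())
    for old in versions[:-max(keep, 1)]:
        shutil.rmtree(old)
    return dest


def verify_restore(backup_dir, restore_dir):
    """Restore `backup_dir` into `restore_dir` and check every file against the manifest.

    Returns the relative paths whose hash is missing or does not match; an empty
    list means the restore test passed.
    """
    backup_dir, restore_dir = Path(backup_dir), Path(restore_dir)
    shutil.copytree(backup_dir, restore_dir, dirs_exist_ok=True)
    bad = []
    for line in (restore_dir / MANIFEST).read_text().splitlines():
        digest, rel = line.split("  ", 1)
        target = restore_dir / rel
        if not target.is_file() or sha256_file(target) != digest:
            bad.append(rel)
    return bad


def demo():
    """Back up constructed files, tamper with the backup copy, and exercise retention.

    Returns (clean_mismatches, tampered_mismatches, surviving_version_names).
    """
    root = Path(tempfile.mkdtemp())
    src = root / "data"
    src.mkdir()
    (src / "contracts.csv").write_text("farm,bushels\nA,1200\n")  # constructed content
    (src / "bids.json").write_text('{"wheat": 7.1}\n')             # constructed content
    v1 = create_backup(src, root / "backups", version="v1")
    clean = verify_restore(v1, root / "restore_clean")
    # simulate a backup member overwritten with encrypted content after the backup ran
    (v1 / "bids.json").write_bytes(b"\x00\x13ENCRYPTED")
    tampered = verify_restore(v1, root / "restore_tampered")
    # three more versions with keep=3 should prune only v1
    for name in ("v2", "v3", "v4"):
        create_backup(src, root / "backups", version=name, keep=3)
    surviving = sorted(d.name for d in (root / "backups").iterdir())
    return clean, tampered, surviving


if __name__ == "__main__":
    print(demo())  # ([], ['bids.json'], ['v2', 'v3', 'v4'])
```

The point of returning the mismatch list rather than raising is that a scheduled restore test can record the result each run; a non-empty list is the signal that the backup in question is not one to recover from, regardless of what the backup job itself reported.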
As the agency adds, attackers increasingly look to destroy copied files or disrupt recovery processes before conducting ransomware attacks.
“Ideally, backup accounts and solutions should be protected using Privileged Access Workstations (PAW) and hardware firewalls to enforce IP allow listing. MFA should be enabled, and the MFA method should not be installed on the same device that is used for the administration of backups. Privileged Access Management solutions remove the need for administrators to directly access high-value backup systems.”