A recent ransomware attack on NEW Cooperative, an association of Iowa corn and soybean farmers based in Fort Dodge, Iowa, has paralyzed transportation of grain to livestock and poultry farms that rely on it for feed supplies and the smooth running of their farms.
The ransomware attack was carried out by BlackMatter, who indicated on their website that they had encrypted NEW Cooperative data and stolen over one terabyte of data from the firm. They also demanded a ransom of $5.9 million from the coop, threatening to double the amount to $11.8 million if their demands were not met within five days.
The group behind the attack
Research into the ransomware group, BlackMatter, indicated they might be the same group behind the Colonial Pipeline attack in May that triggered a six-day shutdown of gas supply on the East Coast. This assessment was based on similarities between the two Russia-linked ransomware groups and on the mode of attack used against NEW Cooperative.
BlackMatter first appeared in July, coinciding with the shutdown of DarkSide, leading to speculation that it might be a revamped DarkSide cybercriminal gang.
Since BlackMatter's inception, Emsisoft has recorded over 170 cybersecurity incidents from the ransomware group, including the recent high-profile attack on technology giant Olympus in September.
NEW Cooperative response to the ransomware attack
NEW Cooperative's response to the ransomware attack was swift, according to the firm’s spokesperson, who indicated that they immediately shut down all systems to stifle the spread of the ransomware. The spokesperson added that the decision to shut down the systems was made out of an abundance of caution and indicated that they had successfully contained the ransomware attack.
After taking their systems offline, however, the coop was able to create a workaround and continue receiving grain and distributing feed to livestock and poultry farms, avoiding the massive disruptions that the cybercriminals were aiming for.
NEW Cooperative also indicated that, upon noticing that their firm was under attack, they notified law enforcement and procured the services of Certified Information Systems Auditor (CISA) and data security experts to help them solve the problem.
An anonymous farmer close to NEW coop confirmed that paying the ransomware group the $5.9 million they were asking for was out of the question, disclosing that the federal government was treating the ransomware attack as a terrorist attack and that the ransom would, therefore, not be paid.
Lesson for veterinary practices
The attack on NEW Cooperative and the coop's response provide veterinary practices with a blueprint of what to expect during a ransomware attack and how to respond to one.
Lessons during the attack
The NEW Cooperative ransomware attack response was swift and included shutting down all their systems to avoid the spread of ransomware to other unaffected areas.
After shutting down their systems, they were quick to institute alternatives for the day-to-day running of the business. This allowed them to continue supplying their clients with the grain required on their livestock and poultry farms.
NEW Cooperative also did not give in to extortion by the BlackMatter ransomware gang. Reports indicate that the group had successfully stolen over a terabyte of data and encrypted the firm's computer systems. However, even with sustained threats that the ransomware group would release the data, the coop declined to negotiate with the attackers and instead called on the help of law enforcement, CISA, and cybersecurity experts to evaluate and handle the cybersecurity threats.
The NEW Cooperative response to the ransomware attack should be a standard for veterinary practices, which may in the future find themselves in the middle of a ransomware attack. The attack also highlighted why veterinary practices should keep backups of their systems: backups would allow them to respond quickly and continue serving their clients.
The most important lesson, however, was that NEW Cooperative never considered paying a ransom to cybercriminals. It is important, as veterinary practices, not to support the work of cybercriminals, as payment of ransoms only emboldens the criminals and can lead to legal troubles for practices.
Lessons after the attack
The response by NEW Cooperative after the ransomware attack was also impeccable. They notified all their clients and the public that they had come under a ransomware attack and released a statement explaining why their systems went offline.
Their response also included working with law enforcement and cybersecurity experts to come up with a solution as soon as they realized they had been attacked. This allowed them to formulate a plan quickly and get their systems back online in a very short time.
As veterinary practices, notifying clients after a ransomware attack should be part of our response to cybersecurity compromises.
Contacting law enforcement and cybersecurity experts should also be considered if the problem is severe and cannot be handled internally. This will also make your response faster, helping you get your systems back online as soon as possible.
Your post-attack response should also include not negotiating a ransom payment with the cybercriminals. Refusing to pay them a ransom denies them money to operate with and can save the next victim or deter future attacks on your veterinary practice.
Need an Incident Response Plan?
The best way to protect your veterinary hospital is with an incident response plan. Lucca can help you build your response plan to keep operations running in the midst of a crisis. Schedule your FREE call today to start building your plan.