The FBI on Wednesday alerted food and agriculture companies to be prepared for ransomware operatives to potentially attack agricultural entities during planting and harvest seasons — a time frame the feds warned is more likely to draw the attention of ransomware actors bent on leveraging the sector at its most vulnerable, including now as the spring planting season gets underway.
The FBI’s notice to industry asserted that ransomware hackers are bent on “disrupting operations, causing financial loss, and negatively impacting the food supply chain,” and noted there were ransomware attacks against six grain cooperatives during the fall 2021 harvest, along with two attacks in early 2022 against targets the bureau did not name that could affect the planting season by disrupting the supply of seeds and fertilizer.
Wednesday’s FBI notice revealed for the first time how extensive ransomware attacks against agricultural targets were last year and earlier this year, according to Allan Liska, an intelligence analyst at Recorded Future.
“While a couple of the attacks against agricultural co-ops were known, there were a lot more that didn’t make the news,” Liska said via email. “This may be a sign of a common vulnerability or initial access vector that was previously unknown and hopefully has since been resolved.”
Liska said the FBI notice’s mention of third-party partners, such as managed service providers collaborating with ransomware actors to mount attacks is also striking.
“Agricultural companies cannot always afford to staff IT and security roles, so they are very reliant on the MSPs to provide protection,” Liska said. “When those MSPs are compromised there are usually no protections in place to protect the victims.”
The agricultural sector has experienced a mounting number of ransomware attacks in recent months. Last October, plants and distribution centers at Schreiber Foods, a multibillion-dollar dairy company, were forced offline following what the company called a “cyber event.” That incident followed a September FBI notice to the food and agriculture industry warning about ransomware threats. The notice said that from 2019 to 2020 the average ransom demand doubled and the average cyber insurance payout increased by 65%.
Around the same time, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, the FBI, and the National Security Agency warned the agricultural sector that BlackMatter ransomware attackers were targeting them as part of a broader threat against U.S. critical infrastructure.
A ransomware attack on meat supplier JBS last May led the company to pay an $11 million extortion fee. Hackers attacked two grain cooperatives with ransomware shortly thereafter.
The FBI’s Wednesday notice warns that ransomware hackers “may perceive cooperatives as lucrative targets with a willingness to pay due to the time-sensitive role they play in agricultural production.”
Brett Callow, a threat analyst at Emsisoft, said ransomware gangs sometimes wait before encrypting the networks they’ve compromised. He said there is typically a surge in attacks on the education sector around the start of the school year, when ransomware gangs often encrypt networks they compromised over the summer months. Ransomware operatives know to wait for the moment when educational institutions are most vulnerable to actually attack, a cycle Callow said he sees parallels to now as the agriculture sector faces heightened threats with the start of planting season.
“The reason for this is they want to strike at the time they believe their targets will be under the most pressure to pay,” Callow said in an email. “But there is a positive to these delays: They mean organizations may have a window of opportunity in which compromises can be identified and neutralized before they escalate into full-blown ransomware attacks.”