PSA: FBI Warns of Ransomware Attacks on Ag Timed to Critical Season

Apr 20, 2022 | Security

The Federal Bureau of Investigation (FBI) today reminded food and agriculture sector companies that cybercriminals and ransomware gangs are actively targeting the industry.

They note that these actors are “more likely to attack agricultural cooperatives during critical planting and harvest seasons, disrupting operations, causing financial loss, and negatively impacting the food supply chain.”

Although the FBI called out Ag cooperatives specifically in their announcement, their advice is materially relevant to all food and agriculture businesses.

“Cyber actors may perceive cooperatives as lucrative targets with a willingness to pay due to the time-sensitive role they play in agricultural production. Although ransomware attacks against the entire farm-to-table spectrum of the food and agriculture sector occur on a regular basis, the number of cyberattacks against agricultural cooperatives during key seasons is notable.”

The Threat

The FBI described the threat in detail, which I’ll copy here verbatim because it makes for informative and interesting reading:

Since 2021, multiple agricultural cooperatives have been impacted by a variety of ransomware variants. Initial intrusion vectors included known but unpatched common vulnerabilities and exploits, as well as secondary infections from the exploitation of shared network resources or compromise of managed services. Production was impacted for some of the targeted entities, resulting in slower processing due to manual operations, while other targeted entities lost access to administrative functions such as websites and email but did not have production impacted.

A significant disruption of grain production could impact the entire food chain, since grain is not only consumed by humans but also used for animal feed. In addition, a significant disruption of grain and corn production could impact commodities trading and stocks. An attack that disrupts processing at a protein or dairy facility can quickly result in spoiled products and have cascading effects down to the farm level as animals cannot be processed.

  • In March 2022, a multi-state grain company suffered a Lockbit 2.0 ransomware attack. In addition to grain processing, the company provides seed, fertilizer, and logistics services, which are critical during the spring planting season.
  • In February 2022, a company providing feed milling and other agricultural services reported two instances in which an unauthorized actor gained access to some of its systems and may have attempted to initiate a ransomware attack. The attempts were detected and stopped before encryption occurred.
  • Between 15 September and 6 October 2021, six grain cooperatives experienced ransomware attacks. A variety of ransomware variants were used, including Conti, BlackMatter, Suncrypt, Sodinokibi, and BlackByte. Some targeted entities had to completely halt production while others lost administrative functions.
  • In July 2021, a business management software company found malicious activity on its network, which was later identified as HelloKitty/Five Hands ransomware. The threat actor demanded $30 million USD ransom. The ransomware attack on the company led to secondary ransomware infections on a number of its clients, which included several agricultural cooperatives.

Are You Already Hacked?

According to Arctic Wolf, it takes an average of 203 days for a cybersecurity intrusion to be detected. IT security professionals call this “dwell time.” In its 2021 Cost of a Data Breach Report (PDF), IBM noted that it takes an average of 287 days to identify and contain a breach. In other words, it takes another three months to stop and remediate an intrusion once identified.

(The average time to identify and contain varied widely depending on the type of data breach, attack vector, factors such as the use of security AI and automation, and cloud modernization stage.)

The point is that cyber actors are likely already in their victim’s networks today—as in, right now—and are simply waiting for the right time to set off the bomb. Data is already exfiltrated, including personally identifiable information. They’re waiting for the right time to cryptolock the environment and make the ransomware demand.

If you haven’t audited your IT security posture recently, now is a good time to do it.

How to Protect Your Business

The FBI provided a lengthy list of security recommendations in their advisory, recommending the implementation of the following measures to mitigate threats and protect against ransomware attacks:

  • Regularly back up data, air gap, and password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
  • Implement a recovery plan that includes maintaining and retaining multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
  • Identify critical functions and develop an operations plan in the event that systems go offline. Think about ways to operate manually if it becomes necessary.
  • Implement network segmentation.
  • Install updates/patch operating systems, software, and firmware as soon as they are released.
  • Use multifactor authentication where possible.
  • Use strong passwords and regularly change passwords to network systems and accounts, implementing the shortest acceptable timeframe for password changes. Avoid reusing passwords for multiple accounts and use strong pass phrases where possible.
  • Disable unused remote access/RDP ports and monitor remote access/RDP logs.
  • Require administrator credentials to install software.
  • Audit user accounts with administrative or elevated privileges, and configure access controls with least privilege in mind.
  • Install and regularly update anti-virus and anti-malware software on all hosts.
  • Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a virtual private network (VPN).
  • Consider adding an email banner to messages coming from outside your organization.
  • Disable hyperlinks in received emails.
  • Focus on cyber security awareness and training. Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams).
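As an added example (not from the post or the FBI advisory), the following Python shows what “monitor remote access/RDP logs” can look like in practice: two simple detections run over constructed Windows Security events (4624 success / 4625 failure, logon type 10 = RDP). The internal address ranges, failure threshold, and sample events are assumptions.

```python
"""Flag suspicious RDP activity in Windows Security logon events (4624/4625)."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

RDP_LOGON_TYPE = 10                 # LogonType 10 = RemoteInteractive (RDP)
FAIL_THRESHOLD = 5                  # assumed: failures from one source before we care
FAIL_WINDOW = timedelta(minutes=10)
# Assumed: the organization's own address space; anything else is "outside".
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample events (not real logs): the handful of fields a SIEM would
# pull out of each 4624/4625 record.
SAMPLE_EVENTS = [
    {"time": f"2022-04-18T02:14:{s:02d}", "id": 4625, "type": 10,
     "user": "svc_grain", "src": "203.0.113.45"} for s in (1, 5, 9, 13, 17)
] + [
    {"time": "2022-04-18T02:14:30", "id": 4624, "type": 10, "user": "svc_grain", "src": "203.0.113.45"},
    {"time": "2022-04-18T09:02:11", "id": 4624, "type": 10, "user": "jdoe", "src": "10.20.5.17"},
    {"time": "2022-04-18T09:05:40", "id": 4624, "type": 2,  "user": "jdoe", "src": "10.20.5.17"},
]

def is_internal(src):
    """True if the source address falls inside one of our assumed internal ranges."""
    ip = ip_address(src)
    return any(ip in net for net in INTERNAL_NETS)

def analyze_rdp(events):
    """Return (reason, user, src) findings for RDP logons worth a closer look."""
    findings = []
    fails = defaultdict(list)       # source address -> timestamps of RDP failures
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["type"] != RDP_LOGON_TYPE:
            continue                # console, service, network logons are out of scope here
        t, src = datetime.fromisoformat(ev["time"]), ev["src"]
        if ev["id"] == 4625:
            fails[src].append(t)
            continue
        if ev["id"] != 4624:
            continue
        # Rule 1: an RDP success from outside our ranges means RDP is reachable from
        # somewhere it should not be (the advisory's "disable unused RDP ports").
        if not is_internal(src):
            findings.append(("rdp_from_outside", ev["user"], src))
        # Rule 2: a success right after a burst of failures from the same source
        # is the classic sign of a guessed or sprayed password.
        recent = [f for f in fails[src] if t - f <= FAIL_WINDOW]
        if len(recent) >= FAIL_THRESHOLD:
            findings.append(("success_after_bruteforce", ev["user"], src))
    return findings
```

In a real deployment the event dictionaries would come from `Get-WinEvent` output or a SIEM export, with the same two rules applied on a schedule.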

Where to Start?

It can be challenging to determine what to prioritize. Although everything on the FBI’s list is necessary, start with immediately actionable tasks like improving password policies, patching operating systems, and installing anti-virus.

We recommend that all companies deploy MFA (everywhere if possible) and create an incident response and recovery plan.

Security of our food sources and supply chains is critical to the nation’s security, and we urge our colleagues in the broader food, beverage, and agriculture sectors to take warnings like these seriously.

If your IT team or IT services provider struggles to get these things done, contact our technology strategy team to discuss the best path forward.

Download the FBI Advisory
