Iowa Grain Cooperative Hit by Cyberattack Linked to Ransomware Group

“Out of an abundance of caution, we have proactively taken our systems offline to contain the threat, and we can confirm it has been successfully contained,” the co-op said in a statement.

New Cooperative is working to transport grain to livestock and poultry farms that rely on it for feed supplies, a person familiar with the matter said. The organization also disabled its soil-mapping platform as a precautionary measure to protect customers from hackers, the person said.

The farming service provider is the latest victim in a monthslong surge in cyberattacks against businesses that has pushed the Biden administration to increase security measures and call for an international crackdown on hacking gangs. U.S. officials say they are particularly concerned with attacks on critical infrastructure that could disrupt broader economic sectors or supply chains.

A recently launched ransomware group known as BlackMatter said on its website that it had encrypted New Cooperative’s data and stolen 1,000 gigabytes worth of files, including invoices, research and development documents, and the source code to its soil-mapping technology. The hackers demanded $5.9 million in cryptocurrency by Sept. 25 for a tool to decrypt the data, according to cybersecurity firm Recorded Future, which tracks ransomware attacks but isn’t working with New Cooperative.

New Cooperative warned its attackers in an online chat that they were targeting critical infrastructure and could face a more forceful government response as a result, according to screenshots of the conversation taken by Recorded Future and viewed by WSJ Pro Cybersecurity.

“Do not threaten us, otherwise you will stay without a decryption,” BlackMatter replied, threatening to double the price.

New Cooperative didn’t respond to a request for further comment.

Cybersecurity experts say BlackMatter bears similarities to DarkSide, the group that hacked Colonial Pipeline Co. in May and triggered a six-day shutdown of the largest conduit for gas on the East Coast. DarkSide told associates soon after that it would cease operations, citing the disruption of its computer infrastructure. The Federal Bureau of Investigation later seized a portion of Colonial’s $4.4 million ransom payment.

Cyber researchers say BlackMatter uses similar types of malware and overlapping cryptocurrency wallets with DarkSide, suggesting the hackers may have rebranded under a new name to avoid law-enforcement scrutiny.

The Biden administration has urged Russian President Vladimir Putin to prosecute ransomware gangs, many of which work out of formerly Soviet states, and push them to avoid targeting critical infrastructure such as food and agriculture. In June, the meat-processing giant JBS SA paid attackers $11 million after a hack disrupted its computer systems and forced it to temporarily halt operations across the U.S.

BlackMatter says on its site that it won’t target critical infrastructure such as hospitals, pipelines and power plants. Individuals behind the site didn’t immediately respond to a request for comment.

The Cybersecurity and Infrastructure Security Agency declined to comment on the incident. The FBI, which earlier this month warned of ransomware attacks targeting the agriculture sector, said it is aware of the situation but declined to comment further.

Allan Liska, a senior solutions architect at Recorded Future, said BlackMatter’s site suggests it hacked New Cooperative on or before Sept. 18. Regardless of whether the co-op is considered critical infrastructure, he said, attacks on such sectors are likely to draw more pushback.

“That didn’t go so well for DarkSide last time,” Mr. Liska said, referencing the Colonial Pipeline attack.

—Jacob Bunge contributed to this article.

Write to David Uberti at david.uberti@wsj.com