The FBI says ransomware gangs are actively targeting and disrupting the operations of organizations in the food and agriculture sector, causing financial loss and directly affecting the food supply chain.
The bureau’s Cyber Division issued this warning on Wednesday in the form of a TLP:WHITE Private Industry Notification (PIN).
These ransomware attacks can potentially impact a wide range of businesses across the sector, from small farms, markets, and restaurants to large-scale producers, processors, and manufacturers.
Ransomware gangs started focusing their attacks against this industry sector after food and agriculture orgs have become increasingly dependent on smart tech, industrial control systems (ICS), and internet-based automation systems.
“Food and agriculture businesses victimized by ransomware suffer significant financial loss resulting from ransom payments, loss of productivity, and remediation costs,” the FBI said.
“Companies may also experience the loss of proprietary information and personally identifiable information (PII) and may suffer reputational damage resulting from a ransomware attack.”
Paying the ransom won’t stop future attacks
According to the agency, the average ransom demand has doubled between 2019 and 2020, with the highest ransom demand reaching $50 million this year following a REvil ransomware attack that hit computer giant Acer.
The FBI Internet Crime Complaint Center (IC3) also received over 2,400 ransomware attack complaints amounting to adjusted losses of over $29.1 million during last year according to the IC3’s 2020 Internet Crime Report, after a massive 100% increase in received cybercrime complaints and adjusted losses of more than $29.1 million across all industry sectors.
“Separate studies have shown 50-80 percent of victims that paid the ransom experienced a repeat ransomware attack by either the same or different actors,” the FBI added.
The federal law enforcement agency also highlighted some examples of ransomware attacks impacting businesses in the food and agriculture industry, including :
- In July 2021, a US bakery company lost access to their server, files, and applications, halting their production, shipping, and receiving as a result of Sodinokibi/REvil ransomware which was deployed through software used by an IT support managed service provider (MSP). The bakery company was shut down for approximately one week, delaying customer orders and damaging the company’s reputation.
- In May 2021, cyber actors using a variant of the Sodinokibi/REvil ransomware compromised computer networks in the US and overseas locations of a global meat processing company, which resulted in the possible exfiltration of company data and the shutdown of some US-based plants for several days. The temporary shutdown reduced the number of cattle and hogs slaughtered, causing a shortage in the US meat supply and driving wholesale meat prices up as much as 25 percent, according to open source reports.
- In March 2021, a US beverage company suffered a ransomware attack that caused significant disruption to its business operations, including its operations, production, and shipping. The company took its systems offline to prevent the further spread of malware, directly impacting employees who were unable to access specific systems, according to open source reports.
- In January 2021, a ransomware attack against an identified US farm resulted in losses of approximately $9 million due to the temporary shutdown of their farming operations. The unidentified threat actor was able to target their internal servers by gaining administrator level access through compromised credentials.
- In November 2020, a US-based international food and agriculture business reported it was unable to access multiple computer systems tied to their network due to a ransomware attack conducted by OnePercent Group threat actors using a phishing email with a malicious zip file attachment. The cybercriminals downloaded several terabytes of data through their identified cloud service provider prior to the encryption of hundreds of folders. The company’s administrative systems were impacted. The company did not pay the $40 million ransom and was able to successfully restore their systems from backups.
Increased risk of ransomware attacks on holidays, weekends
The FBI and CISA also urged organizations this week not to let down their defenses during weekends or holidays, given that ransomware gangs are increasingly more likely to hit their networks when everyone is out of office.
The two federal agencies warned that they “observed an increase in highly impactful ransomware attacks occurring on holidays and weekends—when offices are normally closed—in the United States, as recently as the Fourth of July holiday in 2021.”
The recent attacks on the networks of Colonial Pipeline, JBS, and Kaseya were given as examples seeing that they were all hit during weekends.
JBS, the world’s largest beef producer, paid an $11 million ransom to the REvil ransomware gang after a Memorial Day weekend attack. After a Mother’s Day weekend attack, Colonial Pipeline paid a $4.4 million ransom to the DarkSide group.
A large-scale REvil ransomware attack also hit dozens of Kaseya customers and up to 1,500 other downstream businesses over the Fourth of July weekend.
These warnings come after Deputy National Security Advisor Anne Neuberger urged US businesses to take ransomware seriously following the Colonial Pipeline and JBS ransomware attacks.
Interpol also asked industry partners and police agencies last month to work together to prevent what looks like a ransomware pandemic that’s quickly closing in.
As the FBI and CISA advised in this week’s joint advisory, organizations can take several actions to protect their systems and block ransomware attacks, including: