BlackMatter tests limits of supposed hacker ethics

Sheila Zabeu -

September 23, 2021

An agricultural cooperative in the state of Iowa, a major US grain producer, fell victim a few days ago to a ransomware attack whose impacts may be worse than those of the Colonial Pipeline attack in May. The group responsible for breaking into NEW Cooperative was BlackMatter, which appears to have links to, or to be a rebrand of, DarkSide, precisely the gang involved in the pipeline case in May. The ransom demand was $5.9 million in exchange for not leaking the stolen data and providing a decryption tool.

In messages exchanged with Bloomberg News, BlackMatter claims that it operates according to rules that exclude hospitals and the defense and government sectors from its targets, and that the attack on the cooperative neither violated these supposed ethics nor ignored the conversation between US President Joe Biden and Russian leader Vladimir Putin that sought to establish limits, chiefly keeping sectors critical to the United States out of the attacks. The argument of the BlackMatter group, which communicates in Russian and whose source code is also in Russian, was precisely that the agricultural activity of this cooperative could not be considered critical.

However, in a screenshot of the negotiations between the group and the co-op posted on Twitter, the co-op spokesperson suggests that the ransomware group misjudged the scale of the attack’s impact on the supply chain, as it led to the disruption of grain, pork, and chicken supplies.

“The impacts of this attack are likely to be much worse than the attack on the pipeline for context, and we have no way of controlling this due to the disruption that has already been caused,” a NEW Cooperative representative told the threat actors in the negotiation chat. “No one is going to give you decryptors for free, raise money,” BlackMatter replied.

“BlackMatter claimed that the co-op is outside the limits set by President Biden, but these hackers already operate outside the limits of the law, so why would they suddenly obey the new rules? If this new invasion is related to the US warning, then it could be indicative of further similar attacks,” comments Allan Liska, senior analyst at cybersecurity firm Recorded Future.

NEW Cooperative said it is working to create alternative solutions to maintain feed supplies while the systems are down, a person familiar with the matter told Bloomberg. Based in Fort Dodge, the co-op is a major buyer of crops from member farmers. It also distributes fuel and agricultural chemicals.

Who is BlackMatter?

Having emerged at the end of July, BlackMatter presents itself as a new Ransomware-as-a-Service (RaaS) operation that has come to fill the void left by the DarkSide and REvil groups, adopting the best tools and techniques of each, as well as those of LockBit 2.0.

The DarkSide ransomware affiliate group was blamed for the temporary shutdown of the Colonial Pipeline in May, which led to fuel supply shortages and subsequent price hikes in the United States. The gang announced it was shutting down operations after its servers were allegedly seized and the cryptocurrency wallets it used to pay affiliates were emptied.

[Image] SOURCE: Message from a cybercrime forum republished on the Russian OSINT Telegram channel – KrebsOnSecurity.com

The DarkSide message includes passages apparently written by a leader of the REvil platform, saying that the RaaS program was introducing new restrictions on the types of organizations that could be attacked. Health and educational institutions and government bodies in any country, for example, were to be excluded from the targets. Affiliates would also have to seek approval before attacking victims.

In a blog post on DarkSide’s shutdown, cyber intelligence firm Intel 471 said it believes this change in the ransomware groups’ posture could be directly related to the public reaction to the attacks covered in the media.

Is BlackMatter, then, just a new brand for the same groups after a strategic retreat? Or a different cyber gang that has filled the space they left? In either case, we will have to wait for the next chapters to see whether the limits imposed by the United States will be respected.