{
	"id": "7513490b-0d9a-4e69-955c-6d9cc61910d5",
	"created_at": "2026-04-06T00:22:11.136527Z",
	"updated_at": "2026-04-10T13:11:20.11963Z",
	"deleted_at": null,
	"sha1_hash": "bd5035cb1809c7c311d2a407ece70b61c805821b",
	"title": "US farmer cooperative hit by $5.9M BlackMatter ransomware attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1785643,
	"plain_text": "US farmer cooperative hit by $5.9M BlackMatter ransomware attack\r\nBy Lawrence Abrams\r\nPublished: 2021-09-20 · Archived: 2026-04-05 16:37:07 UTC\r\nSource: newcoop.com\r\nU.S. farmers cooperative NEW Cooperative has suffered a BlackMatter ransomware attack demanding $5.9 million not to\r\nleak stolen data and provide a decryptor.\r\nNEW Cooperative is a farmer's feed and grain cooperative with over sixty locations throughout Iowa.\r\nIn a weekend ransomware attack, the threat actors demand a 5.9 million dollar ransom, which will increase to $11.8 million\r\nif a ransom is not paid in five days. \r\nThese ransom demands are a starting point for negotiations and usually lead to significantly smaller payments if a victim\r\ndecides to pay.\r\nNEW Cooperative has confirmed the attack to BleepingComputer and stated that they had taken their systems offline to\r\ncontain the attack's spread.\r\n“NEW Cooperative recently identified a cybersecurity incident that is impacting some of our company’s devices and\r\nsystems. 
Out of an abundance of caution, we have proactively taken our systems offline to contain the threat, and we can\r\nconfirm it has been successfully contained,\" a NEW Cooperative spokesperson told BleepingComputer.\r\n\"We also quickly notified law enforcement and are working closely with data security experts to investigate and remediate\r\nthe situation.\"\r\nBlackMatter targets critical infrastructure\r\nResearchers first learned of the attack after a ransomware sample was uploaded to a public malware analysis site early this\r\nmorning.\r\nThis sample allowed access to the BlackMatter ransom note, the ransomware negotiation page, and a non-public data leak\r\npage containing screenshots of allegedly stolen data.\r\nBlackMatter is believed to be a rebrand of the DarkSide ransomware that disappeared after attacking the Colonial Pipeline.\r\nWhen BlackMatter first appeared, they stated that they would not target \"Critical infrastructure facilities (nuclear power\r\nplants, power plants, water treatment facilities).\"\r\nFrom screenshots of the negotiation page shared on Twitter, NEW Cooperative asked BlackMatter why they were attacked\r\nas they are considered critical infrastructure and the attack will lead to food supply disruption for grain, pork, and chicken.\r\nNEW Cooperative also said that they would have to contact regulators and CISA about the attack.\r\nBlackMatter responded that they do not \"fall under the rules\" and threatened to double the ransom if NEW Cooperative\r\ndidn't change their approach to the negotiation.\r\n\"I am no threatening you. This is pretty much out of our hands. 
We can't control what the regulators and US government\r\ndoes,\" a NEW Cooperative representative told the threat actors in the negotiation chat.\r\n\"The impact of this attack will likely be much worse than the pipeline attack for context, and we have no way to control that\r\ngiven the disruption this has already caused.\"\r\n\"I am just telling you this so you are not surprised as it does not seem like you understood who we are and what role our\r\ncompany plays in the food supply chain.\"\r\nBlackMatter responded with, \"No one will give you decrypters for free, look for money.\"\r\nIf you have first-hand information about this or other unreported cyberattacks, you can confidentially contact us on Signal\r\nat +16469613731, Wire at @lawrenceabrams-bc, or on Jabber at lawrence.abrams@anonym.im.\r\nThreat actors claim to steal 1,000 GB of data\r\nOn the non-public data leak page, the threat actors claim to have stolen the source code for the soilmap.com project, R\u0026D\r\nresults, sensitive employee information, financial documents, and an exported database for the KeePass password manager.\r\nNon-public data leak page for NEW Cooperative\r\nThe page includes screenshots of allegedly stolen data, including legal documents, a screenshot of an application, and\r\nfinancial information.\r\nBleepingComputer has decided not to disclose these images due to their potentially sensitive nature.\r\nSource: https://www.bleepingcomputer.com/news/security/us-farmer-cooperative-hit-by-59m-blackmatter-ransomware-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/us-farmer-cooperative-hit-by-59m-blackmatter-ransomware-attack/"
	],
	"report_names": [
		"us-farmer-cooperative-hit-by-59m-blackmatter-ransomware-attack"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434931,
	"ts_updated_at": 1775826680,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bd5035cb1809c7c311d2a407ece70b61c805821b.pdf",
		"text": "https://archive.orkl.eu/bd5035cb1809c7c311d2a407ece70b61c805821b.txt",
		"img": "https://archive.orkl.eu/bd5035cb1809c7c311d2a407ece70b61c805821b.jpg"
	}
}