PRECURSOR ANALYSIS REPORT: BLACKMATTER RANSOMWARE ATTACK ON NEW COOPERATIVE 2021
- Idaho National Laboratory
The BlackMatter Ransomware Attack on New Cooperative 2021 Precursor Analysis Report leverages publicly available information about the New Cooperative cyber attack and catalogs anomalous observables for each technique employed in the attack. This analysis is based upon the methodology of the Cybersecurity for the Operational Technology Environment (CyOTE) program. The BlackMatter ransomware was first identified in July 2021 and is reported to have infected more than 50 corporations around the world. The Iowa-based grain cooperative, New Cooperative, was impacted by the BlackMatter ransomware on or before 18 September 2021. The adversary likely resided on New Cooperative’s networks for 15 days prior to encrypting its network and demanding that New Cooperative pay $5.9 million in ransom by 25 September to unlock systems and prevent 1 terabyte (TB) of sensitive data from being publicly released. It is not clear whether New Cooperative paid the ransom. The full impact of the ransomware attack is not known; however, according to New Cooperative’s general manager, the attack caused the company’s automated processes to revert to processes used in the 1970s. As of 6 October, only 50 percent of New Cooperative’s operations were utilizing automated processes. The company took eight weeks to rebuild the entire network and information technology (IT) systems from the ground up, which puts the date of full recovery around 13 November. Researchers and analysts identified 20 unique techniques utilized during the attack, with a total of 404 observables, using MITRE ATT&CK® for Industrial Control Systems. The CyOTE program assesses observables accompanying techniques used prior to the triggering event to identify opportunities to detect malicious activity. If observables accompanying the attack techniques are perceived and investigated prior to the triggering event, malicious activity can be comprehended earlier.
Seventeen of the identified techniques used during the New Cooperative cyber attack were precursors to the triggering event. Analysis identified 360 observables associated with these precursor techniques, 284 of which were assessed to have an increased likelihood of being perceived in the 15 days preceding the triggering event. The response and comprehension time could have been reduced if the observables had been identified earlier. The information gathered in this report contributes to a library of observables tied to a repository of artifacts, data sources, and technique detection references for practitioners and developers to support the comprehension of indicators of attack. Asset owners and operators can use these products if they experience similar observables or to prepare for comparable scenarios.
- Research Organization: Idaho National Laboratory (INL), Idaho Falls, ID (United States)
- Sponsoring Organization: USDOE Office of Nuclear Energy (NE); USDOE Office of Cybersecurity, Energy Security, and Emergency Response (CESER)
- DOE Contract Number: AC07-05ID14517
- OSTI ID: 3030046
- Report Number(s): INL/RPT-23-71938
- Country of Publication: United States
- Language: English
Similar Records
- PRECURSOR ANALYSIS REPORT: JBS FOODS RANSOMWARE ATTACK 2021 (Technical Report, Mon Oct 13 20:00:00 EDT 2025, OSTI ID: 3030043)
- PRECURSOR ANALYSIS REPORT: RYUK RANSOMWARE ATTACK ON UNIVERSAL HEALTH SERVICES 2020 (Technical Report, Mon Oct 13 20:00:00 EDT 2025, OSTI ID: 3030028)
- CyOTE Precursor Analysis Report: DoppelPaymer Ransomware Attack on Petroleos Mexicanos (PEMEX) 2019 (Technical Report, Wed Oct 15 20:00:00 EDT 2025, OSTI ID: 3030061)