Hacking the hackers? Hey, it happens.
And when it does, it can catch all sides off guard and muddy the waters between hackers who hit an organization and the hackers who hit the hackers.
This is one of those cases.
Ransomware negotiations interrupted by 'unauthorized access'
Negotiations between New Cooperative, an Iowa-based grain co-op, and the Russian ransomware gang BlackMatter took an unexpected turn—and security researchers took notice.
SecureWorld News recently covered this cyberattack, in which BlackMatter was reportedly demanding $5.9 million in ransom.
During the ensuing text chat negotiations on a Tor page, the BlackMatter representative made a veiled threat posed as a question: Did the grain co-op want to buy the decryption key, or should the ransomware gang delete the stolen data and publish it to the world? This data included the source code to SoilMap, a proprietary technology.
We bet the BlackMatter group didn't see the following responses coming.
The "Victim" [as listed in messages] responded by saying this:
"We do not care. You will not receive payment. Delete key and go away."
To keep the dialog going, the BlackMatter representative then told the grain co-op it had violated BlackMatter's "data recovery guidelines." The "victim" then replied with a drop-the-mic response:
"The only thing we violated was your mother."
Dmitry Smilyanets, a cybercrime and underground intelligence analyst at Recorded Future, shared this exchange on Twitter, with the message #ransomware negotiations on fire.
While this would certainly be one way to handle a ransomware negotiation—essentially flipping the bird to the attacker—it appears the "Victim" listed in the chat was not a New Cooperative representative but another hacker. A sort of hack-ception to the rule, if you will.
Smilyanets shared the following messages:
At some point, it appears the real "victim" reappears in the stream of messages and tells the BlackMatter representative something is wrong here:
"We don't know who the user 'victim' is, but it is not us. Please close this Tor page so no more random people from the internet make posts here."
And as the messages make clear, there is not much love for Coveware, which helps firms negotiate with ransomware operators.
"You and your company coveware - clowns..."
The hijacked ransomware negotiation
A New Cooperative spokesperson declined to comment on the hijacked negotiations, but did share this about its incident response:
"We've made progress on remediation and our engagement with law enforcement and CISA has been very helpful in those efforts."
Tom Vilsack, the U.S. Secretary of Agriculture, spoke this week at the National Association of State Departments of Agriculture (NASDA) annual meeting about this incident:
"I would strongly encourage all of us as commissioners, directors, and secretaries to encourage our coops in our respective states to do what they need to do, to learn what they need to learn, to make sure their systems are hardened against any kind of cyberattack."
We're still waiting to see how this case plays out.
BlackMatter claims to have stolen personal data that includes financial information, legal and executive information, employees' driver's licenses and Social Security numbers, and product information including research and development results.