Ag Retailer Shares Takeaways From Its Own Cyberattack

It took nearly a month until the Staunton, VA-based cooperative was back to business in a new normal and no longer receiving communication from the threat actors.


On July 15, 2021, at 4 p.m., the 85 computers of Augusta Cooperative Farm Bureau, Inc., flashed, and then the screens went white.

The next morning, the cyber hackers (formally called threat actors) made their ransom known via a phone call. Five minutes later, the hackers took down the ag retailer’s website.

“It’s all still pretty fresh in our mind,” says Brad Brown, assistant general manager. “It’s a month that will wear you out.”

Augusta is one of multiple agricultural cooperatives that were targets of ransomware variants in 2021. The threat is serious for the industry, and the FBI issued a public advisory because of the potential to disrupt significant and essential parts of the agricultural industry.

So what can retailers learn from this case study?

There are two key lessons: get a plan, and have a team you can rely on.

How to prioritize your plan for cyber security.

“In ag retail, when we talk about budgeting it’s about facility updates, capital dollars on equipment, automation–those are what’s usually forefront,” Brown says. “Those are the things we know there’s a return on investment. When it comes to spending money on ways to prepare for something like this, you don’t see it pay off as well.”

He says that in agriculture it’s normal for less than 1% of gross revenue to be budgeted for technology, while traditional corporate America invests 1 to 2% on average. However, a healthy level is about 3 to 4%, and excellent is more than 5% of gross revenue.

Referring to the incident that started in July, Brown says, “we did a couple of years of upgrades in a couple of weeks.”

Augusta’s business spans four retail locations, three fertilizer plants, one feed mill and includes its wholesale division.

Assemble your team.

It took a team to navigate the leadership at Augusta through the reality they were forced to face.

This included their software vendor, EFC Systems, their insurance company, who provided a negotiator as the key contact with the threat actors, and a privacy attorney.

Mike Moore with EFC traveled to be on-site and assist.

Seven steps in recovering from the ransom attack:

  1. Immediate isolation of systems upon notice
  2. Evaluate damage
  3. Contact your insurance provider if you have a cyber policy
  4. Verify if additional forensics is required
  5. Restore infected systems
  6. Restore critical business systems
  7. Restore email and user files if applicable

Moore says the challenge during these events is to manage emotions.

“In time of a disaster: pause, isolate, huddle up, and determine next steps,” he says. “Of the options to move forward in Augusta—some options were visible. Some we had to be creative.”

He worked to help Augusta recover data from its automatic backups. However, there were four days from the last backup up until the cyber attack. So the Augusta team worked to recreate that data from paper records so they could be ready to get back online.

“At EFC, we have a generic response plan and it’s been updated since this incident,” Moore says. “A plan is better than no plan.”

The team had to retrain employees on how to do handwritten tickets.

“We had a cyber policy in our board of directors policy,” explains Brown. “So we called insurance, and they put us in touch with a forensics team.”

It was discovered the hackers very likely got into one machine then crawled the system undetected. From a data sample provided by the threat actors, Augusta could tell they focused on human resources and personnel files.

“We worked with a privacy attorney—who gave all employees identity protection,” Brown says. “On the dark web, names and birthdays go for $1/piece. Credit card, names, and the associated security codes go for $15/piece.”

They determined the hackers did not access farmer customer data as the Merchant Ag system was secure.

The next two weeks escalated with multiple threats of releasing data and multiple phone calls. The threat actors were able to simulate caller ID to look like the name and number of specific individuals.

“I was sitting in the same room as our general manager, and my cell phone lit up saying it was his name and number calling me,” Brown says.

The final call received from the threat actors was August 14. Augusta never paid any ransom. But the event cost the co-op both emotionally and financially. However, the investments and lessons learned will inform the business going forward, including if another attack is ever attempted.

“Retailers can consider this a bit like whack-a-mole,” Moore says. “Technology budgets, training and multi-factor authentication are tools to help.”

Some tips to avoid cyber attacks:

  • Consider phishing awareness training
  • Reconsider the content on your website (for example, be mindful of financial information posted online that could be used by threat actors to gauge ransom)
  • Reevaluate the technology budget to verify alignment
  • Have an incident response plan
  • Isolated and encrypted backups that are regularly tested
  • Defined internet policies with layered security model
  • Identify end-of-life legacy software and hardware
  • Keep systems current