What you can learn from one co-op’s ransomware attack
Kyle Kurth, left, and Jon Langland spent weeks reinstalling Crystal Valley Cooperative’s servers and computers after a cyberattack in September 2021.
When Jon Langland logged into his cooperative work account on a Sunday morning last September, he discovered he hadn’t received the regular morning updates from the co-op’s systems.
“Initially, I didn’t think anything of it. I presumed it was a hardware or provider issue,” says Langland, IT manager for Crystal Valley Cooperative, based in Mankato, Minn. He texted CEO Roger Kienholz and System Administrator Kyle Kurth and drove to the co-op’s data center in downtown Mankato to see if he could troubleshoot the problem.
Later that day, ominous messages popped up on computer monitors at many of the co-op’s 16 locations and at the data center. “There was a statement saying all of our files have been encrypted, and to get our data back and keep our privacy safe, we must click on a file and follow the instructions,” recalls Kienholz.
The Cybersecurity and Infrastructure Security Agency reports that the criminal group behind the attack is likely related to a Russian-speaking group the FBI blames for a ransomware attack on Colonial Pipeline a few months earlier. The criminals encrypt networks and data, making them inaccessible, then demand ransom payments ranging from $80,000 to $15 million to be paid in cryptocurrency.
Langland and Kienholz didn’t know it then, but Crystal Valley was not alone. That same weekend, a large co-op in central Iowa was attacked by the same group, just weeks after the FBI released a warning about ransomware attacks in the food and agriculture sector.
These attacks have become more frequent across all industries, according to the FBI Internet Crime Complaint Center. The center received 2,084 ransomware complaints from January to July 31, 2021, a 62% year-over-year increase. In 2020 (the most recent year for which financial statistics are available), companies reported ransomware losses of $29.1 million. And that number includes only ransom payouts, not other costs associated with the attacks.
Cyberattacks can cause logistical nightmares
As the Crystal Valley team soon learned, those costs can be considerable — in both time and money. Kienholz says they decided not to click on the file in the message or respond to the harassing phone calls that followed. “We never found out what the ransom demand was, and we never negotiated with them,” he says. “We decided we weren’t going to let the bad guys win.”
Drawing that hard line meant the company’s networks, data and automated systems were inaccessible for weeks. Every automated process had to move immediately to paper and pen — and the timing couldn’t have been worse, says Kienholz, with harvest just beginning.
Crystal Valley grain elevator teams had to hand-write vehicle weights and moisture testing results on paper, causing long delays. The co-op’s automated energy and agronomy businesses were affected, too, requiring handwritten tickets for fuel and propane deliveries and paper instructions for custom applications delivered in person to fertilizer tender drivers.
The co-op’s feed mills, which also rely on automated systems, shut down completely for about 10 days. In a heartening show of support, six neighboring co-ops and six other local companies stepped in to help manufacture and deliver feed.
“There were poster-sized sticky notes plastered all over the walls because we had to track everything manually,” says Kienholz. “We had to record when a farm needed so many tons of feed, which mill was making it for us, and which trucks would pick up the feed and deliver it. It was a logistical nightmare.”
Forensic investigations by the FBI and a cybersecurity recovery firm, both of which assisted Crystal Valley after the attack, were unable to determine whether co-op data had actually been stolen, but Crystal Valley posted a notice on its website and mailed letters to 15,000 owners, customers, suppliers and other business partners to let them know sensitive information may have been compromised.
The investigators determined the cyberattack likely came in through a spare server that had been used for migrating the co-op’s email systems to the cloud several years ago and was still connected to the network. “It got forgotten because it was never really a requirement except for the email migration,” says Langland.
What you can learn from the cyberattack
Crystal Valley operations are largely up and running again after a staggering amount of work, says Kienholz. With the help of a company specializing in cyberattack recovery, the co-op team rebuilt systems, isolated parts of its network to make it harder for intruders to reach all data, strengthened passwords and multifactor authentication, reinstalled computers and servers, limited administrative access to various systems and invested in an endpoint detection and response system that monitors for malicious activity.
They’re also doubling down on training employees on cybersecurity measures, even though the entry point for the cyberattack was not an employee account. Combined, the added security measures cost Crystal Valley about $200,000, says Langland.
No one is immune to cyberattacks, says Kienholz. “We had started to talk to cybersecurity vendors in the months before the attack, but my mindset was that we’re a small company in rural America, so who would possibly be interested in messing with us?” he says. “My mind obviously has changed considerably since then.”
Check out the full Winter 2022 issue of C magazine with this article and more.