Food and ag continues to be a target for ransomware attacks, according to a new report from threat intelligence agency the Food and Ag-ISAC (Information Sharing and Analysis Centers).
“Farm-to-Table Ransomware Realities” examines ransomware attacks on the sector, which increased in 2024 and are predicted to rise further as threat actors target vulnerabilities in the supply chain. Last year, food and ag saw 212 ransomware attacks, up 27% from 167 in 2023.
More than half of all attacks on food and ag are ransomware, says the Food and Ag-ISAC, which partners with the IT-ISAC to monitor ransomware incidents. Ransomware in food and agriculture now accounts for 5.5% of total ransomware attacks across industries. Of the 11 sectors monitored by ISAC, food and ag ranked sixth for ransomware attack volume.
‘Cascading impacts’ on the whole sector
Ransomware attacks put the company as well as its suppliers and partners at risk, notes the report, and a single disruption can have “cascading impacts” on the whole industry.
As an example, the report highlights ransomware attacks impacting agricultural production lines:
“Any downtime caused by an attack could lead to a chain reaction of delays, potentially causing late planting or harvesting windows. As a result, crops may need to be palletized and moved to other regions during an active growing season. This is already done in cases of severe weather, such as droughts or flooding, but it is an expensive and taxing process that strains limited resources.”
The report also highlights an additional stressor: when food and ag production is put at risk, so are health and human safety.
Intellectual property — particularly where genetics are concerned — is also at risk, although the Food and Ag-ISAC notes that at this point, financial gain is the primary motivation for attacks on the sector.
Who is making the attacks?
RansomHub — a comparatively young ransomware group, having emerged in 2024 — carried out the most attacks on the food and ag sector last year.
The group uses the “ransomware-as-a-service” model, where an operator recruits affiliates who pay to use the ransomware service. LockBit (see below) was previously the world’s most active RaaS group; law enforcement officials from 10 different countries disrupted the operation in 2024. The Food and Ag-ISAC suggests this disruption (amongst others) likely boosted RansomHub’s ability to recruit affiliates.
RansomHub usually targets larger organizations, according to the report.
Akira had the second-highest number of attacks on food and ag in 2024, with 16 attributed to the group.
Akira emerged in 2023 and has since acquired an estimated $42 million in ransom payments. The group uses double extortion tactics, which ISAC says involve “infecting the target with ransomware, exfiltrating sensitive information, and then threatening to sell the information unless a ransom is paid.”
According to the report, the group commonly exploits “vulnerable, public-facing systems” and targets “known vulnerabilities” in virtual private networks (VPNs).
Despite global law enforcement disruptions in 2024, LockBit still took the number three spot for ransomware attacks in food and ag, followed by Play, which also uses double extortion, and RaaS group Hunters International.
Threat landscape is ‘ever changing’
ISAC notes that attacks in food and ag tend to be opportunistic, rather than aimed at specific companies.
“For initial access, threat actors will search for organizations with publicly exposed and vulnerable systems, leverage phishing and social engineering attacks, or employ initial access brokers – cybercriminals and insiders who sell access to vulnerable networks,” says the report.
Jonathan Braley, director of the Food and Ag-ISAC, notes that the food and agriculture sector has shared intelligence and collaborated over the past year, “making it much more capable of responding to these attacks and protecting our networks.”
However, he notes, the threat landscape is ever changing.
“We strongly encourage organizations to implement multi-factor authentication (MFA), network segmentation, regular system updates, and end-user training to reduce vulnerabilities and protect themselves from threats.”