Introduction
Since 2024, the number of ransomware attacks targeting the food and agriculture sector has been increasing. Some gangs are focusing on OT environments in particular, which makes ransomware a major threat that cannot be ignored. As these groups’ strategies against the food and agriculture sector continue to evolve, the TXOne Networks threat research team has identified the following trends:
- Since spoilage is such a major concern, the food and agriculture sector faces more severe consequences from operational disruptions than many other OT sectors, making it more vulnerable. Additionally, reputational pressure increases the likelihood that these organizations will pay in response to data extortion
- Active threat actors in the wild are using living-off-the-land (LoTL) techniques, making it difficult for modern antivirus and endpoint detection and response (EDR) tools to detect long-term persistence attacks
- The Food and Agriculture – Information Sharing and Analysis Center (Food and Ag-ISAC) reports five ransomware groups whose attack patterns are specifically of interest. These include RansomHub, Akira, LockBit 3.0, and Hunters International. In some cases, gangs opt to conduct extortion-only operations, foregoing encryption when the theft of sensitive data alone provides enough incentive for victims to make ransom payments
With these trends in mind, this article draws on findings from the FBI, the Food and Ag-ISAC, and our own research to identify ways to reduce attack paths exploited by threat actors.
Ransomware Spills into the Food Chain
Battle lines have been drawn as a new wave of ransomware assaults batters the farm and food sector. This industry accounts for roughly one-fifth of the U.S. economy, according to Matthew Eggers, vice president for cybersecurity policy in the Cyber, Space, and National Security Policy Division at the U.S. Chamber of Commerce. The increasing digitization of this industry has enhanced efficiency but has also created new vulnerabilities for hackers to exploit. “With innovation and advancement in precision ag technology, the agricultural industry has become more technologically advanced, creating new challenges and vulnerabilities for farmers across southern Minnesota and the nation,” House Representative Brad Finstad said in a statement.
Coca-Cola, a leader in the beverage industry, has been working toward becoming “the world’s most digitized bottler.” However, in May 2025, the company was reportedly hacked by the notorious ransomware group Everest, which claimed to have exfiltrated over 23 million internal messages. Alarming news like this could undermine digital transformation efforts across the entire food automation industry. Coca-Cola isn’t alone—many other food-related organizations have been targeted by cybercriminals. Ahold Delhaize, one of the world’s largest food retail groups, suffered a ransomware attack in November 2024. RansomHub reportedly took over the SCADA system of a Spanish meat plant in August 2024. More recently, DragonForce-affiliated attackers launched ransomware attacks against Marks & Spencer in April 2025 and the Co-op Group shortly afterward.
So, why are the farm, food, and agriculture sectors getting targeted more frequently? Unlike other OT industries, where products can be stockpiled without strict time constraints, the food industry constantly faces the risk of spoilage in both raw materials and finished goods. This creates an extremely low tolerance for operational downtime in companies like JBS Foods, the world’s largest meat supplier, with its massive scale and 24/7 production schedule. Even a few disruptions, or Denial-of-Service attacks, would be a complete nightmare. According to Claroty’s 2021 survey, more than one-third of respondents from the food & beverage sector said that an hour of operational downtime would cost them at least $1 million in revenue. Unsurprisingly, this hefty price tag on downtime makes it easier for ransomware attackers to extort them. In Q1 of 2024 alone, 40 incidents were reported in food and agriculture.
From Disruption to Double Extortion: The Dire State of Food Sector Cybersecurity
The food and agriculture sector is unique in that it is highly interdependent with many other critical infrastructure sectors. As reported by Industrial Cyber, the sector relies on water and wastewater systems to provide clean water, on transportation systems to move produce and livestock, on energy to power equipment, and on the chemical sector for fertilizers and pesticides. This intricate interconnectedness means that an attack on one sector could have a knock-on effect, where one compromised OT & IoT system can lead to the compromise of many, or even all, of them. On top of that, as AgriTech Tomorrow points out, “many technologies farmers use today — automated feeding systems, robotics, temperature-control sensors and systems powered by artificial intelligence (AI) — underwent development years before cybersecurity threats were the issue they are today.” These technologies also contribute to how susceptible this industry is to hackers, particularly those launching ransomware attacks.
Even worse, according to a 2023 report by FMI, The Food Industry Association, profit margins in food processing, manufacturing and retail were as low as 1.6%, compared to 10-15% in most manufacturing sectors. Naturally, operators are reluctant to increase fixed costs by pushing for a large-scale digital transformation. Unless it can be clearly demonstrated that the ROI is sufficient to cover the costs in the short term, most small and medium-sized manufacturers will delay adoption. The cost constraints of implementing cybersecurity in farm and food businesses have resulted in old and unpatched assets remaining in operation throughout the industry. In addition, this tight budget makes it difficult to introduce a new security solution into currently running operations. An industry consisting of a complicated ecosystem, vulnerable assets, and a 24/7 ticking time bomb in the form of spoilage risks… what better target could there be for ransomware groups?
In a 2021 alert, the FBI (Federal Bureau of Investigation) warned that “sensitive data files are commonly exfiltrated prior to encryption, and the attacker demands a payment not to publish the sensitive data on a ‘name-and-shame’ website.” This tactic is known as double extortion, and it pressures victims on two fronts: both to recover encrypted systems and to prevent public leaks. Because the food and agriculture sector produces goods sold directly to consumers, brand reputation has an outsized impact on consumer purchasing decisions. To avoid reputational damage, operational disruption, and spoilage, many companies in this sector are particularly willing to negotiate privately and pay ransoms.
Top Ransomware Threats to the Food Sector in 2024
Because the food and agriculture sector is uniquely motivated to pay ransoms, ransomware groups are naturally targeting it. As noted in the 2024 annual report by The Food and Agriculture-Information Sharing and Analysis Center:
“Ransomware attacks can have consequences for the victim company’s suppliers or partners and a direct impact on the company itself. In the highly interconnected food and ag industry, a disruption in one company has the potential to trigger cascading impacts… For example, ransomware attacks could impact or disrupt processes along agricultural production lines. Any downtime caused by an attack could lead to a chain reaction of delays, potentially causing late planting or harvesting windows. As a result, crops may need to be palletized and moved to other regions during an active growing season. This is already done in cases of severe weather, such as droughts or flooding, but it is an expensive and taxing process that strains limited resources.”

Figure 1. Food and Agriculture Ransomware Attacks
In the report, the IT-ISAC and the Food and Ag-ISAC tracked 3,494 ransomware incidents in total. Of these, 212 targeted the Food and Ag sector, accounting for 5.8% of all attacks by volume. This marks an increase from 2023, which saw 2,905 total incidents, with 167 targeting the sector (5.5% by volume). As ransomware groups look for more attack opportunities in all OT/ICS sectors, the number of incidents in this sector continues to increase. According to Industrial Cyber in February of this year:
“Data revealed that about 90 percent of threat actor TTPs use readily available tools or living off the land (LOTL) techniques; targeted spear-phishing attacks were observed in about 83 percent of attacks against organizations, while 80 percent of these attacks involved the development of custom malware and tools.”
The Food and Ag-ISAC 2024 annual report also identified five ransomware actors specifically targeting food-related sectors. At the top is RansomHub, followed by Akira, LockBit 3.0, and Hunters International. Even outside the food and agriculture sector, RansomHub has been “the most active ransomware group in 2024.” Despite being a newcomer, RansomHub dominates the scene, likely due to its profit-sharing model, which gives affiliates 90% of ransom payments as opposed to the 70-80% that other Ransomware-as-a-Service (RaaS) groups offer. This gives affiliates the lion’s share of the profits, making recruitment easy. Some affiliates have been spotted using compromised VPN accounts and spear-phishing voice scams for initial access into target networks.
Interestingly, Sophos researchers say they have seen Akira actors performing extortion-only operations, foregoing the encryption of systems and ransomware deployment and jumping directly into data exfiltration. As companies have increased their resilience against ransomware attacks, the theft of sensitive data and threats of data leaks still work well in pressuring companies to make ransom payments. This change in tactics to performing extortion-only operations can also be seen in other RaaS groups, e.g., LockBit 3.0, Play, and Hunters International. The Food and Ag-ISAC annual report explains that:
“Double extortion will continue to be a normal process for most ransomware groups. In many cases, the stolen data from ransomware incidents can have more financial and reputational damages than the temporary disruptions due to encrypted systems. We expect ransomware to continue to steal sensitive data from organizations as a means to elicit a ransom payment. Groups like CL0P have continued to leverage zero-day vulnerabilities, especially those in file transfer applications. Ransomware groups will continue to leverage zero-day and recently disclosed vulnerabilities as a means to breach victims.”
How to Harden ICS Defenses Against Ransomware
Since 2021, multiple agricultural cooperatives have been impacted by several ransomware variants, often during critical planting and harvest periods. As for how the food and agriculture sector can cope with such incidents, Dino Busalachi, Chief Technology Officer (CTO) and co-founder at Velta Technology, offers several recommendations in this Industrial Cyber article.
He advises that companies establish a dedicated OT Digital Safety team with its own budget that includes not just internal staff but also OT vendors, OEMs, automation suppliers, and System Integrators (SIs). Crucially, he cautions that IT “should NOT be leading the cyber initiative,” considering that “they lack fundamental knowledge of process integrity requirements related to Industrial Control Systems/Process Automation Systems (ICS/PAS) and the necessary steps to mitigate and remediate vulnerabilities associated with ICS/PAS.”
Busalachi also encourages organizations to adopt cybersecurity frameworks like MITRE ATT&CK, IEC 62443, and NIST-800-xxx that align with their specific operational needs. Additionally, he advises that organizations reassess how remote access is managed for ICS/PAS environments. A remote access tool, according to him, should provide audit capabilities and visibility into the Software Bill of Materials (SBOM) on SCADA systems. Once the reassessment is done, the software and applications found unnecessary should be removed from the ICS/PAS environments.
A Federal Push for Secure Agriculture
The Farm and Food Cybersecurity Act was reintroduced by U.S. lawmakers to protect America’s food supply chain, with a focus on cybersecurity concerns like vulnerabilities in the agricultural sector and the improvement of security measures for both governmental and private entities against cyber threats.
The bill proposes doing the following to protect the agricultural sector from cybersecurity risks:
- Increase visibility by delivering assessments every two years and reporting potential threats and vulnerabilities in the food and agricultural sector
- Prepare personnel for cyberattacks by annually conducting cross-sector exercises that simulate real-world security emergencies and disruptions
- Each simulation exercise should generate findings and recommendations that are shared with farmers to strengthen their cybersecurity preparedness and defenses
- Authorize $1 million per year from 2024 to 2028 to fund these crisis simulation exercises
Recommended Mitigations
Both the FBI alert and the Food and Ag-ISAC annual report observed a pattern of food-related cybersecurity incidents and offered similar guidance for defenses against cyber criminals attempting to exploit network system vulnerabilities within the food and agricultural sector. Key recommendations are as follows:
- Backup Data Securely
Regularly back up data, air gap assets, and password-protect offline backup copies. Ensure critical data backups cannot be modified or deleted from the systems they reside in
- Segment Networks
To limit lateral movement, isolate OT systems using network segmentation
- Establish Recovery Plans
To help with recovery, maintain and retain multiple copies of sensitive or proprietary data and servers in segmented, secure locations, keeping them either physically separate (e.g., external hard drives, offline storage devices) or logically isolated (e.g., the cloud with strong access controls)
- Patch Promptly
Install updates and patch operating systems, software, and firmware as soon as updates and patches are released
- Secure Access Control
Use multi-factor authentication and strong passphrases wherever possible
- Strengthen Passwords
Use strong passwords and regularly change passwords to network systems and accounts, applying the shortest acceptable timeframe for password changes. Avoid reusing passwords for multiple accounts
- Reassess and Secure Remote Access
Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs for anomalies
- Restrict Software Installation
Require administrator credentials to install software
- Limit Admin Privileges
Audit user accounts with administrative privileges and configure access controls with least privilege in mind
- Update Endpoint Protections
Install and regularly update anti-virus and anti-malware software on all hosts
- Avoid Unsecured Networks
Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN
- Secure Emails
Consider adding an email banner to messages coming from outside your organization and disable hyperlinks in received emails
- Boost Cyber Awareness
Focus on cybersecurity awareness and training. Regularly provide employees with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (i.e., ransomware and phishing scams)
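
The remote access item above calls for monitoring RDP logs for anomalies. The following Python is an added example, not code from the FBI alert, the Food and Ag-ISAC report, or TXOne: it applies three simple checks to exported Windows logon events. The jump-host subnet, working hours, thresholds, tuple layout, and sample events are all assumptions constructed for illustration; event IDs 4624/4625 and logon type 10 are the standard Windows values.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed site policy (hypothetical values, not from the article)
JUMP_HOSTS = ip_network("10.20.30.0/28")   # only these hosts may RDP into OT
WORK_HOURS = range(6, 20)                  # 06:00-19:59 local time
FAIL_THRESHOLD = 5                         # failed logons from one source...
FAIL_WINDOW = timedelta(minutes=10)        # ...within this window

# Constructed sample: (timestamp, event_id, logon_type, account, source_ip)
# 4624 = successful logon, 4625 = failed logon; logon type 10 = RemoteInteractive
# (RDP). With Network Level Authentication, failed RDP attempts are typically
# logged as type 3, so both types count as failures here.
SAMPLE_EVENTS = [
    ("2025-05-12T08:14:02", 4624, 10, "eng.alice", "10.20.30.5"),
    ("2025-05-12T10:02:11", 4624, 10, "vendor.svc", "10.99.4.17"),
    ("2025-05-13T02:41:55", 4624, 10, "eng.bob", "10.20.30.7"),
    *[(f"2025-05-13T14:00:0{i}", 4625, 3, "hmi.operator", "10.20.30.9")
      for i in range(1, 6)],
    ("2025-05-13T14:03:30", 4624, 10, "hmi.operator", "10.20.30.9"),
]

def find_rdp_anomalies(events):
    """Return (timestamp, account, source_ip, reason) for suspicious RDP logons."""
    findings = []
    failures = defaultdict(list)           # source_ip -> failed-logon times
    for ts, event_id, logon_type, account, src in sorted(events):
        when = datetime.fromisoformat(ts)
        if event_id == 4625 and logon_type in (3, 10):
            failures[src].append(when)
        elif event_id == 4624 and logon_type == 10:
            if ip_address(src) not in JUMP_HOSTS:
                findings.append((ts, account, src, "source outside jump-host subnet"))
            if when.hour not in WORK_HOURS:
                findings.append((ts, account, src, "logon outside working hours"))
            recent = [f for f in failures[src] if when - f <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                findings.append((ts, account, src, "success after failed-logon burst"))
    return findings

if __name__ == "__main__":
    for finding in find_rdp_anomalies(SAMPLE_EVENTS):
        print(*finding, sep="  ")
```

Each finding is a triage lead rather than a verdict; tune the subnet, hours, and thresholds to the plant's actual maintenance schedule before alerting on them.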