Ransomware HMC-FARMS-SETTRA 2026-06-30

HMC Farms: Settra Ransomware Extortion

On June 28, 2026, the Settra ransomware group claimed responsibility for a cyberattack against HMC Farms, a prominent agricultural holding based in California's Central Valley. The actors posted the victim to their leak infrastructure and threatened to publish stolen data unless a ransom is paid. The claim was reported publicly by threat intelligence firm DeXpose on June 29, 2026. As of this writing, HMC Farms has not issued a public statement confirming the breach, and the volume of exfiltrated data has not been disclosed.

What Happened

Settra listed HMC Farms (hmcfarms.com) on its extortion platform on June 28, 2026, accompanied by a taunting headline that read: "THE HMC GROUP: OPEN FIELD. A California Central Valley agricultural holding feeds America peaches." The post follows the now-standard double-extortion playbook, in which a victim's data is exfiltrated before or alongside encryption, and the threat of public leak is used as leverage to force payment.

HMC Farms is a well-known grower, packer, and shipper of stone fruit and table grapes serving national retail supply chains. A successful intrusion against a firm of this profile carries operational risk during a sensitive harvest and shipping window, when downtime translates directly into spoiled product and missed delivery commitments.

What Was Taken

The exact scope and volume of the stolen data have not been confirmed. Based on Settra's public extortion claim and the typical targeting of agricultural and mid-market enterprises, the data at risk likely includes corporate financial records, employee personally identifiable information, customer and supplier contracts, logistics and shipping documentation, and internal operational data. Until a sample or full leak is posted, defenders should treat the breach as potentially encompassing the full range of business-sensitive records. The absence of a confirmed data set does not lower the risk; it reflects an active negotiation window rather than a limited compromise.

Why It Matters

Agriculture and food production are increasingly attractive targets for ransomware operators precisely because of their low tolerance for downtime and their position in critical supply chains. A grower that must move perishable product on a fixed calendar has strong incentives to pay quickly, making the sector a high-value mark for extortion crews like Settra. The incident underscores a broader trend: mid-sized firms in operational technology-adjacent industries are being hit at scale, often with weaker security tooling than the enterprises that dominate headlines. For defenders across food, agriculture, and logistics, the HMC Farms claim is a reminder that sector size offers no protection from financially motivated actors.

The Attack Technique

The initial access vector for this specific intrusion has not been publicly confirmed. Settra, consistent with most contemporary ransomware operations, typically relies on a small set of proven entry points: phishing and malicious attachments, exploitation of internet-facing services and unpatched VPN or remote-access appliances, and the use of valid credentials harvested from infostealer malware and dark web credential markets. Stolen or reused credentials are an especially common precursor, frequently surfacing in malware log dumps weeks before a public ransom demand appears. Organizations should assume any of these vectors is plausible until a forensic assessment establishes the actual path.

What Organizations Should Do

Sources: Settra Ransomware Group Strikes HMC Farms in the USA - DeXpose