Arizona Beverages (Arizona), one of the largest beverage suppliers in the United States, was hit by a massive ransomware attack last month. The ransomware, believed to be iEncrypt, was triggered overnight on March 21. Almost three weeks after the attack, the company is still rebuilding its network.
Dridex Malware Found on Arizona’s Systems
Weeks before the iEncrypt ransomware attack on Arizona, the FBI contacted the company to warn of an apparent Dridex malware infection. Incident responders within Arizona believed the systems had been compromised for at least a couple of months. Dridex is delivered through a malicious email attachment, and once installed, it gives the attacker near-unconstrained access to the entire network. The malware allows attackers to steal passwords, monitor network traffic and deliver additional malware. While the FBI, with help from international partners, took down Dridex in 2015, the malware still poses a serious threat. More recently, Dridex has been used to deliver ransomware to victims.
“Initially, Dridex was used to steal credentials to enable wire fraud, but since 2017 it is more commonly observed running more targeted and higher value operations,” commented Adam Meyers, Vice President of Intelligence at security firm CrowdStrike.
Those responding to the Arizona ransomware attack believe the Dridex compromise may have led to the iEncrypt infection.
iEncrypt Ransomware Infects Arizona Beverages
iEncrypt, which is related to another ransomware variant called BitPaymer, was triggered overnight on March 21. The ransomware infected more than 200 servers and workstations, all of which displayed the same message: “Your network has been hacked and encrypted.” Moreover, the company’s name was included in the ransom note, indicating a targeted attack.
In response to the incident, notices were posted around Arizona’s offices instructing employees to hand in their laptops to IT staff.
“Do not power on, copy files, or connect to any network. Your laptop may be compromised.”
iEncrypt ransomware also infected Arizona’s Windows-powered Exchange server, knocking out all email and leaving the company without any computers to process customer orders for almost a week. Employees had to process orders manually several days into the outage.
To make matters worse, the IT staff found that their backup system wasn’t configured properly, so they were unable to retrieve their data until the company signed an expensive contract to bring in a Cisco incident response team. The incident response team found that many of the back-end servers were running old and outdated Windows operating systems that are no longer supported by Microsoft. When Microsoft stops supporting an operating system, it no longer ships security patches for it. In Arizona’s case, the systems hadn’t been patched in years, leaving the incident response team in shock that the company hadn’t experienced an attack sooner.
Arizona’s Status as of Today
Several weeks after the iEncrypt ransomware attack, Arizona has spent millions on new hardware, software, and recovery costs. Essentially, once the backups were found to be improperly configured, the company started throwing money at the problem.
“We were losing millions of dollars a day in sales,” one source said. “It was a complete shitshow.”
Arizona is the latest high-profile victim of a ransomware attack in recent weeks. While the company’s security awareness has certainly improved, it’s believed Arizona is only functioning at about 60 percent of its capacity.
Photo courtesy of drinkarizona.com