A new targeted ransomware attack struck one of America's largest beverage producers in late March. Arizona Beverages USA, one of the country's largest suppliers and producers of soft drinks, was hit by ransomware on March 21, 2019.
The attack affected some 200 devices in the company's network, including both networked workstations and servers. According to a report from TechCrunch, the attack effectively paralyzed Arizona Beverages' ability to sell product for days on end. One thing became very clear in the course of the attack: the ransomware had been built specifically for Arizona Beverages, because the company's name appeared in the ransom note text. After the company's internal IT unit was unable to deal with the emergency, external experts were called in, but only five days after the incident.
Unforeseen vulnerabilities aid in ransomware attack
A factor that probably helped the ransomware attack a great deal was that the company's servers were running older versions of Windows that were no longer officially supported by Microsoft and were missing years' worth of cumulative security updates. Unfortunately, Arizona Beverages' backups were not set up properly either, so recovering data was a real problem. This resulted in the company having to rebuild its entire network from the ground up. According to the report, this cost the company "hundreds of thousands". On top of that, because the company was unable to process sales orders digitally, the estimated daily losses for Arizona were seven-digit figures.
The strain of ransomware that hit Arizona Beverages was iEncrypt, a threat related to the BitPaymer ransomware. Currently, there is no known decryption tool for victims of iEncrypt. No ransom sum or amount of cryptocurrency was listed in the iEncrypt ransom note; the instructions simply told Arizona to contact the bad actors by email to find out. According to the TechCrunch report, the FBI had previously contacted Arizona Beverages and warned them of a Dridex infection, but it seems no special measures were taken to counter the Dridex Trojan at the time.
Dridex started out as a banking Trojan used to steal credit card credentials from individual users but has slowly evolved into something much more. It has now become a tool for network infiltration that can then be used to deliver whatever malicious payload the bad actors want to plant on the network's devices, which is likely what happened in the iEncrypt attack on Arizona Beverages' network.
This incident comes on the heels of the LockerGoga ransomware attack that affected industrial giant Norsk Hydro mere days before the infection at Arizona Beverages. Hackers and bad actors are getting bolder and are starting to use ransomware with more finesse and precision, which could be bad news for other businesses that do not maintain a razor-sharp IT security team.