<div dir="ltr"><a href="https://techcrunch.com/2019/04/02/arizona-beverages-ransomware/">https://techcrunch.com/2019/04/02/arizona-beverages-ransomware/</a><div><br></div><div><p id="gmail-speakable-summary" style="background-repeat:no-repeat;box-sizing:inherit;margin:15px 0px;color:rgb(51,51,51);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:20.25px;letter-spacing:-0.1px">Arizona Beverages, one of the largest beverage suppliers in the U.S., is recovering after a massive ransomware attack last month, TechCrunch has learned.</p><p style="background-repeat:no-repeat;box-sizing:inherit;margin:15px 0px;color:rgb(51,51,51);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:20.25px;letter-spacing:-0.1px">The company, famous for its iced tea beverages, is still rebuilding its network almost two weeks after the attack hit, wiping hundreds of Windows computers and servers and effectively shutting down sales operations for days until incident response was called in, according to a person familiar with the matter.</p><p style="background-repeat:no-repeat;box-sizing:inherit;margin:15px 0px;color:rgb(51,51,51);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:20.25px;letter-spacing:-0.1px">More than 200 servers and networked computers displayed the same message: “Your network was hacked and encrypted.” The company’s name was in the ransom note, indicating a targeted attack.</p><p style="background-repeat:no-repeat;box-sizing:inherit;margin:15px 0px;color:rgb(51,51,51);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:20.25px;letter-spacing:-0.1px">Notices posted around the office told staff to hand in their laptops to IT staff. “Do not power on, copy files, or connect to any network,” read the posters. 
“Your laptop may be compromised.”</p><p style="background-repeat:no-repeat;box-sizing:inherit;margin:15px 0px;color:rgb(51,51,51);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:20.25px;letter-spacing:-0.1px">It took the company another five days before it brought in incident responders to handle the outbreak, the source said. Many of the back-end servers were running outdated Windows operating systems that are no longer supported. Most hadn’t received security patches in years.</p><p style="background-repeat:no-repeat;box-sizing:inherit;margin:15px 0px;color:rgb(51,51,51);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:20.25px;letter-spacing:-0.1px">The source said they were “surprised” an attack hadn’t come sooner given the age of their systems.</p><p style="background-repeat:no-repeat;box-sizing:inherit;margin:15px 0px;color:rgb(51,51,51);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:20.25px;letter-spacing:-0.1px">A day after the attack hit, staff found the backup system wasn’t configured properly and were unable to retrieve the data for days until the company signed an expensive contract to bring in Cisco incident responders. A spokesperson for Cisco did not immediately comment. The company’s IT staff had to effectively rebuild the entire network from scratch. 
Since the outbreak, the company has spent “hundreds of thousands” on new hardware, software and recovery costs.</p><p style="background-repeat:no-repeat;box-sizing:inherit;margin:15px 0px;color:rgb(51,51,51);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:20.25px;letter-spacing:-0.1px">“Once the backups didn’t work, they started throwing money at the problem,” the person said.</p><p style="background-repeat:no-repeat;box-sizing:inherit;margin:15px 0px;color:rgb(51,51,51);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:20.25px;letter-spacing:-0.1px">The ransomware infection, understood to be iEncrypt (related to BitPaymer) per a screenshot seen by TechCrunch, was triggered overnight on March 21, weeks after the FBI contacted Arizona to warn of an apparent Dridex malware infection. The FBI declined to comment, but the source said incident responders believed Arizona’s systems had been compromised for at least a couple of months.</p><p style="background-repeat:no-repeat;box-sizing:inherit;margin:15px 0px;color:rgb(51,51,51);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:20.25px;letter-spacing:-0.1px">The ransom note asked to email the attacker “to get the ransom amount.” There’s no known decryption tool for iEncrypt.</p><p style="background-repeat:no-repeat;box-sizing:inherit;margin:15px 0px;color:rgb(51,51,51);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:20.25px;letter-spacing:-0.1px">Dridex is delivered <a href="https://securelist.com/dridex-a-history-of-evolution/78531/" style="background-repeat:no-repeat;box-sizing:inherit;background-color:transparent;text-decoration-line:none;color:rgb(0,165,98);border-bottom:1px solid rgb(241,241,241)">through a malicious email attachment</a>. Once the implant installs, the attacker can gain near-unfettered access to the entire network and can steal passwords, monitor network traffic and deliver additional malware. 
With help from international partners, the FBI took <a href="https://www.justice.gov/opa/pr/bugat-botnet-administrator-arrested-and-malware-disabled" style="background-repeat:no-repeat;box-sizing:inherit;background-color:transparent;text-decoration-line:none;color:rgb(0,165,98);border-bottom:1px solid rgb(241,241,241)">down the password-stealing botnet in 2015,</a> but the malware continues to <a href="https://securityintelligence.com/news/dridex-trojan-remains-a-risk-even-following-takedown-operation-and-fbi-arrest/" style="background-repeat:no-repeat;box-sizing:inherit;background-color:transparent;text-decoration-line:none;color:rgb(0,165,98);border-bottom:1px solid rgb(241,241,241)">pose a threat</a>. More recently, Dridex has been used to <a href="https://www.forbes.com/sites/geoffwhite/2018/09/26/how-the-dridex-gang-makes-millions-from-bespoke-ransomware/#4ffefb43440d" style="background-repeat:no-repeat;box-sizing:inherit;background-color:transparent;text-decoration-line:none;color:rgb(0,165,98);border-bottom:1px solid rgb(241,241,241)">deliver ransomware</a> to victims.</p><p style="background-repeat:no-repeat;box-sizing:inherit;margin:15px 0px;color:rgb(51,51,51);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:20.25px;letter-spacing:-0.1px">Kaspersky said two years <a href="https://www.kaspersky.com/about/press-releases/2017_the-dridex-banking-trojan-an-ever-evolving-threat" style="background-repeat:no-repeat;box-sizing:inherit;background-color:transparent;text-decoration-line:none;color:rgb(0,165,98);border-bottom:1px solid rgb(241,241,241)">after the takedown</a> that the malware is “still armed and dangerous.”</p><p style="background-repeat:no-repeat;box-sizing:inherit;margin:15px 0px;color:rgb(51,51,51);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:20.25px;letter-spacing:-0.1px">Incident responders seem to believe Arizona’s earlier Dridex compromise may have led to the subsequent ransomware infection.</p><p 
style="background-repeat:no-repeat;box-sizing:inherit;margin:15px 0px;color:rgb(51,51,51);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:20.25px;letter-spacing:-0.1px">“Initially, Dridex was used to steal credentials to enable wire fraud, but since 2017 it is more commonly observed running more targeted and higher value operations,” said Adam Meyers, vice president of intelligence at security firm CrowdStrike. He said the company has “observed this malware being used to deploy enterprise ransomware, which we call ‘Big Game Hunting.’ ”</p><p style="background-repeat:no-repeat;box-sizing:inherit;margin:15px 0px;color:rgb(51,51,51);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:20.25px;letter-spacing:-0.1px">The ransomware also infected the company’s Windows-powered Exchange server, knocking out email across the entire company. Although its Unix systems were unaffected, the ransomware outbreak left the company without any computers able to process customer orders for almost a week. Staff began processing orders manually several days into the outage.</p><p style="background-repeat:no-repeat;box-sizing:inherit;margin:15px 0px;color:rgb(51,51,51);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:20.25px;letter-spacing:-0.1px">“We were losing millions of dollars a day in sales,” the source said. “It was a complete shitshow.”</p><p style="background-repeat:no-repeat;box-sizing:inherit;margin:15px 0px;color:rgb(51,51,51);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:20.25px;letter-spacing:-0.1px">The company still has a ways to recover from the ransomware attack. 
The source put the figure at “about 60 percent up-and-running,” but the company’s security awareness has improved.</p><p style="background-repeat:no-repeat;box-sizing:inherit;margin:15px 0px;color:rgb(51,51,51);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:20.25px;letter-spacing:-0.1px">A spokesperson for Arizona Beverages did not respond to an email requesting comment. Phone lines to the company did not appear to be functioning. We sent several messages to senior executives via LinkedIn prior to publication but did not hear back.</p><p style="background-repeat:no-repeat;box-sizing:inherit;margin:15px 0px;color:rgb(51,51,51);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:20.25px;letter-spacing:-0.1px">It’s the latest in an uptick in high-profile ransomware events in recent weeks.</p><p style="background-repeat:no-repeat;box-sizing:inherit;margin:15px 0px;color:rgb(51,51,51);font-family:"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:20.25px;letter-spacing:-0.1px">Last year, German manufacturer KrausMaffei was also said to be hit on November 21 by the same iEncrypt ransomware, based on a leaked screenshot of the ransom note. Similar initial ransomware infections have been connected to later ransomware attacks. Trend Micro said in December that Dridex and other malware families like Emotet <a href="https://www.zdnet.com/article/georgia-county-pays-a-whopping-400000-to-get-rid-of-a-ransomware-infection/" style="background-repeat:no-repeat;box-sizing:inherit;background-color:transparent;text-decoration-line:none;color:rgb(0,165,98);border-bottom:1px solid rgb(241,241,241)">were linked</a>. 
Weeks before Arizona’s outbreak, a local Georgia county was hit by <a href="https://statescoop.com/rural-jackson-county-ga-recovering-from-ransomware-attack/" style="background-repeat:no-repeat;box-sizing:inherit;background-color:transparent;text-decoration-line:none;color:rgb(0,165,98);border-bottom:1px solid rgb(241,241,241)">a similar ransomware attack</a>.</p></div></div>