[BreachExchange] Arizona Beverages knocked offline by ransomware attack

[Inga Goddijn]

https://techcrunch.com/2019/04/02/arizona-beverages-ransomware/

Arizona Beverages, one of the largest beverage suppliers in the U.S., is
recovering after a massive ransomware attack last month, TechCrunch has
learned.

The company, famous for its iced tea beverages, is still rebuilding its
network almost two weeks after the attack hit, wiping hundreds of Windows
computers and servers and effectively shutting down sales operations for
days until incident response was called in, according to a person familiar
with the matter.

More than 200 servers and networked computers displayed the same message:
“Your network was hacked and encrypted.” The company’s name was in the
ransom note, indicating a targeted attack.

Notices posted around the office told staff to hand in their laptops to IT
staff. “Do not power on, copy files, or connect to any network,” read the
posters. “Your laptop may be compromised.”

It took the company another five days before the company brought in
incident responders to handle the outbreak, the source said. Many of the
back-end servers were running old and outdated Windows operating systems
that are no longer supported. Most hadn’t received security patches in
years.

The source said they were “surprised” an attack hadn’t come sooner given
the age of their systems.

A day after the attack hit, staff found the backup system wasn’t configured
properly and were unable to retrieve the data for days until the company
signed an expensive contract to bring in Cisco incident responders. A
spokesperson for Cisco did not immediately comment. The company’s IT staff
had to effectively rebuild the entire network from scratch. Since the
outbreak, the company has spent “hundreds of thousands” on new hardware,
software and recovery costs.

“Once the backups didn’t work, they started throwing money at the problem,”
the person said.

The ransomware infection, understood to be iEncrypt (related to BitPaymer)
per a screenshot seen by TechCrunch, was triggered overnight on March 21,
weeks after the FBI contacted Arizona to warn of an apparent Dridex malware
infection. The FBI declined to comment, but the source said incident
responders believed Arizona’s systems had been compromised for at least a
couple of months.

The ransom note asked to email the attacker “to get the ransom amount.”
There’s no known decryption tool for iEncrypt.

Dridex is delivered through a malicious email attachment
<https://securelist.com/dridex-a-history-of-evolution/78531/>. Once the
implant installs, the attacker can gain near-unfettered access to the
entire network and can steal passwords, monitor network traffic and deliver
additional malware. With help from international partners, the FBI took down
the password-stealing botnet in 2015,
<https://www.justice.gov/opa/pr/bugat-botnet-administrator-arrested-and-malware-disabled>
but
the malware continues to pose a threat
<https://securityintelligence.com/news/dridex-trojan-remains-a-risk-even-following-takedown-operation-and-fbi-arrest/>.
More recently, Dridex has been used to deliver ransomware
<https://www.forbes.com/sites/geoffwhite/2018/09/26/how-the-dridex-gang-makes-millions-from-bespoke-ransomware/#4ffefb43440d>to
victims.

Kaspersky said two years after the takedown
<https://www.kaspersky.com/about/press-releases/2017_the-dridex-banking-trojan-an-ever-evolving-threat>
that
the malware is “still armed and dangerous.”

Incident responders seem to believe Arizona’s earlier Dridex compromise may
have led to the subsequent ransomware infection.

“Initially, Dridex was used to steal credentials to enable wire fraud, but
since 2017 it is more commonly observed running more targeted and higher
value operations,” said Adam Meyers, vice president of intelligence at
security firm CrowdStrike. He said the company has “observed this malware
being used to deploy enterprise ransomware, which we call ‘Big Game
Hunting.’ ”

The ransomware also infected the company’s Windows-powered Exchange server,
knocking out email across the entire company. Although its Unix systems
were unaffected, the ransomware outbreak left the company without any
computers able to process customer orders for almost a week. Staff began
processing orders manually several days into the outage.

“We were losing millions of dollars a day in sales,” the source said. “It
was a complete shitshow.”

The company still has a ways to recover from the ransomware attack. The
source put the figure at “about 60 percent up-and-running,” but the
company’s security awareness has improved.

A spokesperson for Arizona Beverages did not respond to an email requesting
comment. Phone lines to the company did not appear to be functioning. We
sent several messages to senior executives via LinkedIn prior to
publication but did not hear back.

It’s the latest in an uptick in high-profile ransomware events in recent
weeks.

Last year, German manufacturer KrausMaffei was also said to be hit on
November 21 by the same iEncrypt ransomware, based off a leaked screenshot
of the ransom note. Similar initial ransomware infections have been
connected to later ransomware attacks. Trend Micro said in December that
Dridex and other malware families like Emotet were linked
<https://www.zdnet.com/article/georgia-county-pays-a-whopping-400000-to-get-rid-of-a-ransomware-infection/>.
Weeks before Arizona’s outbreak, a local Georgia county was hit by a
similar ransomware attack
<https://statescoop.com/rural-jackson-county-ga-recovering-from-ransomware-attack/>
.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20190403/01ddf40d/attachment.html>