Arizona Beverages, one of the largest beverage suppliers in the U.S., is recovering after a massive ransomware attack last month.
The company, famous for its iced tea beverages, is still rebuilding its network weeks after the attack hit, wiping hundreds of Windows computers and servers and effectively shutting down sales operations for days until incident response was called in, according to a person familiar with the matter.
More than 200 servers and networked computers displayed the same message: “Your network was hacked and encrypted.” The company’s name was in the ransom note, indicating a targeted attack.
Notices posted around the office told staff to hand in their laptops to IT staff. “Do not power on, copy files, or connect to any network,” read the posters. “Your laptop may be compromised.”
It took the company another five days before the company brought in incident responders to handle the outbreak, the source said. Many of the back-end servers were running old and outdated Windows operating systems that are no longer supported. Most hadn’t received security patches in years.
The source said they were “surprised” an attack hadn’t come sooner given the age of their systems.
A day after the attack hit, staff found the backup system wasn’t configured properly and were unable to retrieve the data for days until the company signed an expensive contract to bring in Cisco incident responders. A spokesperson for Cisco did not immediately comment. The company’s IT staff had to effectively rebuild the entire network from scratch and has spent “hundreds of thousands” on new hardware, software and recovery costs since the outbreak.
“Once the backups didn’t work, they started throwing money at the problem,” the person said.
The ransomware infection was triggered overnight on March 21, weeks after the FBI contacted Arizona to warn of an apparent Dridex malware infection. The FBI declined to comment, but the source said incident responders believed Arizona’s systems had been compromised for at least a couple of months.
Dridex is delivered through a malicious email attachment. Once the implant installs, the attacker can gain near-unfettered access to the entire network and can steal passwords, monitor network traffic and deliver additional malware. With help from international partners, the FBI took down the password-stealing botnet in 2015, but the malware continues to pose a threat. More recently, Dridex has been used to deliver ransomware to victims.
Kaspersky has stated two years after the takedown that the malware is “still armed and dangerous.”
Incident responders seem to believe Arizona’s earlier Dridex compromise may have led to the subsequent ransomware infection.
“Initially, Dridex was used to steal credentials to enable wire fraud, but since 2017 it is more commonly observed running more targeted and higher value operations,” said Adam Meyers, vice president of intelligence at security firm CrowdStrike. He said the company has “observed this malware being used to deploy enterprise ransomware, which we call ‘Big Game Hunting.’ ”
The ransomware also infected the company’s Windows-powered Exchange server, knocking out email across the entire company. Although its Unix systems were unaffected, the ransomware outbreak left the company without any computers able to process customer orders for almost a week. Staff began processing orders manually several days into the outage.
“We were losing millions of dollars a day in sales,” the source said. “It was a complete sh*tshow.”
The company still has a ways to go before recovering from the ransomware attack. The source put the figure at “about 60 percent up-and-running,” and the company’s security awareness certainly has improved.
The Take Away
John Wooden, nicknamed the “Wizard of Westwood” has been unilaterally referred as one of the best coaches of all time. While head coach at UCLA, he won ten NCAA national championships in a 12-year period, including a record 7 in a row.
One of his most effective strategies was making sure that every member of the team was to be excellent at the basics. For example, he would start a new season by having each of the players practice properly putting on and lacing up their shoes. Strange right? He knew that no matter how talented a player you were, a blister meant that the opposing team would beat you. We can all learn from this philosophy. Having a mastery of the basics, especially in the proper upkeep of the technology that runs your business, your life and your money is critical.
How could Arizona have prevented what happened? Here it is, straight and simple:
- Ensuring that all computers and software is patched, not running outdated or unsupported operating systems and receiving regular reports by email showing that this has been done
- Making sure that the backup system is being monitored and reports indicating that backup checks were performed
- Ensuring that security software was installed, updated and being monitored on all systems and that a proper UTM (such as a Total Security Firewall) was in place and being monitored
- Ensuring that a staff training program on preventing breaches was in place and that employees were actually completing the education
My question is: how sure are you that your company is solid on these points?
If you’re not, there’s work to do. We can help if you need it.
Stay safe out there