What appears to have been a targeted ransomware attack knocked over 200 networked computers and servers offline at Arizona Beverages, one of the largest beverage suppliers in the U.S., TechCrunch reports. The attack, which the company was still struggling to recover from two weeks later, halted sales operations for days, allegedly costing the company millions of dollars.

Arizona Beverages ransomware attack yet another lesson in what not to do

The ransomware that hit Arizona Beverages is believed to be iEncrypt, a form of ransomware that is used in targeted attacks. A few weeks before the iEncrypt attack hit, the FBI contacted Arizona Beverages to warn them that they had been compromised by another form of malware called Dridex, which leverages Microsoft Office macros and is usually delivered through phishing emails. The Dridex infection may very well have opened the door to the iEncrypt attack, possibly by stealing login credentials.

An anonymous source told TechCrunch that the Dridex infection had been ongoing for “at least a couple of months” at the time the FBI contacted Arizona Beverages. The same source remarked to TechCrunch that they were surprised something like this hadn’t happened sooner, given the company’s poor cybersecurity posture. This included servers that relied on on legacy versions of Windows that are so old, they’re no longer supported. These installations hadn’t been updated with security patches for “years.”

In addition to servers and computers, the iEncrypt ransomware locked down Arizona Beverages’ email server, leaving the company unable to process customer orders. The fun didn’t stop there. When internal IT staff attempted to restore the company’s network from backups, they discovered that they couldn’t — because the backups hadn’t been configured properly. Staff members scrambled for days to get the backups to work before, TechCrunch’s source said, “they started throwing money at the problem” and brought in a third-party vendor.

In addition to millions of dollars in lost sales, Arizona Beverages has allegedly spent “hundreds of thousands” more on new hardware, new software, paying the vendor to clean up the problem, and rebuilding its entire network. As of the publication of the TechCrunch article, the company was reportedly 60% restored.

Targeted ransomware attacks on the rise

Although there has been a drop in the overall number of ransomware attacks over the past year, attacks are becoming more sophisticated and targeted. Meanwhile, the bar for launching a complex attack has been significantly lowered by the proliferation of ransomware-as-a-service, which allows just about anyone to launch an attack regardless of technical ability.

The iEncrypt malware that hit Arizona Beverages uses the victimized company’s name as a file extension and also mentions it in the ransom note. It’s a very new strain of ransomware, discovered in November 2018, and its behavior is unpredictable. One thing is certain; once an infection hits, it is especially difficult to remove because the malware impersonates legitimate files.

What would happen if sales at your company halted for a week?

This is the question every company needs to be asking itself right now. Arizona Beverages lost millions of dollars because it literally couldn’t process customer orders for several days; this was on top of cleanup costs. As a very large company, Arizona Beverages could take this sort of financial hit. Many small companies aren’t so fortunate. Around the same time the Arizona Beverages ransomware attack hit the news, a small Michigan medical practice permanently closed after a ransomware attack destroyed their electronic health records system.

The Arizona Beverages ransomware attack may not have happened in the first place if the company had not been relying on old, unpatched, unsupported versions of Windows. When it did occur, the company should have been able to restore from a backup. Not having properly configured network backups is inexcusable. In addition to being able to restore systems after a cyberattack, backups allow companies to recover from events such as vandalism and natural disasters.

Arizona Beverages’ poor handling of the basics beg the question of what else was wrong with their internal cybersecurity. Was the Dridex infection properly mitigated? Why didn’t the company find out about it until they were contacted by the FBI? Whatever happened, it would have been far less expensive and disruptive for Arizona Beverages to have implemented proactive cybersecurity measures instead of throwing money at a problem after it happened.

Author's Bio: 

Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions.

He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.