iEncrypt ransomware infects US drink producer Arizona Beverages

One of the biggest drink suppliers in the US was hit by iEncrypt ransomware in a targeted attack

Arizona Beverages, one of the largest iced tea and juice cocktail manufacturers in the US, was hit by iEncrypt ransomware

Arizona, a New York-based beverage producer, suffered a ransomware attack. The incident occurred last month, on March 21, when iEncrypt ransomware[1] encrypted and crippled over 200 computers connected to the Arizona Beverages network, preventing the sales department from carrying on its normal activities.

Unfortunately, the company soon discovered that the backups of its networks were not adequately configured, which prompted a call to an incident response team. According to the TechCrunch report,[2] it took Arizona Beverages five days to contact the security experts from Cisco, who then began the recovery operations.

Many of the company's servers were running outdated Windows operating systems that had not received security patches for years. According to an individual closely familiar with the incident and the company, it is surprising that the attack did not occur earlier, considering the poor security practices.

Since the incident, Arizona Beverages has already spent thousands of dollars buying new hardware and restoring its networks. The final financial losses are not yet known.

iEncrypt ransomware, first discovered in November 2018, is a file-locking virus that targets companies and organizations to extort money. After encryption it appends the victim company's name to the affected files as a file extension and then drops a ransom note which is also named after the company or the computer name. One of the best-known previous iEncrypt incidents occurred on November 21, when the malware locked up the files of German machinery manufacturer Krauss-Maffei.[3]
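The naming pattern described above (company name as the file extension, a note named after the company or host) is something a defender can look for on a file share. The following checker is an added example written for this article, not code from the original report or from any vendor; the note extensions, the "name starts with the company or host name" rule for ransom notes and the alert threshold are assumptions.

```python
import os
import socket
from dataclasses import dataclass, field
from typing import Iterable, List

# Text-like extensions in which a dropped ransom note would plausibly be written (assumption).
NOTE_EXTENSIONS = {"txt", "html", "hta", "rtf"}


@dataclass
class Findings:
    encrypted: List[str] = field(default_factory=list)  # files whose extension is the org/host name
    notes: List[str] = field(default_factory=list)      # ransom notes named after the org/host

    def suspicious(self, threshold: int = 10) -> bool:
        # Alert only when several renamed files appear together with at least one note,
        # which is the iEncrypt pattern the article describes; a lone "<Company>.txt" is not enough.
        return len(self.encrypted) >= threshold and bool(self.notes)


def _normalise(name: str) -> str:
    # "Arizona Beverages" -> "arizonabeverages": compare ignoring case, spaces and punctuation
    return "".join(ch for ch in name.lower() if ch.isalnum())


def classify_paths(paths: Iterable[str], org_name: str, host_name: str) -> Findings:
    """Sort file paths into iEncrypt-style encrypted files and ransom notes."""
    targets = {t for t in (_normalise(org_name), _normalise(host_name)) if t}
    found = Findings()
    for path in paths:
        stem, dot, ext = os.path.basename(path).rpartition(".")
        if not dot:
            continue  # no extension at all: cannot match either pattern
        if _normalise(ext) in targets:
            found.encrypted.append(path)  # e.g. q1.xlsx.ArizonaBeverages (only the last extension counts)
        elif ext.lower() in NOTE_EXTENSIONS and any(_normalise(stem).startswith(t) for t in targets):
            found.notes.append(path)      # e.g. ArizonaBeverages.txt, FS01_readme.html (assumed shape)
    return found


def scan_tree(root: str, org_name: str, host_name: str) -> Findings:
    """Walk a directory tree (e.g. a mounted file share) and classify everything under it."""
    def walk():
        for dirpath, _, filenames in os.walk(root):
            for name in filenames:
                yield os.path.join(dirpath, name)
    return classify_paths(walk(), org_name, host_name)


if __name__ == "__main__":
    import sys  # usage: python detect_iencrypt.py <root> "<org name>" [<hostname>]
    host = sys.argv[3] if len(sys.argv) > 3 else socket.gethostname()
    result = scan_tree(sys.argv[1], sys.argv[2], host)
    print(f"{len(result.encrypted)} renamed files, {len(result.notes)} notes, alert={result.suspicious()}")
```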

The attack was deliberate and targeted

Once the ransomware infection had been spotted, computer screens displayed a ransom note that addressed the company by name, indicating a targeted attack:

Hello Arizona Beverages,

Your network was hacked and encrypted.
No free decryption software is available on the web.
Email us at SARAH.BARRICK@PROTONMAIL.COM (or) LINDA.HARTLEY@TUTANOTA.COM to get the ransom amount.

Please, use your company name as the email subject.

Posters placed across the offices also warned the staff: “Do not power on, copy files, or connect to any network. Your laptop may be compromised.”

When the company's IT staff determined that recovery from backups was not possible, Arizona Beverages had to hire the expensive services of Cisco's incident response team. The unnamed source familiar with the incident stated that the drink manufacturer “started throwing money at the problem.”

The infection spread to the company's Windows Exchange server, which shut down its email services and prevented new orders from being processed through that software. For that reason, much of the staff had to start preparing orders manually just a few days after the ransomware attack. Operations were only restored a week later. Since Arizona is one of the biggest drink manufacturers in the US, it was losing millions of dollars in sales each day.

According to reports, Arizona is now running at 60 percent of its full capacity, and, while it has still not completely recovered from the attack, cyber-security awareness inside the company has improved. It is unfortunate, however, that such an incident had to happen, and millions of dollars had to be lost, before the company implemented adequate precautionary measures.

Dridex malware is suspected in iEncrypt ransomware delivery

Arizona Beverages had been contacted by the FBI just a few weeks before the ransomware attack with a warning about a Dridex malware[4] infection. Dridex is information-stealing malware that is usually delivered via contaminated email attachments.

While the botnet built by the malware was shut down back in 2015, the payload is still being distributed by hackers in order to steal sensitive information and install a secondary malware payload, which is usually ransomware. Since 2017, the malware has been used for “Big Game Hunting,” a technique recently employed by such widespread threats as GandCrab.[5]

Because the info-stealer gives hackers comprehensive access to infected networks, Cisco researchers believe that the iEncrypt compromise was a consequence of the Dridex infection.

Enterprise ransomware is currently on the rise, with threats such as LockerGoga[6] and Ryuk targeting industry giants and causing millions of dollars in damages. Companies should start investing in cybersecurity immediately, or they might be the next victim of a costly malware attack.

About the author: Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
