Cyber Incident Victim: Arizona Beverages
Date:
Mar 2019
Location:
United States of America
Summary
A major U.S. beverage supplier suffered a disruptive ransomware attack that encrypted more than 200 Windows systems, crippling sales operations and email for nearly a week. The incident has been linked to iEncrypt ransomware and was preceded by a Dridex malware infection about which the FBI had warned the company weeks earlier; the attackers exploited outdated, unpatched systems. Backups failed to restore, forcing manual order processing, causing significant daily revenue losses, and requiring a complete network rebuild at substantial cost. Incident responders indicated that the network had likely been compromised for months beforehand. While Unix systems were unaffected, the company incurred extensive expenses for new infrastructure amid prolonged operational disruption.
Description
The ransomware attack against Arizona Beverages began overnight on March 21, 2019, when iEncrypt ransomware (a variant related to BitPaymer) encrypted hundreds of Windows computers and servers across the company's network. The incident followed an FBI warning weeks earlier about a Dridex malware infection within Arizona's systems, which investigators believed had given the attackers persistent network access for months before the ransomware was deployed. The attackers left customized ransom notes naming the company and instructing the victim to email them for payment instructions; no decryption tool existed for iEncrypt. The malware crippled more than 200 systems, including the Windows-based Exchange servers, shutting down corporate email. Unix systems were unaffected, but the encryption of the Windows estate paralyzed sales operations entirely, and staff were still processing orders manually days into the outage. Internal posters instructed employees to surrender their laptops immediately and warned against powering on or connecting any device to the network. Forensic analysis found that most of the compromised servers ran outdated, unsupported Windows operating systems that had not received security patches for years; one source expressed surprise that an attack had not occurred sooner given the aging infrastructure.

Arizona Beverages discovered that its backup system was improperly configured when restoration attempts failed the day after the attack, delaying data recovery until the company engaged Cisco incident responders under an expensive emergency contract five days after the outage began. The IT department rebuilt the entire network from scratch, purchasing new hardware and software at a cost exceeding hundreds of thousands of dollars. Sales operations remained offline for nearly a week, and company sources estimated daily revenue losses in the millions during the disruption. Incident responders traced the ransomware's initial access to the earlier Dridex infection; Dridex is a banking trojan whose operators have, since 2017, used it to stage targeted ransomware deployments after stealing credentials. The months-long compromise gave the attackers time to move laterally before deploying the ransomware payload. Recovery progressed slowly, with only about 60% of systems operational nearly two weeks after the attack, although the event reportedly improved security awareness within the organization. Arizona Beverages did not publicly confirm whether any ransom was paid, and multiple attempts to contact company representatives by email, phone, and LinkedIn went unanswered after the incident.
