The world has seen multiple data breaches in the past few years, and the problem appears to be escalating. However, another type of attack is becoming one of the most prolific: ransomware, which forces companies, small businesses, and government systems to suspend their operations or even collapse.
Last month, the well-known American beverage brand Arizona Beverages was attacked by ransomware that effectively paralyzed its operations, leaving the company in recovery mode to this day. The company, famous for its iced tea drinks, is still rebuilding its compromised network two weeks after a malicious email installed ransomware on its server, wiping hundreds of Windows computers and servers and forcing the company to shut down sales operations for days until a team of responders was called in to fix the issue.
According to people familiar with the matter, more than 200 servers and networked computers displayed the same message: “Your network was hacked and encrypted.” The company’s name appeared in the ransom note, indicating that the attack was targeted at the company rather than opportunistic, as other ransomware attacks often are.
Employees of the company were instructed in a company memorandum not to “power on, copy files, or connect to any network” because their “laptop may be compromised.”
The company called in an incident response team to handle the outbreak, after which it was discovered that many of the back-end servers were running old, outdated versions of Windows that are no longer supported. Furthermore, most of these servers had not received security patches in years.
Hiring a response team to mitigate the effects of ransomware can cost a hefty amount of money. The staff from Cisco, the company hired to respond to the attack, effectively had to rebuild the entire network from scratch. Since the outbreak, Arizona Beverages has spent “hundreds of thousands” on new hardware, software, and other recovery costs.
“Once the backups didn’t work, they started throwing money at the problem,” a person familiar with the incident said.
According to the investigation conducted to determine the source of the attack, the ransomware infection, understood to be iEncrypt, was triggered overnight on March 21, weeks after the FBI had sent an alert warning Arizona of an apparent Dridex malware infection. Incident responders believed that Arizona’s systems had been compromised for at least a couple of months.
The FBI had not yet responded to a request for details of the warning it sent to Arizona.
A spate of ransomware attacks has been investigated in recent months. Only last week, the social services of Albany, New York were paralyzed following apparent ransomware attacks that targeted the city’s servers.
The extent of the damage caused by the ransomware is still unknown, and officials worked over the weekend to respond to the incident. According to a press release on the city’s official website, all city services will be open to the public except the issuing of birth certificates, death certificates, and marriage certificates.
The city also said that all employees are expected to report to work during regular business hours, and that all operations except those identified above will be available to the public as usual.
“All City employees will report to work during normal business hours on Monday, and City buildings will be open to the public at noon. City Court services will operate during normal business hours,” the city announced in a press release on its official website.
Albany Mayor Kathy Sheehan said that the city’s IT experts and the rest of the response team are determining the exact extent of the damage and will keep the public updated on any developments as soon as they become available. She tweeted:
“The City of Albany has experienced a ransomware cyber attack. We are currently determining the extent of the compromise. We are committed to keeping you informed and will provide updates as they become available.”
Norsk Hydro, one of the biggest aluminum producers worldwide, was previously forced to shut down part of its manual operations because of a cyber attack that targeted its computer systems and internal servers. After an investigation of the incident, it was concluded that the company had been hit by LockerGoga ransomware.
Furthermore, just last week, the parking garage computer system of the Canadian Internet Registration Authority (CIRA), the non-profit organization that manages the .ca country code top-level domain (ccTLD) and represents Canadian domains internationally, was hit by a ransomware attack that allowed employees (and practically anyone else) to use a parking space for free.