{
	"id": "4622dc39-2824-4849-bb47-4f9caebbfbeb",
	"created_at": "2026-04-06T03:37:52.753728Z",
	"updated_at": "2026-04-10T03:20:44.260771Z",
	"deleted_at": null,
	"sha1_hash": "2845da8cfd6aeea8a8a94fd81e2ee97a640cd5cf",
	"title": "Arizona Beverages knocked offline by ransomware attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38766,
	"plain_text": "Arizona Beverages knocked offline by ransomware attack\r\nBy Zack Whittaker\r\nPublished: 2019-04-02 · Archived: 2026-04-06 03:17:50 UTC\r\nArizona Beverages, one of the largest beverage suppliers in the U.S., is recovering after a massive ransomware attack last month, TechCrunch has learned.\r\nThe company, famous for its iced tea beverages, is still rebuilding its network almost two weeks after the attack hit, wiping hundreds of Windows computers and servers and effectively shutting down sales operations for days until incident response was called in, according to a person familiar with the matter.\r\nMore than 200 servers and networked computers displayed the same message: “Your network was hacked and encrypted.” The company’s name was in the ransom note, indicating a targeted attack.\r\nNotices posted around the office told staff to hand in their laptops to IT staff. “Do not power on, copy files, or connect to any network,” read the posters. “Your laptop may be compromised.”\r\nIt took another five days before the company brought in incident responders to handle the outbreak, the source said. Many of the back-end servers were running old and outdated Windows operating systems that are no longer supported. Most hadn’t received security patches in years.\r\nThe source said they were “surprised” an attack hadn’t come sooner given the age of their systems.\r\nA day after the attack hit, staff found the backup system wasn’t configured properly and were unable to retrieve the data for days until the company signed an expensive contract to bring in Cisco incident responders. A spokesperson for Cisco did not immediately comment. The company’s IT staff had to effectively rebuild the entire network from scratch. 
Since the outbreak, the company has spent “hundreds of thousands” on new hardware, software and recovery costs.\r\n“Once the backups didn’t work, they started throwing money at the problem,” the person said.\r\nThe ransomware infection, understood to be iEncrypt (related to BitPaymer) per a screenshot seen by TechCrunch, was triggered overnight on March 21, weeks after the FBI contacted Arizona to warn of an apparent Dridex malware infection. The FBI declined to comment, but the source said incident responders believed Arizona’s systems had been compromised for at least a couple of months.\r\nThe ransom note asked to email the attacker “to get the ransom amount.” There’s no known decryption tool for iEncrypt.\r\nDridex is delivered through a malicious email attachment. Once the implant installs, the attacker can gain near-unfettered access to the entire network and can steal passwords, monitor network traffic and deliver additional malware. With help from international partners, the FBI took down the password-stealing botnet in 2015, but the malware continues to pose a threat. More recently, Dridex has been used to deliver ransomware to victims. Kaspersky said two years after the takedown that the malware is “still armed and dangerous.”\r\nIncident responders seem to believe Arizona’s earlier Dridex compromise may have led to the subsequent ransomware infection.\r\n“Initially, Dridex was used to steal credentials to enable wire fraud, but since 2017 it is more commonly observed running more targeted and higher value operations,” said Adam Meyers, vice president of intelligence at security firm CrowdStrike. 
He said the company has “observed this malware being used to deploy enterprise ransomware, which we call ‘Big Game Hunting.’”\r\nThe ransomware also infected the company’s Windows-powered Exchange server, knocking out email across the entire company. Although its Unix systems were unaffected, the ransomware outbreak left the company without any computers able to process customer orders for almost a week. Staff began processing orders manually several days into the outage.\r\n“We were losing millions of dollars a day in sales,” the source said. “It was a complete shitshow.”\r\nThe company still has a way to go to recover from the ransomware attack. The source put the figure at “about 60 percent up-and-running,” but the company’s security awareness has improved.\r\nA spokesperson for Arizona Beverages did not respond to an email requesting comment. Phone lines to the company did not appear to be functioning. We sent several messages to senior executives via LinkedIn prior to publication but did not hear back.\r\nIt’s the latest in an uptick in high-profile ransomware events in recent weeks.\r\nLast year, German manufacturer KrausMaffei was also said to be hit on November 21 by the same iEncrypt ransomware, based on a leaked screenshot of the ransom note. Similar initial malware infections have been connected to later ransomware attacks. Trend Micro said in December that Dridex and other malware families like Emotet were linked. Weeks before Arizona’s outbreak, a local Georgia county was hit by a similar ransomware attack.\r\nSource: https://techcrunch.com/2019/04/02/arizona-beverages-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://techcrunch.com/2019/04/02/arizona-beverages-ransomware/"
	],
	"report_names": [
		"arizona-beverages-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775446672,
	"ts_updated_at": 1775791244,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2845da8cfd6aeea8a8a94fd81e2ee97a640cd5cf.pdf",
		"text": "https://archive.orkl.eu/2845da8cfd6aeea8a8a94fd81e2ee97a640cd5cf.txt",
		"img": "https://archive.orkl.eu/2845da8cfd6aeea8a8a94fd81e2ee97a640cd5cf.jpg"
	}
}