Disruptions to the food, beverage and agriculture sectors can cause more than just spikes in prices and production delays. They can also be a threat to public safety, precipitating the sale of tainted food, financial injury to critical companies and potential physical injury to food workers. Hackers know halting operations in food and beverage companies can be a significant pain point, which is why ransomware criminals have targeted the industry more often in recent years. In 2021 alone, threat actors hit meat giant JBS, beverage titan Molson Coors and candy maker Ferrara Pan.
In 2019, AriZona Beverages, the company behind the popular AriZona Iced Tea brand, became the target of a ransomware attack that damaged hundreds of computers and shut down sales operations for several days. It took them weeks to get the company back up and running and likely cost millions of dollars in lost sales and internal remediation.
Why food and beverage?
Attacks on the food and beverage industry are nothing new, and the escalation in the number of attacks has caught the attention of the federal government. The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI) and National Security Agency (NSA) released an alert in mid-October warning the food and agriculture sector to watch out for BlackMatter ransomware attacks, a relatively new variant that is believed to be responsible for several attacks on U.S. companies already.
“Ransomware may impact businesses across the sector, from small farms to large producers, processors and manufacturers, markets and restaurants,” the FBI stated.
A September private industry notification from the FBI’s Cyber Division detailed five major attacks — on a U.S. bakery, a beverage company, a global meat processing company, a U.S. farm, and an international food and agriculture business — that have occurred in the food sector since November 2020. These attacks resulted in lost access to computer systems, disruption to business operations and other serious harm.
“Ransomware attacks targeting the Food and Agriculture sector disrupt operations, cause financial loss, and negatively impact the food supply chain,” read the notification. “Ransomware may impact businesses across the sector, from small farms to large producers, processors and manufacturers, and markets and restaurants. Cyber-criminal threat actors exploit network vulnerabilities to exfiltrate data and encrypt systems in a sector that is increasingly reliant on smart technologies, industrial control systems, and internet-based automation systems.”
The AriZona Beverages attack
In March 2019, more than 200 servers and networked computers at AriZona Beverages, a New York-based beverage giant with more than 1,000 employees and $3 billion in revenue, began displaying a message stating their “network was hacked and encrypted,” according to TechCrunch.
The company posted notices around the office requesting staff hand in their laptops to the information technology (IT) department because their computers might be compromised. According to TechCrunch, it took the company five days before they brought in a professional incident response team to manage the ransomware attack.
“Many of the back-end servers were running old and outdated Windows operating systems that are no longer supported. Most hadn’t received security patches in years. The source said they were ‘surprised’ an attack hadn’t come sooner given the age of their systems,” TechCrunch reported.
Shortly after the attack, which wiped out hundreds of Windows computers and servers and halted sales operations, AriZona Beverages staff determined the backup system was improperly configured, making it nearly impossible to retrieve necessary data. They ultimately called in an incident response team to help at great cost to the company.
“The company’s IT staff had to effectively rebuild the entire network from scratch,” TechCrunch wrote. “Since the outbreak, the company has spent ‘hundreds of thousands’ on new hardware, software and recovery costs.”
The ransomware that impacted AriZona Beverages was believed to be a targeted version known as iEncrypt. As in many previous ransomware attacks, the company’s business operations were seriously hobbled — email was down, computers went dark and orders were unable to be processed. AriZona ultimately resorted to taking orders manually, with pen and paper.
A few weeks prior to this attack, the FBI had warned the company their systems had already been compromised by Dridex malware, a Trojan virus that targets Windows computers and is typically delivered via spam email. It’s possible this infection was the entryway for the iEncrypt attack. Once a threat actor has gained entry into a system via Dridex, they typically have access to the entire network, allowing them to steal passwords, inflict widespread damage and install other malware programs.
The AriZona fallout
Because AriZona Beverages is a privately held company, it never disclosed the total cost of the 2019 breach, but it did take the company a significant amount of time and capital to get operations back up and running. The company lost millions of dollars in sales due to the outage, and it also spent hundreds of thousands on incident response.
These sorts of sophisticated, targeted ransomware attacks are becoming increasingly common, as threat actors get savvier and the barrier to entry is lowered by products like ransomware-as-a-service (RaaS). Ultimately, the AriZona Beverages hit is a perfect example of why it’s essential for companies to have strong cyber hygiene. It’s difficult to stop a motivated attacker from breaching systems, but there’s no reason to leave the front gate open and the door unlocked.
Doing proper risk assessments, running patches, updating software and hardware, and having workable backups can help ease the pain from attacks like these, and ensure operations can remain functional even in the case of a targeted ransomware strike. AriZona Beverages is a massive company that survived the hit, but most small to midsize companies wouldn’t have been so lucky because they don’t have the resources to recover from a breach like that.