Scottish Brewery Recovered from Ransomware Attack

It’s a new week, and the folks at Arran Brewery in Scotland are likely drinking to that after last week’s ransomware attack took their computer systems offline. The brewery has reportedly recovered from what managing director Gerald Michaluk believes was a targeted Dharma Bip ransomware attack.

Arran staff received what they thought was a cover letter as part of a job application, but the email attachment contained malware, according to the BBC. Why the application was submitted in the first place is what seems suspicious.

In the aftermath of a legitimate job posting, the position had been filled, yet the listing reportedly reappeared on multiple recruitment sites. Apparently the position was quite desirable, because the fraudulent post resulted in an influx of applications from candidates around the world, creating a bit of email chaos. Hackers leveraged the surge in emails and sent an infected message containing the ransomware payload within a PDF.

Once the malicious email was opened, the systems became infected, at which point the attackers demanded two Bitcoins to have the system files restored. Knowing that it would lose three months of sales records, Arran reportedly decided not to pay and instead brought in external experts to enhance its cybersecurity strategies, according to The Scottish Sun.

“To pay or not to pay, that is the seemingly million-dollar question when it comes to ransomware,” said Barry Shteiman, VP of research and innovation at Exabeam. “While many security experts warn about paying ransoms or entering into negotiations, the answer, in reality, comes down to simple economics.”

One reason many companies choose to pay the ransom is the losses incurred during downtime when data is unavailable. In other cases, restoring backups may be more expensive than paying the ransom.

“If giving up on the encrypted data has a higher cost in lost revenue or intellectual property than remediation, then you can also see why an organization would pay the ransom. Of course, this is a last resort, if all other options have been exhausted,” Shteiman said.

Arran opted not to pay. “We chose to bring in an expert who having identified the problem was able to eliminate the virus and restore part of our system, and is confident in due course when the key is cracked will be able to restore the lost data,” Michaluk told The Scottish Sun.

“I hope if anyone finds themselves in a similar position they can recognize the MO of these bandits and not have the same issues we have had.”

Article from: infosecurity-magazine.com

Scottish Brewery Encounters Ransomware Assault

Arran Brewery of Scotland, of late, encountered a ransomware attack targeted at its top executives. The officials state they suffered extremely because the cyber assault disrupted their business. They brought in security experts so work in the company could be reinstated.

The brewery said it could not access the PCs in its office following an incident of trickery against its higher officers who unwittingly clicked a file attached to an e-mail which carried virus.

Gerald Michaluk Managing Director of Arran Brewery commented the assault was extremely tricky. He explained that a job vacancy in his company for an assistant for finance and credit control was advertised on its website. From nowhere applicants began approaching online from across Scotland and the globe, which was because as realized later the cyber criminals exploited the situation and posted the job vacancy taken from Arran’s website onto an international recruitment website.

Additionally Mr. Michaluk explained the majority of e-mails coming in daily contained CVs attached. Those job hunters who were genuine, in their e-mails only the virus existed and it became active the moment their CVs were viewed. As a matter of fact, the particular virus was very new, so the company’s anti-virus program couldn’t detect the malware. The virus subsequently began encrypting the company’s databases such as backup files then other files on its systems followed with the central server.

Here as per Arran Brewery, the crooks after this demanded a ransom of 2 bitcoins valuing 9,600 pounds in exchange for restoring the company’s computers as well as decrypting the locked files. But the company decided not to pay. This was even as it lost considerable sales data of 3 months that was on the server.

Ever since Arran Brewery hired a specialist for identifying the problem while the specialist cleared off the virus too that helped restore the system partially. He also asserted once the key could be deciphered, all lost data could be regained.

Michaluk hoped anybody else in a likewise situation would be able to recognize the criminals via their MO while manage avoiding the same problems Arran Brewery suffered.

» SPAMfighter News – 24-09-2018

Article from: spamfighter.com

Brewery became victim of targeted ransomware attack via job vacancy ad

Hackers took a job ad on the Arran Brewery website and posted it on international recruitment sites. One of the resumes submitted as a result had a Dharma Bip ransomware payload.

You may not need a cautionary tale about opening email attachments, but this story is a reminder that you don’t have to be the biggest and most well-known company to become the victim of a targeted ransomware attack. Just look at what happened to a small Scottish brewery.

Arran Brewery in Scotland advertised job vacancies on its site, yet after the company filled the most current vacancy for a credit control and finance assistant, resumes from around the world started pouring in.

The brewery’s managing director, Gerald Michaluk, told the BBC, “Out of the blue we started getting applicants for the post from all over the country and the world. I assumed one of my colleagues had advertised the post. However, this was not the case. The attackers had taken our website vacancy and posted it on some international jobs site.”

Michaluk called the attack “very devious” as the company was “getting three of four emails a day, all with attached CVs. The virus was in amongst the genuine job seekers, and when the CV was opened it took effect.”

One of the resumes contained a Dharma Bip ransomware variant, so when the email attachment was opened, the ransomware payload in the PDF started encrypting files. The company was locked out of its computers systems. The attackers demanded a two-bitcoin ransom, which was worth about $13,000.

Michaluk went from “vaguely” knowing about ransomware to knowing more than he probably wanted to know.

He told Security Media Group: “The attack was especially damaging because it first infected the office’s Windows domain controller, which is used to authenticate corporate users and provide them with access to resources. ‘It had access to drives on other file servers which it encrypted, without those other machines becoming infected.’”

In the end, the Scottish brewery opted not to pay the ransom. The ransom demand “was beyond the value of the data lost — also paying it would not guarantee restoration of the files — so we restored from backups,” Michaluk said.

But the backups did not have the most recent data. Michaluk explained that “the ransomware had encrypted all attached file shares, including those that recent online backups had been saved to, so it was only offsite backups which were available, the most recent of which was some three months old.”

The company still has the encrypted files, hoping Kaspersky Lab will issue an update for its Dharma decryption tool so it works on this variant.

Although “don’t cave to extortion and pay” is the most commonly uttered advice, Barry Shteiman, Exabeam’s vice president of research and innovation, told The Register,  “While many security experts warn about paying ransoms or entering into negotiations, the answer in reality comes down to simple economics. If the downtime caused by data being unavailable, or by the backup restoration process, is more expensive than paying the ransom, then organizations should pay.”

How old are your offsite backups?

Michaluk told the BBC, “I hope if anyone finds themselves in a similar position they can recognize the MO of these bandits and not have the same issues we have had.”

Article from: csoonline.com

Brewery breach: Not even beer is safe from ransomware

Beer spilled over computer keyboard on a gray concrete table

News emerged this week of a Scottish Brewery that had fallen victim to a ransomware attack.

Arran Brewery was locked out of its own computer system after being lured into opening an email attachment that had malicious intent.

Once the system had been hacked, the cybercriminal/s demanded two bitcoins (approx. £9,600) as a ransom to unlock the system – or face losing more than three months of sales data from one of its servers.

It’s interesting to note just how the cybercrimnal/s did it, as this was not just a mass phishing attack but rather a very studied and targeted one. Arran Brewery had been advertising for a genuine job position on various sites.

In light of this, the attacker/s took this ad and disseminated it around the world on other sites to increase the volume of emails with legitimate CV attachments, which they then used as an effective Trojan horse to hide their email with its malicious attachment.

Arran Brewery has come forward to the press and revealed the company declined to make the payment and in doing so lost the aforementioned data. They are now working with an IT consultant to not only eliminate any traces of the virus but also to attempt to restore the lost data.

Exabeam research and innovation VP Barry Shteiman says this kind of attack was inevitable.

“To pay or not to pay, that is the seemingly million-dollar question when it comes to ransomware. The Brewery bravely chose not to pay. While many security experts warn about paying ransoms or entering into negotiations, the answer in reality comes down to simple economics,” says Shteiman.

“If the downtime caused by data being unavailable, or by the backup restoration process is more expensive than paying the ransom, then organisations should pay.  Equally, if giving up on the encrypted data has a higher cost in lost revenue or intellectual property than remediation, then you can also see why an organisation would pay the ransom.  Of course, this is a last resort, if all other options have been exhausted.”

Shteiman says organisations need to work to become more clued up about ransomware attacks.

“In order for cybersecurity teams to detect ransomware early enough in the ransomware lifecycle to stop it, they need to understand the business models used by ransomware network operators, the kill chain of a ransomware attack and how to detect and disrupt ransomware in corporate environments,” says Shteiman.

“Armed with this information, analysts should be able to react faster in the event their organisation is hit with a ransomware infection.”

Zerto product marketing director Caroline Seymour holds similar sentiments, asserting this breach proves that nobody is truly safe from ransomware as almost all organisations today rely on their data.

“A recent analyst study determined that 50% of surveyed organisations have suffered an unrecoverable data event in the last three years. For most companies, customer loyalty, company brand and reputation are at risk.  Regrettably, prevention of these attacks is not always possible, but diminishing the threat is,” says Seymour.

“For an industry that reaches as many customers as the beer industry does, it’s critical to take a more dynamic, modern approach to business continuity and disaster recovery (DR). Solutions utilising Continuous Data Protection and hybrid cloud DR can help organisations like Arran Brewery better manage their IT infrastructures and achieve IT Resilience – so that downtime of more than mere seconds becomes a thing of the past and everyone can still enjoy a pint.”

Article from: SecurityBrief.eu

ARRAN BREWERY VICTIM OF ‘VERY DEVIOUS’ CYBER ATTACK

A brewery on the Scottish island of Arran has suffered a ransomware attack after opening an email attachment which contained a virus, with the cyber attackers demanding two bitcoins worth £9,600 as ‘ransom’.

As reported by the BBC, the Scottish brewery suffered an attack after advertising for a job vacancy.

The virus, contained in an email attachment, caused the company to loose three months’ worth of sales records from one of its servers.

The brewery told the BBC that it contacted an IT consultant who removed the virus and it is now working to restore the lost data.

Arran Brewery managing director Gerald Michaluk explained that the company had advertised for a credit control and finance assistant post which had led to the “very devious” cyber attack.

“Out of the blue we started getting applicants for the post from all over the country and the world.

“I assumed one of my colleagues had advertised the post. However, this was not the case; the attackers had taken our website vacancy and posted it on some international jobs site.

“We were getting three of four emails a day, all with attached CVs. The virus was in amongst the genuine job seekers, and when the CV was opened it took effect.”

“I hope if anyone finds themselves in a similar position they can recognise the MO of these bandits and not have the same issues we have had,” he added.

If a company finds itself the victim of a ransomware attack, they should contact the police to report the incident. It is also advised that businesses should regularly back up data to cloud or other devices while employees should be vary of unsolicited emails, especially those containing attachments.

Arran Brewery has also suffered a number of physical attacks, with vandals repeatedly targeting its Dreghorn site, most recently in April this year. The brewery’s lorry had its windscreen and driver’s window smashed in while a number of bottles were also damaged in the incident.

Article from: TheDrinksBusiness.com

Arran Brewery hit by ransomware attack

A Scottish brewery has warned other firms to stay alert after it fell victim to a ransomware attack.

Arran Brewery said it was locked out of its own computer system after being duped into opening an email attachment that contained a virus.

According to the firm, the culprits then demanded two bitcoins, worth a total of £9,600, to restore its system.

Arran said it declined to pay, despite losing three months’ worth of sales data from one server.

The company added that it had since used an IT consultant to eliminate the virus, and it was working on restoring the lost data.


What is ransomware?

Ransomware involves computer viruses that threaten to delete your files unless you pay a ransom.

Like other viruses, it usually finds its way onto a device by exploiting a security hole in vulnerable software or by tricking somebody into installing it.


Arran Brewery managing director Gerald Michaluk described the attack as “very devious”.

He said: “We advertise job vacancies on our website. One such job vacancy was for a credit control and finance assistant post, now filled.

“Out of the blue we started getting applicants for the post from all over the country and the world.

“I assumed one of my colleagues had advertised the post. However, this was not the case; the attackers had taken our website vacancy and posted it on some international jobs site.

“We were getting three of four emails a day, all with attached CVs. The virus was in amongst the genuine job seekers, and when the CV was opened it took effect.”

He added: “I hope if anyone finds themselves in a similar position they can recognise the MO of these bandits and not have the same issues we have had.”

‘Don’t pay ransom’

Gerry Grant, chief ethical hacker at the Scottish Business Resilience Centre, said ransomware remained a popular “attack vector” for criminals.

He said: “It can be very difficult to verify every single email that comes in but you should be suspicious about attachments from people you don’t know or are not expecting.

“My advice to people is that they should not pay any ransom because there is no guarantee that those responsible won’t ask you for more money even if you pay up.

“The best course of action is to contact the police and alert them to an attack.

“Firms should also make sure they have a plan in place if it happens so they don’t run about in a panic.”

‘Potentially devastating’

Ch Insp Scott Tees, of Police Scotland’s cyber crime prevention team, said: “Ransomware attacks can be very sophisticated and potentially devastating for individuals and small businesses.

“We would advise every computer user to ensure they’re running the latest versions of security software, have their data backed up regularly to cloud services or devices not connected to their computer.

“Be extremely vigilant about opening any unsolicited email and visiting websites you are not familiar with.

“There is a lot of help available online including Police Scotland’s website and www.getsafeonline.org.”

Article from: BBC.co.uk

‘PAY UP’ Arran Brewery blackmailed by hackers as Scottish beer firm becomes latest victim of sophisticated Ransomware attack

The attack caused severe disruption to the business and the loss of three months data from one sever

A TINY Scots brewery has been blackmailed by cyber hackers as part of a sophisticated Ransomware attack.

Bosses at The Arran Brewery were targeted by the online crooks before bringing in experts to beef up their security.

And they say that the attack caused severe disruption to the business and the loss of three months data from one sever.

Managing Director Gerald Michaluk explained that he felt the company was “targeted” by the “devious” scheme.

He said that hackers demanded cash from the brewery in the attack.

He said: “The virus was introduced in an email but how this happened is very devious and it is clear we were targeted. We advertise job vacancies on our website, one such job vacancy was for a credit control and finance assistant post, now filled.

“Out of the blue we started getting applicants for the post from all over the country and the world.

“I assumed one of my colleagues had advertised the post. However, this was not the case; the attackers had taken our website vacancy and posted it on some international jobs site.

“We were getting three of four emails a day all with attached CVs in amongst there genuine job seekers was the virus and when the CV was opened it took effect, being so new a virus our virus protection software did not pick up the attack.

“The software then started to encrypt our system starting with our backups and working I was through the files on our computers and then central server.

“We were then faced with a ransom demand. Pay up for a key to unencrypted the files or do without the data.

We chose to bring in an expert who having identified the problem was able to eliminate the virus and restore part of our system, and is confident in due course when the key is cracked will be able to restore the lost data.

“I hope if anyone finds themselves in a similar position they can recognise the MO of these bandits and not have the same issues we have had”.

Bosses at the brewery said they were back up and running – but lost a lot of data.

Article from: TheScottishSun.co.uk

Scottish brewery recovers from ransomware attack

Trouble ferments after hackers lock system and Arran with it

Updated Staff at Arran Brewery were locked out of its computer systems this week following a ransomware attack.

The attack against the Isle of Arran-based Scottish beer maker appears to have been a targeted strike. Prior to the infection, adverts for an already filled finance post at the brewery were placed on recruitment sites worldwide. This, in turn, resulted in an influx of CVs.

Amidst this, hackers appear to have sent a booby-trapped email message featuring a ransomware payload carried within a PDF file. When an Arran Brewery staffer opened this contaminated email, its systems were infected.

Cybercriminals demanded 2 bitcoin (£10,227/$13,448 at the time of publication) to hand over the encryption keys needed to recover data. The Scots firm declined to cave into extortion, even though the decision meant accepting the loss of three months worth of sales data from one infected server, the BBC reported.

The brewery has drafted in an external IT consultant to help to clean up its network and, where possible, restore data.

The Scottish Sun added that the brewery is back up and running.

A worker at the brewery confirmed the attack to The Reg while asking us to put follow-up questions to its managing director by email. We’ll update this story as more information comes to hand.

Barry Shteiman, VP of research and innovation at Exabeam, said that businesses hit by ransomware are faced with a difficult choice.

“While many security experts warn about paying ransoms or entering into negotiations, the answer in reality comes down to simple economics. If the downtime caused by data being unavailable, or by the backup restoration process, is more expensive than paying the ransom, then organisations should pay.

“Equally, if giving up on the encrypted data has a higher cost in lost revenue or intellectual property than remediation, then you can also see why an organisation would pay the ransom. Of course, this is a last resort, if all other options have been exhausted,” he added. ®

Updated to add at 0708 UTC on 24 September

Arran Brewery told The Register it had been hit with a variant of the Dharma ransomware.

Gerald Michaluk, managing director of Arran Brewery, gave El Reg an explanation of what happened and the brewery’s disaster recovery process.

“The office domain controller was infected, however it had access to drives on other file servers which it encrypted without those other machines becoming infected,” Michaluk explained.

“The cost asked for was beyond the value of the data lost (also paying it would not guarantee restoration of the files), so we restored from backups. However the ransomware had encrypted all attached file shares, including those that recent online backups had been saved to, so it was only offsite backups which were available. The most recent of [these] was some three months old. We’ve kept a backup of all the encrypted files as Kaspersky has issued a decryption tool for earlier releases of Dharma,” he added.

Article from: TheRegister.co.uk

Scotland’s Arran Brewery Slammed by Dharma Bip Ransomware

Ransomware Crypto-Locked via Domain Controller, Complicating Restoration

A Scottish brewery was locked out of its computer systems after refusing to pay attackers a two bitcoin ransom worth more than $13,000.

Arran Brewery, based on the Isle of Arran – a Scottish island located off the west coast of the country – lost three months’ worth of sales data after the attack, which it believes traces to fake job application emails that carried malware-laden attachments, the BBC first reported.

Gerald Michaluk, Arran Brewery’s managing director, tells Information Security Media Group that the brewery was hit by the Dharma Bip ransomware variant, which crypto-locked and renamed the files on all affected systems, adding a “.bip” extension.

Michaluk says the attack was especially damaging because it first infected the office’s Windows domain controller, which is used to authenticate corporate users and provide them with access to resources. “It had access to drives on other file servers which it encrypted, without those other machines becoming infected,” he says.

Michaluk was aware of ransomware before the attack “in a vague way,” he says. “I thought it would only be used in major firms and that our anti-virus software would prevent infection.”

After the attack, the brewery, which sells beers such as Arran Blonde and Arran Red Squirrel, hired an IT consultant to overhaul its information security practices, and who also helped restore affected systems.

Crypto-Locked: Recent Backups

Unfortunately, some of the crypto-locked systems included the company’s backups, including 90 days’ worth of sales data.

“The cost asked for was beyond the value of the data lost – also paying it would not guarantee restoration of the files – so we restored from backups,” Michaluk says. “However the ransomware had encrypted all attached file shares, including those that recent online backups had been saved to, so it was only offsite backups which were available, the most recent of which was some three months old.”

The brewery hopes that one day it will be able to restore the lost sales data. “We’ve kept a backup of all the encrypted files as Kaspersky Lab has issued a decryption tool for earlier releases of Dharma, so we are hoping for an update so we can decrypt the files,” Michaluk says.

Phishing Emails Suspected

The brewery doesn’t know for certain how attackers gained access to its domain controller, but strongly suspects that it fell victim to a phishing attack (see Cybercrime Markets Sell Access to Hacked Sites, Databases).

“We cannot be 100 percent sure that this was the vector that infection occurred through, but the timing seems to be more than coincidental,” Michaluk says.

That’s because the attack appeared to have exploited the company’s hiring channels.

“We advertise job vacancies on our website. One such job vacancy was for a credit control and finance assistant post, now filled,” Michaluk told the BBC. “Out of the blue we started getting applicants for the post from all over the country and the world. I assumed one of my colleagues had advertised the post. However, this was not the case; the attackers had taken our website vacancy and posted it on some international jobs site. We were getting three of four emails a day, all with attached CVs. The virus was in amongst the genuine job seekers, and when the CV was opened it took effect.”

Dharma Bip Variant

In May, a number of security experts, including Michael Gillespie, who runs ransomware file-identification service ID Ransomware, warned that they’d spotted the new Dharma Bip ransomware variant.

Bleeping Computer reported that it not only crypto-locked files – and all “mapped network drives, shared virtual machine host drives and unmapped network shares” attached to a system – but also attempted to delete Shadow Volume Copies in Windows to make it more difficult to recover the data.

Small Business Alert

While law enforcement agencies have been tracking a rise in attacks designed to mine for cryptocurrency, they warn that ransomware attacks remain extremely common.

“Ransomware remains the key malware threat in both law enforcement and industry reporting,” Europol, the EU’s law enforcement intelligence agency, says in its latest Internet Organized Crime Threat Assessment (see Cybercrime: 15 Top Threats and Trends).

Law enforcement agencies continue to recommend that all businesses ensure they have adequate ransomware defenses in place.

“Ransomware attacks can be very sophisticated and potentially devastating for individuals and small businesses,” Chief Inspector Scott Tees of Police Scotland’s Cyber Crime Prevention Team tells ISMG. “We would advise every computer user to ensure they’re running the latest versions of security software, have their data backed up regularly to cloud services or devices not connected to their computer. Be extremely vigilant about opening any unsolicited email and visiting websites you are not familiar with.”

For both businesses and consumers, Tees recommends visiting both Police Scotland’s website as well as www.getsafeonline.org.

Beware Attachments

Security experts continue to warn organizations to beware of attachments. “It can be very difficult to verify every single email that comes in but you should be suspicious about attachments from people you don’t know or are not expecting,” Gerry Grant, chief ethical hacker at the Scottish Business Resilience Center, told the BBC.

Unfortunately, for organizations such as Arran Brewery, the role of sales and human resources departments is not only to solicit but to review attachments from unknown senders.

Gary Warner, director of research in computer science at the University of Alabama at Birmingham, says that makes people who work in these job roles regular phishing targets (see The Art of the Steal: FIN7’s Highly Effective Phishing).

Imagine, for example, that a hotel restaurant’s sales director receives an email saying it’s got a big lunch order attached. “What sales person is not going to open that attachment?” Warner asks. “Right: Every single one will do so.”

Arran Brewery’s Michaluk, for one, warns other businesses not to do so. “Don’t open attachments you are not absolutely sure of the source of and are expecting,” he says (see Anti-Virus: Don’t Stop Believing). “It looks like an arms race – organized criminals against the anti-virus providers, each just getting ahead of the other only to be outdone in the next round. It is clear relying on anti-virus software alone is not enough.”

Plan, Prevent, Respond

Security experts recommend not only having ransomware defenses in place, but also a response plan created and tested in advance, including identifying which law enforcement agency and incident response firm the organization should contact to help investigate and remediate the breach as quickly as possible.

“The general advice is that the ransom demanded from these types of attacks not be paid. It is important that all businesses have an effective and tested backup procedure in place to mitigate this type of attack,” the Scottish Business Resilience Center’s Grant tells ISMG (see Please Don’t Pay Ransoms, FBI Urges).

“Businesses should prepare for cyberattacks and have an incident response plan in place so that if they become the victim of an attack, they have a plan in place to minimize the impact and get their systems up and running again as quickly as possible,” he says.

Article from: BankInfoSecurity.com