Brewery became victim of targeted ransomware attack via job vacancy ad

Hackers took a job ad on the Arran Brewery website and posted it on international recruitment sites. One of the resumes submitted as a result had a Dharma Bip ransomware payload.

You may not need a cautionary tale about opening email attachments, but this story is a reminder that you don’t have to be the biggest and most well-known company to become the victim of a targeted ransomware attack. Just look at what happened to a small Scottish brewery.

Arran Brewery in Scotland advertised job vacancies on its site, yet after the company filled the most current vacancy for a credit control and finance assistant, resumes from around the world started pouring in.

The brewery’s managing director, Gerald Michaluk, told the BBC, “Out of the blue we started getting applicants for the post from all over the country and the world. I assumed one of my colleagues had advertised the post. However, this was not the case. The attackers had taken our website vacancy and posted it on some international jobs site.”

Michaluk called the attack “very devious” as the company was “getting three or four emails a day, all with attached CVs. The virus was in amongst the genuine job seekers, and when the CV was opened it took effect.”

One of the resumes contained a Dharma Bip ransomware variant, so when the email attachment was opened, the ransomware payload in the PDF started encrypting files. The company was locked out of its computer systems. The attackers demanded a two-bitcoin ransom, which was worth about $13,000.

Michaluk went from “vaguely” knowing about ransomware to knowing more than he probably wanted to know.

He told Security Media Group: “The attack was especially damaging because it first infected the office’s Windows domain controller, which is used to authenticate corporate users and provide them with access to resources. It had access to drives on other file servers which it encrypted, without those other machines becoming infected.”

In the end, the Scottish brewery opted not to pay the ransom. The ransom demand “was beyond the value of the data lost — also paying it would not guarantee restoration of the files — so we restored from backups,” Michaluk said.

But the backups did not have the most recent data. Michaluk explained that “the ransomware had encrypted all attached file shares, including those that recent online backups had been saved to, so it was only offsite backups which were available, the most recent of which was some three months old.”
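The two details above, a domain controller that could write to every attached share and online backups stored on those same shares, are the whole story of why only a three-month-old copy survived. As an added illustration, not code from the article or from Arran Brewery, here is a small Python audit that models that failure: a backup copy only counts as a survivor if a compromised domain account could not write to it, and the age of the newest survivor is then compared with a recovery point objective. The copy names, timestamps, the 7-day objective and the "pulled by a backup host with non-domain credentials" hardening are all constructed assumptions, not details from the incident.

```python
# Added example, not from the article. Models why backups on attached file shares
# fall with the domain controller while only detached/offsite copies survive.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class BackupCopy:
    name: str
    taken_at: datetime          # UTC timestamp of the backup
    writable_from_domain: bool  # could a compromised domain account write to it?
    offline: bool               # physically or logically detached (tape, disconnected disk)


def survives_share_encryption(copy: BackupCopy) -> bool:
    """A copy survives only if ransomware running under domain credentials
    cannot reach it over the network: it is offline, or not writable from the domain."""
    return copy.offline or not copy.writable_from_domain


def assess(copies, now: datetime, rpo: timedelta) -> dict:
    """Split copies into survivors and lost, report the age of the newest survivor
    in whole days, and say whether that age is within the recovery point objective."""
    survivors = [c for c in copies if survives_share_encryption(c)]
    lost = [c for c in copies if not survives_share_encryption(c)]
    newest = max(survivors, key=lambda c: c.taken_at, default=None)
    age = (now - newest.taken_at) if newest else None
    return {
        "survivors": [c.name for c in survivors],
        "lost": [c.name for c in lost],
        "newest_survivor_age_days": age.days if age is not None else None,
        "within_rpo": age is not None and age <= rpo,
    }


# Constructed reference date and schedule (assumptions, not the brewery's real setup).
NOW = datetime(2018, 9, 20, tzinfo=timezone.utc)
RPO = timedelta(days=7)

# Weak layout: nightly and weekly copies live on shares the domain can write to;
# the only detached copy is an offsite one taken 91 days ago.
WEAK_LAYOUT = [
    BackupCopy("nightly-share", NOW - timedelta(days=1), writable_from_domain=True, offline=False),
    BackupCopy("weekly-share", NOW - timedelta(days=5), writable_from_domain=True, offline=False),
    BackupCopy("offsite-quarterly", NOW - timedelta(days=91), writable_from_domain=False, offline=True),
]

# Hardened layout: the nightly copy is pulled by a backup host whose credentials are
# not valid on the domain, so a compromised domain controller cannot write to it.
HARDENED_LAYOUT = [
    BackupCopy("nightly-pulled", NOW - timedelta(days=1), writable_from_domain=False, offline=False),
    BackupCopy("weekly-share", NOW - timedelta(days=5), writable_from_domain=True, offline=False),
    BackupCopy("offsite-quarterly", NOW - timedelta(days=91), writable_from_domain=False, offline=True),
]


def audit_weak() -> dict:
    return assess(WEAK_LAYOUT, NOW, RPO)


def audit_hardened() -> dict:
    return assess(HARDENED_LAYOUT, NOW, RPO)


if __name__ == "__main__":
    for label, result in (("weak", audit_weak()), ("hardened", audit_hardened())):
        print(f"{label}: survivors={result['survivors']} lost={result['lost']} "
              f"newest_survivor_age_days={result['newest_survivor_age_days']} "
              f"within_rpo={result['within_rpo']}")
```

The point of the two layouts is that the backup schedule is identical; only the write path changes. In the weak layout the nightly and weekly copies are lost and the newest survivor is 91 days old, well outside the 7-day objective; in the hardened layout the same nightly copy survives because nothing on the domain could write to it.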

The company still has the encrypted files, hoping Kaspersky Lab will issue an update for its Dharma decryption tool so it works on this variant.

Although "don’t cave to extortion and pay" is the most commonly uttered advice, Barry Shteiman, Exabeam’s vice president of research and innovation, told The Register, “While many security experts warn about paying ransoms or entering into negotiations, the answer in reality comes down to simple economics. If the downtime caused by data being unavailable, or by the backup restoration process, is more expensive than paying the ransom, then organizations should pay.”

How old are your offsite backups?

Michaluk told the BBC, “I hope if anyone finds themselves in a similar position they can recognize the MO of these bandits and not have the same issues we have had.”
