[BreachExchange] Scotland's Arran Brewery Slammed by Dharma Bip Ransomware

[Destry Winant]

Michaluk was aware of ransomware before the attack "in a vague way,"
he says. "I thought it would only be used in major firms and that our
anti-virus software would prevent infection."

After the attack, the brewery, which sells beers such as Arran Blonde
and Arran Red Squirrel, hired an IT consultant to overhaul its
information security practices, and who also helped restore affected
systems.

Crypto-Locked: Recent Backups

Unfortunately, some of the crypto-locked systems included the
company's backups, including 90 days' worth of sales data.

"The cost asked for was beyond the value of the data lost - also
paying it would not guarantee restoration of the files - so we
restored from backups," Michaluk says. "However the ransomware had
encrypted all attached file shares, including those that recent online
backups had been saved to, so it was only offsite backups which were
available, the most recent of which was some three months old."

The brewery hopes that one day it will be able to restore the lost
sales data. "We've kept a backup of all the encrypted files as
Kaspersky Lab has issued a decryption tool for earlier releases of
Dharma, so we are hoping for an update so we can decrypt the files,"
Michaluk says.

Phishing Emails Suspected

The brewery doesn't know for certain how attackers gained access to
its domain controller, but strongly suspects that it fell victim to a
phishing attack (see Cybercrime Markets Sell Access to Hacked Sites,
Databases).

"We cannot be 100 percent sure that this was the vector that infection
occurred through, but the timing seems to be more than coincidental,"
Michaluk says.


https://www.databreachtoday.com/scotlands-arran-brewery-slammed-by-dharma-bip-ransomware-a-11537

A Scottish brewery was locked out of its computer systems after
refusing to pay attackers a two bitcoin ransom worth more than
$13,000.

Arran Brewery, based on the Isle of Arran - a Scottish island located
off the west coast of the country - lost three months' worth of sales
data after the attack, which it believes traces to fake job
application emails that carried malware-laden attachments, the BBC
first reported.

Gerald Michaluk, Arran Brewery's managing director, tells Information
Security Media Group that the brewery was hit by the Dharma Bip
ransomware variant, which crypto-locked and renamed the files on all
affected systems, adding a ".bip" extension.

Michaluk says the attack was especially damaging because it first
infected the office's Windows domain controller, which is used to
authenticate corporate users and provide them with access to
resources. "It had access to drives on other file servers which it
encrypted, without those other machines becoming infected," he says.

That's because the attack appeared to have exploited the company's
hiring channels.

"We advertise job vacancies on our website. One such job vacancy was
for a credit control and finance assistant post, now filled," Michaluk
told the BBC. "Out of the blue we started getting applicants for the
post from all over the country and the world. I assumed one of my
colleagues had advertised the post. However, this was not the case;
the attackers had taken our website vacancy and posted it on some
international jobs site. We were getting three of four emails a day,
all with attached CVs. The virus was in amongst the genuine job
seekers, and when the CV was opened it took effect."

Dharma Bip Variant

In May, a number of security experts, including Michael Gillespie, who
runs ransomware file-identification service ID Ransomware, warned that
they'd spotted the new Dharma Bip ransomware variant.

Bleeping Computer reported that it not only crypto-locked files - and
all "mapped network drives, shared virtual machine host drives and
unmapped network shares" attached to a system - but also attempted to
delete Shadow Volume Copies in Windows to make it more difficult to
recover the data.

Small Business Alert

While law enforcement agencies have been tracking a rise in attacks
designed to mine for cryptocurrency, they warn that ransomware attacks
remain extremely common.

"Ransomware remains the key malware threat in both law enforcement and
industry reporting," Europol, the EU's law enforcement intelligence
agency, says in its latest Internet Organized Crime Threat Assessment
(see Cybercrime: 15 Top Threats and Trends).

Law enforcement agencies continue to recommend that all businesses
ensure they have adequate ransomware defenses in place.

"Ransomware attacks can be very sophisticated and potentially
devastating for individuals and small businesses," Chief Inspector
Scott Tees of Police Scotland's Cyber Crime Prevention Team tells
ISMG. "We would advise every computer user to ensure they're running
the latest versions of security software, have their data backed up
regularly to cloud services or devices not connected to their
computer. Be extremely vigilant about opening any unsolicited email
and visiting websites you are not familiar with."

For both businesses and consumers, Tees recommends visiting both
Police Scotland's website as well as www.getsafeonline.org.

Beware Attachments

Security experts continue to warn organizations to beware of
attachments. "It can be very difficult to verify every single email
that comes in but you should be suspicious about attachments from
people you don't know or are not expecting," Gerry Grant, chief
ethical hacker at the Scottish Business Resilience Center, told the
BBC.

Unfortunately, for organizations such as Arran Brewery, the role of
sales and human resources departments is not only to solicit but to
review attachments from unknown senders.

Gary Warner, director of research in computer science at the
University of Alabama at Birmingham, says that makes people who work
in these job roles regular phishing targets (see The Art of the Steal:
FIN7's Highly Effective Phishing).

Imagine, for example, that a hotel restaurant's sales director
receives an email saying it's got a big lunch order attached. "What
sales person is not going to open that attachment?" Warner asks.
"Right: Every single one will do so."

Arran Brewery's Michaluk, for one, warns other businesses not to do
so. "Don't open attachments you are not absolutely sure of the source
of and are expecting," he says (see Anti-Virus: Don't Stop Believing).
"It looks like an arms race - organized criminals against the
anti-virus providers, each just getting ahead of the other only to be
outdone in the next round. It is clear relying on anti-virus software
alone is not enough."

Plan, Prevent, Respond

Security experts recommend not only having ransomware defenses in
place, but also a response plan created and tested in advance,
including identifying which law enforcement agency and incident
response firm the organization should contact to help investigate and
remediate the breach as quickly as possible.

"The general advice is that the ransom demanded from these types of
attacks not be paid. It is important that all businesses have an
effective and tested backup procedure in place to mitigate this type
of attack," the Scottish Business Resilience Center's Grant tells ISMG
(see Please Don't Pay Ransoms, FBI Urges).

"Businesses should prepare for cyberattacks and have an incident
response plan in place so that if they become the victim of an attack,
they have a plan in place to minimize the impact and get their systems
up and running again as quickly as possible," he says.