Business Continuity Management / Disaster Recovery , Data Loss Prevention (DLP) , Fraud Management & Cybercrime
Scotland's Arran Brewery Slammed by Dharma Bip RansomwareRansomware Crypto-Locked via Domain Controller, Complicating Restoration
A Scottish brewery was locked out of its computer systems after refusing to pay attackers a two bitcoin ransom worth more than $13,000.
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
Arran Brewery, based on the Isle of Arran - a Scottish island located off the west coast of the country - lost three months' worth of sales data after the attack, which it believes traces to fake job application emails that carried malware-laden attachments, the BBC first reported.
Gerald Michaluk, Arran Brewery's managing director, tells Information Security Media Group that the brewery was hit by the Dharma Bip ransomware variant, which crypto-locked and renamed the files on all affected systems, adding a ".bip" extension.
Michaluk says the attack was especially damaging because it first infected the office's Windows domain controller, which is used to authenticate corporate users and provide them with access to resources. "It had access to drives on other file servers which it encrypted, without those other machines becoming infected," he says.
Michaluk was aware of ransomware before the attack "in a vague way," he says. "I thought it would only be used in major firms and that our anti-virus software would prevent infection."
After the attack, the brewery, which sells beers such as Arran Blonde and Arran Red Squirrel, hired an IT consultant to overhaul its information security practices, and who also helped restore affected systems.
Crypto-Locked: Recent Backups
Unfortunately, some of the crypto-locked systems included the company's backups, including 90 days' worth of sales data.
"The cost asked for was beyond the value of the data lost - also paying it would not guarantee restoration of the files - so we restored from backups," Michaluk says. "However the ransomware had encrypted all attached file shares, including those that recent online backups had been saved to, so it was only offsite backups which were available, the most recent of which was some three months old."
The brewery hopes that one day it will be able to restore the lost sales data. "We've kept a backup of all the encrypted files as Kaspersky Lab has issued a decryption tool for earlier releases of Dharma, so we are hoping for an update so we can decrypt the files," Michaluk says.
Phishing Emails Suspected
The brewery doesn't know for certain how attackers gained access to its domain controller, but strongly suspects that it fell victim to a phishing attack (see Cybercrime Markets Sell Access to Hacked Sites, Databases).
"We cannot be 100 percent sure that this was the vector that infection occurred through, but the timing seems to be more than coincidental," Michaluk says.
That's because the attack appeared to have exploited the company's hiring channels.
"We advertise job vacancies on our website. One such job vacancy was for a credit control and finance assistant post, now filled," Michaluk told the BBC. "Out of the blue we started getting applicants for the post from all over the country and the world. I assumed one of my colleagues had advertised the post. However, this was not the case; the attackers had taken our website vacancy and posted it on some international jobs site. We were getting three of four emails a day, all with attached CVs. The virus was in amongst the genuine job seekers, and when the CV was opened it took effect."
Dharma Bip Variant
In May, a number of security experts, including Michael Gillespie, who runs ransomware file-identification service ID Ransomware, warned that they'd spotted the new Dharma Bip ransomware variant.
Looks like there's a new extension ".bip" for #Dharma #Ransomware. ID Ransomware still picked up on it by the filemarkers. pic.twitter.com/Rt7IF3N8G7— Michael Gillespie (@demonslay335) May 15, 2018
Bleeping Computer reported that it not only crypto-locked files - and all "mapped network drives, shared virtual machine host drives and unmapped network shares" attached to a system - but also attempted to delete Shadow Volume Copies in Windows to make it more difficult to recover the data.
Small Business Alert
While law enforcement agencies have been tracking a rise in attacks designed to mine for cryptocurrency, they warn that ransomware attacks remain extremely common.
"Ransomware remains the key malware threat in both law enforcement and industry reporting," Europol, the EU's law enforcement intelligence agency, says in its latest Internet Organized Crime Threat Assessment (see Cybercrime: 15 Top Threats and Trends).
Law enforcement agencies continue to recommend that all businesses ensure they have adequate ransomware defenses in place.
"Ransomware attacks can be very sophisticated and potentially devastating for individuals and small businesses," Chief Inspector Scott Tees of Police Scotland's Cyber Crime Prevention Team tells ISMG. "We would advise every computer user to ensure they're running the latest versions of security software, have their data backed up regularly to cloud services or devices not connected to their computer. Be extremely vigilant about opening any unsolicited email and visiting websites you are not familiar with."
For both businesses and consumers, Tees recommends visiting both Police Scotland's website as well as www.getsafeonline.org.
Security experts continue to warn organizations to beware of attachments. "It can be very difficult to verify every single email that comes in but you should be suspicious about attachments from people you don't know or are not expecting," Gerry Grant, chief ethical hacker at the Scottish Business Resilience Center, told the BBC.
Unfortunately, for organizations such as Arran Brewery, the role of sales and human resources departments is not only to solicit but to review attachments from unknown senders.
Gary Warner, director of research in computer science at the University of Alabama at Birmingham, says that makes people who work in these job roles regular phishing targets (see The Art of the Steal: FIN7's Highly Effective Phishing).
Imagine, for example, that a hotel restaurant's sales director receives an email saying it's got a big lunch order attached. "What sales person is not going to open that attachment?" Warner asks. "Right: Every single one will do so."
Arran Brewery's Michaluk, for one, warns other businesses not to do so. "Don't open attachments you are not absolutely sure of the source of and are expecting," he says (see Anti-Virus: Don't Stop Believing). "It looks like an arms race - organized criminals against the anti-virus providers, each just getting ahead of the other only to be outdone in the next round. It is clear relying on anti-virus software alone is not enough."
Plan, Prevent, Respond
Security experts recommend not only having ransomware defenses in place, but also a response plan created and tested in advance, including identifying which law enforcement agency and incident response firm the organization should contact to help investigate and remediate the breach as quickly as possible.
"The general advice is that the ransom demanded from these types of attacks not be paid. It is important that all businesses have an effective and tested backup procedure in place to mitigate this type of attack," the Scottish Business Resilience Center's Grant tells ISMG (see Please Don't Pay Ransoms, FBI Urges).
"Businesses should prepare for cyberattacks and have an incident response plan in place so that if they become the victim of an attack, they have a plan in place to minimize the impact and get their systems up and running again as quickly as possible," he says.
This story has been updated with additional comment from Gerry Grant at the Scottish Business Resilience Center.