Scottish brewery recovers from ransomware attack

Trouble ferments after hackers lock system and Arran with it

Updated Staff at Arran Brewery were locked out of its computer systems this week following a ransomware attack.

The attack against the Isle of Arran-based Scottish beer maker appears to have been a targeted strike. Prior to the infection, adverts for an already filled finance post at the brewery were placed on recruitment sites worldwide. This, in turn, resulted in an influx of CVs.

Amidst this, hackers appear to have sent a booby-trapped email message featuring a ransomware payload carried within a PDF file. When an Arran Brewery staffer opened this contaminated email, its systems were infected.

Cybercriminals demanded 2 bitcoin (£10,227/$13,448 at the time of publication) to hand over the encryption keys needed to recover data. The Scots firm declined to cave into extortion, even though the decision meant accepting the loss of three months worth of sales data from one infected server, the BBC reported.

The brewery has drafted in an external IT consultant to help to clean up its network and, where possible, restore data.

The Scottish Sun added that the brewery is back up and running.

A worker at the brewery confirmed the attack to The Reg while asking us to put follow-up questions to its managing director by email. We'll update this story as more information comes to hand.

Barry Shteiman, VP of research and innovation at Exabeam, said that businesses hit by ransomware are faced with a difficult choice.

"While many security experts warn about paying ransoms or entering into negotiations, the answer in reality comes down to simple economics. If the downtime caused by data being unavailable, or by the backup restoration process, is more expensive than paying the ransom, then organisations should pay.

"Equally, if giving up on the encrypted data has a higher cost in lost revenue or intellectual property than remediation, then you can also see why an organisation would pay the ransom. Of course, this is a last resort, if all other options have been exhausted," he added. ®

Updated to add at 0708 UTC on 24 September

Arran Brewery told The Register it had been hit with a variant of the Dharma ransomware.

Gerald Michaluk, managing director of Arran Brewery, gave El Reg an explanation of what happened and the brewery’s disaster recovery process.

"The office domain controller was infected, however it had access to drives on other file servers which it encrypted without those other machines becoming infected," Michaluk explained.

"The cost asked for was beyond the value of the data lost (also paying it would not guarantee restoration of the files), so we restored from backups. However the ransomware had encrypted all attached file shares, including those that recent online backups had been saved to, so it was only offsite backups which were available. The most recent of [these] was some three months old. We’ve kept a backup of all the encrypted files as Kaspersky has issued a decryption tool for earlier releases of Dharma," he added.




Biting the hand that feeds IT © 1998–2018