Cyber Incident Victim: Arran Brewery
Date: Sep 2018
Location: United Kingdom
Summary
A Scottish brewery fell victim to a ransomware attack after attackers exploited its job vacancy posting by distributing the listing internationally and embedding malicious code within fake CV attachments submitted as job applications. The malware locked the company out of its systems, with perpetrators demanding payment equivalent to £9,600 in bitcoin to restore access. The firm refused to pay, resulting in permanent loss of three months' sales data from one server, though it engaged an IT consultant to eradicate the virus and recover remaining systems. Attackers strategically weaponized the brewery's legitimate hiring process to deliver the ransomware, overwhelming staff with fraudulent applications containing the infected attachments.
Description
The ransomware attack on Arran Brewery occurred in September 2018 after the company’s staff opened a malicious email attachment disguised as a curriculum vitae (CV). Attackers had reposted a legitimate job vacancy advertisement from the brewery’s website—for a credit control and finance assistant position—on international job boards, generating a surge of fraudulent applications. Between three and four emails containing CV attachments arrived daily, blending with genuine inquiries. One of these attachments deployed ransomware when opened, locking the brewery out of its computer systems. The perpetrators demanded a ransom of two bitcoins, equivalent to £9,600 at the time, to restore system access. Arran Brewery declined payment despite losing three months of sales data stored on a compromised server. The company engaged an IT consultant to eradicate the virus and initiated efforts to recover the lost data from backups. Managing Director Gerald Michaluk characterized the attack as "very devious," noting the attackers exploited the company’s recruitment process to deliver the malware.

The incident resulted in operational disruption and data loss but did not halt business activities entirely. Police Scotland’s cyber crime prevention team emphasized the sophistication of such attacks, urging businesses to maintain updated security software, back up data regularly to disconnected or cloud storage, and exercise caution with unsolicited emails. The Scottish Business Resilience Centre’s chief ethical hacker, Gerry Grant, advised against paying ransoms due to the risk of repeated extortion attempts and recommended reporting incidents to law enforcement. Arran Brewery publicly shared details of the attack to raise awareness of the attackers’ methods, particularly their use of hijacked job postings to distribute malicious attachments. No further technical specifics regarding the ransomware variant, network vulnerabilities, or full scope of affected systems were disclosed in available reports.
