Towards the end of the holiday season, Portland, Oregon-based brewery McMenamins confirmed it had suffered a ransomware attack dating back to December 12, 2021. On December 16, 2021, Bleeping Computer reported that the brewery had suffered a ransomware incident.
The brewery confirmed the incident in a statement:
“McMenamins today announced it has been the victim of a ransomware attack, which was identified and blocked on Dec.12. At this time, it appears that no customer payment data was impacted when cybercriminals deployed malicious software that locked the company’s systems and prevented access to critical information. The family-owned company has reported the incident to the FBI and is also working with a cybersecurity firm to identify the source and full scope of the attack.
It is possible that internal employee data may have been compromised, although it is not currently known whether that is the case. The following categories of employee information were potentially affected: names, addresses, email addresses, telephone numbers, dates of birth, Social Security numbers, direct deposit bank account information, and benefits records. To provide employees with peace of mind, McMenamins will be offering employees identity and credit protection services, as well as a dedicated helpline through Experian. Managers will provide this information to employees directly.”
The brewery only confirmed the full extent of the data compromised in the attack on December 30.
This delay is not as egregious as some might think: a complete audit of which data and IT infrastructure were compromised often has to be conducted first, and that takes time.
All in all, the brewery responded as well as can be expected following such a devastating incident. In the second statement the brewery said,
“McMenamins confirmed internal employee data dating back to January 1, 1998, was compromised in the malicious ransomware attack it blocked Dec. 12. McMenamins is offering past and current employees identity and credit protection services, as well as a dedicated call center to answer questions about the attack…Letters detailing the personal information stolen and how individuals can protect their identity and credit were sent to all individuals employed by the company between July 1, 2010 and December 12, 2021. Past employees between January 1, 1998 and June 30, 2010 are urged to visit the company’s website for support and detailed instructions on how to protect their data. A hotline has been established for additional questions: (888) 401-0552.”
It is important to note that both statements stated that no customer payment data appeared to have been compromised. The data that was compromised covered over 20 years of employee-related records for past and present employees. An estimated 30,000 employee records may have been compromised as a result of the attack.
The second statement also confirmed that types of data compromised may include names, addresses, telephone numbers, email addresses, dates of birth, race, ethnicity, gender, disability status, medical notes, performance and disciplinary notes, Social Security numbers, health insurance plan elections, income amounts, and retirement contribution amounts.
For fraudsters, such a trove of personally identifiable information makes committing identity fraud a far easier prospect.
As to how a brewery had so much information on hand, it is important to note that, following the success of its brewery, McMenamins has expanded its portfolio to include restaurants, pubs, and hotels, all of which employ staff whose records it retains.
Questions also need to be asked about how the company’s IT infrastructure was breached and who the attacker was. While nothing definite has been released to the public, Bleeping Computer, with the help of trusted sources, believes that the Conti gang was involved.
The Attacker and the Breach
The belief that it was Conti has some basis in current trends. Back in September 2021, this publication covered how US law enforcement agencies warned the US public and the broader international community that approximately 400 attacks had been seen conducted by the Conti gang.
The warning also included several key tactics and techniques used by the gang, which is believed to be Russian-based, and should be seen as required reading for any IT professional.
In recent attacks, Conti has partnered with other cybercriminal organizations to handle the initial compromise. These include the groups infamous for distributing TrickBot and BazarLoader, both of which can create a backdoor on the compromised machine that allows ransomware to be dropped onto it later.
In the past, TrickBot was primarily a piece of information-stealing malware that would initially be dropped by the Emotet botnet, which handled the initial compromise. With Emotet’s recent resurgence, it looks like TrickBot has been cut out of the picture, as researchers discovered the botnet deploying Cobalt Strike Beacons, which have been used to facilitate ransomware infections.
TrickBot is not reliant on other malware for infection and has been distributed in several other ways, including spam emails containing malicious documents, so even with one avenue of infection closed, TrickBot remains incredibly dangerous. BazarLoader has seemingly always been associated with ransomware infections, and was previously well known for helping distribute the Ryuk strain.
While much uncertainty remains as to the attacker, the effects of the ransomware on the brewery and its affiliated companies should be seen as a dire warning to other organizations.
One attack resulted in the potential breach of 30,000 employment records, with each record containing a wealth of information that can be used for either fraud or identity theft.
This has increased the company’s remediation costs, as it is now obliged to pay for anti-fraud protection for those employees, past and present.