Contents:
There is something to be learned from any cybersecurity incident, and Garmin ransomware makes no exception. Read on to find out more about the ransomware strain behind the Garmin attack and how you can stay safe!
In general, ransomware is defined as
a type of malware (malicious software) which encrypts all the data on a PC or mobile device, blocking the data owner’s access to it. After the infection happens, the victim receives a message that tells him/her that a certain amount of money must be paid (usually in Bitcoins) in order to get the decryption key. Usually, there is also a time limit for the ransom to be paid. There is no guarantee that, if the victim pays the ransom, he/she will get the decryption key.
But what about Garmin Ransomware? Let us have a closer look!
Garmin Ransomware: What Happened?
On the 23rd of July 2020, the GPS and fitness wearable giant fell victim to a ransomware attack. Their internal systems got encrypted and their customers were not able to access their online services anymore for a couple of days.
Source: Unsplash
It is known that the value of the ransom that was demanded is $10 million, but it’s not sure whether Garmin paid it or not. What’s certain is that within four days Garmin restored its services and sent a press release on the 27th of July saying they
have no indication that any customer data, including payment information from Garmin Pay™, was accessed, lost, or stolen. Additionally, the functionality of Garmin products was not affected, other than the ability to access online services.
Garmin also added that they “expect to return to normal operations over the few next days”.
It is believed that the ransomware strain behind the attack was WastedLocker.
WastedLocker History
As CSO notes,
WastedLocker is a ransomware program that started hitting businesses and other organizations in May 2020 and is known for its high ransom demands reaching millions of dollars per victim. It is the creation of a group of highly skilled cybercriminals that have been operating for over a decade despite being criminally indicted in the US.
Evil Corp, the group behind WastedLocker, was previously associated with Dridex malware, which was specialized in stealing bank credentials using macros from Microsoft Word.
WastedLocker M.O.
It would appear that the WastedLocker infection
starts with a JavaScript-based attack framework called SocGholish that is distributed as a fake browser update by alerts displayed on legitimate but compromised websites. Hacked news websites are a common vector. The SocGholish framework is delivered as a ZIP file and, if opened and run, it starts an attack chain that involves downloading and executing PowerShell scripts and the Cobalt Strike backdoor. […]
Once the hackers gain access to a computer on the network of an organization they perform reconnaissance and start deploying various living-off-the-land tools to steal credentials, escalate privileges and move laterally to other machines. The attackers’ goal is to identify and gain access to high-value systems such as file servers, database servers, and even virtual machines running in the cloud before deploying a victim-tailored WastedLocker binary on them.
Other WastedLocker Victims
According to MSSP Alert, at least 31 US corporations have been affected by the WastedLocker ransomware until the end of June 2020: “all but one are located in the U.S. and most are major, recognizable corporations.”
The most affected sectors were manufacturing, information technology, media, and telecommunications, but also energy, transport, healthcare, consulting, aerospace, and (local) government institutions.
Garmin Ransomware: Lessons Learned
What lessons can we draw from the events involving WastedLocker and Garmin Ransomware?
It can happen (especially) to high players
As we have seen, most of the WastedLocker victims are high profile, some even included in the Fortune 500 top. Unfortunately, both small and large companies can, at any time, become the targets of ransomware attacks.
Once encrypted, files may not be (easily) decrypted
Cybercriminals are getting more and more creative with developing advanced malware, so decrypting files after a ransomware attack can be extremely challenging. In some cases, paying the ransom might be the only way to gain access to your files again, even if there is no guarantee that hackers will give you the decryption key – but we’ll talk more about this below.
All it takes is a (tiny) human error
As I have mentioned in a previous article, human error can be skill-based or decision-based, and can appear because people are tired, not paying enough attention, or are somehow distracted, but also because there is a lack of awareness or because of the environment.
To get infected with WastedLocker, for example, it’s enough for a user to download a malicious software update from a website or click on a fake link.
Ransomware can seriously damage your reputation
Apart from workflow disruption and money and time loss, a ransomware incident can also bring regulatory fines to the victim and maybe even legal suits for not complaining to GDPR. Even if it will not go so far, your customers and partners may start to have second thoughts when it comes to working with your company.
Paying the ransom can create a dangerous precedent
It might seem that paying the ransom is the easiest (and sometimes the only one) option to get your files back and get back on track, but this act will only encourage cybercriminals to proceed with their criminal operations.
As the FBI says,
In some cases, victims who paid a ransom were never provided with decryption keys. In addition, due to flaws in the encryption algorithms of certain malware variants, victims may not be able to recover some or all of their data even with a valid decryption key. Paying ransoms emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals. However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers. Regardless of whether you or your organization have decided to pay the ransom, the FBI urges you to report ransomware incidents to law enforcement. Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable […], and prevent future attacks.
Garmin Ransomware: Prevention Methods
Although very dangerous, WastedLocker/Garmin ransomware attacks can be prevented if any company respects a few simple rules. Here’s what you need to do to keep your company safe:
Train your employees!
As we have seen, all it takes is a tiny human error for a ransomware attack to begin. Make sure all your employees have basic cybersecurity knowledge and know what they should and shouldn’t do to avoid a system compromise.
Manage admin rights!
With privileged access, regular users can modify network configurations, install or remove software and access restricted files. It’s very important to limit user privileges and have strict control over what is allowed and not allowed to be executed on an endpoint.
Heimdal® Privileged Access
Management
Backup, backup, backup!
The importance of backing up your data is crucial. Since anyone can become the victim of a ransomware attack, try to have a secure backup option that cannot be compromised in case there is a ransomware infection.
Keep everything up to date!
It’s not uncommon for ransomware strains to use unpatched software vulnerabilities to encrypt victims’ files. Using an automated patch management solution will help your IT team save time and will eliminate cybercriminals’ entry points into your systems.
Heimdal® Patch & Asset Management Software
To help you combat ransomware in a more efficient matter we have also created the Ransomware Encryption Protection module. It is compatible with any antivirus solution and will continuously monitor every process running on your machine searching for changes associated with malicious encryption attempts.
Ransomware Encryption Protection’s advanced reporting features will derive invaluable digital forensics data such as process attack pathing, represented via bidimensional tree diagrams with stunning graphs, attacker’s origins, file connections, attempted kernel-level I\O, read\write operations, directory executions and file enumerations, CVE classification, impact severity, and much more.
Heimdal™ Ransomware Encryption Protection
Garmin Ransomware: Wrapping Up
Garmin ransomware showed us – once again – that no one is safe from cybercriminals and that all it takes is a tiny human error to jumpstart an unfortunate chain of events. For this reason, prevention is (always, in our opinion) the best defense and attack.
However you choose to proceed, please remember that Heimdal™ Security always has your back and that our team is here to help you protect your home and your company and to create a cybersecurity culture to the benefit of anyone who wants to learn more about it.
Drop a line below if you have any comments, questions, or suggestions related to the topic of the Garmin ransomware – we are all ears and can’t wait to hear your opinion!
Elena Georgescu is a cybersecurity specialist within Heimdal™ and her main interests are mobile security, social engineering, and artificial intelligence. In her free time, she studies Psychology and Marketing. Some of her guest posts on other websites include: cybersecurity-magazine.com, cybersecuritymagazine.com, techpatio.com
