Garmin ransomware attack

Fitness brand Garmin paid millions of dollars in ransom after an attack took many of its products and services offline last month. The payment was reportedly made through a ransomware negotiation company called Arete I.R. so that Garmin could recover the data held hostage in the attack.

Last week, cybersecurity experts reported that Garmin had received a decryption key to access the encrypted data and that the initial ransom demand was for $10 million. The dearth of precise information has left everybody wildly theorizing. This article covers what happened, a technical analysis of the malware, and the main findings.


Table of Contents

  • The Incident
  • WastedLocker ransomware
  • How’s Garmin doing?
  • How to protect against ransomware attacks?
  • Conclusion


Let’s have a look at the high-profile attack on Garmin and the damage it caused.


The Incident

The attack itself began on July 23rd, taking Garmin’s wearables, apps, website, and even its call centers offline for several days. On July 27th, as many of its services were beginning to return online, Garmin confirmed that it had been the victim of a cyber-attack. The statement did not mention whether the company had paid a ransom but noted that no customer data was accessed, lost, or stolen. Early on, reports suggested that the fitness brand had been hit by a strain of ransomware named WastedLocker, which is assumed to have been developed by individuals linked to a hacking group based in Russia.

Last December, the group, known as Evil Corp, was placed under U.S. Treasury sanctions, and it was reported that one ransomware negotiation company declined to work with Garmin to resolve the incident for fear of breaching those sanctions. Arete I.R. declined to confirm that it had worked with Garmin to respond to the incident, citing “contractual obligations of confidentiality for all clients.” The firm stated that it “follows all recommended and required screenings to ensure compliance with U.S. trade sanctions laws.”

On July 24th, Arete I.R. tweeted a white paper disputing reports of a link between WastedLocker and Evil Corp. 

Garmin is believed to have paid the ransom because there are no known weaknesses in WastedLocker. Code in a Garmin-developed executable that was reviewed suggests the company paid the ransom on either July 24th or July 25th, and a publication confirmed that the executable was able to decrypt sample files encrypted by WastedLocker.


WastedLocker ransomware

WastedLocker ransomware first emerged in May and has already gained notoriety as a potent malware threat to organizations, encrypting networks and demanding a ransom of millions of dollars in bitcoin for the decryption key. WastedLocker is an example of targeted ransomware: malware tweaked to attack a particular company. The ransom message referred to the victim by name, and all encrypted files got the .garminwasted extension. The cybercriminals’ cryptographic scheme points to the same conclusion. Files were encrypted using the AES and RSA algorithms, which ransomware creators often use in combination. However, a single public RSA key is used to encrypt files, rather than one generated uniquely for each infection. If this modification of the ransomware were used against multiple targets, the data-decryption program would be general-purpose, because there would also be just one private key. Moreover, the ransomware shows the following curious features:


  • Prioritization of data encryption, meaning that the cybercriminals can specify a particular directory to encrypt first. That maximizes damage if security mechanisms stop data encryption before it is complete;
  • Support for encryption of files on remote network resources;
  • Privilege checking and use of DLL hijacking for privilege elevation.
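
The file-naming behaviour described above (the .garminwasted extension, applied to local files and to remote network resources alike) gives defenders something concrete to hunt for. The following is an added example, not code from the original article: it scans constructed file-rename events for a process that appends a "wasted"-style extension to several files within a short window. The event format, host and process names, threshold, and the generalization from ".garminwasted" to any "<tag>wasted" extension are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the extension is a victim tag followed by "wasted"; the article
# itself documents only ".garminwasted".
WASTED_EXT = re.compile(r"\.[a-z0-9]+wasted$", re.IGNORECASE)

# Constructed sample events (not real telemetry): time|host|process|old path|new path
SAMPLE_EVENTS = r"""
2020-07-23T02:14:01|FS01|svchelper.exe|D:\share\plan.docx|D:\share\plan.docx.garminwasted
2020-07-23T02:14:02|FS01|svchelper.exe|D:\share\q2.xlsx|D:\share\q2.xlsx.garminwasted
2020-07-23T02:14:04|FS01|svchelper.exe|\\NAS01\maps\tile.bin|\\NAS01\maps\tile.bin.garminwasted
2020-07-23T02:14:09|FS01|svchelper.exe|D:\share\notes.txt|D:\share\notes.txt.garminwasted
2020-07-23T02:15:30|WS07|explorer.exe|C:\Users\a\draft.docx|C:\Users\a\final.docx
2020-07-23T03:40:00|WS07|explorer.exe|C:\tmp\a.txt|C:\tmp\a.txt.garminwasted
"""

def parse(lines):
    """Yield (time, host, process, ext) for renames that only append a matching extension."""
    for line in lines.strip().splitlines():
        ts, host, proc, old, new = line.split("|")
        m = WASTED_EXT.search(new)
        if m and new == old + m.group(0):
            yield datetime.fromisoformat(ts), host, proc, m.group(0).lower()

def detect(lines, threshold=3, window=timedelta(seconds=60)):
    """Alert when one host/process appends the extension to >= threshold files in one window."""
    by_source = defaultdict(list)
    for ts, host, proc, ext in parse(lines):
        by_source[(host, proc, ext)].append(ts)
    alerts = []
    for (host, proc, ext), times in sorted(by_source.items()):
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"host": host, "process": proc, "extension": ext,
                               "first_seen": times[start].isoformat(), "count": len(times)})
                break
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

A single matching rename, like the last sample event, stays below the threshold; only the burst on FS01, which also touches a network share, raises an alert.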


How’s Garmin doing?

Services are up and running again, though data synchronization may be slow and is still limited in some individual cases, according to the company’s updated statement. This is understandable: devices that were unable to synchronize with their cloud services for several days are now contacting company servers, increasing the load. Garmin reports that there is no evidence that anyone gained unauthorized access to user data during the incident.


How to protect against ransomware attacks?

Targeted ransomware attacks on companies are here to stay. That being the case, the advice to guard against them is fairly standard:

  1. Do not open suspicious or irrelevant emails, and especially not any attachments or links in them, as doing so can result in a high-risk infection.
  2. Use only official and verified download channels.
  3. Activate and update all products with the tools and functions provided by the genuine developers.
  4. Do not use illegal activation (“cracking”) tools or third-party updaters, as they are often used to spread malware.
  5. Always keep software up to date, particularly the operating system; most Trojans exploit known vulnerabilities.
  6. Deny public access to enterprise systems over RDP (or use a VPN where necessary).
  7. Train employees on cybersecurity basics. Most often, it is social engineering of employees that allows Trojans to infect corporate networks with ransomware.
  8. Use cutting-edge security solutions with advanced anti-ransomware technologies.



Conclusion

The WastedLocker ransomware is not going away anytime soon. Organizations can go a long way toward protecting themselves from WastedLocker and other ransomware attacks with simple security procedures: not using default passwords for remote login portals, and using multi-factor authentication, which provides an extra barrier to hackers attempting to gain control of accounts and systems. Applying security patches as soon as possible can also help stop organizations falling victim to malware attacks, many of which take advantage of long-known vulnerabilities to gain a foothold in networks.

By applying these security practices and hiring a dedicated team of cybersecurity professionals to reduce the likelihood of a future attack, organizations can stay better protected against WastedLocker and other threats, but until these security protocols are applied across the board, ransomware will remain a significant threat.