Last month Garmin has been the target of a successful ransomware attack that temporarily took offline most of the company servers. Hence, most of the services it offers have been unavailable. It later claimed it was the victim of a cyberattack without offering specifics about what caused it. Reports and further indicators suggested ransomware was involved.
According to Sky News, Garmin paid a “multi-million dollar ransom” via a third-party company called Arete Incident Response to regain access to its files and systems. Engadget has contacted Garmin for comment.
It has not been revealed who was behind the attack nor to whom a ransom(if any) was paid. Some security researchers believe the cause of the outage was the WastedLocker ransomware. According to MalwareBytes, the attacks performed using WastedLocker are highly targeted at very specific organizations. It is suspected that an assessment of active defenses occurs during a first penetration attempt. Then, the next attempt is tailored to circumvent the active security software and other perimeter protection. The ransomware name derives from the filename it creates which includes an abbreviation of the victim’s name and the string “wasted”. For each encrypted file, the malware creates a distinct file that contains the ransomware note. The ransom note has the same name as the associated file with the addition of “_info”. The WastedLocker ransomware encrypts files using the AES algorithm. The ransom demands also appear to be related to the amount of research the operators have done based on what they believe the victims can afford to pay. The demands are steep, ranging from $500,000 to over $10 million in Bitcoin. WastedLocker has been actively deployed since May 2020.
This poses some new and critical problems because WastedLocker is linked to a Russia-based group of cybercriminals known as Evil Corp. The link is due to the similarities between WastedLocker and other malware the group has developed. Evil Corp has historically been very focused on how it picks and attacks its targets. Rather than going after end users and small businesses, who may be easy to trick into opening a malicious email attachment but unlikely to pay significant ransoms for their data, the organization has instead deployed a mixture of technical prowess and social engineering to attack sizeable targets such as banks, media organizations and now technology companies. While it is not yet known how Garmin fell prey to the ransomware in early July, Symantec cybersecurity researchers identified hijacked newspaper websites as a possible route. Although Garmin did not confirm the level of the requested ransom, it is believed to be around $10m.
The US Treasury sanctioned that organization last year, accusing it of being responsible for developing and distributing another form of malware called Dridex. The sanction “generally prohibited” US persons from “engaging in transactions” with specific companies and people linked to Evil Corp. Hence, paying the ransomware results in a violation of US laws.
A final observation is that this attack shows that ransomware is more and more used for target attacks and not only for mass one. Hence, maybe the term fully automated attack would be more appropriate.