Garmin, the GPS giant, is still recovering from a ransomware attack that hit its website, customer support and apps in late July 2020, forcing it to halt most customer communication.
Days went by with only brief statements on Twitter, until last Monday, when the company finally acknowledged that it had been hit by a “cyberattack that encrypted” some of its systems.
Employees around the world took to social media to admit what the company would not: the outage was caused by ransomware, which locked the company out of its own systems globally. The company's statement became more controversial when it said it had somehow obtained “the decryption key to recover its computer files.” This sounds a bit dodgy to me, which makes me think they paid the ransomware operators.
According to security analysts, the attack was most likely carried out by the Russia-based group known as Evil Corp, given that the WastedLocker strain of malware was used.
The US Treasury Department sanctioned Evil Corp in December 2019, and the Justice Department indicted its alleged leaders at the same time. If Garmin paid a ransom to free its systems, it could be in violation of those sanctions and face penalties.
As long as people and organizations keep falling prey and paying ransom demands, cybercriminals will continue to see ransomware as a reliable source of income.
The damage to any person, business or organization goes well beyond the ransom itself: lost revenue, disrupted daily operations, reputational harm and more.
In Garmin's case, a lot more is at stake. The company collects, stores, processes and uses users' personal information: names, addresses, phone numbers, email addresses, payment account information, height, weight, age, gender, heart rate, sleep patterns, GPS-based location and activity patterns.
Garmin's own filing warns: “If our security measures or applications are breached, are disrupted or fail, unauthorized persons may be able to obtain access to user data,”
“If we or our third-party service providers, business partners, or third-party apps with which our users choose to share their Garmin data were to experience a breach, disruption or failure of systems compromising our users’ data or the media suggested that our security measures or those of our third-party service providers were insufficient, our brand and reputation could be adversely affected, use of our products and services could decrease, and we could be exposed to a risk of loss, litigation, and regulatory proceedings.”
The document also notes that in the event of a breach, the company may have no choice but to “provide some form of remedy for the individuals affected by the incident.”
WastedLocker has been around for a while and mostly targets large corporations. Malwarebytes published an analysis of it less than two weeks before the Garmin attack, warning that Evil Corp was using it alongside its other malware, Dridex and BitPaymer, to hit more targets.
The attackers have demanded ransoms ranging from $500,000 to $10 million in Bitcoin from major corporations.
It is not surprising that the attacks are targeted and customized for each victim. The operators are patient, and so far they have not leaked or sold stolen data on the dark web when companies refuse to pay. They focus on compromising employee accounts, systematically assessing the victim's security capabilities and exposures, and then disabling defenses such as anti-malware protection before exploiting vulnerabilities to deliver and widely propagate the ransomware through the environment.
Much of what the public knows about what happened at Garmin came from employees' photos and other unofficial sources.
Other ransomware families run similar schemes. “The encryption algorithms in use are nothing special for ransomware—modern and strong. It's pretty obvious they know for whom they came after. We monitor dozens of web domains related to this malware family. On many of these domains, we registered the server as part of Cobalt Strike—a legitimate commercial penetration testing platform widely used by malefactors as well,” said Denis Legezo, a security researcher at Kaspersky.
“This and other techniques used by attack operators are quite similar to more classical targeted attacks, which come for data. But in WastedLocker’s case, so far, there are no signs of anything besides encryption and request for ransom payment.”
Last year, an Emsisoft report counted at least 966 US government agencies, healthcare providers and educational establishments hit by ransomware in 2019, at an estimated cost of around $7.5 billion.
With the Coronavirus pandemic, many business sectors have slowed or stopped operating; healthcare has not, and it has seen an increase in both the number and severity of ransomware attacks.
Security awareness programs that teach employees how ransomware operates and how to recognize phishing can help an organization avoid infection in the first place. Keeping antivirus and anti-malware software patched and updated, with regular scans, is a must nowadays.
Application whitelisting and disabling Office macros are another good way to stop ransomware and other malware from running at all. Combine them with a multi-layered backup strategy that includes regular offline backups, and limit access to data, infrastructure and critical systems to those who need it.
There is always downtime when this happens; what matters is how fast you can get systems back up. A typical incident costs around three days of lost productivity, but mishandled it can bring down the entire business.
WastedLocker operators typically compromise an environment repeatedly and move through it for some time before unleashing the full attack. In Garmin's case, what a single user stands to lose is not just location history but personal health data as well. This kind of information should be secured at all costs.
Offline backups, together with fallback email and archives, need to become the norm so that ransomware can be recovered from quickly. Users should also remain wary of links as much as attachments, since cybercriminals now often deliver payloads through URLs rather than attached files.
As working from home becomes normal, VPN appliances and remote-access servers must be kept patched. Exposed Windows Remote Desktop Protocol (RDP) services and exploits against them are being used to gain initial access.
Although Garmin says no data was exfiltrated during the attack, this should serve as a wake-up call to strengthen security everywhere.
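As an added example (this is not code from the original article, from Garmin, or from any vendor), the PowerShell script below audits a single Windows host against the host-level prevention controls discussed above: Office macro policy, AppLocker enforcement, anti-malware status, and RDP exposure. It assumes Office 2016 or later (the 16.0 policy key), Microsoft Defender as the anti-malware engine, and an elevated session for the HKLM reads; the registry values are Microsoft's documented policy settings, and the optional `-ApplyMacroPolicy` switch is this script's own name. Offline backups and access limits are process controls that a host script cannot verify.

```powershell
# Audit a Windows host against the ransomware prevention controls discussed in the
# article. Added illustration only; assumes Office 2016+ (policy key 16.0) and
# Microsoft Defender. Run elevated. -ApplyMacroPolicy (this script's own switch)
# writes the macro-hardening values for the current user.
param([switch]$ApplyMacroPolicy)

$findings = New-Object System.Collections.Generic.List[string]
$officeApps = 'Word', 'Excel', 'PowerPoint'

function Set-MacroPolicy {
    # VBAWarnings = 4: disable all macros without notification.
    # blockcontentexecutionfrominternet = 1: block macros in files carrying Mark-of-the-Web.
    foreach ($app in $officeApps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name VBAWarnings -Type DWord -Value 4
        Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Type DWord -Value 1
    }
}

if ($ApplyMacroPolicy) { Set-MacroPolicy }

# 1. Office macros: both policy values must be present and set for every app.
foreach ($app in $officeApps) {
    $key  = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $vba  = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    $motw = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
    if ($vba -ne 4) { $findings.Add("$app`: macros are not disabled by policy (VBAWarnings=$vba)") }
    if ($motw -ne 1) { $findings.Add("$app`: macros in internet-sourced files are not blocked") }
}

# 2. Application whitelisting: AppLocker must be in Enforce mode ("Enabled") for
#    executables, scripts and DLLs. AuditOnly only logs; it stops nothing.
try { $policy = Get-AppLockerPolicy -Effective } catch { $policy = $null }
foreach ($type in 'Exe', 'Script', 'Dll') {
    $coll = $policy.RuleCollections | Where-Object { $_.RuleCollectionType -eq $type }
    if (-not $coll -or $coll.EnforcementMode -ne 'Enabled') {
        $findings.Add("AppLocker: $type rules are not enforced")
    }
}

# 3. Anti-malware: real-time protection on and signatures recent. WastedLocker
#    operators disable protection before deploying, so "off" is itself an alarm.
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Defender: real-time protection is off') }
if ($mp.AntivirusSignatureAge -gt 3) { $findings.Add("Defender: signatures are $($mp.AntivirusSignatureAge) days old") }

# 4. Remote Desktop: fDenyTSConnections = 0 means RDP is enabled; if so, Network
#    Level Authentication (UserAuthentication = 1) must be required so that
#    unauthenticated clients never reach the logon screen.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0
$nla = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication
if ($rdpEnabled -and $nla -ne 1) { $findings.Add('RDP: enabled without Network Level Authentication') }
if ($rdpEnabled) { $findings.Add('RDP: enabled; confirm it is reachable only through VPN or a gateway, never directly from the internet') }

if ($findings.Count -eq 0) {
    Write-Output 'No findings: host meets the checked controls.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

The HKCU macro values written by `-ApplyMacroPolicy` take effect for the current user only and will be overwritten by any Group Policy that manages the same keys, so in a managed domain the same two values should be set through GPO (User Configuration > Administrative Templates for each Office application) rather than per host. The AppLocker check deliberately treats AuditOnly as a failure: a whitelist that only logs would have recorded, not blocked, the ransomware dropper.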