GPS device and service provider Garmin confirmed on Monday that the worldwide outage, in which the vast majority of its offerings were suspended for five days, was caused by a ransomware attack.
"Garmin Ltd. was the victim of a cyber attack that encrypted some of our systems on July 23, 2020," the company wrote in a Monday morning post. “As a result, many of our online services have been interrupted, including website features, customer support, customer-centric applications and corporate communications. We immediately started assessing the nature of the attack and starting to remediate it. “The company did not believe that personal data was collected from users.
Garmin's problems started late Wednesday or early Thursday morning when customers reported that they couldn't use a variety of services. Later on Thursday, the company announced that Garmin Connect, FlyGarmin, customer service centers, and other services had failed. Due to the service error, millions of customers were unable to connect their smartwatches, fitness trackers, and other devices to servers that provided location-specific data that was necessary for their work. Monday's mail was the first time that the company was a reason for the worldwide outage.
Some company employees soon went to social media sites to report that Garmin was killed by a ransomware attack that exploits vulnerabilities or misconfigurations to dig into a company's network. Ransomware operators often spend days or weeks inside, steal passwords in secret and assign network topologies. Finally, the attackers encrypt all data and demand a ransom, which is paid by the cryptocurrency in return for the decryption key.
The aptly named Evil Corp.
Screenshots and other data released by employees suggested that the ransomware is a relatively new strain called WastedLocker. A person with direct knowledge of Garmin's weekend response confirmed that WastedLocker was the ransomware used. The person spoke on condition of anonymity to discuss a confidential matter.
WastedLocker first became public on July 10 when the antimalware provider Malwarebytes published this short profile. WastedLocker attacks are said to be highly targeted at preselected organizations. During the first intrusion, the malware performs a detailed analysis of the active network defense so that subsequent penetrations can better circumvent it.
Malwarebytes researcher Pieter Arntz wrote:
In general, we can say that once it has found access to your network, it is impossible to prevent this gang from encrypting at least part of your files. The only thing that can help you save your files in such a case is if you have either rollback technology or some form of offline backup. With online or other related backups, there is a possibility that your backup files will also be encrypted, which makes sense to question them. Please note that rollback technologies depend on the activity of the processes that monitor your systems. And there is a risk that these processes are on the target list of the ransomware gang. This means that these processes will be shut down as soon as they gain access to your network.
Once WastedLocker has established itself in a network, the requirements are usually between $ 500,000 and $ 10 million. The ransomware name is derived from the "wasted" extension, which is appended to encrypted file names and contains an abbreviation for the victim's name. Each encrypted file comes with its own file that contains a ransom note that is customized for the destination.
The words "ransomware" or "WastedLocker" were not used in Garmin's Monday announcement. However, the description "cyber attack that encrypted some of our systems" almost almost definitely confirmed that ransomware of one kind or another was the cause.
According to Malwarebytes and other research institutions, the similarities between WastedLocker and a previous malware called Dridex have tied the ransomware to a group of organized crime from Russia called Evil Corp. is known.
At the end of last year, prosecutors accused Evil Corp.'s alleged Kingpin Maksim V. Yakubets of using Dridex to withdraw more than $ 70 million from bank accounts in the United States, the United Kingdom, and other countries. On the same day the state attorney filed her 10-point charge, the US Treasury Department sanctioned Evil Corp. as part of a coordinated action to disrupt the Russian-based hacker group, which the department said had withdrawn $ 100 million from organizations in 40 countries.
Citing an undisclosed number of security sources, Sky News reported that Garmin had received the decryption key. The report was consistent with what the person with direct knowledge Ars said. Sky News said Garmin "didn't make a payment to the hackers directly," but didn't go into detail. Garmin representatives declined to confirm that the malware was WastedLocker and whether the company paid a ransom. The Treasury’s actions could add to the already difficult position of Garmin and other victims of Evil Corp. complicate by remaining open to legal action when paying the criminal gang to return the encrypted data.
The sun also rises
On Monday, Garmin began slowly to restore location-based services. At the time of this Ars post, this page showed that Garmin Connect had returned with limited functionality for features such as challenges and connections, courses, daily summary, Garmin Coach, Strava, third-party synchronization, wellness synchronization, and workouts. Garmin Drive, Live Track, activity details and uploads have been completely restored. FlyGarmin and Garmin Pilot, which offer pilots navigation and other services, were also back online.
The failure of Garmin highlights the great scourge that ransomware has become since its launch in 2013, primarily as a malware novelty. Ransomware not only cost $ 7.5 billion to U.S. governments, healthcare providers, and educational institutions last year, the resulting disruptions can cause hospitals to reject patients seeking emergency care, dangerous interference in critical infrastructure, and trouble for millions from end users. The attack Garmin has had little to do with the assumption that law enforcement and the security industry come close to this growing threat.
Updated post to add details to the Sky News report.