GPS device and service provider Garmin confirmed Monday that the global outage that took down the vast majority of its services for five days was caused by a ransomware attack.
“Garmin Ltd. was the victim of a cyber attack that encrypted some of our systems on July 23, 2020,” the company wrote in an email Monday morning. “As a result, many of our online services were disrupted, including website functions, customer support, customer-facing applications, and company communications. We immediately began to assess the nature of the attack and began to remedy it.” The company said it had no indication that users’ personal information was taken.
Garmin’s problems started late Wednesday or early Thursday morning as customers reported that they were unable to use a variety of services. Later Thursday, the company said it was experiencing an outage affecting Garmin Connect, FlyGarmin, its customer service centers, and other services. The failure left millions of customers unable to connect their smartwatches, fitness trackers, and other devices to the servers that provide the location-based data the devices need to work. Monday’s statement was the first time the company gave a cause for the global outage.
Some company employees soon turned to social media to report that Garmin had been brought down by a ransomware attack. Such attacks exploit vulnerabilities or misconfigurations to get into a company’s network. Ransomware operators often spend days or weeks inside, covertly stealing passwords and mapping the network topology. Finally, the attackers encrypt as much data as they can reach and demand a ransom, paid in cryptocurrency, in exchange for the decryption key.
The aptly named Evil Corp.
Screenshots and other data released by employees suggested that ransomware was a relatively new strain called WastedLocker. A person with direct knowledge of Garmin’s response over the weekend confirmed that WastedLocker was the ransomware used. The person spoke on condition of anonymity to discuss a confidential matter.
WastedLocker first came to public attention on July 10, when antimalware vendor Malwarebytes released this short profile. The profile said WastedLocker attacks are highly targeted against pre-selected organizations. During the initial intrusion, the operators perform a detailed analysis of the network’s active defenses so that subsequent stages of the attack can better evade them.
Malwarebytes researcher Pieter Arntz wrote:
In general, we can affirm that if this gang has found an entry into your network, it will be impossible to prevent them from encrypting at least part of your files. The only thing that can help you save your files in such a case is if you have rollback technology or some form of offline backup. With online or otherwise connected backups, there is a possibility that your backup files are also encrypted, making their usefulness debatable. Keep in mind that rollback technologies depend on the activity of the processes that monitor your systems. And there is a danger that these processes are on the target list of the ransomware gang. This means that these processes will be shut down once they gain access to your network.
Once WastedLocker is established on a network, ransom demands typically range from $500,000 to $10 million. The name of the ransomware comes from the “wasted” extension that is appended to encrypted file names; the extension also includes an abbreviation of the victim’s name. Each encrypted file is accompanied by its own separate file containing a ransom note customized for the specific victim.
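The two on-disk artefacts described above, an extension ending in “wasted” that embeds a victim abbreviation and a per-file ransom note next to each encrypted file, are what an incident responder would hunt for first when triaging a suspect host. The script below is an added example and is not Garmin’s, Malwarebytes’ or the ransomware’s own code. It assumes the note is named after the encrypted file plus an “_info” suffix (an assumption for this example; the article does not give the note’s naming), and the sample directory it builds is constructed data.

```python
"""Hunt for the on-disk artefacts of a WastedLocker-style encryption run.

Added example, not code from Garmin, Malwarebytes or the malware itself.
From the article: encrypted files get an extension ending in "wasted" that
embeds an abbreviation of the victim's name, and each encrypted file sits
next to its own ransom note. ASSUMPTION for this example: the note is the
encrypted file's name plus "_info". The sample tree is constructed data.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# ".<abbrev>wasted" at the very end of a file name, e.g. ".acmewasted".
# The abbreviation may be empty so a bare ".wasted" is also caught.
WASTED_EXT = re.compile(r"\.([a-z0-9]{0,16})wasted$", re.IGNORECASE)
NOTE_SUFFIX = "_info"  # assumed note naming; adjust to the observed sample


@dataclass
class Hit:
    path: str            # encrypted file
    victim_tag: str      # abbreviation embedded in the extension
    note: Optional[str]  # sibling ransom note, if one is present


def find_wasted_artifacts(root: str) -> List[Hit]:
    """Walk `root` and return every file carrying a *wasted extension.

    Note files (ending in NOTE_SUFFIX) and decoys such as "wasted.txt"
    do not match, because the regex anchors "wasted" to the end of the name.
    """
    hits: List[Hit] = []
    for dirpath, _dirs, files in os.walk(root):
        names = set(files)
        for name in files:
            m = WASTED_EXT.search(name)
            if not m:
                continue
            note_name = name + NOTE_SUFFIX
            hits.append(Hit(
                path=os.path.join(dirpath, name),
                victim_tag=m.group(1).lower(),
                note=os.path.join(dirpath, note_name) if note_name in names else None,
            ))
    hits.sort(key=lambda h: h.path)
    return hits


def summarize(hits: List[Hit]) -> dict:
    """Aggregate the hits: counts, victim tags seen, files without a note."""
    return {
        "encrypted_files": len(hits),
        "victim_tags": sorted({h.victim_tag for h in hits}),
        "missing_notes": sum(1 for h in hits if h.note is None),
        "directories": sorted({os.path.dirname(h.path) for h in hits}),
    }


def build_sample_tree() -> str:
    """Constructed sample data: two encrypted files (one with its note, one
    without), a decoy named 'wasted.txt', and an untouched file."""
    root = tempfile.mkdtemp(prefix="wasted_demo_")
    os.makedirs(os.path.join(root, "finance"))
    files = {
        "finance/q3.xlsx.acmewasted": b"\x00ciphertext\x00",
        "finance/q3.xlsx.acmewasted_info": b"your files are encrypted",
        "notes.docx.acmewasted": b"\x00ciphertext\x00",
        "wasted.txt": b"plain text, not an encrypted file",
        "README.md": b"untouched",
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for hit in find_wasted_artifacts(sample):
        print(hit)
    print(summarize(find_wasted_artifacts(sample)))
```

Run it against a mounted forensic image rather than the live host where possible; the victim tag recovered from the extension is a quick way to confirm that files from several machines belong to the same campaign, and a high “missing_notes” count can indicate the encryptor was interrupted before finishing.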
Garmin’s announcement on Monday did not use the words ransomware or WastedLocker. However, the description “cyber attack that encrypted some of our systems” confirms that ransomware of one kind or another was the cause.
According to Malwarebytes and other research organizations, similarities between WastedLocker and an earlier piece of malware known as Dridex link the ransomware to a Russian organized crime group known as Evil Corp.
Late last year, federal prosecutors accused alleged Evil Corp. chief Maksim V. Yakubets of using Dridex to drain more than $70 million from bank accounts in the United States, the United Kingdom, and other countries. The same day prosecutors filed their 10-count indictment, the United States Treasury Department sanctioned Evil Corp. as part of a coordinated action aimed at disrupting the Russia-based hacker group, which the department said had stolen more than $100 million from organizations in 40 countries.
Citing unnamed security sources, Sky News reported that Garmin obtained the decryption key. The report aligns with what the person with direct knowledge told Ars. Sky News said Garmin “did not make a direct payment to hackers,” but did not elaborate. Garmin representatives declined to confirm that the malware was WastedLocker or to say whether the company paid any ransom. The Treasury sanctions could complicate the already difficult position of Garmin and other Evil Corp. victims by leaving them open to legal action if they pay the criminal gang for the return of their encrypted data.
The sun also rises
On Monday, Garmin began slowly restoring its services. At the time this post was published on Ars, Garmin’s status page showed that Garmin Connect had returned with limited capabilities for features including challenges and connections, courses, daily digest, Garmin Trainer, Strava, third-party sync, wellness sync, and training. Garmin Drive, LiveTrack, activity details, and uploads had been fully restored. FlyGarmin and Garmin Pilot, which provide navigation and other services to pilots, were also back online.
Garmin’s outage underscores the scourge ransomware has become since it first appeared around 2013 as little more than a malware novelty. Ransomware not only cost US governments, healthcare providers, and educational institutions a combined $7.5 billion last year; the resulting disruptions can cause hospitals to turn away patients seeking emergency care, dangerously disrupt critical infrastructure, and create hardships for millions of end users. The attack Garmin experienced gives little reason to believe that law enforcement and the security industry are close to containing this growing threat.
Updated post to add details about the Sky News report.