
GPS titan Garmin is still recovering from the fallout of the devastating ransomware attack that has crippled its website, disrupted customer support, disabled apps, and paused communications since late on July 22.

After days of opaque FAQs and brief Twitter statements, the company sent out a full response to the crisis on Monday, finally acknowledging that it was hit with a “cyberattack that encrypted” some of its systems.

Since the crisis began, employees of the company around the world have taken to social media to admit what the company would not: that it was hit with a damaging ransomware attack that locked them out of significant portions of their own systems globally. The company courted even more controversy on Monday when inside sources told Sky News the company was somehow able to obtain “the decryption key to recover its computer files.”

As analysts and insiders have noted, the use of the WastedLocker strain of malware points to the attack most likely having been launched by a Russia-based cybercrime organization aptly named Evil Corp. The US Treasury Department filed charges and sanctions against the group in December, meaning that if officials connected to Garmin paid the ransom to free their systems, they would be in violation of these sanctions and face penalties.


Security analysts said the situation had wide-ranging implications considering the scale of the attack, the perceived mismanagement of the initial response to the crisis, and the people behind the crime.

“It is sadly no surprise to see another organization fall victim to a suspected ransomware attack. Our recent State of Email Security report found that nearly half of companies in the US have been impacted by ransomware attacks in the last year,” said Carl Wearn, head of e-crime at Mimecast.

“The key thing is that as long as organizations continue to pay, attackers will view this attack approach as being financially viable.”

In an annual report submitted to the SEC in December, Garmin officials noted just how damaging a cyberattack would be to its services, reputation, and more.

In the filing, the company says it collects, stores, processes, and uses users’ personal information such as names, addresses, phone numbers, email addresses, payment account information, height, weight, age, gender, heart rates, sleeping patterns, GPS-based location, and activity patterns.

“If our security measures or applications are breached, are disrupted or fail, unauthorized persons may be able to obtain access to user data,” the SEC filing added.

“If we or our third-party service providers, business partners, or third-party apps with which our users choose to share their Garmin data were to experience a breach, disruption or failure of systems compromising our users’ data or the media suggested that our security measures or those of our third-party service providers were insufficient, our brand and reputation could be adversely affected, use of our products and services could decrease, and we could be exposed to a risk of loss, litigation, and regulatory proceedings.”

The document also notes that in the event of a breach, the company may have no choice but to “provide some form of remedy for the individuals affected by the incident.”

WastedLocker and Evil Corp

The WastedLocker ransomware, named after the tag included on the end of all the encrypted files, has been floating around since May and has been used specifically to target high-end corporations. MalwareBytes spotlighted WastedLocker less than two weeks before the Garmin attack, warning that Evil Corp cybercriminals were using it in addition to other malware like Dridex and BitPaymer.

Since adopting the ransomware, the attackers have demanded ransoms ranging from $500,000 to over $10 million in bitcoin, according to Curtis Simpson, CISO at IoT security firm Armis.

“Not only are the attacks targeted in nature, the malware is also customized for each target. The malware was first spotted in the wild in May and by July has been regularly impacting large enterprises with newsworthy results,” Simpson said. “Unlike other actors that have started releasing compromised data online and/or selling such data to the highest bidder on the Dark Web, Evil Corp has not been taking such actions when affected companies fail to pay ransoms.”

He added that Evil Corp’s targeted approach has involved compromising employee accounts, systematically assessing security capabilities and exposures, and then disabling capabilities like malware protection before exploiting vulnerabilities to deliver and widely propagate the ransomware attack through the environment.

Kaspersky senior security researcher Denis Legezo said much of what the public knows about what actually happened to Garmin has come from employees’ photos and other sources.

This is not the only ransomware used in such a manner, according to Legezo, with Maze and some other ransomware families using similar schemes.

“The encryption algorithms in use are nothing special for ransomware—modern and strong. It’s pretty obvious they know for whom they came after. We monitor dozens of web domains related to this malware family. On many of these domains, we registered the server as part of CobaltStrike—a legitimate commercial penetration testing platform widely used by malefactors as well,” Legezo said.

“This and other techniques used by attack operators are quite similar to more classical targeted attacks, which come for data. But in WastedLocker’s case, so far, there are no signs of anything besides encryption and request for ransom payment.”

Don Smith, senior director of Secureworks Counter Threat Unit, was most troubled by the increasing frequency of these types of attacks.

Smith said his incident response teams have been engaged to help an increasing number of victims, with a 100% year-on-year increase in such engagements over the last two years.

“If Garmin has been the subject of a post-intrusion ransomware attack then they are not alone. They will be one of many who have fallen prey to such cybercriminals. Post-intrusion ransomware is a highly profitable and effective way to extort money from large enterprises,” Smith said.

“Given a network intrusion the ‘return on investment’ of post-intrusion ransomware makes it a compelling route to monetization for cyber criminals. The good news is that you can prevent these attacks. It is not easy, but it is possible,” he added. “Criminals will leverage commodity malware to gain an initial foothold into a network but will then spend time assessing how best to attack the enterprise. If the initial foothold is missed, then a well instrumented enterprise should be able to detect the footfall of the criminals as they navigate around the victim enterprise prior to deploying ransomware.”

How organizations can prepare for and handle attacks like this

Cybersecurity experts had a variety of suggestions when asked what companies could do to avoid a fate similar to Garmin’s.

Ransomware attacks are now becoming the norm for large organizations, and 2019 saw attack numbers skyrocket. One Emsisoft report found that at least 966 US government entities, healthcare providers and educational establishments were hit with ransomware attacks, at a cost of $7.5 billion.

Since the onset of the coronavirus pandemic, the numbers decreased in every sector except for healthcare, with institutions in the industry reporting stark increases in the number and severity of ransomware attacks.

Torsten George, cybersecurity evangelist with Centrify, said it was important for every organization to first implement security awareness programs to educate employees on how ransomware is being deployed and how to avoid spear-phishing attacks. Basic actions like updating anti-virus and anti-malware software with the latest signatures as well as regular scans are also a necessity at this point.

Entities, he said, should create an application whitelist that allows only specific programs to run on a computer, and should disable macro scripts in Microsoft Office files transmitted over email.

As a way to deal with ransomware attacks specifically, organizations need to back up data regularly to a nonconnected environment and verify the integrity of those backups regularly, George said, adding that an effective privileged access management solution using a zero trust approach is key to preventing bad actors from accessing critical systems, infrastructure and sensitive data.
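The point about verifying backup integrity is easy to state and easy to skip. The following is an added example, not code from the article or from any vendor quoted in it: it builds a SHA-256 manifest of a backup set and later compares the set against that manifest, reporting files that changed, vanished, or appeared. All paths, file contents and the `.locked` suffix in the tampering scenario are constructed for the demonstration; in practice the manifest is stored off the backup medium so an attacker who reaches the backups cannot rewrite it.

```python
"""Added example: SHA-256 manifest for a backup set plus a verification pass.

Not Garmin's code and not from any vendor in the article. The scenario in demo()
is constructed: a two-file "backup", then one file overwritten in place and one
renamed with an assumed ".locked" suffix, which is what an encrypt-and-rename
ransomware run looks like from the backup's point of view.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in fixed-size chunks so large backup archives fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, '/' separated) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup tree on disk against a trusted manifest.

    A healthy verification returns ok=True with empty lists. Many 'modified'
    or 'missing' entries together with 'unexpected' new files is the signature
    of backups that were reachable by the ransomware.
    """
    current = build_manifest(root)
    modified = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in current)
    unexpected = sorted(k for k in current if k not in manifest)
    return {
        "ok": not (modified or missing or unexpected),
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
    }


def demo() -> dict:
    """Constructed scenario: snapshot a tiny backup set, verify it, tamper, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "users.sql").write_bytes(b"CREATE TABLE users (id INT);\n")
        (root / "config.yaml").write_bytes(b"retention_days: 30\n")

        # Serialise the manifest as it would be written to a separate, read-only store.
        manifest_json = json.dumps(build_manifest(root), indent=2)
        clean = verify_backup(root, json.loads(manifest_json))

        # Simulate one file encrypted in place and one renamed with an appended tag.
        (root / "config.yaml").write_bytes(os.urandom(64))
        (root / "db" / "users.sql").rename(root / "db" / "users.sql.locked")
        tampered = verify_backup(root, json.loads(manifest_json))

    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints a clean report for the untouched set and, for the tampered set, `config.yaml` under `modified`, `db/users.sql` under `missing` and `db/users.sql.locked` under `unexpected`. A scheduled job that runs `verify_backup` against the previous manifest and pages on `ok == False` is the minimum that makes "verify the integrity of those backups regularly" operational.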

“By verifying who is requesting access, the context of the request, as well as the risk of the access environment, organizations can minimize the impact of a ransomware attack and prevent malware from spreading through a network,” George said.

Simpson from Armis told TechRepublic that organizations should be asking themselves whether they would know if an attack moved from their traditional IT infrastructure into networks and devices that are critical to manufacturing and servicing their downstream customers.

Enterprises should also question whether IT and manufacturing teams are jointly aware of and practiced in how to communicate and handle a cyber event with the potential to impact critical operations.

“Do we have the required modern technical controls like access broker technologies that can help to rapidly discover the likely compromise of employee credentials, before a larger impact is observed? If our supply chain relies on other critical third parties, what opportunities do we have to mitigate risks associated with one or more of these providers being critically impacted and unable to support our operations?” Simpson asked.

Wearn from Mimecast said his recent report on email security found that the average downtime an organization suffers from a ransomware attack is three days, but at times can be indefinite and lead to the failure of a business.

Because the people behind WastedLocker often penetrate systems multiple times before unleashing a full attack, organizations need to pay particular attention to their patterns of network traffic and data logs to identify any potential compromise, he said. There is a potentially short window of opportunity to remediate an initial dropper infection and thereby prevent the subsequent insertion of ransomware, he noted.
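What "paying attention to logs" looks like in practice is a handful of rules that fire on the pre-ransomware stages described earlier in the article: an employee account being brute-forced and then used, endpoint protection being switched off, and one account suddenly reaching many hosts. The block below is an added example, not the article's or any vendor's detection content. The JSON event format, its field names, the `WinDefend` service name in the watch-list and the thresholds are all assumptions for the demo, and the log lines are constructed.

```python
"""Added example: three precursor-activity rules over constructed JSON-lines logs.

Not from the article or any vendor quoted in it. Field names (ts, host, event,
user, src, service), the security-service watch-list and the thresholds are
assumptions for the demo; map them onto whatever your EDR or SIEM emits.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a password-guessing burst, a Defender service stop, and a
# service account hopping across four servers, all inside a few minutes.
SAMPLE_LOG = """
{"ts": "2020-07-20T02:01:00", "host": "ws-17", "event": "logon_failed", "user": "j.doe", "src": "10.0.5.9"}
{"ts": "2020-07-20T02:01:05", "host": "ws-17", "event": "logon_failed", "user": "j.doe", "src": "10.0.5.9"}
{"ts": "2020-07-20T02:01:09", "host": "ws-17", "event": "logon_failed", "user": "j.doe", "src": "10.0.5.9"}
{"ts": "2020-07-20T02:01:12", "host": "ws-17", "event": "logon_failed", "user": "j.doe", "src": "10.0.5.9"}
{"ts": "2020-07-20T02:01:15", "host": "ws-17", "event": "logon_failed", "user": "j.doe", "src": "10.0.5.9"}
{"ts": "2020-07-20T02:01:30", "host": "ws-17", "event": "logon_success", "user": "j.doe", "src": "10.0.5.9"}
{"ts": "2020-07-20T02:10:00", "host": "ws-17", "event": "service_stopped", "user": "j.doe", "service": "WinDefend"}
{"ts": "2020-07-20T02:12:00", "host": "srv-01", "event": "logon_success", "user": "svc-backup", "src": "10.0.5.17"}
{"ts": "2020-07-20T02:12:20", "host": "srv-02", "event": "logon_success", "user": "svc-backup", "src": "10.0.5.17"}
{"ts": "2020-07-20T02:12:40", "host": "srv-03", "event": "logon_success", "user": "svc-backup", "src": "10.0.5.17"}
{"ts": "2020-07-20T02:13:00", "host": "srv-04", "event": "logon_success", "user": "svc-backup", "src": "10.0.5.17"}
{"ts": "2020-07-20T09:00:00", "host": "ws-02", "event": "logon_success", "user": "a.smith", "src": "10.0.7.3"}
"""

# Services whose unexpected stop is worth an alert. WinDefend is the Microsoft
# Defender Antivirus service; extend with the names your own products use.
SECURITY_SERVICES = {"WinDefend"}


def parse_events(text: str) -> list:
    """Parse one JSON object per line and return events sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list, fail_threshold: int = 5,
           window: timedelta = timedelta(minutes=5), host_threshold: int = 3) -> list:
    """Return a list of (rule, subject, detail) tuples for suspicious activity."""
    alerts = []

    # Rule 1: endpoint protection stopped (attackers disable it before deploying ransomware).
    for e in events:
        if e["event"] == "service_stopped" and e.get("service") in SECURITY_SERVICES:
            alerts.append(("security_service_stopped", e["host"], e["user"]))

    # Rule 2: a burst of failed logons followed by success from the same source.
    fails = defaultdict(list)
    for e in events:
        key = (e.get("user"), e.get("src"))
        if e["event"] == "logon_failed":
            fails[key].append(e["ts"])
        elif e["event"] == "logon_success":
            recent = [t for t in fails[key] if e["ts"] - t <= window]
            if len(recent) >= fail_threshold:
                alerts.append(("brute_force_then_success", e["user"], e["src"]))
                fails[key].clear()

    # Rule 3: one account logging on to many distinct hosts inside the window.
    hosts_by_user = defaultdict(list)
    for e in events:
        if e["event"] == "logon_success":
            hosts_by_user[e["user"]].append((e["ts"], e["host"]))
    for user, seq in hosts_by_user.items():
        for i, (t0, _) in enumerate(seq):
            hosts = {h for t, h in seq[i:] if t - t0 <= window}
            if len(hosts) >= host_threshold:
                alerts.append(("lateral_movement", user, len(hosts)))
                break

    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample the three rules each fire once; `a.smith` logging on to a single workstation during working hours produces nothing. Thresholds are deliberately parameters: the right values depend on the environment, and tuning them against a baseline of normal logon behaviour is what turns these rules from noise into the early warning the text describes.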

“This particular attack is also worrying because of the type of data that could be lost, including both location and personal health data. When consumers trust organizations with this data, it is absolutely vital that it is kept secure. Incidents like these can have devastating consequences for the reputation of an organization,” Wearn said.

“Non-networked backups and a fallback email and archiving process need to become standard security measures if organizations are to significantly mitigate ransomware threats. Individual users can also assist greatly by being aware of the potential for unsafe attachments, but should also be wary of clicking any email links received in any communication, as criminals are increasingly utilizing URL links rather than file-based attachments to infect networks.”

He added that it was more imperative now than ever that remote working software, such as VPNs, and any servers are kept up to date with patching, as open source reporting indicates that ransomware threat actors are increasingly targeting Windows Remote Desktop Protocol and related exploits to initiate compromise.

Chris Clements, vice president of solutions architecture at cybersecurity company Cerberus Sentinel, also said Garmin’s response to the crisis was an example of what not to do. Organizations need to implement a well-thought-out and formalized incident response plan with a preselected response team for key tasks like recovery, root cause analysis, and public communications.

“With no details forthcoming from official Garmin spokespeople, employees have been tweeting out information that may or may not be accurate and leading to wild speculation as to the extent and severity of the situation,” Clements said.

“In a carefully coordinated incident response action, instructions would be sent out to all employees to refrain from communicating information that may be incomplete or inaccurate. Instead, the IR team members most involved with the situation communicate through a company spokesperson to ensure that information about the incident is complete and accurate.”