[Update: Click here for an analysis of the WastedLocker ransomware]
Garmin Inc., a leading provider of "GPS navigation and wearable technology to the automotive, aviation, marine, outdoor and fitness markets", with 65 offices across the globe, experienced a service outage on July 23rd, 2020.
In a statement Monday, Garmin announced that they were "…the victim of a cyber-attack that encrypted some of our systems on July 23, 2020. As a result, many of our online services were interrupted including website functions, customer support, customer facing applications, and company communications. We immediately began to assess the nature of the attack and started remediation".
While Garmin was quick to acknowledge the service outage was the outcome of a cyber-attack, there are several especially noteworthy facts that they did not mention in their notice. No information is supplied about the malware strain or family, or even confirmation of if the attack was ransomware, DDoS, or any other specific type of attack. No ransom or remediation is mentioned, and their website is especially cryptic on what data (if any) was stolen. From the FAQ section of the Garmin website, where customers have been asking if their data has been impacted, Garmin says that there is "no indication" that any customer data of value was "accessed, lost or stolen" during the attack - not the most specific statement in the opinion of many.
BBC reporter Joe Tidy identifies the attack as a new malware strain named WastedLocker, said to be deployed by the Evil Corp gang and targeting very specific, deep pocketed organizations such as multinational corporations (MNCs) for ransoms starting from 500K and reaching $10 million in Bitcoin. Evil Corp attacks are consistently devastating, with most victims reporting exorbitant ransom demands and at least some files encrypted in every attack. Malwarebytes reports that WastedLocker is custom built for each client, that it follows the same basic processes in each attack, and deletes system backups during the attack, among many other insidious functions. Malwarebytes notes that "The malware from these websites is a penetration testing and exploration kit designed to create a foothold and gather information about the network. Historically Evil Corp has targeted file servers, database services, virtual machines, and cloud environments".
[Update as of 4th August 2020]
Garmin has received the decryption key capable of ending the ransomware attack and releasing their encrypted files. BleepingComputer, who broke the story, said, "To obtain a working decryption key, Garmin must have paid the ransom to the attackers. It is not known how much was paid, but as previously stated, an employee had told BleepingComputer that the original ransom demand was for $10 million". As previously reported, BBC identified the attack as being launched using a new malware strain named WastedLocker, said to be deployed by the Evil Corp gang and targeting very specific, deep pocketed organizations for 500K - $10 million in Bitcoin, but not typically for theft or sale of stolen information.
The type of organizations attacked are often MNC’s with extensive resources, including dedicated and often, in-house cyber-security teams. It’s important that "…staff is alert on the early warning signs of these attacks which may be indicated by breach attempts. At later stages more disruptive actions may be taken, such as disabled security software, dropped files, and deleted backups". Sage advice - but what do organizations without dedicated security teams do to protect themselves?
Sangfor Threat Identification, Analysis & Risk Assessment Services
For organizations, regardless of vertical, seeking professional network security services without the added expense of maintaining an entire network security team, many are deploying services like Sangfor’s TIARA and MDR. TIARA starts by performing a security posture assessment service, determining the threat posture of the entire network quickly and easily. Sangfor then provides improvement and remediation assistance to strengthen network security functions. MDR conducts ongoing, comprehensive threat analysis and asset identification, performing root-cause analysis and providing long-term suggestions on how to maintain complete network security to the best of your ability. Most CISO’s value TIARA and MDR services for the credible assessment of current security posture delivered by independent and certified consultants with unbiased opinions. They also find that it significantly improves security posture by addressing misconfigurations and deploying additional security controls. Business continuity and compliance are improved along with security operation productivity.
Sangfor Incident Response Service
Taking the proper precautions is always better than seeking a cure after the worst has happened. Deployment of a professional incident response (IR) service provides closed-loop incident response for organizations, giving them heightened security capabilities in every phase of the attack chain.
Why Sangfor?
Sangfor Technologies is an APAC-based, global leading vendor of IT infrastructure solutions specializing in Network Security and Cloud Computing. Visit us at www.sangfor.com to learn more about Sangfor’s Security solutions, and let Sangfor make your IT simpler, more secure, and valuable.
