On July 23, 2020, GPS device and fitness watch manufacturer Garmin was forced to shut down several of its services worldwide due to a ransomware attack on its internal network and client-facing production systems. We dive into the company's decision to pay its attackers, what this means for other organizations similarly targeted by WastedLocker, and what steps they can take to avoid a similar situation.
While the details of Garmin's backup policies and retention practices were not disclosed, Garmin's devices, website and call centers were all out of action for over 48 hours. To contain the damage, Garmin's IT department shut down access to all connected devices across the internal network.
Garmin publicly apologized to its customers and explained the outage on their Twitter account and company website:
“We’re sorry. We are currently experiencing an outage that affects Garmin.com and Garmin Connect. This outage also affects our call centers, and we are currently unable to receive any calls, emails or online chats. We are working to resolve this issue as quickly as possible and apologize for this inconvenience.”
The outage of the Garmin Connect service left users unable to synchronize the sporting activities recorded on their fitness watches. flyGarmin, the service used by aircraft pilots for navigation, was also affected by the ransomware attack. This prevented pilots from downloading the current version of the navigation database, which the Federal Aviation Administration requires, and could therefore have affected their ability to fly, possibly forcing those relying on flyGarmin to ground their aircraft. Fortunately, on Monday July 27, 2020, flyGarmin came back online.
On July 28, 2020, Garmin announced that there was no indication of customer data having been accessed or exfiltrated during the attack, which it attributed to WastedLocker. Exfiltration is a growing concern, as it is used to increase the pressure on victims to pay the ransom and avoid the public release of their data. Based on our experience with the variant, and in line with findings by industry peers, we can confirm that WastedLocker does not typically exfiltrate victim data prior to encryption. WastedLocker encrypted many of Garmin's files, appending the .garminwasted extension, and left the company unable to access its data unless it paid the reported $10 million ransom demand or restored from backups.
While the attack on Garmin is one of the highest-profile attacks this year, what makes it unique is the decision by Garmin, its cyber insurer and/or its Digital Forensics & Incident Response (DFIR) partner to facilitate a ransom payment in order to obtain the decryption key. Our own proprietary intelligence, together with that of industry partners, adds to the mounting credible evidence that the WastedLocker ransomware group is closely associated with Evil Corp, a group assessed to be nation-state sponsored and sanctioned by the U.S. Treasury Department's Office of Foreign Assets Control (OFAC). According to an article on the attack published by Bleeping Computer, Evil Corp is "best known for their distribution of the Dridex banking and downloader trojan".
The OFAC sanction against Evil Corp is part of a sweeping action against one of the world’s most prolific cybercriminal organizations. “This coordinated action is intended to disrupt the massive phishing campaigns orchestrated by this Russian-based hacker group,” Steven T. Mnuchin, Secretary of the Treasury, is quoted as saying in the Treasury’s press release announcing the sanctions. “OFAC’s action is part of a multiyear effort with key NATO allies, including the United Kingdom. Our goal is to shut down Evil Corp, target the “money mule” network used to transfer stolen funds, and ultimately to protect our citizens from the group’s criminal activities.”
Because the WastedLocker ransomware group is suspected of being associated with Evil Corp and Russian intelligence, American businesses are left with only one option for mitigating the impact of a WastedLocker attack: a viable backup practice. With incident response stakeholders choosing to err on the side of caution and withhold ransom payments, a business that can neither purchase a decryption key nor restore from backups may find its very existence jeopardized.
Kivu has contacted OFAC for guidance on this issue. While OFAC could not give official guidance on the connection between Evil Corp and WastedLocker, it provided a clear warning that "U.S. persons are prohibited from interacting with the entity either directly or indirectly." Given the body of evidence supporting the connection between Evil Corp and WastedLocker, knowingly making a payment to or engaging with the WastedLocker attacker, whether directly or indirectly, may carry civil and criminal penalties. Fundamentally, funding state-sponsored cyber criminals weakens American national security efforts.
Kivu recommends that before any entity pays or funds a ransom to an attacker, the entity or its insurance carrier confirms that the DFIR service provider facilitating the payment is a U.S. Treasury registered Money Service Business (MSB). Responding to a ransomware incident with an MSB ensures that proper due diligence on the attacker is conducted, because MSBs are legally required to provide evidence of their sanctions checks to the Treasury. An MSB would have flagged the WastedLocker variant and advised against making the payment, as Kivu has done for its clients.
Kivu would further recommend engaging a DFIR firm with a strong recovery team, in order to restore systems rapidly from backups and/or other restoration methods. Deploying recovery specialists reduces overall business interruption (BI) by restoring core functionality quickly. Specialist teams can also apply risk management tactics that dramatically reduce the risk of reinfection.
In terms of preparedness, this case once again highlights that backups are of vital importance to any organization's information security and operational risk framework. Threat actors actively seek out backups for destruction because this often forces organizations into either accepting data loss or paying the ransom. It is equally important to protect your backup credentials and limit access to them so that a threat actor who has compromised production cannot also destroy your safety net. Kivu highly recommends following the 3-2-1 system for backups:
- At a minimum, you should have three copies of your data, one for production and two backup copies.
- Your backup should be on two or more pieces of equipment or media.
- Finally, one copy needs to be kept completely offline (unreachable from the production network) so that there is no way for a remote threat actor to alter or delete your backups.
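The checks above, along with the credential-separation point made earlier, can be turned into a simple audit of a backup inventory. The following is an added example written for this page, not code from Kivu or from any backup product; the `Copy` inventory format and the sample inventories are assumptions constructed for the illustration.

```python
# Added example: a checker for the 3-2-1 backup rule described above.
# The inventory format (the Copy dataclass) is an assumption for this
# example, not a format from the article or from any vendor tool.
from dataclasses import dataclass


@dataclass(frozen=True)
class Copy:
    name: str
    role: str                   # "production" or "backup"
    medium: str                 # e.g. "local-disk", "nas", "tape", "object-storage"
    offline: bool               # True if unreachable from the production network
    separate_credentials: bool  # True if protected by credentials distinct from production


def check_321(copies):
    """Evaluate an inventory against 3-2-1 and return a list of findings.

    An empty list means every check passed.
    """
    findings = []
    production = [c for c in copies if c.role == "production"]
    backups = [c for c in copies if c.role == "backup"]

    # "3": a production copy plus at least two backup copies.
    if not production:
        findings.append("no production copy recorded")
    if len(backups) < 2:
        findings.append(f"{len(backups)} backup copies found, need at least 2")

    # "2": copies spread across at least two distinct media.
    media = {c.medium for c in copies}
    if len(media) < 2:
        findings.append("all copies on a single medium, need at least 2")

    # "1": at least one backup that a remote attacker on the network cannot reach.
    if not any(c.offline for c in backups):
        findings.append("no offline backup copy")

    # Credential hygiene: a backup reachable with production credentials
    # is destroyed along with production once those credentials are stolen.
    for c in backups:
        if not c.separate_credentials:
            findings.append(f"backup '{c.name}' shares credentials with production")

    return findings


# Constructed sample inventories (not real infrastructure).
GOOD_INVENTORY = [
    Copy("prod-fileserver", "production", "local-disk", offline=False, separate_credentials=False),
    Copy("nas-nightly", "backup", "nas", offline=False, separate_credentials=True),
    Copy("tape-weekly", "backup", "tape", offline=True, separate_credentials=True),
]

BAD_INVENTORY = [
    Copy("prod-fileserver", "production", "local-disk", offline=False, separate_credentials=False),
    Copy("nas-nightly", "backup", "nas", offline=False, separate_credentials=False),
]


if __name__ == "__main__":
    for label, inventory in (("good", GOOD_INVENTORY), ("bad", BAD_INVENTORY)):
        print(label, check_321(inventory) or "OK")
```

The second inventory is the shape that leaves an organization exposed in a WastedLocker-style incident: a single network-attached backup, reachable with the same credentials the attacker already holds, and no offline copy to fall back on.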