If you run or bike, you have probably heard about the Garmin ransomware attack, which took down its website, disrupted customer support, disabled apps, and paused communications late on July 22nd. Garmin is known for producing boat radars, GPS systems, and smart fitness watches. Many bikers and runners use their fitness watches to track their exercise for the day, recording calories, steps, distance, and the entire route taken during a session. One week later, some Garmin systems are still down, leading to frustration for those using Garmin Connect applications with their devices.
A hacker gang by the name of EvilCorp, operating out of Russia, breached the internal network and encrypted the company’s servers. The attack led to a five-day outage that has now become a seven-day outage. Additionally, many users fear that their personal details, such as geolocation history, may have been stolen from Garmin’s servers. Stealing critical data and threatening to release it online is becoming commonplace in ransomware attacks in 2020, because it gives the hacker additional leverage to extort a ransom payment by threatening the confidentiality of the stolen data.
Experts are concerned about Garmin’s security practices, as Garmin has stated they “obtained the decryption key to recover the files”. This would indicate that either the company could not restore its files from backup effectively to thwart the encryption event, or the hackers had critical data they threatened to release publicly, which Garmin could not allow to happen. In either case, it appears they have paid the ransom. This high-profile event will encourage many more attacks on companies due to the ransom being paid.
Due to the nature of the attack, it’s likely that it was carried out through social engineering techniques. Social engineering is when a hacker uses psychological manipulation to have users perform specific actions. Those actions often lead to the compromise or theft of critical and sensitive data. Social engineering attacks are often deployed in the form of phishing attacks, where hackers trick users into taking some action. For example, the user may open a malicious file attachment that compromises their computer. The user may click a link to a fake website where they give their login credentials to the hacker, compromising that account. Finally, it’s often as innocuous as a conversation with someone they think is the CEO/CFO/CTO of their company but is in fact the hacker. In all three cases, the hacker parlays the user’s action into a major security breach such as a ransomware attack.
The best way to defend against most cybersecurity threats is to educate your staff and clients to improve their awareness. Lucy Security CEO, Colin Bastable, commented on the Garmin attack, saying, “All the security technology in the world is not going to protect against determined attackers. 97% of losses stem from socially-engineered attacks and over 90% are initiated by email.” With these statistics in mind, the first step in securing your business should be obvious: train your users.
Ransomware attacks are growing in popularity, as organizations often pay out the ransom. As long as businesses keep paying, hackers will keep deploying these attacks. CyberHoot helps organizations educate their staff and reduce the likelihood of becoming a victim of a ransomware attack. To further prevent these ransomware attacks, take these actions to protect your business and reduce the chances of falling victim to this all-too-common attack vector:
Sources: TheHackerNews, TechRepublic, ZDNet
Many cybersecurity experts conclude that the ransomware attack was deployed through the malware “WastedLocker”. According to experts at SentinelOne, WastedLocker is a relatively new ransomware family that has been active for the last few months and has been attacking high-value targets across numerous industries. WastedLocker uses the JavaScript-based “SocGholish” toolset to deliver the ransomware payload by masquerading as system or software updates, exploits UAC bypass techniques to elevate privileges, and leverages Cobalt Strike for lateral movement.
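A defender-side illustration of the delivery step described above (an added example, not from the original article or the sources it cites): it scores process-creation events for a Windows script host running an update-themed .js file. The event format, host names, keyword list, path hints and threshold are assumptions constructed for the example.

```python
import re
from pathlib import PureWindowsPath

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# File name of a .js/.jse argument (names containing spaces are not handled).
SCRIPT_ARG = re.compile(r'([^\\/"\s]+\.jse?)(?=["\s]|$)', re.I)
LURE = re.compile(r"update|upgrade", re.I)  # assumed lure keywords
USER_PATH = re.compile(r"\\(temp|downloads)\\|\.zip\\", re.I)  # assumed hints

# Constructed process-creation events, not taken from any real incident.
SAMPLE_EVENTS = [
    {"host": "ws-014",
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\amy\AppData\Local\Temp\Temp1_Chrome.Update.zip\Chrome.Update.js"'},
    {"host": "ws-027", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\bob\Downloads\AutoUpdater.js"},
    {"host": "srv-003", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe //nologo C:\Scripts\inventory.js"},
    {"host": "ws-014",
     "parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\amy\Downloads\readme.txt"},
]

def signals(ev):
    """Return (script_name, reasons) for a script-host event, else (None, [])."""
    if PureWindowsPath(ev["image"]).name.lower() not in SCRIPT_HOSTS:
        return None, []
    m = SCRIPT_ARG.search(ev["cmdline"])
    if not m:
        return None, []
    reasons = []
    if PureWindowsPath(ev["parent"]).name.lower() in BROWSERS:
        reasons.append("browser_parent")
    if LURE.search(m.group(1)):
        reasons.append("update_lure_name")
    if USER_PATH.search(ev["cmdline"]):
        reasons.append("user_writable_path")
    return m.group(1), reasons

def find_suspects(events, threshold=2):
    """Flag script-host events that carry at least `threshold` signals."""
    scored = [(ev["host"], *signals(ev)) for ev in events]
    return [(h, s, r) for h, s, r in scored if s and len(r) >= threshold]

if __name__ == "__main__":
    for hit in find_suspects(SAMPLE_EVENTS):
        print(hit)
```

An alert from a check like this is a triage lead, not a verdict: legitimate administrative scripts can match, so tune the keyword list and threshold against your own baseline.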
Additional Reading: Major Twitter Accounts Hacked
https://youtube.com/watch?v=N01cc-6tSwo