An interesting ransomware case affected one of our co-workers recently as he went hiking in the Rocky Mountains. This being that his Garmin GPS was out of commission as he was trying to navigate himself through the wilderness. The good thing is that he was not in a life and death situation and lost somewhere in the forrest. The bad thing is that he was left with no mapping capabilities and did find himself trekking somewhat blindly during several sections of his hike.
Unfortunately, our co-worker was one of millions of customers globally in this situation as GPS titan Garmin’s website, customer support, apps and communications were all taken out by a massive ransomware attack in late July 2020. This ransomware, which was finally admitted by the company after days of nebulous statements, locked users out of their GPS services and disrupted a wide variety of Garmin GPS-based systems, along with causing Garmin an untold amount of reputational damage. This is due to what many perceive to be mismanagement of the initial crisis response by the company.
According to an SEC report that the company filed in December of 2019, Garmin officials provided some insight into just how damaging a cyberattack would be to the company as it has transitioned from a simple GPS navigation company to a health and fitness tracking organization. It collects, stores, processes and uses a wide variety of personal user information such as names, addresses, phone numbers, email addresses, payment accounts, height, weight, age, gender, heart rates, sleeping patterns, GPS locations and other activities. Any of this information, if it were to be leaked, could cause a ton of headaches for the company as users lose confidence in Garmin’s ability to safeguard their confidential data.
In this case, security experts have confirmed that the WastedLocker ransomware was to blame for the attack. This ransomware is a new variety that is operated by a hacker group known as Evil Corp. The only positive news about the usage of this particular piece of ransomware is that it does not yet appear to have the capability to steal or exfiltrate the data before it encrypts the victim’s files (unlike even newer ransomware strains). This seems to be the case as Garmin put out a statement saying that it had “no indication that this outage has affected your data, including activity, payment or other personal information”. In some cases, companies that have backups can sometimes get away without paying the demanded ransom. However, those who do not have adequate backups have often faced ransom demands as high as $10MM. With this uptick in ransom demands, it will not be surprising if other big companies are targeted in the near future as well. Unlike smaller organizations who do not have the resources to pay high ransoms, bigger companies are often well-insured and can pay a lot more.
As Garmin’s services start coming back online, there is speculation that the company ended up having to give in to ransom demands in order to get their services back as quickly as they have been able to. The interesting thing is that the U.S. Treasury department imposed sanctions on Evil Corp for their involvement in a decades-long hacking campaign against a variety of large global corporations and other U.S. interest. As a result, it is nearly impossible for U.S.-based companies to pay ransoms to this hacker organization as they are generally prohibited from transacting with sanctioned groups. This sets up a legal minefield for any company that considers paying a ransom to Evil Corp as a result of the WastedLocker ransomware. In this respect, guess are that Garmin somehow did pay a ransom and may face some Treasury department sanctions in the near future.
Getting back to the underlying point of this story is that ransomware is certainly becoming a huge thorn in the side of corporations around the world. It is causing companies grief in terms of lost revenues from service disruptions, losses to reputation, potential data breaches, as well as losses from having to pay ransoms. The thing is that ransomware attacks such as these could be easily prevented through the use of Detect and Block solution such as the Wedge Absolute Real-time Protection (WedgeARP) platform. Through a combination of patented Deep Content Inspection, orchestrated threat management and deep learning / machine learning, WedgeARP is able to stop all malware (including known, never-before-seen, APTs and zero-days) in real-time, BEFORE they can enter the network. If companies such as Garmin were to embrace the proactive Detect and Block approach to network security with a solution such as provided by Wedge, this attack could have been stopped before any damage could occur. To find out more about WedgeARP and the Detect and Block approach, contact our team at: info@wedgenetworks.com.
