Garmin Pays Up to Evil Corp After Ransomware Attack — Reports

garmin wastedlocker attack ransom

The ransom for the decryptor key in the WastedLocker attack could have topped $10 million, sources said.

Garmin, the GPS and aviation tech specialist, reportedly negotiated with Evil Corp for an decryption key to unlock its files in the wake of a WastedLocker ransomware attack.

The attack, which started on July 23, knocked out Garmin’s fitness-tracker services, customer-support outlets and commercial aviation offerings such as flight-plan filing, account-syncing and database-concierge capabilities. Garmin officially confirmed a cyberattack to Threatpost (and later in a web post), but declined to explain the specific cause.

However,  sources reportedly shared photos with BleepingComputer of a Garmin computer with encrypted files with the .garminwasted extension on each file’s name. That indicated that WastedLocker was the malware involved. Soon, the company’s systems started coming back online, and as of Monday Garmin said its services are now fully restored.

BleepingComputer also said it obtained a copy of the working decryptor from the Garmin IT department with a time stamp of July 25, and that the original ransom amount requested was $10 million. Sky News meanwhile reported that the device-maker paid the ransom to Evil Corp, the gang behind the ransomware, via a ransomware-negotiation business called Arete IR.

If Garmin did indeed pay the ransom, the company could be in hot water from a legal perspective. The U.S. Treasury Department in December issued sanctions against Evil Corp, which state that “U.S. persons are generally prohibited from engaging in transactions” with Evil Corp or any of its individual members.

Evil Corp’s previous schemes involved capturing banking credentials with the Dridex banking trojan and then making unauthorized electronic funds transfers from unknowing victims’ bank accounts. Money mules would then receive these stolen funds into their bank accounts, and transport the funds overseas. Multiple companies have been targeted by Dridex, costing them millions of dollars; victims included two banks, a school district, a petroleum business, building materials supply company and others.

As a result, the U.S. authorities are offering up $5 million for information leading to the arrest of Evil Corp leader Maksim V. Yakubets, 32, of Russia, who goes under the moniker “aqua.”

Garmin has declined to comment on any of the investigative findings regarding the ransom or the decryptor.

“In organizations, one method to avoid paying is to assess whether their backups are available and not corrupted or deleted by cybercriminals,” James McQuiggan, security awareness advocate at KnowB4, said via email. “It’s crucial within an organization’s cybersecurity program to have a backup policy. This policy needs to include the planning and testing of backups regularly to determine their integrity. If the backup restoration process fails, it can mean additional risk to the organization’s revenue and reputation due to the downtime. Backups are just one part of a ransomware mitigation plan. Examining the root cause of most ransomware attacks is determined either to be a phishing attack or through vulnerable and unpatched systems.”

WastedLocker: A Look Inside

Kaspersky researcher Fedor Sinitsyn, in a recent post, said that there has been an increase in the use of WastedLocker in the first half of this year. In his technical analysis, the researcher highlighted several noteworthy features in the WastedLocker ransomware.

For one, it has a command line interface that attackers can use to control the way it operates; they can specify specific directories to target, and prioritize which sets of files are encrypted first. The CLI also allows attackers to encrypt files on specified network resources.

WastedLocker also features a bypass for User Account Control (UAC) on Windows machines, which is a security check meant to prevent malicious privilege escalation. If a program seeks to elevate privileges in order to function, a pop-up prompt will ask, “Do you want to allow the following program to make changes to this computer?” Device-owners or administrators can choose yes or no; but users that have been assigned a standard user access token will be prompted to enter admin credentials.

To get around this, WastedLocker can silently elevate its privileges using a known bypass technique, Sinitsyn said: “[This] sequence of actions results in WastedLocker being relaunched from the alternate [Windows NT file system (NTFS)] stream with elevated administrative privileges without displaying the UAC prompt.”

On the crypto front, WastedLocker uses a combination of AES and a publicly available reference implementation of an RSA algorithm named “rsaref,” according to the researcher, which is also seen elsewhere with other ransomwares. Also, it applies an MD5 hash of the original content of each encrypted file, which is used during decryption to ensure the correctness of the procedure.

“For each processed file, WastedLocker generates a unique 256 bit key and a 128 bit IV which will be used to encrypt the file content using the AES-256 algorithm in CBC mode,” he explained. “The AES key, IV and the MD5 hash of the original content, as well as some auxiliary information, are encrypted with a public RSA key embedded in the trojan’s body. The sample under consideration contains a 4096-bit public RSA key.”

The result of RSA encryption is Base64 encoded and saved in a new file with the extension .garminwasted_info, he added – and unusually, a new info file is created for each of the victim’s encrypted files.

“This is a rare approach that was previously used by the BitPaymer and DoppelPaymer trojans,” Sinitsyn said. “This WastedLocker sample we analyzed is targeted and crafted specifically to be used in this particular attack. It uses a ‘classic’ AES+RSA cryptographic scheme which is strong and properly implemented, and therefore the files encrypted by this sample cannot be decrypted without the threat actors’ private RSA key.”

To prevent ransomware attacks, users should maintain up-to-date OS and application versions; prevent Remote Desktop Protocol access via the internet and improve end-user awareness of these kinds of threats, he concluded, echoing McQuiggan.

“The Garmin incident is the next in a series of targeted attacks on large organizations involving crypto-ransomware,” Sinitsyn said. “Unfortunately, there is no reason to believe that this trend will decline in the near future.”

Complimentary Threatpost Webinar: Want to learn more about Confidential Computing and how it can supercharge your cloud security? This webinar “Cloud Security Audit: A Confidential Computing Roundtable” brings top cloud-security experts from Microsoft and Fortanix together to explore how Confidential Computing is a game changer for securing dynamic cloud data and preventing IP exposure. Join us  Wednesday Aug. 12 at 2pm ET for this FREE live webinar with Dr. David Thaler, software architect, Microsoft and Dr Richard Searle, security architect, Fortanix – both with the Confidential Computing Consortium. Register Now.

Suggested articles

Ransomware in 2020: A Banner Year for Extortion

From attacks on the UVM Health Network that delayed chemotherapy appointments, to ones on public schools that delayed students going back to the classroom, ransomware gangs disrupted organizations to inordinate levels in 2020.