A ransomware attack that took the GPS and smartwatch business Garmin entirely offline for more than three days is believed to have been carried out by a Russian cybercriminal gang which calls itself “Evil Corp”.
Garmin began to restore services to customers on Monday morning, after being held hostage for a reported ransom of $10m, although some services were still operating with limited functionality.
The hack is thought to be just the latest in a long string of attacks on American companies that have earned the cybercriminals’ alleged leader, Maksim Viktorovich Yakubets, 33, a $5m bounty on his head from the FBI. That reward is the highest ever offered for a cybercriminal.
Unlike those behind some previous high-profile ransomware outbreaks, such as the notorious WannaCry and NotPetya campaigns of 2017, Evil Corp has historically been very focused in how it picks and attacks its targets. Rather than going after end users and small businesses, who may be easy to trick into opening a malicious email attachment but unlikely to pay significant ransoms for their data, the organisation has instead deployed a mixture of technical prowess and social engineering to attack sizeable targets such as banks, media organisations and now technology companies.
Ransomware is the most common form of criminal malware currently in use. Targets are commonly infected through malicious emails, which may trick them into downloading and running the software, or through exploiting vulnerabilities in other software such as Adobe Flash. When the ransomware program is activated, it encrypts the user’s hard drive with a single-use encryption key, before flashing up a message asking for a ransom, typically in the form of a payment in the cryptocurrency Bitcoin.
Usually, although not always, paying the ransom really does restore access to the encrypted files, which means that many businesses and organisations have found themselves funding the criminal outfits that launch ransomware attacks. Even organisations that regularly back up their data have been known to pay the ransom, since the time required to fully restore a large and complicated network from a back-up can be many days, during which no business can be done.
WannaCry, one of the most famous pieces of ransomware, managed to freeze much of the NHS in May 2017. The malware made use of a vulnerability in Microsoft’s Windows operating system to spread automatically between computers, allowing it to rapidly traverse the globe. The attack was launched by a cybercrime group dubbed Lazarus by researchers, which is believed to be a state-backed outfit run by the North Korean government.
Most ransomware attacks are very different from WannaCry, involving highly targeted infections of big targets who are likely to pay a high ransom to receive their data back in good time.
Garmin was the latest victim of Evil Corp’s ransomware, dubbed WastedLocker by researchers at cybersecurity firm NCC. The malware, first seen in the wild in May this year, is deployed in a “selective” manner by the outfit, says NCC’s Stefano Antenucci. “Typically, they hit file servers, database services, virtual machines and cloud environments.
“Of course, these choices will also be heavily influenced by what we may term their ‘business model’ – which also means they should be able to disable or disrupt backup applications and related infrastructure. This increases the time for recovery for the victim, or, in some cases, due to unavailability of offline or offsite backups, prevents the ability to recover at all.”
Whereas WannaCry and NotPetya used vulnerabilities in Microsoft Windows to automatically infect new computers, WastedLocker is spread in a more targeted manner. While it is not yet known how Garmin fell prey to the ransomware in early July, researchers in the threat intelligence team of cybersecurity firm Symantec identified one possible route: hijacked newspaper websites.
A US publisher had been attacked by Evil Corp and was unknowingly hosting malware on its newspaper websites, according to Symantec. That malware was used to infect selected visitors with a second set of software that gave the Evil Corp attackers a route to install WastedLocker and hold the company to ransom.
While Symantec declined to name either the publisher, the newspapers or victims, the company said that the attack had hit at least 31 organisations to date, “including many household names. Aside from a number of large private companies, there were 11 listed companies, eight of which are Fortune 500 companies. All but one of the targeted organisations are US-owned, with the exception being a US-based subsidiary of an overseas multinational”.
Writing almost a month before the Garmin outage, Symantec warned: “The attackers behind this threat appear to be skilled and experienced, capable of penetrating some of the most well protected corporations, stealing credentials, and moving with ease across their networks. As such, WastedLocker is a highly dangerous piece of ransomware. A successful attack could cripple the victim’s network, leading to significant disruption to their operations and a costly clean-up operation.”
However Evil Corp installed WastedLocker on Garmin’s systems, the ransomware’s next step was the same: it charged through the most sensitive parts of the company’s network and encrypted essential files, before demanding a ransom in exchange for the decryption key.
Although Garmin would not confirm the level of the requested ransom, it is believed to be around $10m, according to a source quoted by the industry site Bleeping Computer.
By Monday morning, Garmin had succeeded in restoring many services, according to a status dashboard it published. But Garmin Connect, which allows users to upload data from fitness trackers to Garmin and on to other services such as Strava, is operating with “limited functionality”: many uploads are “queued” or “delayed”, including Strava integration itself.
Even before WastedLocker, Evil Corp had become one of the most notorious cybercrime groups operating today. In December 2019, the US government took action against the organisation over its “Dridex” campaign, which used malware to harvest login credentials from banks and led to the theft of more than $100m. The campaign led to the American Department of Justice criminally charging two of the group’s members and the Department of State offering a $5m reward for information that helps capture or convict Yakubets.