2020 Aug 18;2020(8):1–3. doi: 10.1016/S1361-3723(20)30079-8

Garmin among hardest hit in major wave of ransomware attacks

PMCID: PMC7434302

Abstract

Garmin, a major manufacturer of GPS systems, fitness trackers and other products, has been severely affected by a ransomware attack. Meanwhile, new forms of ransomware have emerged, including malware originating from North Korea.


Garmin Connect and other services were hit on July 23. Initially, the company remained silent on the cause, just posting that sites were down for ‘maintenance’. It was four days before some services started to be restored, although its aviation services – flyGarmin and Garmin Pilot Apps – were the slowest to come back online.

Eventually it emerged that the firm had been hit with the WastedLocker ransomware used by Evil Corp (aka the Dridex gang), a cybercrime group based in Russia and active since at least 2007. The IT department attempted to remotely shut down all devices on the network – including PCs being used by staff working from home. A knock-on effect was that the company's factories in Taiwan had to stop production, because they could no longer access networks and databases.

WastedLocker is customised for each target and known to use memory management features in Windows to avoid detection by anti-malware products. The encrypted data on each machine was stored in files with the .garminwasted extension.

“If this gang has found an entrance into your network it will be impossible to stop them from encrypting at least part of your files,” commented Malwarebytes researcher Pieter Arntz. “The only thing that can help you salvage your files in such a case is if you have either roll-back technology or a form of off-line back-ups. With online or otherwise connected back-ups you run the chance of your back-up files being encrypted as well, which makes the whole point of having them moot.”

Evil Corp was sanctioned by the US Treasury Department in 2019 after its use of the Dridex ransomware caused an estimated $100m in damages. Paying a ransom to the group would be in breach of these sanctions.

The attackers demanded a ransom of $10m. According to Bleeping Computer, Garmin received a decryption key, suggesting that the ransom was paid. Where this leaves Garmin legally, with respect to the sanctions, is not yet clear. There's more on the decryptor here: https://bit.ly/33pmX8h.

It has only recently emerged that Blackbaud, a US firm that offers hosting and cloud-based solutions such as CRM, was the victim of ransomware back in May. It wasn't until July that the firm issued a statement about the attack which, it claimed, had been detected and shut down quickly.

Blackbaud is used mainly by non-profit organisations, educational institutions and healthcare organisations. Among the earliest organisations to be affected were universities and the National Trust in the UK.

It subsequently emerged, during an earnings call by the company, that the attackers had managed to exfiltrate some data. No financial data was taken, said the company, but personal information was among the haul. Later still, it was discovered that Blackbaud had paid the ransom on the basis that the criminals would destroy their copies of the information.

The Lazarus hacking group – a nation-state group in North Korea – has developed a new strain of virtual hard disk (VHD) ransomware that it is actively using against enterprise targets. It uses the MATA framework, which has been around since 2018, to launch attacks designed to steal customer databases and distribute ransomware.

According to a report from Kaspersky: “Functionally, VHD is a fairly standard ransomware tool. It creeps through the drives connected to a victim's computer, encrypts files and deletes all System Volume Information folders (thereby sabotaging System Restore attempts in Windows). What's more, it can suspend processes that could potentially protect important files from modification (such as Microsoft Exchange or SQL Server).”
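The behaviours in the Kaspersky description above (files encrypted drive by drive, System Volume Information folders deleted, processes such as SQL Server or Exchange suspended), together with the .garminwasted extension mentioned earlier, are the kind of endpoint signals a defender can alert on before the encryption run completes. The following is an added example, not code from the article, Kaspersky or Malwarebytes: a small Python triage that parses constructed endpoint-event lines and raises a finding for each of those three behaviours. The event format, host names, sample paths and the watch-list of process names are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample endpoint events for this example (not real telemetry).
# One event per line: "<ISO timestamp> <host> <event kind> <detail>".
SAMPLE_EVENTS = r"""
2020-07-23T02:14:01 ws-017 FILE_RENAME C:\Users\a\Documents\q3.xlsx -> C:\Users\a\Documents\q3.xlsx.garminwasted
2020-07-23T02:14:02 ws-017 FILE_RENAME C:\Users\a\Documents\plan.docx -> C:\Users\a\Documents\plan.docx.garminwasted
2020-07-23T02:14:02 ws-017 FILE_RENAME C:\Users\a\Pictures\holiday1.jpg -> C:\Users\a\Pictures\holiday1.jpg.garminwasted
2020-07-23T02:14:03 ws-017 FILE_RENAME C:\Users\a\Pictures\holiday2.jpg -> C:\Users\a\Pictures\holiday2.jpg.garminwasted
2020-07-23T02:14:03 ws-017 FILE_RENAME C:\Users\a\Desktop\notes.txt -> C:\Users\a\Desktop\notes.txt.garminwasted
2020-07-23T02:15:10 srv-db1 PROC_TERMINATE sqlservr.exe
2020-07-23T02:15:11 srv-db1 DIR_DELETE D:\System Volume Information
2020-07-23T09:30:00 ws-042 FILE_RENAME C:\Users\b\draft.docx -> C:\Users\b\final.docx
2020-07-23T09:31:00 ws-042 PROC_TERMINATE notepad.exe
"""

EVENT_RE = re.compile(r"^(\S+) (\S+) (FILE_RENAME|DIR_DELETE|PROC_TERMINATE) (.*)$")

# Illustrative watch-list of processes that hold important files open; extend
# for your own estate (assumption for the example, not an exhaustive list).
PROTECTED_PROCESSES = {"sqlservr.exe", "microsoft.exchange.store.worker.exe"}


def parse_events(text):
    """Turn the constructed log text into a list of event dicts; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ts, host, kind, detail = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, "detail": detail})
    return events


def _extension(path):
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_rename_burst(events, threshold=5, window=timedelta(seconds=60)):
    """Flag a host on which >= threshold files gained the same new extension inside `window`."""
    stamps_by_key = defaultdict(list)  # (host, new extension) -> timestamps
    for e in events:
        if e["kind"] != "FILE_RENAME" or " -> " not in e["detail"]:
            continue
        old, new = e["detail"].split(" -> ", 1)
        new_ext = _extension(new)
        if not new_ext or new_ext == _extension(old):
            continue  # ordinary rename that keeps the file type
        stamps_by_key[(e["host"], new_ext)].append(e["ts"])
    findings = []
    for (host, ext), stamps in stamps_by_key.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                findings.append({"host": host, "rule": "mass_rename_to_new_extension",
                                 "detail": f"{len(stamps)} files renamed to .{ext}"})
                break  # one finding per host/extension is enough
    return findings


def detect_svi_deletion(events):
    """Flag deletion of a 'System Volume Information' folder (sabotages System Restore)."""
    return [{"host": e["host"], "rule": "system_volume_information_deleted", "detail": e["detail"]}
            for e in events
            if e["kind"] == "DIR_DELETE"
            and e["detail"].rstrip("\\/").lower().endswith("system volume information")]


def detect_protected_process_kill(events):
    """Flag termination of processes that normally keep databases/mailboxes locked."""
    return [{"host": e["host"], "rule": "protected_process_terminated", "detail": e["detail"]}
            for e in events
            if e["kind"] == "PROC_TERMINATE" and e["detail"].lower() in PROTECTED_PROCESSES]


def run_detections(text, threshold=5, window_seconds=60):
    events = parse_events(text)
    return (detect_rename_burst(events, threshold, timedelta(seconds=window_seconds))
            + detect_svi_deletion(events)
            + detect_protected_process_kill(events))


if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f"{f['host']:8} {f['rule']:36} {f['detail']}")
```

On the sample data the script raises three findings (the rename burst on ws-017, and the SQL Server termination plus System Volume Information deletion on srv-db1) and stays silent for the ordinary rename and notepad termination on ws-042. The threshold and window are deliberately parameters: a document conversion job can legitimately rename many files, so in production the values are tuned per host class, and the three rules are far stronger in combination than alone.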

Kaspersky analysed two major attacks and attributed them to the Lazarus group based on the tools and tactics employed. It's not particularly sophisticated malware – it apparently took 10 hours to fully infect one target's network and uses weak cryptographic methods. But it does suggest that North Korea is once again attempting to raise funds via cybercrime.

“We have known that Lazarus has always been focused on financial gain: however, since WannaCry we had not really seen any engagement with ransomware,” said Ivan Kwiatkowski, senior security researcher at Kaspersky. “While it is obvious that the group cannot match the efficiency of other cyber criminal gangs with this hit-and-run approach to targeted ransomware, the fact that it has turned to such types of attacks is worrisome.”

There's more information here: https://bit.ly/3a9t95L.

Meanwhile, the FBI has issued an urgent warning about a surge in activity of Netwalker ransomware, which is being used to target government bodies and major organisations in the US and beyond. Attacks – many of them using Covid-19 themes as lures – began in June when the Netwalker operators successfully encrypted systems at UCSF School of Medicine, the Australian transportation and logistics company Toll Group and Lorien Health Services.

There's more information here: https://bit.ly/2DAQRvq.


Articles from Computer Fraud & Security are provided here courtesy of Elsevier