Garmin run into major ransomware problem

On Thursday 23rd July, hackers hit the American GPS and fitness giant Garmin with a ransomware attack which took many of their systems offline for more than 5 days. Website functions, customer support, customer-facing applications and company communications were all interrupted by the attack. This included the flyGarmin and Garmin Pilot apps, both of which suffered days-long outages. On a less impactful but more personal note, it stopped me from being able to track runs and walks over the weekend. Almost a week later, Garmin are still to return their systems to complete functionality.

What happened?

Garmin’s cloud platform Garmin Connect, which syncs user data from their wearable tech with the Garmin app, went offline. This left customers unable to sync their workouts and record them within the application.

Pilots who use Garmin products for position, navigation, and timing services in planes had their own issues. Both the flyGarmin and Garmin Pilot apps suffered long outages, which had a knock-on effect on some Garmin hardware used in planes. Pilots who use flyGarmin were unable to download up-to-date aviation databases, which aviation regulators such as the FAA require pilots to have before they can fly.

A Garmin employee told The Hacker News that the outage also affected their call centres: “we are currently unable to receive any calls, emails or online chats”.

On 27th July, Garmin released a statement confirming that they were “the victim of a cyberattack that encrypted some of our systems”. They went on to state that there is no indication any customer data, including payment information from Garmin Pay, was accessed, lost or stolen.

Several reports indicate Garmin was hit by the WastedLocker ransomware, a relatively new strain associated with the Russian hacking group Evil Corp, although this is not confirmed by Garmin, who are staying incredibly tight-lipped regarding the attack.

What is WastedLocker?

WastedLocker is a new form of ransomware which is reportedly being used in targeted attacks. The ransomware's name is derived from the filename it creates, which includes an abbreviation of the victim’s name and the string ‘wasted’.

It uses the JavaScript-based SocGholish toolset to deliver a payload by posing as a system or software update. It then elevates privileges using UAC bypass techniques and moves laterally through systems using Cobalt Strike to install ransomware on valuable systems before demanding a ransom payment.
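The naming convention described above can serve defenders as a detection signal. The following is an added example, not part of the original article or any vendor tooling: it scans file-creation events for a burst of files on one host whose extension ends in "wasted". The log format, the threshold and window values, and the "acme" abbreviation are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: the marker is the file extension, "<victim abbreviation>wasted".
WASTED_EXT = re.compile(r"\.([a-z0-9]{2,16})wasted$", re.IGNORECASE)

# Constructed sample events (ISO timestamp, host, path); not real telemetry.
SAMPLE_EVENTS = """\
2020-07-23T02:14:01 fs01 D:\\shares\\finance\\q2.xlsx.acmewasted
2020-07-23T02:14:02 fs01 D:\\shares\\finance\\q3.xlsx.acmewasted
2020-07-23T02:14:03 fs01 D:\\shares\\hr\\staff.docx.acmewasted
2020-07-23T02:14:04 fs01 D:\\shares\\hr\\notes.txt
2020-07-23T02:14:05 fs01 D:\\shares\\it\\backup.bak.acmewasted
2020-07-23T09:00:00 ws07 C:\\Users\\bob\\song_wasted.mp3
2020-07-23T09:30:00 ws07 C:\\Users\\bob\\draft.timewasted
"""

def detect_bursts(log_text, threshold=4, window=timedelta(seconds=60)):
    """Return {host: abbreviation} for hosts that create at least `threshold`
    marker files within `window`. Events are assumed to be in time order."""
    recent = defaultdict(deque)  # (host, abbreviation) -> timestamps in window
    alerts = {}
    for line in log_text.splitlines():
        parts = line.split(None, 2)  # the path may itself contain spaces
        if len(parts) != 3:
            continue  # skip malformed lines
        stamp, host, path = parts
        match = WASTED_EXT.search(path)
        if not match:
            continue
        try:
            when = datetime.fromisoformat(stamp)
        except ValueError:
            continue  # skip lines with an unparseable timestamp
        key = (host, match.group(1).lower())
        times = recent[key]
        times.append(when)
        while when - times[0] > window:
            times.popleft()  # drop events that fell out of the window
        if len(times) >= threshold and host not in alerts:
            alerts[host] = key[1]
    return alerts

if __name__ == "__main__":
    print(detect_bursts(SAMPLE_EVENTS))
```

A single matching file, such as `draft.timewasted` in the sample, stays below the threshold, so an innocent filename does not raise an alert on its own.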

Given that the ransomware attempts to go for every backup, ransom demands for affected organisations are usually expensive, ranging anywhere from €400,000 to €8,500,000. With backups potentially affected, many organisations are left feeling obligated to pay up.

It can be challenging to completely eradicate ransomware from a fully compromised network, which is why we at Secora Consulting see it as critical that all internet-facing systems are regularly patched and that mitigations are put in place to reduce the risk of spread across networks. These can include introducing air gaps and network separation, ensuring systems are effectively segmented so the attack cannot spread. It is much like the social distancing we are observing, where the virus finds it impossible to jump across and spread further.

How can we help you?

We offer a wide range of services which are tailored to your requirements. We can help you prepare for the worst-case scenario by simulating threats to your organisation.

Should you ever be on the unfortunate end of a cyberattack, our in-depth knowledge and Incident Response service will have your organisation ransomware-free and up and running in no time.

Partner with us today. Our experienced consultants will go the extra mile to ensure your organisation stays secure by:

  • Validating implemented security controls.
  • Prioritising your risks based on their exploitability and impact.
  • Providing expert and effective advice to immediately improve your cyber security posture.
  • Understanding how uncovered issues will affect your organisation, operations availability and profitability.
  • Recovering from incidents and cyber attacks.

If you have any questions, or are unsure whether the steps you are taking to help keep your organisation secure during this period are working, get in touch!

c.donnelly@secoraconsulting.com +353 1 517 6200


Our services

All of Secora Consulting's assessments are tailored to our client's needs.
Using our experience, we can help you determine which services are right for you.
We have arranged our services into four groups based on the objective of the tests.

Concerned about Ransomware?

Cybercriminals are using the Covid-19 pandemic to ramp up their ransomware attacks. Secora Consulting can help your organisation ensure your cybersecurity posture is robust.