Crypto-ransomware in action: A closer look at the WastedLocker hijack of Garmin

This high-profile incident is the latest in a growing number of targeted ransomware attacks against large organizations

  

On July 23, Garmin, the popular fitness and GPS technology company, was the victim of a crypto-ransomware attack that forced the company’s most popular services offline for three days while its internal network and production systems were encrypted and held for a $10 million ransom. This high-profile incident is the latest in a growing number of targeted ransomware attacks against large organizations.

Garmin was attacked by the Trojan WastedLocker—ransomware that has become noticeably more active since the first half of this year. This particular version was designed to specifically target Garmin and contains several unusual technical aspects.

The first is its User Access Control (UAC) bypass technique. Once launched on a compromised device, the Trojan checks whether it has high enough privileges. If not, it will attempt to silently elevate its privileges by tricking a legitimate system binary into launching the Trojan’s body hidden in an alternate NTFS stream.

In addition, the sample of WastedLocker analyzed from the Garmin attack used a single public RSA key—the type of key used to encrypt the files. This would be somewhat of a weakness if the malware were to be massively distributed. The decryptor would only have to contain the one private RSA key to decrypt everyone’s files. However, if the campaign is targeted—as it clearly was in this case—a single RSA key is an effective approach. 

“This incident only highlights that there is a growing trend of targeted crypto-ransomware attacks against large corporations—in contrast to the more widespread and popular ransomware campaigns of the past, like WannaCry and NotPetya. While there are fewer victims, these targeted attacks are typically more sophisticated and destructive. And there is no evidence to suggest that they will decline in the near future. Therefore, it’s critical that organizations stay on alert and take steps to protect themselves,” comments Fedor Sinitsyn, security expert at Kaspersky.

Read more about the WastedLocker attack on Garmin on Securelist. 

To reduce the risk of being exposed to WastedLocker and other ransomware, Kaspersky experts have the following recommendations:

  • Use up-to-date versions of OS and applications
  • Use a VPN to secure remote access to company resources  
  • Use a modern endpoint security solution, such as Kaspersky Endpoint Security for Business with behavior detection support and remediation engine allowing automatic file rollback, and a number of other technologies to stay protected from ransomware 
  • Improve employees’ cybersecurity education. Kaspersky Security Awareness offers computer-based training products that combine expertise in cybersecurity with best-practice educational techniques and technologies 
  • Use a reliable data backup scheme or solution

About Kaspersky
Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 250,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com

Send us your press releases to pressrelease.zawya@refinitiv.com

© Press Release 2020

Disclaimer: The contents of this press release was provided from an external third party provider. This website is not responsible for, and does not control, such external content. This content is provided on an “as is” and “as available” basis and has not been edited in any way. Neither this website nor our affiliates guarantee the accuracy of or endorse the views or opinions expressed in this press release.

The press release is provided for informational purposes only. The content does not provide tax, legal or investment advice or opinion regarding the suitability, value or profitability of any particular security, portfolio or investment strategy. Neither this website nor our affiliates shall be liable for any errors or inaccuracies in the content, or for any actions taken by you in reliance thereon. You expressly agree that your use of the information within this article is at your sole risk.

To the fullest extent permitted by applicable law, this website, its parent company, its subsidiaries, its affiliates and the respective shareholders, directors, officers, employees, agents, advertisers, content providers and licensors will not be liable (jointly or severally) to you for any direct, indirect, consequential, special, incidental, punitive or exemplary damages, including without limitation, lost profits, lost savings and lost revenues, whether in negligence, tort, contract or any other theory of liability, even if the parties have been advised of the possibility or could have foreseen any such damages.


More From Press Releases