Crypto-ransomware in action: a closer look at the WastedLocker hijack of Garmin
August 2020 by Kaspersky
On July 23, Garmin, the popular fitness and GPS technology company, was the victim of a crypto-ransomware attack that forced the company’s most popular services offline for three days while its internal network and production systems were encrypted and held for a $10 million ransom. This high-profile incident is the latest in a growing number of targeted ransomware attacks against large organizations.
Garmin was attacked by the Trojan WastedLocker—ransomware that has become noticeably more active since the first half of this year. This particular version was designed to specifically target Garmin and contains several unusual technical aspects.
The first is its User Account Control (UAC) bypass technique. Once launched on a compromised device, the Trojan checks whether it already has high enough privileges. If not, it attempts to silently elevate them by tricking a legitimate system binary into launching the Trojan’s body, which it has hidden in an alternate NTFS data stream.
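A defender-side check for the alternate-data-stream trick described above, added here as an illustration and not part of Kaspersky’s report: it walks a directory tree, lists every non-default NTFS stream attached to each file, and flags streams whose first two bytes are the ‘MZ’ header of a Windows executable. The $Path and $MinBytes parameters, and the choice of threshold, are assumptions made for this example.

```powershell
# Added example (not from the Kaspersky report): find PE executables hidden in
# alternate NTFS data streams. $Path and $MinBytes are assumed parameters.
param(
    [string]$Path = 'C:\Users',
    [int]$MinBytes = 1024   # skip tiny marker streams such as Zone.Identifier
)

# Windows PowerShell 5.1 reads raw bytes with -Encoding Byte; PowerShell 7+ uses -AsByteStream.
$byteArgs = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } }
            else { @{ Encoding = 'Byte' } }

Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
  ForEach-Object {
    $file = $_
    # -Stream * lists every stream; ':$DATA' is the ordinary file content and is skipped.
    Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
      Where-Object { $_.Stream -ne ':$DATA' -and $_.Length -ge $MinBytes } |
      ForEach-Object {
        $stream = $_
        # Read only the first two bytes of the stream and compare with the PE 'MZ' magic.
        $head = Get-Content -LiteralPath $file.FullName -Stream $stream.Stream `
                            -TotalCount 2 @byteArgs -ErrorAction SilentlyContinue
        $isPE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
        [pscustomobject]@{
            File        = $file.FullName
            Stream      = $stream.Stream
            Bytes       = $stream.Length
            LooksLikePE = $isPE
        }
      }
  } |
  Where-Object { $_.LooksLikePE } |
  Format-Table -AutoSize
```

Any hit is worth a closer look, since legitimate software rarely stores executables in alternate streams; drop the final `Where-Object` filter to list every non-default stream regardless of content.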
In addition, the sample of WastedLocker analyzed from the Garmin attack used a single public RSA key, the key used to encrypt the files. This would be a weakness if the malware were distributed at scale: a decryptor would need to contain only the one corresponding private RSA key to unlock every victim’s files. However, when the campaign is targeted—as it clearly was in this case—a single RSA key is an effective approach.
“This incident only highlights that there is a growing trend of targeted crypto-ransomware attacks against large corporations—in contrast to the more widespread and popular ransomware campaigns of the past, like WannaCry and NotPetya. While there are fewer victims, these targeted attacks are typically more sophisticated and destructive. And there is no evidence to suggest that they will decline in the near future. Therefore, it’s critical that organizations stay on alert and take steps to protect themselves,” comments Fedor Sinitsyn, security expert at Kaspersky.
To reduce the risk of being exposed to WastedLocker and other ransomware, Kaspersky experts have the following recommendations:
1. Use up-to-date versions of the operating system and applications.
2. Use a VPN to secure remote access to company resources.
3. Use a modern endpoint security solution, such as Kaspersky Endpoint Security for Business, with behavior detection, a remediation engine that allows automatic file rollback, and other technologies that protect against ransomware.
4. Improve employees’ cybersecurity education. Kaspersky Security Awareness offers computer-based training products that combine cybersecurity expertise with best-practice educational techniques and technologies.
5. Use a reliable data backup scheme or solution.