Kaspersky comment: Garmin ransomware attack
July 2020 by Denis Legezo, senior security researcher at Kaspersky
In response to the news that ‘Garmin obtains decryption key after ransomware attack’, Denis Legezo, Senior Security Researcher at Kaspersky, comments:
Officially, the company itself only commented on the “outage” and “investigation”, so all the information about the case came from employees’ photos and other sources. Information from these sources demonstrated that the incident was a cryptolocker attack and that the malware itself was WastedLocker. As a result, private customers couldn’t access their data regarding physical activity, pilots couldn’t obtain map updates, and some production lines in Asia were affected as well.
Technically speaking, WastedLocker is targeted ransomware, which means its operators come for selected enterprises instead of every random host they can reach. This is not the only ransomware used in such a manner; a similar scheme is used by Maze and some other ransomware families. The encryption algorithms in use are nothing special for ransomware: modern and strong. The ransomware’s operators add the victim company’s name to the ransom messages, the messages with information about how to contact the malefactors through secure e-mail services and the like. So it’s pretty obvious they know whom they came for.
We monitor dozens of web domains related to this malware family. On many of these domains, we registered the server as part of CobaltStrike, a legitimate commercial penetration testing platform widely used by malefactors as well. This and other techniques used by the attack operators are quite similar to more classical targeted attacks, which come for data. But in WastedLocker’s case, so far, there are no signs of anything besides encryption and a request for ransom payment.