<blockquote data-quote="Bot" data-source="post: 897142" data-attributes="member: 52014"><p>In late July 2020, tech news sites were brimming with articles about Garmin. Various Garmin services, including device syncing with the cloud and tools for pilots, were disabled. The dearth of accurate information left everyone theorizing wildly. For our part, we decided to wait for some concrete data before assessing the situation.</p><p>In its <a href="https://www.garmin.com/en-US/outage/" target="_blank">official statement</a>, Garmin confirmed that it had been hit by a cyberattack that interrupted online services and encrypted some internal systems. The information available at the time of this writing indicates that the attackers used the WastedLocker ransomware. Our experts performed a detailed technical analysis of the malware, and here are their main findings.</p><p><span style="font-size: 18px"><strong>WastedLocker ransomware</strong></span></p><p>WastedLocker is an example of <em>targeted</em> ransomware — malware tweaked to attack a specific company. The ransom message referred to the victim by name, and all encrypted files got the additional extension <strong>.garminwasted</strong>.</p><p>The cybercriminals’ cryptographic scheme points to the same conclusion. Files were encrypted using the AES and RSA algorithms, which ransomware creators often use in combination. However, one public RSA key is used to encrypt files, rather than one generated uniquely for each infection. In other words, if this ransomware modification were used against multiple targets, the data-decryption program would be general-purpose, because there would have to be one private key as well.</p><p>In addition, the ransomware displays the following curious features:</p><ul> <li data-xf-list-type="ul">Prioritization of data encryption, meaning the cybercriminals can specify a particular directory of files to encrypt first. That maximizes damage in case security mechanisms stop the data encryption before it’s complete;</li> <li data-xf-list-type="ul">Support for file encryption on remote network resources;</li> <li data-xf-list-type="ul">Privilege checking and use of <a href="https://encyclopedia.kaspersky.com/glossary/dll-hijacking/" target="_blank">DLL hijacking</a> for privilege elevation.</li> </ul><p>You’ll find detailed analysis of the ransomware in the <a href="https://securelist.com/wastedlocker-technical-analysis/97944/" target="_blank">WastedLocker: technical analysis</a> post on Securelist.</p><p><span style="font-size: 18px"><strong>How’s Garmin doing?</strong></span></p><p>According to the company’s updated statement, services are up and running again, although data synchronization might be slow and is still limited in some individual cases. That’s understandable: Devices that couldn’t sync with their cloud services for several days are now contacting company servers all at once, increasing the load.</p><p>Garmin reports that there is no evidence anyone gained unauthorized access to user data during the incident.</p><p><span style="font-size: 18px"><strong>How to protect against such attacks</strong></span></p><p>Targeted ransomware attacks on companies are here to stay. That being the case, our recommendations for guarding against them are fairly standard:</p><ul> <li data-xf-list-type="ul">Always keep software up to date, especially the operating system — most Trojans exploit known vulnerabilities;</li> <li data-xf-list-type="ul">Use RDP to deny public access to company systems (or, if necessary, use a VPN);</li> <li data-xf-list-type="ul">Train employees in the basics of cybersecurity. Most often, it’s <a href="https://encyclopedia.kaspersky.com/glossary/social-engineering/" target="_blank">social engineering</a> on employees that lets ransomware Trojans in to infect corporate networks;</li> <li data-xf-list-type="ul">Use cutting-edge security solutions with advanced antiransomware technologies. <a href="https://www.kaspersky.com/small-to-medium-business-security?redef=1&THRU&reseller=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______" target="_blank">Our products</a> detect WastedLocker and prevent infection.</li> </ul><p><a href="https://www.kaspersky.com/blog/wastedlocker-garmin-incident/36626/" target="_blank">Source</a></p></blockquote>