“Untouchable” Russian hacker’s ransomware squeezes Garmin for $10m

Just over a week ago, the wearables and GPS navigation company Garmin were held to a $10 million ransom, having suffered a crippling ransomware attack after a hacker gang infiltrated its internal network and encrypted the company’s servers.

The breach caused a five-day blackout for the company, affecting its call centers, its Taiwanese production line, Garmin Connect, flyGarmin, and Strava. After what can only be called a two week period in hell, Garmin is officially back up and running after apparently receiving a custom decryption key – but at what cost?

EVILCORP suspected of attack

The suspected hacker group, EVILCORP, headed by the “untouchable” Maksim Yakubets, has been on official US watchlists since December. But since then, the hacker gang has managed to breach 31 major US corporations. Yakubets, who is now missing, has worked with Russian intelligence agencies and has stolen around $100 million from victims around the world. His firm of cybercriminals is said to pose the biggest cyber-crime threat to the UK, with several UK and US police, secret service, cybersecurity and justice departments putting up a $5 million reward for his capture – the largest ever offered for a cybercriminal.

His weapons of choice? Dridex, WastedLocker and Zeus ransomware.

These powerful programs install malware on a person’s computer and unlock permissions on the corporate network the employee is connected to. Eventually, the entire company is locked out of its own systems and a ransom is demanded for the decryption.

In Garmin’s case, all signs pointed to a WastedLocker ransomware attack – the chilling words ‘GARMINWASTED’ replaced the extension names of every file on the company’s network, rendering them permanently inaccessible. The files were encrypted with the message “get a price for your data” attached to each, as well as instructions to contact one of two email addresses.

Custom decryptor used to reverse ransomware

Various employee screenshots have surfaced of Garmin’s IT department decrypting a workstation and installing security software on a machine. The software package contains various cybersecurity software installers, the decryption key, a Wastedlocker decryptor, and a script to run them all. Analysts suspect that Garmin paid the ransom on the 24/7/2020 or the 25/07/2020, two days before they publicly announced the ransomware attack after initially telling users that it was a mere “technical fault”.

Wastelocker was designed exclusively by EVILCORPS and has no known flaws or weaknesses in its encryption algorithm. The near impossibility of obtaining a decryption key means that Garmin most likely paid a hefty ransom.

Are Garmin users safe?

In a public statement, Garmin announced that they have “no indication that any customer data, including payment information from Garmin Pay, was accessed, lost, or stolen”, and that they expect to return to normal operation.

It seems as though the hackers are more interested in extracting million-dollar ransoms from corporate giants rather than targeting users. If EVILCORPS’ previous ransomware attacks are anything to go by, users may find some consolation. By targeting banks, financial institutions, retailers and other US institutions, the criminals opt for large-scale attacks, where trojans are deployed to move across the network to disable it and effectively stop a company from functioning.

Reports from previous victims, eight of whom were Fortune 500 companies, suggest that no user data was ever leaked by EVILCORPS. On the other hand, since all systems must be wiped after a ransomware attack, it’s difficult to know what the attackers have changed or perhaps stolen during the intrusion.

The question is, will Garmin provide proof that no user data was compromised? Will all parties involved continue to refuse comment while we send the completely wrong message to cybercriminals? To this day, however, it’s still unclear whether any of the affected global corporations paid a ransom to EVILCORPS, but judging by the hacker’s $250,000 wedding amidst rumors of a “Lamborghini-driving, tiger-owning Russian playboy,” it’s pretty obvious they must have.

How to protect yourself from ransomware attacks

Ransomware attacks are typically carried out using malware disguised as a legitimate file in a phishing email. Users are tricked into downloading the file or opening the attachment. This opens the door to the malware, which then travels through the network, infecting and disabling everything it can. Some malware, like the “WannaCry worm”, can even travel between computers automatically without user interaction.

It goes without saying that you must never open suspicious or irrelevant emails, especially if they include any links or attachments. You should also keep the following in mind:

• Only use official and verified download channels, especially on work devices. Since you’re connected to your work network remotely, your device makes it easier for hackers to spread malware to the entire network and potentially disable it.
• Update your products with tools or functions provided by legitimate developers. Never use ‘cracked’ tools and third-party updaters, as they’re usually loaded with malware.
• Install trusted anti-virus or spyware software to run system scans and remove or alert you about potential threats.
• Make backups of your data and keep them away from your computer. For example, an external hard drive or encrypted cloud storage have very small chances of being hacked.

Although there are tools to decrypt files locked by ransomware, success rates vary. Simple ransomware may be easy for an expert to reverse. But more advanced cryptoviral attacks, like the Garmin one, can be approached only by the gifted and ambitious, since they require a unique decryption key to recover the system. Either way, we’re keeping our fingers crossed for Garmin.