Ransomware attack on Garmin thought to be the work of 'Evil Corp'

Guardian Technology 27 Jul 2020 05:57
Garmin Connect, which enables data upload from services such as fitness trackers, is still operating with ‘limited functionality’, the company says. Photograph: Brian Snyder/Reuters

A ransomware attack that took the GPS and smartwatch business Garmin entirely offline for more than three days is believed to have been carried out by a Russian cybercriminal gang which calls itself “Evil Corp”.

Garmin began to restore services to customers on Monday morning, after being held hostage for a reported ransom of $10m, although some services were still operating with limited functionality.

The hack is thought to be just the latest in a long string of attacks on American companies that have earned the cybercriminals’ alleged leader, Maksim Viktorovich Yakubets, 33, a $5m bounty on his head from the FBI. That reward is the highest ever offered for a cybercriminal.

Unlike those behind some previous high-profile ransomware outbreaks, such as the notorious WannaCry and NotPetya campaigns of 2017, Evil Corp has historically been very focused in how it picks and attacks its targets. Rather than going after end users and small businesses, who may be easy to trick into opening a malicious email attachment but unlikely to pay significant ransoms for their data, the organisation has instead deployed a mixture of technical prowess and social engineering to attack sizeable targets such as banks, media organisations and now technology companies.

Garmin was the latest victim of Evil Corp’s ransomware, dubbed WastedLocker by researchers at cybersecurity firm NCC. The malware, first seen in the wild in May this year, is deployed in a “selective” manner by the outfit, says NCC’s Stefano Antenucci. “Typically, they hit file servers, database services, virtual machines and cloud environments.”

Whichever way Evil Corp got WastedLocker onto Garmin’s systems, the ransomware’s next step was the same: it charged through the most sensitive parts of the company’s network and encrypted essential files, before demanding a ransom in exchange for the decryption key.

By Monday morning, Garmin had succeeded in restoring many services, according to a status dashboard it published. But Garmin Connect, which allows users to upload data from fitness trackers to Garmin and on to other services such as Strava, is operating with “limited functionality”: many uploads are “queued” or “delayed”, including Strava integration itself.
