1.888.900.DRIZ (3749)
The Driz Group
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog

Cybersecurity Blog

Thought leadership. Threat analysis. Cybersecurity news and alerts.

7/26/2020

0 Comments

Threat Focus: WastedLocker Ransomware

 
WastedLocker Ransomware

Threat Focus: WastedLocker Ransomware

Garmin, an American multinational company that markets GPS navigation and wireless devices and applications, has reported a global outage on its systems since last July 23.

Last July 23, Garmin announced that it was experiencing an outage that affected Garmin Connect – a service that syncs users' activity and data to the cloud and other devices. Garmin also announced that the outage affected the company's call centers, cutting off the company's ability to respond to any calls, emails and online chats.

Last July 26, Garmin followed up its July 23 announcement. The statement said the company "has no indication that this outage has affected your data, including activity, payment or other personal information."

flyGarmin, Garmin's service that offers navigational software to pilots, in a separate statement said that last July 23 it also experienced a similar outage in which users couldn't access flyGarmin's website and call centers. flyGarmin specified that its Connext services, in particular, weather, data from the on-board Central Maintenance Computer (CMC), position reports were down; and Garmin Pilot apps, in particular, flight plan filing (unless connected to FltPlan, account syncing, database concierge) were down.

Based on its July 26 update, flyGarmin said that its website and mobile app are now operational, and that customer support can handle limited calls, but emails and chat supports are still unavailable.

WastedLocker Ransomware

While Garmin remains silent on what caused the global outage of its systems, BleepingComputer and TechCrunch reported that sources familiar with the Garmin outage investigation and company employees point to the direction that Garmin fell victim to WastedLocker ransomware.

A Garmin employee told BleepingComputer that they first learned of the attack when they arrived at their office last Thursday morning. As devices were being encrypted, employees were told to shut down any computer on the network, including computers used by remote workers that were connected via virtual private network (VPN), to prevent additional devices from being encrypted. As shown by the photo sent by a Garmin employee to BleepingComputer, the ".garminwasted" extension was appended to the file name of every encrypted file.

WastedLocker ransomware was first tracked in the wild in May of this year. This ransomware was named after the filename it creates which includes an abbreviation of the victim’s name and the word "wasted".

One of the known methods used by the group behind the WastedLocker ransomware is the use of fake software update that shows up on the users' computer screen when visiting certain legitimate websites. Malicious code is inserted by the group behind the WastedLocker ransomware on vulnerable websites, prompting unsuspecting users to click on the fake software updates that show up on their trusted websites.

Once a user clicks on this fake software update, the WastedLocker ransomware activates CobaltStrike – a commercial penetration testing tool that can be used by ethical security researchers as well as by malicious actors. This commercial penetration testing tool uses tools such as Metasploit and Mimikatz.

Metasploit is an open-source tool for probing vulnerabilities on networks and servers. It can easily be customized and used with most operating systems.

Mimikatz, meanwhile, is another open-source tool that gives out passwords as well as hashes and PINs from memory. This tool makes it easy for attackers to conduct post-exploitation lateral movement within a victim's network.

After exploring the weak spots and access credentials, the WastedLocker ransomware is then dropped into the victim's network or server. With WastedLocker ransomware, it isn't possible to get backup copy on the affected computer as this malicious software deletes shadow copies – the default backups made by Windows operating systems.

Security researchers, including those from Malwarebytes and Fox-IT, named Evil Corp Group as the group behind WastedLocker ransomware. Most of today's ransomware groups openly admit that they steal victims' data prior to encrypting files. These ransomware groups publish or auction the data belonging to victims that are unwilling to pay the ransom.

According to Malwarebytes, the group behind the WastedLocker ransomware "does not exfiltrate stolen data and publish or auction the data that belong to 'clients' that are unwilling to pay the ransom".

Fox-IT, meanwhile, said that the group behind WastedLocker ransomware “has not appeared to have engaged in extensive information stealing or threatened to publish information about victims”. "We assess that the probable reason for not leaking victim information is the unwanted attention this would draw from law enforcement and the public," Fox-IT said.

The group behind WastedLocker ransomware demands ransom payment ranging from US$500,000 to over $10 million in Bitcoin. One of the sources of BleepingComputer said that the ransom demand in exchange for decryption keys that could unlock the encrypted files of Garmin is priced at US$10 million.

In December 2019, the U.S. Treasury Department, sanctioned Evil Corp by way of prohibiting U.S. persons in dealing with the group. The U.S. Treasury Department said that "U.S. persons are generally prohibited from engaging in transactions with them [Evil Corp]." Engagement, in this case, could be mean that US individuals or organizations are prohibited in engaging with Evil Corp, such as via ransom payment.

The sanction of the U.S. Treasury Department’ came after leaders and members of the Evil Corp were charged for developing and distributing the malicious software (malware) called "Dridex". The U.S. Treasury Department said that Dridex infected computers and harvested login credentials from hundreds of banks and financial institutions in over 40 countries, causing more than US$100 million in theft.

0 Comments

Your comment will be posted after it is approved.


Leave a Reply.

    Author

    Steve E. Driz, I.S.P., ITCP

    Picture
    View my profile on LinkedIn

    Archives

    January 2023
    December 2022
    June 2022
    May 2022
    February 2022
    December 2021
    November 2021
    October 2021
    September 2021
    August 2021
    July 2021
    June 2021
    May 2021
    April 2021
    March 2021
    February 2021
    January 2021
    December 2020
    November 2020
    October 2020
    September 2020
    August 2020
    July 2020
    June 2020
    May 2020
    April 2020
    March 2020
    February 2020
    January 2020
    December 2019
    November 2019
    October 2019
    September 2019
    August 2019
    July 2019
    June 2019
    May 2019
    April 2019
    March 2019
    February 2019
    January 2019
    December 2018
    November 2018
    October 2018
    September 2018
    August 2018
    July 2018
    June 2018
    May 2018
    April 2018
    March 2018
    February 2018
    January 2018
    December 2017
    November 2017
    October 2017
    September 2017
    August 2017
    July 2017
    June 2017
    May 2017
    April 2017
    March 2017
    February 2017
    January 2017
    December 2016
    October 2016
    August 2016
    May 2016
    March 2016
    January 2016
    November 2015
    October 2015
    August 2015
    June 2015

    Categories

    All
    0-Day
    2FA
    Access Control
    Advanced Persistent Threat
    AI
    Artificial Intelligence
    ATP
    Awareness Training
    Botnet
    Bots
    Brute Force Attack
    CASL
    Cloud Security
    Compliance
    COVID 19
    COVID-19
    Cryptocurrency
    Cyber Attack
    Cyberattack Surface
    Cyber Awareness
    Cyber Espionage
    Cybersecurity
    Cyber Security
    Cyber Security Consulting
    Cyber Security Insurance
    Cyber Security Risk
    Cyber Security Threats
    Data Breach
    Data Governance
    Data Leak
    Data Leak Prevention
    DDoS
    Email Security
    Fraud
    GDPR
    Hacking
    IoT
    Malware
    MFA
    Microsoft Office
    Mobile Security
    Network Security Threats
    Phishing Attack
    Privacy
    Ransomware
    Remote Access
    SaaS Security
    Social Engineering
    Supply Chain Attack
    Supply-Chain Attack
    Third-Party Risk
    Virtual CISO
    Vulnerability
    Vulnerability Assessment
    Web Applcation Security
    Web-applcation-security
    Web Application Firewall
    Web Application Protection
    Web Application Security
    Web Protection
    Windows Security
    Zero Trust

    RSS Feed

Picture

1.888.900.DRIZ (3749)

Managed Services

Picture
Web Application Security
​Virtual CISO
Compliance
​Vulnerability Assessment
Free Vulnerability Assessment
Privacy Policy | CASL

About us

Picture
Testimonials
​Meet the Team
​Subsidiaries
​Contact us
​Blog
​
Jobs

Resources & Tools

Picture
​Incident Management Playbook
Sophos authorized partner logo
Picture
© 2023 Driz Group Inc. All rights reserved.
Photo used under Creative Commons from GotCredit