[BreachExchange] Garmin Pays Up to Evil Corp After Ransomware Attack — Reports

Destry Winant destry at riskbasedsecurity.com
Wed Aug 5 10:18:00 EDT 2020


https://threatpost.com/garmin-pays-evil-corp-ransomware-attack-reports/157971/

The ransom for the decryptor key in the WastedLocker attack could have
topped $10 million, sources said.

Garmin, the GPS and aviation tech specialist, reportedly negotiated
with Evil Corp for a decryption key to unlock its files in the wake
of a WastedLocker ransomware attack.

The attack, which started on July 23, knocked out Garmin’s
fitness-tracker services, customer-support outlets and commercial
aviation offerings such as flight-plan filing, account-syncing and
database-concierge capabilities. Garmin officially confirmed a
cyberattack to Threatpost (and later in a web post), but declined to
explain the specific cause.

However, sources reportedly shared photos with BleepingComputer of a
Garmin computer with encrypted files carrying the .garminwasted
extension on each file’s name, which indicated that WastedLocker was
the malware involved. Soon, the company’s systems started coming back
online, and as of Monday Garmin said its services are fully restored.

BleepingComputer also said it obtained a copy of the working decryptor
from the Garmin IT department with a time stamp of July 25, and that
the original ransom amount requested was $10 million. Sky News
meanwhile reported that the device-maker paid the ransom to Evil Corp,
the gang behind the ransomware, via a ransomware-negotiation business
called Arete IR.

If Garmin did indeed pay the ransom, the company could be in hot water
from a legal perspective. The U.S. Treasury Department in December
issued sanctions against Evil Corp, which state that “U.S. persons are
generally prohibited from engaging in transactions” with Evil Corp or
any of its individual members.

Evil Corp’s previous schemes involved capturing banking credentials
with the Dridex banking trojan and then making unauthorized electronic
funds transfers from unknowing victims’ bank accounts. Money mules
would then receive these stolen funds into their bank accounts, and
transport the funds overseas. Multiple companies have been targeted by
Dridex, costing them millions of dollars; victims included two banks,
a school district, a petroleum business, building materials supply
company and others.

As a result, the U.S. authorities are offering up $5 million for
information leading to the arrest of Evil Corp leader Maksim V.
Yakubets, 32, of Russia, who goes under the moniker “aqua.”

Garmin has declined to comment on any of the investigative findings
regarding the ransom or the decryptor.

“In organizations, one method to avoid paying is to assess whether
their backups are available and not corrupted or deleted by
cybercriminals,” James McQuiggan, security awareness advocate at
KnowBe4, said via email. “It’s crucial within an organization’s
cybersecurity program to have a backup policy. This policy needs to
include the planning and testing of backups regularly to determine
their integrity. If the backup restoration process fails, it can mean
additional risk to the organization’s revenue and reputation due to
the downtime. Backups are just one part of a ransomware mitigation
plan. Examining the root cause of most ransomware attacks is
determined either to be a phishing attack or through vulnerable and
unpatched systems.”
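The backup advice above (test restores regularly and confirm their integrity) is easy to state and rarely automated. The following is an added example, not code from the article or from any vendor quoted in it: a manifest of SHA-256 digests is recorded at backup time, and a restored tree is checked against that manifest so that missing or altered files surface before an incident rather than during one. The directory layout and file contents in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest.

    Store this manifest separately from the backup set (ideally offline or
    write-once), otherwise an attacker who can alter the backup can alter
    the manifest too.
    """
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree to the manifest taken at backup time.

    Returns lists of files that restored intact, that are missing from the
    restore, and whose content no longer matches the recorded digest.
    """
    ok, missing, modified = [], [], []
    for rel, digest in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != digest:
            modified.append(rel)
        else:
            ok.append(rel)
    return {"ok": ok, "missing": missing, "modified": modified}


def demo() -> dict:
    """Constructed scenario: one file is absent from the restore and one was altered."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        restored = Path(tmp) / "restored"
        for base in (src, restored):
            (base / "db").mkdir(parents=True)
            (base / "db" / "customers.csv").write_text("id,name\n1,alice\n")
            (base / "config.ini").write_text("[app]\nmode=prod\n")
        # Present when the manifest was taken, but never made it into the restore.
        (src / "db" / "orders.csv").write_text("id,total\n7,42\n")
        manifest = build_manifest(src)
        # Restored copy differs from what was backed up.
        (restored / "config.ini").write_text("[app]\nmode=prod\n# tampered\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(demo())
```

In a real restore drill, `build_manifest` runs against the source at backup time and `verify_restore` against the freshly restored copy; a non-empty `missing` or `modified` list is the signal that the backup cannot be relied on as an alternative to paying.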

WastedLocker: A Look Inside

Kaspersky researcher Fedor Sinitsyn, in a recent post, said that there
has been an increase in the use of WastedLocker in the first half of
this year. In his technical analysis, the researcher highlighted
several noteworthy features in the WastedLocker ransomware.

For one, it has a command line interface that attackers can use to
control the way it operates; they can specify directories to target
and prioritize which sets of files are encrypted first. The CLI also
allows attackers to encrypt files on specified network resources.

WastedLocker also features a bypass for User Account Control (UAC) on
Windows machines, which is a security check meant to prevent malicious
privilege escalation. If a program seeks to elevate privileges in
order to function, a pop-up prompt will ask, “Do you want to allow the
following program to make changes to this computer?” Device-owners or
administrators can choose yes or no; but users that have been assigned
a standard user access token will be prompted to enter admin
credentials.

To get around this, WastedLocker can silently elevate its privileges
using a known bypass technique, Sinitsyn said: “[This] sequence of
actions results in WastedLocker being relaunched from the alternate
[Windows NT file system (NTFS)] stream with elevated administrative
privileges without displaying the UAC prompt.”

On the crypto front, WastedLocker uses a combination of AES and a
publicly available reference implementation of an RSA algorithm named
“rsaref,” according to the researcher, which is also seen in other
ransomware families. It also computes an MD5 hash of the original
content of each encrypted file, which is used during decryption to
verify that the file was restored correctly.

“For each processed file, WastedLocker generates a unique 256 bit key
and a 128 bit IV which will be used to encrypt the file content using
the AES-256 algorithm in CBC mode,” he explained. “The AES key, IV and
the MD5 hash of the original content, as well as some auxiliary
information, are encrypted with a public RSA key embedded in the
trojan’s body. The sample under consideration contains a 4096-bit
public RSA key.”

The result of RSA encryption is Base64 encoded and saved in a new file
with the extension .garminwasted_info, he added – and unusually, a new
info file is created for each of the victim’s encrypted files.

“This is a rare approach that was previously used by the BitPaymer and
DoppelPaymer trojans,” Sinitsyn said. “This WastedLocker sample we
analyzed is targeted and crafted specifically to be used in this
particular attack. It uses a ‘classic’ AES+RSA cryptographic scheme
which is strong and properly implemented, and therefore the files
encrypted by this sample cannot be decrypted without the threat
actors’ private RSA key.”
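The two artifacts described above, an encrypted file renamed with the .garminwasted extension and a companion .garminwasted_info file holding the Base64-encoded RSA output, are what a responder can actually look for on disk. The following is an added example, not code from the article or from Kaspersky: it sweeps a directory tree, pairs each encrypted file with its info file, checks that the info content is valid Base64 and reports its decoded length, and lists info files with no matching encrypted file. It assumes the info file is named by appending the extension to the encrypted file’s original name (for example `report.docx.garminwasted` and `report.docx.garminwasted_info`); the article does not state the naming rule, so treat that as an assumption. The sample tree in `demo()` is constructed, with random bytes standing in for ciphertext.

```python
import base64
import binascii
import os
import tempfile
from pathlib import Path

ENC_EXT = ".garminwasted"        # extension reported on encrypted files
INFO_EXT = ".garminwasted_info"  # per-file Base64 blob with the RSA-encrypted key material


def is_base64(data: bytes) -> bool:
    """True if data (ignoring surrounding whitespace) is strictly valid Base64."""
    try:
        base64.b64decode(data.strip(), validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def sweep(root: Path) -> dict:
    """Pair encrypted files with their info files under root and summarise them."""
    encrypted, info = {}, {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if p.name.endswith(INFO_EXT):
            # Assumed naming: <original name> + INFO_EXT
            info[p.parent / p.name[: -len(INFO_EXT)]] = p
        elif p.name.endswith(ENC_EXT):
            # Assumed naming: <original name> + ENC_EXT
            encrypted[p.parent / p.name[: -len(ENC_EXT)]] = p

    findings = []
    for stem, enc in sorted(encrypted.items()):
        entry = {
            "file": enc.relative_to(root).as_posix(),
            "info": None,
            "info_base64": None,
            "decoded_len": None,
        }
        companion = info.get(stem)
        if companion is not None:
            raw = companion.read_bytes()
            entry["info"] = companion.relative_to(root).as_posix()
            entry["info_base64"] = is_base64(raw)
            if entry["info_base64"]:
                entry["decoded_len"] = len(base64.b64decode(raw.strip(), validate=True))
        findings.append(entry)

    # Info files whose encrypted counterpart is absent (deleted, moved, or a naming mismatch).
    orphans = sorted(
        i.relative_to(root).as_posix() for stem, i in info.items() if stem not in encrypted
    )
    return {"encrypted": findings, "orphan_info": orphans}


def demo() -> dict:
    """Constructed tree: one well-formed pair, one pair with a malformed info file,
    one encrypted file with no info file, and one orphan info file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        docs = root / "docs"
        docs.mkdir()
        (docs / "report.docx.garminwasted").write_bytes(os.urandom(1024))
        # A 4096-bit RSA key produces a 512-byte ciphertext block; Base64 of 512 random bytes
        # stands in for the real info content.
        (docs / "report.docx.garminwasted_info").write_bytes(base64.b64encode(os.urandom(512)))
        (docs / "photo.jpg.garminwasted").write_bytes(os.urandom(300))
        (docs / "photo.jpg.garminwasted_info").write_bytes(b"not base64!!")
        (docs / "notes.txt.garminwasted").write_bytes(os.urandom(64))
        (root / "stray.garminwasted_info").write_bytes(base64.b64encode(b"orphan"))
        return sweep(root)


if __name__ == "__main__":
    print(demo())
```

The output is a triage aid, not a decryptor: confirming the per-file info pattern and a plausible RSA block size in the Base64 payload supports the identification, while orphaned or malformed info files point to files that were only partly processed or renamed after encryption.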

To prevent ransomware attacks, users should maintain up-to-date OS and
application versions; prevent Remote Desktop Protocol access via the
internet and improve end-user awareness of these kinds of threats, he
concluded, echoing McQuiggan.

“The Garmin incident is the next in a series of targeted attacks on
large organizations involving crypto-ransomware,” Sinitsyn said.
“Unfortunately, there is no reason to believe that this trend will
decline in the near future.”


More information about the BreachExchange mailing list