After the breach: Garmin and WastedLocker

July 28, 2020 By Will Peteroy

This week, we saw a very public example of a ransomware attack on Garmin, with their production services and products going offline from July 23rd to 27th. Garmin, with a market cap of $19 billion, saw the attack impact everything from their manufacturing activities to their consumer and commercial services.

Garmin's public-facing impacts were far-reaching, affecting the users of their products from smartwatches to aviation. Production lines (including those in Taiwan) were closed. The ransomware disabled syncing from Garmin devices, preventing anyone with a Garmin smartwatch or product from logging their workout session onto Garmin Connect. flyGarmin was also down, preventing pilots from downloading flight plans and navigational systems typically accessed via the flyGarmin database.

Leaks from the incident purport that Evil Corp, the criminal enterprise behind WastedLocker, compromised Garmin and had a significant impact, demanding a $10 million ransom payment. Furthermore, there are rumors that Garmin may have made a payment through a third party to regain access to some of its technology resources.

WastedLocker is a ransomware variant typically delivered via legitimate, compromised websites. At least 150 legitimate sites have been compromised and refer traffic to websites that host a zipped file from the SocGholish fake update framework. Once the malicious fake update zipped file is downloaded and run, the payload loads a targeted set of attacker tools that will either facilitate a broad attack on the victim network or “lock” the victim computer: the malicious JavaScript, often disguised as a browser update, locks the data and demands a ransom.

You can read more about Fake Browser updates here.
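A defender-side triage of the delivery step described above, as an added example that is not part of the original post: it lists script files inside a downloaded ZIP and raises the severity when the file name resembles a browser update. The keyword lists, function names and sample file names are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows hands to a script interpreter (wscript.exe / mshta.exe) on double-click.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Assumed lure vocabulary for "fake browser update" naming; tune for your environment.
BROWSER_WORDS = ("chrome", "firefox", "edge", "opera", "browser")
UPDATE_WORDS = ("update", "upgrade")
MAX_NESTED_BYTES = 10 * 1024 * 1024  # do not unpack large inner archives

def triage_zip(data: bytes, depth: int = 0) -> list:
    """Return findings (member, severity, reason) for script files in a downloaded ZIP."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a ZIP: nothing to report here
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = PurePosixPath(info.filename.replace("\\", "/")).name.lower()
            ext = PurePosixPath(name).suffix
            encrypted = bool(info.flag_bits & 0x1)
            # Follow one level of nesting so a script hidden in an inner ZIP is still seen.
            if ext == ".zip" and depth < 1 and not encrypted and info.file_size <= MAX_NESTED_BYTES:
                for inner in triage_zip(archive.read(info), depth + 1):
                    inner["member"] = f"{info.filename}!{inner['member']}"
                    findings.append(inner)
                continue
            if ext not in SCRIPT_EXTS:
                continue
            themed = any(w in name for w in BROWSER_WORDS) and any(w in name for w in UPDATE_WORDS)
            findings.append({
                "member": info.filename,
                "severity": "high" if themed else "medium",
                "reason": "script named like a browser update" if themed
                          else "script file inside a downloaded archive",
            })
    return findings

def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: text}; used only for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, text in members.items():
            z.writestr(name, text)
    return buf.getvalue()

# Constructed samples: harmless placeholder content, invented file names.
SAMPLE_LURE = make_zip({"Chrome.Update.js": "// placeholder"})
SAMPLE_NESTED = make_zip({"docs/readme.txt": "hi", "inner.zip": make_zip({"invoice.vbs": "' placeholder"})})
```

A finding here is a reason to quarantine and inspect the archive, not proof of SocGholish; the keyword match will also flag legitimately named scripts.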

At Measured, we see companies with significantly fewer capabilities impacted by ransomware attacks every day, with ransom demands measured in millions of dollars and fewer resources at their disposal to address the very challenging reality of post-ransom response.

Victims are usually notified that a ransomware attack has occurred either by customers or employees losing access to systems or through direct outreach from criminal groups. Companies then face a plethora of difficult decisions, some as simple as whether to call their incident response provider (assuming they have one on retainer), their insurance company (assuming they have cybersecurity insurance), or their lawyer first. This marks the start of a journey of identifying and scoping the issue and the business impact, deciding how to engage with the criminal group (and whether a third party should be involved), and ultimately trying to understand the best path to recovery.

Measured specializes in general cybersecurity and ransomware insurance and in navigating the complex and time-sensitive web of decisions and service providers to get victims back online as quickly as possible when they have an awful day.

To get started protecting your organization from attacks like this, assess your risk and get the right ransomware coverage. Find out how much you need with our three-question quiz.
