In late July, a ransomware attack on Garmin brought the company’s business to its knees. The attack forced the business, a major player in the GPS smartwatch and wearables market, to shut down Garmin Connect, the website customers use to sync data about activities such as runs and bike rides, along with its aviation database services, some production lines in Asia, and its call centers.
After five long days, Garmin’s systems slowly began to come back online. Soon after that, reports began to appear that Garmin paid a multimillion-dollar ransom to obtain a decryption key to restore data scrambled by a particularly pernicious piece of malware, called WastedLocker. Some researchers have linked this malware to Evil Corp, a crime group based in Russia that has been sanctioned by the US Department of the Treasury.
As with any large-scale cybersecurity incident, there are lessons to be learned. Here are eight takeaways from the Garmin ransomware incident.
1. No organization is safe from ransomware
One of the main takeaways from this incident is that no organization or network is safe from a ransomware attack, said Kacey Clark, a threat researcher with Digital Shadows, a provider of digital risk protection solutions.
“Vulnerabilities can be found, systems can be misconfigured, and employees can be misled.”
Even large and mature organizations are not immune to having their entire operational capabilities completely halted by a sophisticated attacker, said Chris Clements, vice president of solutions architecture at Cerberus Sentinel, a cybersecurity consulting and penetration testing company.
“Modern ransomware gangs are not script kiddies. They have a high level of expertise and are well funded to develop their own tooling and exploits.”
Not only are large organizations not immune from ransomware attacks, but they can be attack magnets, said Dan Piazza, the technical product manager at Stealthbits Technologies, a cybersecurity software company.
“A larger organization means more chances to expose surfaces for attackers, as well as larger potential profit for attackers.”
As ransomware attacks become common, they begin to be lumped into other risks and their impact diluted, said Israel Barak, CISO of Cybereason, a maker of an endpoint detection and response platform.
“Ransomware has become a part of doing business. Garmin’s stock price didn’t even drop after the attack was reported.”
2. To pay or not to pay: A tricky question
Law enforcement authorities and many security experts advise against paying ransoms to extortionists. “Paying off ransomware operators can further compromise organizations,” Digital Shadows’ Clark said. Attackers may see your company as an easy target in the future.
“Payment may fuel the attackers to continue their operations,” she added. “Legal implications may also be involved.”
What’s more, paying a ransom is, at best, only a short-term fix to ransomware problems. “It doesn’t make the problem go away,” said Melody J. Kaufmann, a cybersecurity specialist at Saviynt, an application and infrastructure security provider.
“It’s been proven that paying up emboldens the bad actors.”
—Melody J. Kaufmann
Garmin can expect to have similar cyber criminals knocking on their door in the future because now it’s common knowledge they aren’t prepared for such an incident, she said. “In cases like this, unless the victim takes some serious steps to prevent this again, they will be hemorrhaging ransom money repeatedly.”
Ken Jenkins, CTO of EmberSec, a managed detection and response services company, said that if a target is victimized again, it probably won’t be by the original gang of bandits.
“I don’t see a lot of re-infections. Attackers seem to believe the well is dry after an attack. The target has probably taken measures to protect against another attack.”
The thinking is, he continued, if I got my ransom and got away with it, why risk going back when there are all these other companies I can go after that haven’t already been hit with ransomware?
Despite admonishments, though, companies are more likely to pay a ransom than not. According to an IBM survey, 70% of businesses infected with ransomware pay the ransom to regain access to their data and systems.
Tim Bandos, vice president of cybersecurity for Digital Guardian, a data loss protection company, said the sophistication of ransomware had evolved quite considerably over the past several years, with encryption being almost impossible to crack without a key.
“This has ultimately led to companies having to pay the ransom in order to reclaim their information.”
Saryu Nayyar, CEO of Gurucul, a threat intelligence company, said the reality of the situation meant companies are forced to be pragmatic.
“We’re learning the painful lesson that sometimes it’s cheaper to pay off a criminal than it is to implement tools and processes that will prevent the crime in the first place.”
Whether or not to pay the ransom can be further complicated by cybersecurity insurance.
“Cyber criminals will inflate the ransom they ask for, knowing that if it’s sufficiently higher than the deductible in a cybersecurity policy, the company will pay it because they expect most of it to be paid by the insurance company.”
3. Attacks are timed and targeted
Garmin was an attractive target for Evil Corp, whose ransomware is believed to have been used in the attack on its data and systems. “We saw that Evil Corp targeted Garmin because they knew they were a large corporation with both deep pockets and mission-critical data, which meant they’d pay up,” said Chloé Messdaghi, vice president of strategy at Point3 Security, a provider of training and analytic tools to the security industry.
“Many ransomware perpetrators don’t target SMBs, even though the smaller and medium-sized companies are usually easier targets, because their security spending and planning aren’t as extensive as the larger enterprises. Evil Corp picked their target and intentionally used an attack that cripples networks, takes a lot of time to recover from, and is expensive.”
Evil Corp also timed its attack shrewdly, said Hank Schless, senior manager for security solutions at Lookout, a provider of mobile phishing solutions.
“Data protection, and security in general, has a direct impact on the financials of the organization. This attack was launched shortly before quarterly earnings were announced, which could have been intentional—to get Garmin to comply with the ransomware demands.”
4. Ransomware is most powerful when it impacts customer operations
Ransomware attacks on businesses have the most value when they can disrupt customer operations. “The real issue with Garmin was their connected devices stopped working,” said Ron Brash, director of cybersecurity insights at Verve Industrial Protection, a provider of industrial control security solutions.
“This is a fundamental consumer value proposition. If Garmin had allowed more downtime, customers would switch off and not trust them.”
This has major implications for any business that has operating assets, Brash added.
“Sure, it would stink if you couldn’t bill or you couldn’t get access to your Salesforce account, but if your customers cannot access your product, you’ll be willing to pay a very high ransom.”
He said Garmin should have been investing more in protection of the assets that deliver essential services to customers.
5. An extensive array of products can make an organization vulnerable to large-scale attacks
The more products and services an organization offers, the less visibility it tends to have into its own infrastructure. That lack of visibility gives attackers the cover they need to get in and operate unnoticed.
“We’ve learned that having an extensive offering of hardware, such as watches and GPS systems, and software, such as mobile apps and platforms, makes any organization a target for a large-scale attack.”
To protect your organization and your customers’ data, he continued, you need to ensure that your security team has visibility into every potential entry point or asset that can be leveraged in your infrastructure.
From servers to mobile devices, each endpoint represents a potential target that a threat actor could leverage for an attack, he said.
6. A lack of network safeguards can contribute to the severity of an attack
Although details of the Garmin attack are scant, what’s known about it points to a lapse in network security, EmberSec’s Jenkins said.
“They probably didn’t see themselves as a target for ransomware. I say that because this just propagated across their network. They were in a race to shut things down instead of containing the problem.”
Most companies don’t have playbooks for cyber attacks, and of those that do, less than half have ransomware plans, said Point3’s Messdaghi.
Verve’s Brash said that, given how widely the ransomware spread, it’s likely Garmin’s network structure was flat and centralized. That lack of diversity allowed the ransomware to spread unfettered, and the organization likely had few means to restore its systems in a timely and effective manner.
“Highly homogeneous networks and systems, and lack of segmentation—either network-wise or by business units—seem to have led from what could have been a limited incident to one with a far more catastrophic impact.”
All too often, the manufacturing or customer-delivery parts of the technology stack are the last to be protected, he said. “These should be the first to be segmented and protected.”
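The segmentation argument above is easy to state and hard to picture, so here is a small blast-radius model as an added example. It is not from the original article and does not describe Garmin’s actual network, which has not been made public; the host inventory, zone names, allow rules and the choice of SMB (445) and RDP (3389) as lateral-movement ports are all constructed assumptions. It runs a worm-style spread from one compromised workstation under a flat policy and under a segmented one and reports which hosts end up encrypted.

```python
"""
Blast-radius estimate for worm-style ransomware spread under two network
policies: a flat network (every zone reaches every other zone on every port)
and a segmented one. Constructed example: hosts, zones, ports and rules
are hypothetical and are not Garmin's real topology.
"""
from collections import deque
from dataclasses import dataclass, field

# Ports treated as lateral-movement channels. Assumption for this example.
LATERAL_PORTS = {445, 3389}


@dataclass(frozen=True)
class Host:
    name: str
    zone: str


@dataclass
class Policy:
    """Zone-to-zone allow rules: {(src_zone, dst_zone): {allowed ports}}.
    Traffic inside a zone is allowed unless the zone is listed in
    intra_zone_blocked (host isolation / private VLAN)."""
    rules: dict = field(default_factory=dict)
    intra_zone_blocked: set = field(default_factory=set)

    def allows(self, src: Host, dst: Host, port: int) -> bool:
        if src.zone == dst.zone:
            return src.zone not in self.intra_zone_blocked
        return port in self.rules.get((src.zone, dst.zone), set())


def blast_radius(hosts, policy, patient_zero):
    """Breadth-first spread: an infected host infects every host it can reach
    on any lateral-movement port. Returns the set of infected host names."""
    by_name = {h.name: h for h in hosts}
    infected = {patient_zero}
    queue = deque([by_name[patient_zero]])
    while queue:
        src = queue.popleft()
        for dst in hosts:
            if dst.name in infected:
                continue
            if any(policy.allows(src, dst, p) for p in LATERAL_PORTS):
                infected.add(dst.name)
                queue.append(dst)
    return infected


# Constructed inventory: corporate workstations, a call-centre floor,
# manufacturing line controllers and the customer-facing sync platform.
HOSTS = [
    Host("ws-01", "corp"), Host("ws-02", "corp"), Host("fileserver", "corp"),
    Host("cc-agent-01", "callcenter"), Host("cc-agent-02", "callcenter"),
    Host("plc-line-a", "manufacturing"), Host("hmi-line-a", "manufacturing"),
    Host("sync-api-01", "customer-platform"), Host("sync-db-01", "customer-platform"),
]
ZONES = sorted({h.zone for h in HOSTS})

# Flat network: every zone can reach every other zone on the lateral ports.
FLAT = Policy(rules={(a, b): set(LATERAL_PORTS)
                     for a in ZONES for b in ZONES if a != b})

# Segmented network: only business-required flows cross zone boundaries,
# none of them on a lateral-movement port, and call-centre agents are on a
# private VLAN so they cannot talk to each other.
SEGMENTED = Policy(
    rules={("corp", "manufacturing"): {8443},          # hypothetical historian export
           ("callcenter", "customer-platform"): {443}},  # hypothetical support portal
    intra_zone_blocked={"callcenter"},
)


def compare(patient_zero="ws-01"):
    """Infected host names under each policy, sorted for stable output."""
    return {name: sorted(blast_radius(HOSTS, pol, patient_zero))
            for name, pol in (("flat", FLAT), ("segmented", SEGMENTED))}


if __name__ == "__main__":
    for name, infected in compare().items():
        print(f"{name:10s} {len(infected)}/{len(HOSTS)} hosts infected: {infected}")
```

The flat policy encrypts the whole inventory, including the production line and the customer-facing platform, from a single workstation; the segmented policy stops the same infection at the corporate zone boundary, and a compromised call-centre seat reaches nothing at all. Run the same model against your own zone rules before an incident rather than after one.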
7. Human error continues to be a ransomware enabler
Garmin hasn’t explained how its systems became infected, but the ransomware believed to be behind the attack, WastedLocker, is known to be distributed as a fake software update on compromised websites, relying on a user to download and run it.
Employees continue to need ongoing education with regard to identifying threats, Stealthbits’ Piazza said.
“While many types of vulnerabilities continue to exist in networks, the human factor continues to be one of the largest threats to security.”
Point3’s Messdaghi added that the Garmin attack raises questions about what kind of training employees received. “Many companies train hundreds of employees virtually, with multiple-choice questions and very basic content rather than ongoing training and testing,” she noted.
8. Sanctions are ineffective at preventing payments
Some complexity has been introduced into meeting ransom demands made by Evil Corp, thanks to action taken last year by the Treasury Department. It imposed sanctions on Evil Corp that included barring any US person from engaging in transactions with the hacker group. Reportedly, Garmin skirted the sanctions by paying the ransom to a third party that then paid the hackers. That party claimed there was no clear evidence that WastedLocker belonged to Evil Corp.
We learned that government sanctions are “squishy” when the bad actor cannot be clearly and specifically identified or tied to that exact attack, Saviynt’s Kaufmann said.
“Even though Evil Corp was implicated in the attack, there was just enough probable doubt that Garmin was able to find a negotiation service that could leverage that doubt to allow them to pay.”
—Melody J. Kaufmann
If sanctions are enforced only when the cyber criminal can be 100% pinned to the crime, then they aren’t going to be effective, because rarely are cyber criminals so inept that they leave clear, indisputable evidence of their deed.
“You don’t remain a cyber criminal long if you are leaving behind evidence of what you’ve done.”
—Melody J. Kaufmann
Largely, and historically, sanctions barely work as expected, especially in a world of nearly non-existent borders on the web, added Verve’s Brash.
How to throttle bad actors’ ROI
The attack on Garmin illustrates how ransomware uses legitimate business models to operate, said Gurucul’s Nayyar.
“Ransomware negotiation services are an indication of just how much of a business this has become. There is now an entire ecosystem in place for these malicious acts, with malware as a service and technical support to explain to victims how they can purchase cryptocurrency to pay off a ransom.”
That’s why ransomware operators need to be hit where a business hurts most, its ROI, said Mounir Hahad, head of the threat lab for Juniper Networks, a network security and performance company.
“We have to put the bar so high that return on investment for the cybergang pushes them to give up the ransomware business. Business leaders should be driven by morals that dictate that we won’t pay a ransom, unless human lives are at stake.”
We also have to enact laws that criminalize the lack of good IT practice, he said.
“If you are sitting on a treasure trove of data or are providing critical services, but you didn’t take steps to secure your network, back up your data, or patch your systems for too long, falling prey to ransomware and causing harm to others should be grounds for prosecution.”