Fighting Back Against Ransomware
Garmin Ltd., the GPS device and service provider, recently confirmed a worldwide outage of its network due to a cyber attack. Reports from concerned GPS users had begun surfacing on Twitter that their devices were unable to connect to the Garmin network. Within hours of the first reports, it was obvious the outage was at a massive scale. It took days for Garmin to confirm the extent of the outage, but the company finally released this statement.
“Garmin Ltd. was the victim of a cyber attack that encrypted some of our systems on July 23, 2020. As a result, many of our online services were interrupted including website functions, customer support, customer facing applications, and company communications. We immediately began to assess the nature of the attack and started remediation.”
The outage left millions of Garmin customers unable to use GPS devices, fitness trackers, smartwatches, and other Garmin devices. Although the company has yet to acknowledge the outage was linked to a ransomware attack, Garmin employees have confirmed through social media that ransomware was indeed the culprit.
The ransomware used in the Garmin attack is called WastedLocker. It is a new strain of ransomware first witnessed by the public earlier in July. WastedLocker is a highly adaptable ransomware that can target specific organizations through the use of customized modules. In a Threat Spotlight, Malwarebytes reports:
“The attacks performed using WastedLocker are highly targeted at very specific organizations. It is suspected that during a first penetration attempt an assessment of active defenses is made and the next attempt will be specifically designed to circumvent the active security software and other perimeter protection.
The ransomware name is derived from the filename it creates which includes an abbreviation of the victim’s name and the string “wasted”.
For each encrypted file, the attackers create a separate file that contains the ransomware note. The ransom note has the same name as the associated file with the addition of ‘_info’.”
Through the targeting of specific organizations, the attackers can make significant ransom demands — usually ranging from $500,000 to over $10 million in Bitcoin.
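The naming pattern in the quoted Malwarebytes report can be turned into a simple file-listing check. The following is an added example, not code from Malwarebytes or WatchGuard: it flags files whose name contains "wasted" and that have a companion file with the same name plus "_info". The function names, the sample paths, and the placeholder abbreviation "acme" are constructed for illustration.

```python
import os
import re
from collections import Counter

MARKER = "wasted"      # string the quoted report says the created filename includes
NOTE_SUFFIX = "_info"  # ransom note name = encrypted file name + this suffix

def _basename(path):
    # Accept both Windows and POSIX separators in collected listings.
    return re.split(r"[\\/]", path)[-1]

def find_note_pairs(paths):
    """Return sorted (encrypted_file, ransom_note) pairs from an iterable of paths."""
    by_lower = {p.lower(): p for p in paths}  # Windows names compare case-insensitively
    pairs = []
    for low, note in by_lower.items():
        if not low.endswith(NOTE_SUFFIX):
            continue
        target = low[: -len(NOTE_SUFFIX)]
        # Require both halves: the companion exists and its name carries the marker.
        if target in by_lower and MARKER in _basename(target):
            pairs.append((by_lower[target], note))
    return sorted(pairs)

def hot_directories(pairs, threshold=2):
    """Directories holding at least `threshold` pairs; a single pair may be coincidence."""
    counts = Counter(enc[: len(enc) - len(_basename(enc))] for enc, _ in pairs)
    return {d: n for d, n in counts.items() if n >= threshold}

def list_tree(root):
    """Collect every file path under root, ready for find_note_pairs()."""
    return [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]

# Constructed sample listing; "acme" is a placeholder victim abbreviation.
SAMPLE = [
    r"D:\share\finance\q2.xlsx.acmewasted",
    r"D:\share\finance\q2.xlsx.acmewasted_info",
    r"D:\share\finance\payroll.docx.ACMEWASTED",
    r"D:\share\finance\payroll.docx.acmewasted_info",
    r"D:\share\hr\handbook.pdf",
    r"D:\share\hr\wasted_time_report.txt",  # marker but no note: not a pair
    r"D:\share\hr\build_info",              # "_info" but no marked companion
]

if __name__ == "__main__":
    found = find_note_pairs(SAMPLE)
    for enc, note in found:
        print(f"{enc}  <->  {note}")
    print(hot_directories(found))
```

By the time such pairs exist, files have already been encrypted, so a hit from this check is a trigger for containment and scoping rather than prevention.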
How to Protect Against Ransomware
The first line of defense in any ransomware strategy needs to be user education. Most ransomware is spread through phishing attacks, which means the user grants the ransomware access to resources themselves because they have been tricked. For example, you could receive an email that appears to be from your IT department asking you to run an update in the email attachment. Instead of an update, the attachment contains the ransomware. If only one user on your network is fooled, the ransomware may have gained access to your corporate files. Everyone with access to your network, including employees, vendors and customers, needs education on how not to become a victim.
The second most critical line of defense is an effective anti-ransomware security package like Threat Detection and Response (TDR) and APT Blocker from WatchGuard. Ransomware is constantly evolving, and it can be difficult to detect new ransomware strains that have yet to be identified. TDR and APT Blocker look at how ransomware behaves, instead of relying on a database of known ransomware signatures. This allows for protection against new strains just as they are released.
The third most critical strategy to defend against ransomware is to implement offline backups of all critical data. If ransomware does penetrate your network, the chances are high that at least some files will be encrypted and held for ransom. Having an up-to-date and secure offline backup may be your final line of defense keeping you from paying the ransom.