Ransomware attack on Garmin, how this attack happened?

Ransomware attack on Garmin connect

Last week, you probably saw news about a ransomware attack on Garmin. It started on 23 July and continued through the weekend. Garmin users worldwide weren’t able to use Garmin connect, the company’s website was down, support centers were out of commission and flyGarmin services were also down. 

Firstly, the Attackers encrypted some of Garmin’s system and then demanded for $10 million to restore the access. 

Last Tuesday, the website was back up and activities are syncing again. But, how did this attack happen? Let’s find out. 

How this attack happened

Oren T. Dvoskin, the Global marketing director of Sasa Software explained this week, ransomware attacks are commonplace and easy to fall for. Sasa Software(an Israeli IT security firm), that specialize in preventing file-based attacks. 

He said “You open an inconspicuous email attachment, and before knowing it, your files are encrypted”. Sometimes these files can restore using backups, or by paying the ransom, usually in Bitcoin. Victims often find that ransomware attackers have excellent customer services. 

Ransomware attackers can target individuals, but it’s usually more profitable for attackers to go after large organizations. 

In the ransom attack on Garmin, the attackers used WastedLocker ransomware. WastedLocker is operated by Russian cybercrime group Evil Corp, and is used by the group to attack specific organizations. 

According to Dvoskin, to deliver the ransomware, the Evil Corp adds malicious code to existing websites. This code tells users to download a software update. 

Dvoskin also said, the attack was started when users were browsing legitimate websites. Browsing the site opens a page telling users to download fake software. In the case of Garmin, it was hacked news sites, sending a request to update Google chrome browsers. 

By installing an update of Google Chrome a weaponized file entered into the user’s computer, from where it was able to spread across Garmin’s system. 

These files enable attackers to study the victim’s network to identify weaknesses and use the discovered vulnerabilities to spread the ransom component in as many locations as possible. 

When the control is achieved, many attackers withdraw data from the network prior to the ransomware activation. 

Once the process of taking control and exfiltration has been completed, the ransom is activated in an orchestrated way to achieve a rapid enterprise-wide disruption. Depending on the effort required to achieve control, this process can take several weeks. 

Once the WastedLocker activated on the Garmin network, the ransomware was set to encrypting files. According to reports, as the devices were being encrypted, the Garmin IT department tried to shut down all the network computers remotely. Also home computers connected via VPN. All devices in a data center were also shut down and results of which Garmin connect and other services went down. 

With the data encrypted, the attackers then reportedly demanded a US$10 million ransom in exchange for a key that would decrypt the data.