Analysis of WastedLocker targeted ransomware

Our experts’ detailed analysis of the prime suspect in the ransomware attack on Garmin.

In late July 2020, tech news sites were brimming with articles about Garmin. Various Garmin services, including device syncing with the cloud and tools for pilots, were disabled. The dearth of accurate information left everyone theorizing wildly. For our part, we decided to wait for some concrete data before assessing the situation.

In its official statement, Garmin confirmed that it had been hit by a cyberattack that interrupted online services and encrypted some internal systems. The information available at the time of this writing indicates that the attackers used the WastedLocker ransomware. Our experts performed a detailed technical analysis of the malware, and here are their main findings.

WastedLocker ransomware

WastedLocker is an example of targeted ransomware — malware tweaked to attack a specific company. The ransom message referred to the victim by name, and all encrypted files got the additional extension .garminwasted.

The cybercriminals’ cryptographic scheme points to the same conclusion. Files were encrypted using the AES and RSA algorithms, which ransomware creators often use in combination. However, one public RSA key is used to encrypt files, rather than one generated uniquely for each infection. In other words, if this ransomware modification were used against multiple targets, the data-decryption program would be general-purpose, because there would have to be one private key as well.

In addition, the ransomware displays the following curious features:

  • Prioritizing of data encryption, meaning the cybercriminals can specify a particular directory of files to encrypt first. That maximizes damage in case security mechanisms stop the data encryption before it’s complete;
  • Support for file encryption on remote network resources;
  • Privilege checking and use of DLL hijacking for privilege elevation.

You’ll find detailed analysis of the ransomware in the WastedLocker: technical analysis post on Securelist.

How’s Garmin doing?

According to the company’s updated statement, services are up and running again, although data synchronization might be slow and is still limited in some individual cases. That’s understandable: Devices that couldn’t sync with their cloud services for several days are now contacting company servers all at once, increasing the load.

Garmin reports that there is no evidence anyone gained unauthorized access to user data during the incident.

How to protect against such attacks

Targeted ransomware attacks on companies are here to stay. That being the case, our recommendations for guarding against them are fairly standard:

  • Always keep software up to date, especially the operating system — most Trojans exploit known vulnerabilities;
  • Use RDP to deny public access to company systems (or, if necessary, use a VPN);
  • Train employees in the basics of cybersecurity. Most often, it’s social engineering on employees that lets ransomware Trojans in to infect corporate networks;
  • Use cutting-edge security solutions with advanced antiransomware technologies. Our products detect WastedLocker and prevent infection.