fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Confirmed: Garmin Received Decryptor For Wastedlocker Ransomware

Confirmed: Garmin Received Decryptor For Wastedlocker Ransomware

BleepingComputer can confirm that Garmin has received the decryption key to recover their files encrypted in the WastedLocker Ransomware attack.

On July 23rd, 2020, Garmin suffered a worldwide outage where customers could not access their connected services, including the Garmin Connect, flyGarmin, Strava, inReach solutions.

BleepingComputer was the first to confirm that they suffered a cyberattack by the WastedLocker Ransomware operators after employees shared photos of encrypted workstations, and we found a sample of the ransomware utilized in the attack.

Photo of encrypted Garmin workstation

Employees later shared with BleepingComputer that the ransom demand was $10 million.

After a four day outage, Garmin suddenly announced that they were starting to restore services, and it made us suspect that they paid the ransom to receive a decryptor.

Garmin refused, though, to comment any further.

Confirmed: Garmin received a WastedLocker decryption key

Today, BleepingComputer gained access to an executable created by the Garmin IT department to decrypt a workstation and then install a variety of security software on the machine.

WastedLocker is an enterprise-targeting ransomware with no known weaknesses in their encryption algorithm. This lack of flaws means that a decryptor can not be made for free.

If you work at Garmin or know someone working there with first-hand information on this incident, you can confidentially contact us on Signal at +16469613731.

To obtain a working decryption key, Garmin must have paid the ransom to the attackers. It is not known how much was paid, but as previously stated, an employee had told BleepingComputer that the original ransom demand was for $10 million 

When extracted, this restoration package includes various security software installers, a decryption key, a WastedLocker decryptor, and a script to run them all.

Garmin restoration package contents

When executed, the restoration package decrypts the computer and then preps the machine with security software. 

Garmin script to restore a workstation

Garmin’s script contains a timestamp of ’07/25/2020′, which indicates that the ransom was paid either on July 24th or July 25th.

Using the sample of WastedLocker from the Garmin attack, BleepingComputer encrypted a virtual machine and tested the decryptor to see if it would decrypt our files.

In our test, demonstrated in the video below, the decryptor had no problems decrypting our files.

All companies should follow the general rule of wiping all computers and installing a clean image after a ransomware attack. This reinstall is necessary as you never know what the attackers changed during their incursion.

Based on the script above, it does not appear that Garmin is following this guideline and is simply decrypting the workstations and installing security software.

Also read: 12 brief explanation about the benefits of data protection for business success

Custom decryptor used

The decryptor enclosed in the package includes references to both cybersecurity firm Emsisoft and ransomware negotiation service firm Coveware.

When BleepingComputer reached out to Coveware, we were told that they do not comment on any ransomware incidents reported in the media.

In a similar response, Emsisoft told us that they could not comment on any cases, but that they create decryption tools and are not involved in ransom payments.

“I cannot comment on specific cases, but generally speaking, Emsisoft has no involvement whatsoever in negotiating or transacting ransom payments. We simply create decryption tools,” Brett Callow, a threat analyst at security firm Emsisoft, told BleepingComputer.

Emsisoft commonly makes custom ransomware decryptors when the tools supplied by the threat actors are buggy or if companies are concerned that they may contain backdoors.

“If the ransom has been paid but the attacker-provided decryptor is slow or faulty, we can extract the decryption code and create a custom-built solution that decrypts up to 50 percent faster with less risk of data damage or loss,” Emsisoft’s ransomware recovery services page states.

As Evil Corp has been attributed as the creator of WastedLocker and was placed on the US sanctions list for using Dridex to cause more than $100 million in financial damages, paying this ransomware could lead to hefty fines from the government.

Due to these sanctions, sources familiar with Coveware have told BleepingComputer that the negotiation company has placed WastedLocker on their restricted list in early July, and are not handling negotiations for related attacks.

Garmin has not responded to our queries at this time.

Also read: How Being Data Protection Trained Can Help With Job Retention

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us