
Garmin Ransomware Attack: SOC Threat Analysis and 10 Lessons Learned

Director of SIEM Operations

From the SecurityMetrics Security Operations Center (SOC)

The global pandemic has created more opportunities for threat actors to create mayhem and chaos across the threat landscape. If threat actors are looking for opportunities to do harm, then this pandemic has created the perfect storm. SecurityMetrics Threat Analysts have described this situation as if all the major holidays combined and created a once-in-a-lifetime opportunity for cyber criminals. 

This post examines the recent Garmin ransomware attack and shares the lessons learned from it. Attacks like this are a warning to organizations everywhere and should not be ignored, no matter the size of your business. 


What is ransomware?

Ransom malware, or “ransomware,” is a type of cyber attack that generally involves malicious software. Ransomware can infect one device or an entire network in your environment. Typically the threat actor encrypts files on a victim’s machine or throughout an entire network, restricting users' access until a ransom is paid to unlock them. 

Many ransomware variants, including Petya and WannaCry, have been observed over the years by SecurityMetrics Threat Analysts. The primary motive in most ransomware attacks is to extort money from victims, usually through an onscreen alert or warning. 
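The behaviour described above, files rewritten as unreadable ciphertext plus a demand for payment, is also what a SOC can look for on the defensive side. The following is an added example, not code from the original post or from SecurityMetrics: it compares two constructed snapshots of a directory (before and after an incident) and flags files whose contents changed from low-entropy, recognizable data to high-entropy data that looks encrypted, as well as any newly created ransom-note-like text file. The entropy threshold, the note keywords and the `.locked` extension are assumptions for the sake of the example.

```python
"""Added example (not from the original post): a simple SOC-style check for
the mass file-encryption behaviour ransomware exhibits.  It compares two
snapshots of a directory and flags files that turned into high-entropy
blobs, plus any newly appeared ransom-note-like file.  All sample data is
constructed inline; thresholds and filenames are assumptions."""
import hashlib
import math
from collections import Counter

HIGH_ENTROPY = 7.5  # bits per byte; encrypted or random data is close to 8.0 (assumed threshold)
NOTE_KEYWORDS = ("decrypt", "ransom", "bitcoin")  # assumed ransom-note indicators


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pseudo_random_bytes(seed: str, length: int) -> bytes:
    """Deterministic stand-in for ciphertext: chained SHA-256 digests."""
    out = bytearray()
    block = seed.encode()
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


def looks_like_ransom_note(name: str, data: bytes) -> bool:
    """A new .txt file mentioning decryption or payment is treated as a ransom note."""
    text = data.decode("utf-8", errors="ignore").lower()
    return name.lower().endswith(".txt") and any(k in text for k in NOTE_KEYWORDS)


def analyse_snapshots(before: dict, after: dict) -> dict:
    """Compare two {filename: bytes} snapshots and return suspicious findings."""
    findings = {"encrypted": [], "missing": [], "notes": []}
    for name, old in before.items():
        # The file may keep its name or gain an extra extension (e.g. report.docx.locked).
        new_name = next((n for n in after if n == name or n.startswith(name + ".")), None)
        if new_name is None:
            findings["missing"].append(name)
            continue
        # Known blind spot: data that was already high-entropy (archives, media)
        # cannot be distinguished from ciphertext by entropy alone.
        if shannon_entropy(old) < HIGH_ENTROPY <= shannon_entropy(after[new_name]):
            findings["encrypted"].append(new_name)
    for name, data in after.items():
        if name not in before and looks_like_ransom_note(name, data):
            findings["notes"].append(name)
    # Flag "mass encryption" when at least half of the original files were scrambled.
    findings["mass_encryption"] = len(findings["encrypted"]) >= max(1, len(before) // 2)
    return findings


# Constructed sample snapshots (not real data).
BEFORE = {
    "report.docx": b"Quarterly revenue summary for the board. " * 100,
    "photos.zip": pseudo_random_bytes("already-compressed", 4096),  # high entropy even before
    "notes.txt": b"meeting at 10\n" * 50,
}
AFTER = {
    "report.docx.locked": pseudo_random_bytes("report", 4096),
    "photos.zip.locked": pseudo_random_bytes("photos", 4096),
    "notes.txt.locked": pseudo_random_bytes("notes", 4096),
    "README_TO_DECRYPT.txt": b"Your files are encrypted. Pay in bitcoin to decrypt.",
}

if __name__ == "__main__":
    for key, value in analyse_snapshots(BEFORE, AFTER).items():
        print(f"{key}: {value}")
```

In practice the "before" snapshot would come from a file-integrity monitoring baseline or backup catalogue, and the check would run on write-rate spikes rather than on demand; the point of the example is the signal (entropy jump plus a note), not the mechanism for collecting snapshots.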

Current ransomware threats and trends

It’s less likely that SecurityMetrics Threat Analysts will see cyber criminals solely focused on breaking into an environment and stealing data or important “crown jewels.” Recent trends indicate that current attacks aim to go beyond simply exfiltrating data. 

One current trend involves using the threat of exposure as a bargaining chip. As if the prospect of being locked out of your computer or entire network were not damaging enough, you now have the added concern of your stolen data being leaked unless you pay a ransom. 

This way, threat actors increase their chances of a payday even if an organization is able to restore its files or systems without paying a ransom. 

Using the stolen data as leverage is kicking businesses when they are already down. In essence, it bullies organizations that have become infected with ransomware into paying the requested amount. 

The problem has become so widespread that some firms offer ransomware negotiation services to assist organizations that have been breached. 

Understanding Garmin’s ransomware attack

On July 23, an enormous, strategically planned ransomware attack against Garmin brought the company to its knees, knocking products, apps, websites, and even call centers offline for five days. Garmin reportedly paid over 10 million dollars in ransom to resolve their situation.

Many consumers are familiar with Garmin’s product lines. Their wearable technologies like activity trackers and smartwatches compete with products from FitBit and Apple. Garmin also provides GPS-reliant products and services to many businesses as part of their critical infrastructure. Businesses that rely on these GPS products and services include those in the automotive, aviation, marine, and outdoor industries.


The impact of Garmin’s ransomware attack

Ransom demands are not always a business killer, but downtime is. This attack forced Garmin’s business offline for five long days. 

After five days, Garmin's systems slowly began to come back online. Soon after going live, reports appeared that Garmin paid a multimillion-dollar ransom for an encryption key to restore data scrambled by a particularly pernicious piece of malware, called WastedLocker. Some researchers have linked this malware to Evil Corp, a crime group based in Russia that has been sanctioned by the US Department of the Treasury.

If you take into account the size and scope of the Garmin breach, it is by far the largest of 2020.


10 lessons learned from the Garmin breach

The SecurityMetrics Threat Analysts put together a short list of our top lessons learned from the Garmin ransomware breach. These lessons are a great primer for any organization concerned about malware attacks.

1. Compliance does not equal protection from ransomware

You may have heard the quote, “Just because you are compliant, it doesn’t mean you are secure,” followed by, “Just because you're secure, it doesn’t make you compliant.” 

If your focus is always to develop a mature, holistic cybersecurity posture, you’ll be more likely to keep the big picture in mind when developing a comprehensive strategic and tactical plan. 

Big-picture planning beyond compliance helps you continually examine every aspect of your network, people, process, and tools. 

2. No organization, no matter its size or industry, is immune from ransomware

We hear of million-dollar ransom attacks on universities, government agencies, and large enterprises, which makes sense considering that universities are doing research in areas like the COVID-19 vaccine. In June, hackers attacked the UC Santa Barbara medical center. 

But it’s not just large healthcare, legal, retail, and financial targets who are suffering. The reality is that small-to-medium businesses (SMBs) can be just as vulnerable. The average ransom demand for an SMB is around $1,000, but the downtime is even costlier. When a company can’t take payments and is bleeding customers, it becomes a critical situation. 

3. Business resiliency, continuity planning, and customer communication are key

How many days did Garmin go without making a statement? Too long. In a situation this serious, there is no such thing as over-communication, especially when social media is available. 

Garmin had a significant outage and initially only offered a short Q&A, which provided little reassurance or confidence to their customers.

Beyond crisis media management, several areas of business continuity and resiliency planning were not in place or failed. 

"Organizations should have policies in place to deal with ransoms, as well as have playbooks for responding to a variety of ransomware attacks."

4. An age-old question: to pay or not to pay?

Law enforcement and other forensic professionals do not advise paying ransoms.

Paying threat actors can embolden them to continue their actions. It can set a bad precedent too. Cyber criminals may decide to just inflate the ransom after receiving payment if they are still in your network. 

You also run the risk of copycat cyber criminals who now know that your organization always pays. 

In the Garmin case, their team felt paying was the best option to get their network back and keep their customers from switching services. 

5. Ransomware attacks are both strategic and tactical

Threat actors are smart. The Garmin attack was timed and targeted to launch shortly before the quarterly earnings were announced. Evil Corp’s attack pattern would cripple Garmin’s network internally while also destroying their customer operations. 

Threat actors look for easier targets based on security spending, cyber budget, and team size. They read organizations’ job announcements to see what types of skills and people they are hiring.

6. Ransomware reaches peak power when it affects customers

Ransomware is most effective when it impacts your front-facing customer operations. 

Garmin had downtime of five days. Imagine if your business was offline for five days. How many customers would you lose? Many firms rely on Garmin GPS technology for their critical infrastructure. What about their customers? 

What are your business options and business continuity plans? Imagine, like Garmin, that your entire product line goes offline. Threat actors knew the impact that would have for Garmin and specifically targeted those parts of the business.


7. The bigger you are, the harder you can fall

With products and services across many industries, including aviation, marine, automobile, logistics, athletics, and more, Garmin has a huge technological footprint. 

Garmin’s reported ransom payment of 10 million dollars directly reflected the scope of damage done, and the potential for more.

8. Defense in Depth is still King

Garmin was not ready for this attack, and as threat actors moved laterally across their network, Garmin found themselves in a race between shutting systems down and trying to contain the issue. 

“Defense in depth” is a concept first conceived by the NSA. It involves a layering approach to security. Network safeguards, daily cyber fundamentals, and regular cyber hygiene can help reduce the severity and escalation of an attack. 

The following foundational concepts, practices, and tools can help you develop defense in depth at your organization:

  • Avoid homogeneous networks and systems, flat networks, and a lack of network segmentation because they contribute to an ease of movement for threat actors 
  • Have a consistent patch management program in place to reduce vulnerabilities 
  • Ensure your team performs both external and internal scanning on a regular basis 
  • Practice obfuscation of your networks; use a color code for your servers rather than names or numbers
  • Deploy MFA and strong password policies 
  • Consistently audit what devices, hardware, and software are actually on your network 
  • Ensure you have some sort of governance plan in place to regularly review and update your policies 
  • Perform a risk assessment on any software or hardware before you introduce it to your environment
  • Strive for a more engaged, robust security awareness or education program
  • Offer consistent monthly security engagements or training
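Three of the items above (avoiding flat, unsegmented networks, regular internal scanning, and auditing which devices are actually on the network) can be checked with the same data: an asset register, a segment policy, and the output of a scan run from each segment. The following is an added example, not code from the original post or from SecurityMetrics. The inventory, subnets, scan results and allowed-traffic policy are all constructed inline, and their dictionary formats are assumptions rather than any vendor's export format.

```python
"""Added example (not from the original post): reconcile an authorised asset
inventory against scan results to find unknown hosts, stale inventory
entries, mis-registered assets and segmentation violations.  All data below
is constructed; the formats are assumptions."""
import ipaddress

# Constructed asset register: IP -> hostname and the segment it is supposed to live in.
INVENTORY = {
    "10.10.1.10": {"host": "db01", "segment": "servers"},
    "10.10.1.11": {"host": "app01", "segment": "servers"},
    "10.10.2.25": {"host": "ws-heff", "segment": "workstations"},
    "10.10.2.26": {"host": "ws-retired", "segment": "workstations"},
    "10.10.9.5": {"host": "printer01", "segment": "workstations"},  # registered in the wrong segment
}

# Constructed segment definitions.
SEGMENTS = {
    "servers": ipaddress.ip_network("10.10.1.0/24"),
    "workstations": ipaddress.ip_network("10.10.2.0/24"),
    "guest": ipaddress.ip_network("10.10.9.0/24"),
}

# Constructed internal scan results: (segment the scan ran from, target IP, open port).
SCAN = [
    ("servers", "10.10.1.10", 5432),
    ("workstations", "10.10.1.10", 5432),  # workstation reaches the database directly
    ("guest", "10.10.1.11", 3389),         # guest network reaches RDP on a server
    ("workstations", "10.10.2.25", 445),
    ("guest", "10.10.2.77", 22),           # host that is not in the inventory at all
    ("workstations", "10.10.2.77", 22),
]

# Constructed policy: (source segment, destination segment) -> ports that should be reachable.
# Anything not listed is a segmentation violation.
ALLOWED = {
    ("servers", "servers"): {5432, 443},
    ("workstations", "servers"): {443},
    ("workstations", "workstations"): {445},
}


def segment_of(ip: str, segments: dict = SEGMENTS):
    """Name of the segment whose subnet contains ip, or None if unassigned."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in segments.items() if addr in net), None)


def audit(inventory: dict, scan: list, allowed: dict) -> dict:
    """Reconcile inventory, scan results and segmentation policy."""
    seen = {ip for _, ip, _ in scan}
    findings = {
        # Live on the network but absent from the register: rogue or undocumented devices.
        "unknown_hosts": sorted(seen - inventory.keys()),
        # In the register but not observed: decommissioned, powered off, or the scan missed them.
        "inventory_not_seen": sorted(inventory.keys() - seen),
        # Declared segment disagrees with the subnet the address actually sits in.
        "segment_mismatch": [ip for ip, meta in inventory.items()
                             if segment_of(ip) != meta["segment"]],
        "segmentation_violations": [],
    }
    for src, ip, port in scan:
        dst = segment_of(ip)
        if port not in allowed.get((src, dst), set()):
            findings["segmentation_violations"].append((src, ip, port))
    return findings


if __name__ == "__main__":
    for key, value in audit(INVENTORY, SCAN, ALLOWED).items():
        print(f"{key}: {value}")
```

Run regularly, the "unknown_hosts" and "inventory_not_seen" lists keep the asset register honest, and "segmentation_violations" shows where a threat actor who lands on a workstation or the guest network could move directly onto server ports, which is exactly the lateral movement the Garmin section above describes.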

9. Human firewalls are the first line of defense

Human error continues to be a ransomware enabler, and your employees are no exception. They are the first line of defense, often termed the “human firewall.” 

Offering an engaging, robust security awareness or education program helps extend your security beyond just the technology. Organizations should offer consistent monthly engagements or training. All staff should learn and demonstrate knowledge of cybersecurity on the job in everything they do. 

10. Sanctioning cybercriminals doesn't work

Last year, the US Department of the Treasury implemented sanctions when dealing with cyber criminals. These sanctions bar any US person from engaging in transactions with these cyber criminal enterprises, including advanced persistent threat (APT) groups like Evil Corp. 

The unintended side effect has been a growth industry of third-party providers who will handle negotiating and paying ransoms on your organization's behalf. Garmin was able to skirt this sanction and pay the ransom to the third party, who in turn paid Evil Corp. 

Many organizations may not have policies or procedures to deal with paying ransoms. Even if they wanted to pay, they may not have the mechanisms in place to do so, such as a way to transfer the untraceable bitcoin that ransoms are demanded in.

Prevent ransomware and data breaches with SecurityMetrics Pulse

Working backwards from large corporate data breaches, we've been able to pinpoint some of the most common attack vectors used in network breaches:

If you are a large franchise or corporate entity with many remote locations, it's crucial to find a network security company that can provide visibility into your gray-area networks to monitor for threats, vulnerabilities, and malicious activity, while also assuring network owners that they are still in control of their own networks and privacy.

SecurityMetrics Pulse External Security

Do you know what vulnerabilities threaten your external network security? Pulse External Security is a SOC/SIEM product to help you stay ahead of cyber criminals who attempt to exploit your organization’s locations through external vulnerabilities.

SecurityMetrics Pulse includes:

  • Low cost per location
  • Low-touch implementation (only requires account setup and external IP addresses), no on-site installation required
  • Simple integration with more thorough Pulse sensors and packages


Matt Heffelfinger ("Heff" is preferred) is a Utah-based cybersecurity professional and serves as SecurityMetrics Director of SIEM Operations. His primary wheelhouse includes leading the SecurityMetrics Security Operations Center (SOC) and Threat Intelligence Teams for multiple clients both in the USA and globally. With over 15 years of global cybersecurity experience, his career stops include Caesars Entertainment, TJX, Inc., General Electric, NBC Television and the Las Vegas Sands Corp. 
