Garmin expects its operations to be back up in the next few days, with some delays, after suffering a targeted WastedLocker ransomware attack that reinforced that the best cybersecurity strategy is to prepare for the worst.
The smart watch/wearable tech firm admitted on its website the attack encrypted some of its systems on July 23, and as a result, many of the company’s online services were interrupted, including website functions, customer support, customer facing applications, and company communications.
Garmin did not indicate whether it paid the ransom, or how much money might have been requested. Some attack details reportedly trickled via employees’ photos via social media. Garmin now states on the website it has no indication any customer data, including payment information from Garmin Pay, was accessed, lost or stolen.
As of July 27, Garmin as affected systems are restored, “we expect some delays as the backlog of information is being processed.”
Chris Clements, vice president of solutions architecture for Cerberus Sentinel, said a carefully coordinated incident response action that would have avoided details being leaked by employees.
“Instructions would be sent out to all employees to refrain from communicating information that may be incomplete or inaccurate,” he said. Without corporate transparency as to what happened, “employees have been tweeting out information that may or may not be accurate and leading to wild speculation as to the extent and severity of the situation.”
Although its Garmin Connect was not accessible during the outage, activity and health and wellness data collected from Garmin devices during the outage was stored on the device. “We anticipate that all data will appear in Garmin Connect once the user syncs their device,” the company stated.
By that statement, consumers still don’t know for sure if their personal data was impacted.
Underscoring the semantics nature of crisis communications, Denis Legezo, senior security researcher at Kaspersky, pointed out that it appeared pilots couldn’t obtain maps updates and some production lines in Asia were impacted, although Garmin insisted the functionality of its products was not affected, other than the ability to access online services.
Kaspersky monitors dozens of web domains related to this malware family, and registered the Garmin server as part of CobaltStrike, which Legezo deemed a legitimate commercial penetration testing platform also widely used by malefactors.
“In WastedLocker’s case, so far, there are no signs of anything besides encryption and request for ransom payment,” Legezo said.
Torsten George, cybersecurity evangelist at Centrify, pointed out that what happened to Garmin underscores how Ransomware attacks can severely disrupt business and cost hours of productivity and profit.
“There are a few basic steps that an organization can take to minimize their exposure to ransomware and keep their services up and running,” George said, advocating cyber hygiene strategy. “Implement security awareness programs to educate employees on how ransomware is being deployed and how to avoid spear-phishing attacks,” he said, adding that organizations should also frequently update anti-virus and anti-malware with the latest signatures and perform regular scans.
Lucy Security CEO Colin Bastable concurred employees need to be trained to detect and resist ransomware attacks, “just as you patch systems, patch your people with regular, varied, continuous and well-planned security awareness training to make them part of your defenses.”
Richard Cassidy, senior director of security strategy at Exabeam, agreed the best defense against ransomware is a good offense through proactive prevention and mitigation. “Behavioral modeling through user and entity behavior analytics is one of the most effective approaches,” he said. By monitoring certain behaviors on a regular basis, organizations have a better chance to recognize what is normal for users and devices on the network, Cassidy said. Unusual behavior could indicate a ransomware attack possibly preventable with early detection, he added.
Carl Wearn, head of e-crime at Mimecast, agreed about the need to pay particular attention to their patterns of network traffic and data logs to identify any potential compromise. “There is a potential short window of opportunity to remediate any initial dropper infection,” Wearn said, thereby preventing the further insertion of ransomware, which he believes victims should not pay because that only encourages attackers.
To prevent lengthy downtimes from which some organizations might not ever survive, everyone should implement as standard operations Non-networked backups and a fallback email and archiving process, he said.
Gurucul CEO Saryu Nayyar called the Garmin attack “a doozy” for being able to disable its website, call center, email, chat, production systems, and data-syncing service. Besides a daily backup regimen, she noted “machine-based responses are becoming table stakes to machine-based threats these days.”
Javvad Malik, security awareness advocate at KnowBe4, said this incident shows that organizations must have a layered security model to defend, detect, and response in a timely manner to any attacks.
Curtis Simpson, CISO at IoT security firm Armis, pointed out that companies which rely on operational technology (OT) need to pay attention what happened and the disaster potential for airlines because pilots rely on Garmin navigational systems.