Article | Decode Cyber Brief

Ransomware goes mainstream as cyber criminals open the Locker

Corporate Risk Tools and Technology|Cyber Risk Management|Financial, Executive and Professional Risks (FINEX)

By Jake Wingfield and Dean Chapman | August 21, 2020

Another Fortune 500 company has recently been held ransom through a cyber attack. How did this happen? And what can businesses do to mitigate the risks?

Background

WastedLocker is the newest strain of ransomware being reported by cyber security organizations. First visible in May 2020, WastedLocker appears to target predominantly U.S.-based organizations. Quickly attributed to a Russian cyber criminal group, it is the latest in a significant line of malware families developed by Evil Corp, the group responsible for the Locky, Dridex and BitPaymer campaigns [1].

According to reports published this past week, WastedLocker has claimed its most notable target to date: Garmin Ltd [2].

What is known?

This latest attack is one of eight that targeted Fortune 500 companies this year; indeed, it is believed that over 31 other large private organizations have also been attacked [3]. What Evil Corp has in store for the remaining organizations is unclear, but the threat posed has the potential for significant disruption.

In the most recent attack on Garmin (who have yet to explicitly confirm the presence of WastedLocker), initial reports point to a Taiwan facility as the point of breach [4]. This is an interesting point, as it highlights the likelihood of intensive reconnaissance activity on the part of the attackers. So, unlike earlier ransomware such as NotPetya, which was indiscriminate in nature, WastedLocker (and Evil Corp) is deliberately and directly targeting firms.

Yet, if the focus of the campaign was to target U.S. companies, why is Taiwan significant? It’s all about the path of least resistance. Cyber criminals, even the sophisticated ones such as Evil Corp, will always look for the quickest and easiest ‘way in’.

While exact details are currently scarce, it may be that this location was perceived to lack effective cyber security; alternatively, it may have been identified as holding the ‘Crown Jewels’ and as such attracted attention as a way to gain access across the wider network. Ultimately, all the criminal group needed was a way in, targeting either technical or human ‘vulnerabilities’.

In this case, the target business has a broad range of wireless devices and applications serving five primary business units (auto, aviation, fitness, marine and outdoor) across both private and public sectors [5]. The presence of these interconnected devices on essential transportation networks raises the possibility that a cyber breach could have secondary effects on Critical National Infrastructure (CNI), as an incident at any one point in this value chain can have severe consequences in other areas [6].

This is important because the majority of the developed world relies on Critical National Infrastructure (CNI) day in, day out. We need communications networks to keep in touch with friends and family (especially in the current environment of the global COVID-19 crisis), transport networks to travel to work and school, and satellite networks for safe navigation and for identifying the geospatial position of supply chains. Interruption to any of these critical services would clearly impact global economies and businesses.

Infection method

WastedLocker follows the same path as earlier ransomware strains from Evil Corp and continues to play to the strengths of the group's highly skilled exploit and software developers, who have repeatedly proven capable of bypassing network defences at every level and scale.

WastedLocker takes its name from the filenames it creates. The preferred method of infection is to use JavaScript to present a fake software update; this is then used to distribute the malicious payload. The SocGholish framework is inserted into a compromised (and usually legitimate) website, so that visitors see a very believable browser update message, similar to the one shown in the image below [7]:

[Image: an example of a believable fake browser update alert that users should beware of. Source: Malwarebytes Labs]
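The infection path described above starts with a script injected into a site the victim already trusts. One cheap integrity check a site owner can run against their own pages is to list where every script on the page is loaded from and flag anything off-origin or that builds a "browser update" prompt inline. The following Python is an added example written for this article, not code from the authors, Willis Towers Watson, or the Malwarebytes report; the sample page, the hostnames (`www.victim-site.test`, `cdn.example-allowed.test`, `injected-placeholder.invalid`) and the lure text are all constructed placeholders.

```python
# Added example (not from the article): a defender-side review of the
# <script> elements on a web page, aimed at the pattern the article
# describes: a legitimate site is made to load a script from a host the
# site owner does not control, and that script renders a fake browser
# update prompt. Only the standard library is used.
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect every <script> element: external ones by src, inline ones by body."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of src="" attributes
        self.inline = []        # text of inline <script> bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser treats <script> content as raw data, possibly in chunks.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def review_scripts(html, site_host, allowed_hosts=()):
    """Return a list of (finding_type, detail) tuples.

    site_host     -- the hostname the page is legitimately served from
    allowed_hosts -- third-party hosts the site owner knowingly uses (CDNs etc.)
    """
    parser = ScriptCollector()
    parser.feed(html)
    findings = []

    for src in parser.external:
        host = urlparse(src).hostname     # None for relative URLs (same origin)
        if host is None:
            continue
        if host != site_host.lower() and host not in allowed_hosts:
            findings.append(("off-origin-script", src))

    for body in parser.inline:
        low = body.lower()
        # A crude lure heuristic: inline code that talks about a browser update.
        if "update" in low and any(w in low for w in ("browser", "chrome", "firefox")):
            findings.append(("inline-update-lure", body.strip()[:60]))

    return findings


# Constructed sample page: one same-origin script, one allowed CDN script,
# one injected off-origin loader, and one inline lure. Hostnames use the
# reserved .test/.invalid TLDs so they resolve nowhere.
SAMPLE_PAGE = """<html><head>
<script src="/assets/site.js"></script>
<script src="https://cdn.example-allowed.test/lib.js"></script>
<script src="https://injected-placeholder.invalid/loader.js"></script>
</head><body>
<script>
  // constructed lure text, not real malware: a fake "Chrome update" overlay
  document.body.innerHTML += '<div>Your browser (Chrome) is out of date. Click to update.</div>';
</script>
</body></html>"""


if __name__ == "__main__":
    for kind, detail in review_scripts(
        SAMPLE_PAGE, "www.victim-site.test", allowed_hosts={"cdn.example-allowed.test"}
    ):
        print(f"{kind}: {detail}")
```

Run against a saved copy of each public page, the off-origin list is the one to diff over time: a new script host appearing on a page nobody changed is exactly the signal worth escalating. The keyword heuristic is deliberately simple and will miss obfuscated scripts; the origin check does not depend on the script's content at all.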

Geopolitical tensions

As mentioned previously, WastedLocker is the latest in a long line of highly disruptive and costly malware strains from Evil Corp. Whilst displaying a number of characteristics similar to those observed in previous ransomware strains, WastedLocker does indicate a slight change in Tactics, Techniques and Procedures (TTPs) by the Evil Corp group.

Evil Corp is famed for targeting file servers, databases, virtual machines (VMs) and cloud environments; the impact of their activities prompted the U.S. Treasury Department to apply sanctions and monetary fines to the group in December 2019, after the group was charged with causing more than $100 million in financial damages since 2003 [8]. Considering these actions, it is probable that Evil Corp is looking to target U.S.-based companies in an act of ‘revenge’ and to rebalance the books after significant sanctioning.

Should U.S.-based firms decide to yield to ransom demands, the situation may become very complex. If they pay the ransom, they may find themselves in violation of the United States sanctions referred to above.

This may explain why Garmin has not yet confirmed the ransomware strain to be WastedLocker, and thus Evil Corp. Non-payment, however, could result in continued disruption and business interruption.

Working to Support our Clients

The Cyber Risk Solutions Team offers tailored services that support insurance goals, align cyber risk management with business objectives and deliver cost effective Cyber Risk Resilience. Willis Towers Watson have developed a comprehensive approach to assessing and managing the risks and impacts associated with a ransomware incident, our 3-stage methodology comprising:

Workforce Cyber Culture Assessment (WCCA)

The WCCA is an innovative assessment methodology that focuses on people and business culture, working to highlight areas of potential risk in workforce attitudes and behaviours. The analysis of findings linked to our proprietary assessment framework, as well as the identification of cyber-related cognitive biases amongst your employees, allows us to better predict the LIKELIHOOD and IMPACT of cyber security incidents, including exposure to ransomware. Effective cyber security requires a holistic approach that moves beyond technology controls alone; the WCCA will support your organisation in developing a ‘cyber safe’ workforce and culture.

Ransomware Risk Assessment (RRA)

This high-level and focused ‘snapshot’ of the ransomware risk(s) facing your organisation is the first step towards identifying ransomware vulnerabilities. The RRA is a succinct ransomware risk report, with an easy-to-read executive summary and actionable insights to aid you in improving your ransomware risk posture while reducing your threat surface. The RRA is designed to be delivered remotely in as little as 3 weeks, and our consultants will chart an easy course to guide your project sponsor through the various stages.

Cyber Risk Transfer

Cyber Risk Transfer through insurance can help companies reduce the impact of losses from ransomware. The detection of ransomware will generally trigger the cyber incident response coverage under a cyber policy, providing coverage for legal and forensics work at a minimum. To the extent the ransomware has resulted in a demonstrable interruption in the operation of the business, and loss of income could be substantiated, cyber insurance policies (and certain property policies) could also provide coverage under the business interruption insuring agreement as extra expenses incurred.

Ransomware is an ever-increasing threat and with this ‘new locker open’, organizations should be treating this as more than an inconvenience. A holistic, three-pronged approach involving technology, risk transfer and people-based solutions remains the optimal strategy.

Why Willis Towers Watson

As a global leader in human capital solutions, risk advisory and broking, we are well prepared to assess your cyber vulnerabilities and offer tried and tested solutions which help improve your ability to recover from future attacks. Explore comprehensive cyber security at willistowerswatson.com/cyber.

For more information regarding our cyber risk services, or to discuss Ransomware in greater detail with our diverse and global team of specialists, please contact us.

Footnotes

[1] https://www.cybersecurity-insiders.com/wastedlocker-ransomware-demands-10-million-as-a-ransom/

[2] https://news.sky.com/story/garmin-obtains-decryption-key-after-ransomwareattack-12036761

[3] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us

[4] https://www.zdnet.com/article/garmin-services-and-production-go-down-after-ransomware-attack/

[5] https://www.sec.gov/Archives/edgar/data/1121788/000156459020005133/grmn-10k_20191228.htm

[6] http://www3.weforum.org/docs/WEF_Cyber_Resilience_in_Aviation_An_Industry_Analysis.pdf

[7] https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/

[8] https://techcrunch.com/2020/07/25/garmin-outage-ransomware-sources/

Authors

Cyber Risk Associate

Lead Consultant (Cyber Risk, GB) and Director (People + Cyber Solutions)

Contact

Dominic Keller, CISSP
Global Team Leader, Senior Consultant, Cyber Risk Solutions Team