Tracing the anatomy of a ransomware attack: Evil Corp, WastedLocker and Garmin

In July 2020 – as businesses still struggled to maintain service through the disruption of a global pandemic – disaster struck at Garmin.

The multinational giant is known for its consumer wearables and smartwatches, but its business extends far beyond this into innovative GPS technology used in the aviation and marine sectors.

Garmin lost access to all the essential systems it uses, causing widespread disruption.

It had become another high-profile victim of a ransomware attack. The price it paid to regain control of its systems is believed to have been $10 million – but the cost to its reputation and from the total loss of operational capacity is inestimable.

Here, we outline the essential anatomy of the attack, detailing the key players and their modus operandi.

What is ransomware?

Ransomware is the most common form of criminal malware currently in use.

It is far from restricted to multinational enterprises and is increasingly being used against the softer targets of SMBs.

Typically, malicious emails are the port of entry, although vulnerabilities in software are also used to gain access.

Upon activation, the ransomware program encrypts valuable folders and displays a ransom demand, with payment usually required in a cryptocurrency such as Bitcoin.

While, in most cases, payment does restore access, the disruption and reputational damage carry an even higher price.

What is WastedLocker?

WastedLocker is the name given by cybersecurity experts to a powerful malware with the capability to devastate organisations.

It works in a similar way to other ransomware but has been very effective in targeting and taking down a number of high-profile organisations from the banking, media and technology sectors.

It was first identified in May 2020 and, prior to being used against Garmin, is thought to have infected at least 31 ‘household name’ organisations, all but one American-owned, including eight Fortune 500 companies.

Who is behind WastedLocker?

It is widely suggested that WastedLocker is the work of Evil Corp, one of Russia’s most feared cyber-criminal groups.

Evil Corp’s alleged leader, Maksim Viktorovich Yakubets, currently carries a $5m bounty on his head from the FBI. This is the highest ever reward offered for a cybercriminal.

Before WastedLocker, Evil Corp had already gained notoriety. In December 2019, the US government took action against the organisation after its ‘Dridex’ campaign had used malware to steal more than $100m from US banks.

How does WastedLocker work?

As with most cyber-attacks, login credentials are gained through social engineering. Once admin credentials are obtained, the criminals can connect over the organisation's VPN.

If there is no multi-factor authentication, they can go straight in and disable security tools.

With the coronavirus pandemic and the increase in remote working throughout organisations, the conditions for cyber criminals to conduct such campaigns are ideal.
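A defender's view of the sequence just described, as an added example that is not from the original article: a correlation check that flags a remote login without MFA followed, within a short window, by the same account stopping a security service. The log fields, service names and events below are constructed assumptions, not telemetry from the Garmin incident.

```python
from datetime import datetime, timedelta

# Constructed sample events (assumed field names, not real telemetry):
# one remote login without MFA followed minutes later by a stopped security
# service, and one benign MFA login followed by an unrelated service stop.
EVENTS = [
    {"ts": "2020-07-01T01:02:10", "type": "vpn_login", "user": "admin.svc",
     "mfa": False, "src": "203.0.113.7"},
    {"ts": "2020-07-01T01:09:45", "type": "service_stopped", "user": "admin.svc",
     "service": "EndpointProtection"},
    {"ts": "2020-07-01T08:15:00", "type": "vpn_login", "user": "j.smith",
     "mfa": True, "src": "198.51.100.4"},
    {"ts": "2020-07-01T08:20:00", "type": "service_stopped", "user": "j.smith",
     "service": "PrintSpooler"},
]

# Assumed names of security tooling whose shutdown should be treated as suspicious.
SECURITY_SERVICES = {"EndpointProtection", "WindowsDefender", "SysmonAgent"}
WINDOW = timedelta(minutes=30)


def parse_ts(value):
    return datetime.fromisoformat(value)


def find_suspicious_sequences(events, window=WINDOW):
    """Return one finding per (non-MFA remote login, later security-service stop)
    pair for the same user within `window`. Stops before the login are ignored."""
    ordered = sorted(events, key=lambda e: e["ts"])
    findings = []
    for login in (e for e in ordered if e["type"] == "vpn_login" and not e["mfa"]):
        t0 = parse_ts(login["ts"])
        for ev in ordered:
            if ev["type"] != "service_stopped" or ev["user"] != login["user"]:
                continue
            if ev["service"] not in SECURITY_SERVICES:
                continue
            delta = parse_ts(ev["ts"]) - t0
            if timedelta(0) <= delta <= window:
                findings.append({
                    "user": login["user"],
                    "src": login["src"],
                    "service": ev["service"],
                    "seconds_after_login": int(delta.total_seconds()),
                })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_sequences(EVENTS):
        print(f"ALERT: {f['user']} from {f['src']} stopped {f['service']} "
              f"{f['seconds_after_login']}s after a login without MFA")
```

In production the same logic would run over VPN concentrator and endpoint logs in a SIEM; the benign MFA login in the sample shows why MFA status, not just the login itself, drives the alert.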

What can I do now to protect my organisation?

  • Check that default passwords are not being used for remote login portals.
  • Introduce multi-factor authentication to add in an extra barrier.
  • Make sure that security patches are prioritised and deployed immediately.
  • Train your employees to report any suspicious emails – share our video on tips to spot an email phishing attack.

How can I protect my organisation from future threats?

Your network needs continuous protective monitoring.

Our Managed Detection and Response service works on your behalf using UK security cleared analysts to investigate and prioritise threats. We proactively threat hunt to discover existing vulnerabilities in your network.

MDR means that your in-house IT team can focus on their day-to-day roles, confident in the knowledge that the security of your data and your reputation is protected.