WastedLocker and the Vulnerability of Our Supply Chain

The ransomware attack targeting smartwatch and wearables maker Garmin in late July highlights the vulnerability of connected IoT devices and the consequences this kind of disruption can have on crucial industries like supply chain, OT and even aviation. 

The ransomware strain known as WastedLocker was used to attack Garmin Connect and shut down access to its official website, its data-syncing service for users, its aviation database services and even certain production lines in Asia. The outage even took down its call centers, so that users’ calls, emails and online chats remained unanswered. The result was a days-long maintenance window where users could not access the full functionality of Garmin’s consumer wearables and sportswear, as well as GPS and aviation navigation equipment. 

The Garmin Connect disruption also led to a number of concerning challenges for the aviation industry. Pilots were unable to download updates from Garmin’s databases onto their navigation systems, which the FAA requires before takeoff. The Garmin Pilot App, which is used to schedule and plan flights, was also shut down temporarily. Fortunately, the airline industry has established disaster recovery plans and backup procedures to ensure that critical services can be maintained in the wake of a disruption like this. Even so, the attack highlights how crucial these connected devices are and the dangerous potential if they are disrupted. 

Evil Corp and WastedLocker

The WastedLocker ransomware is affiliated with the Russian cybercrime group known as Evil Corp. This is the same criminal organization behind other recently impactul ransomware strains known as Dridex, Locky and BitPaymer. WastedLocker attacks have been remarkably targeted and focus on larger organizations that can afford to pay ransoms ranging from $500k to $10 million. The malware was first spotted in the wild in May of 2020. By July, it was regularly impacting large enterprises with newsworthy results.

Unlike other cybercrime groups that release compromised data online or sell it to the highest bidder on the dark web, Evil Corp has not been taking such actions when affected companies fail to pay ransoms. Instead, their targeted approach involves compromising employee accounts, systematically assessing security capabilities and exposures, and then disabling capabilities like malware protection. Evil Corp then exploits these vulnerabilities to deliver and widely propagate the ransomware attack through the environment.

In late 2019, U.S. officials offered a $5 million reward for information that would lead to the arrest of the Evil Corp’s leaders. This came in response to the many millions of dollars stolen from U.S. business and citizens leading up to 2020, but has had no effect on the group’s targeted campaigns.

Widespread Implications Across Industries

The Garmin Connect outage makes it clear that bad actors understand the chaos they can bring by disrupting supply chains. It also highlights the significant impact that attacks on traditional IT infrastructure like user credentials and remote-work laptops can have on manufacturing operations. 

Cybercrime organizations have learned that if they impact one disconnected organization with no ripple effect, the ransom they can demand is limited. But if they systematically target an enterprise that consumers and other enterprises rely on, they can demand and expect much more lucrative ransom payments. If bad actors have penetrated a large amount of the enterprise environment through reconnaissance efforts and have disabled controls that would help them recover from an attack — as Evil Corp routinely does — they know they can demand even larger payments.  This applies to no industries more than those that rely on OT to deliver core services and capabilities.

Due to the ever-increasing attack surface and opportunity for material disruption, industries that rely on OT should ultimately ask themselves the following questions: 

• Would we know if an attack moved from our traditional IT infrastructure into networks and devices that are critical to manufacturing and servicing our downstream customers?
• As a follow-on question, are our IT and Manufacturing teams jointly aware of and practiced in how to communicate and handle a cyber event with the potential to impact critical operations?
• Do we have the required modern technical controls (e.g. access broker technologies) that can help to rapidly discover the likely compromise of employee credentials, before a larger impact is observed?
• If our supply chain relies on other critical 3rd parties, what opportunities do we have to mitigate risks associated with one or more of these providers being critically impacted and unable to support our operations?

What Needs to Happen Next?

According to Garmin, no customer data was compromised in the attack and the impact was limited to its service and manufacturing ability — good news for consumers. This also gives us the ability to shift focus towards discussing what we should learn from these events.

In 2020, preventing and recovering from a ransomware event is more complex than ever before.  These attacks no longer impact only PCs and servers in our environments, but also IoT and OT systems in manufacturing, energy and critical infrastructure, supply chain, healthcare and more.  Whether we consider the cyberattacks on renewable energy and oil and gas operations from earlier this year or many of the healthcare attacks witnessed even during the pandemic, two things are for certain:  

1. The interconnection of IT, IoT and OT are being equally impacted by widespread ransomware events in complex environments
2. A failure to effectively prepare for and enable capabilities to prevent and respond to attacks involving any and all forms of connected devices exposes an operation to potential outages of significance, downstream brand impacts, and even data theft (depending on the actor and their tactics, motives, capabilities, etc.)

Computers such as OT and IoT devices can and are being impacted by ransomware events and cyberattacks every day, and in many cases, just as easily as a desktop, laptop, or server. In fact, many of the most impactful, newsworthy ransomware events in recent months have involved the encryption of IT, IoT and OT alike.  

Failing to understand how these devices are truly interconnected and support and enable key business capabilities means that any security strategy developed around protecting our critical environments and networks is only partially complete. This also means that the ability to truly recover the business from a widespread ransomware event without being forced to pay the ransom and obtain the decryption key may be exponentially lower.  

OT enterprises in particular should assess their ability to rapidly detect, prevent and respond to a ransomware attack that impacts or moves laterally through IT, IoT or OT devices with the potential to impact critical operations, before impacting critical operations. As noted by the NSA and CISA in their recent urgent cybersecurity advisory, the ability to continuously and holistically monitor all forms of networked devices is a key capability in safeguarding our OT operations and brands moving forward.

And lastly, as security professionals, it’s important that we remember that one of our most positive levers for change is to learn from known enterprise attacks and how they can help prevent attacks in similar operations and environments. When immediately followed by a tactical and continuous risk mitigation strategy — along with details around the likely cost of doing nothing versus the expense associated with taking action — this can be incredibly powerful in helping to move the needle when security knows that it needs to be moved to safeguard the brand.