Garmin Suffers Massive WastedLocker Ransomware Attack

Last Thursday, the GPS and smartwatch firm Garmin suffered what was allegedly a massive, system-wide ransomware attack, forcing the company to take down all of its services, from its apps to its support call centers. While Garmin has been tight-lipped about the cause of the outage, multiple publications have reported that the company was targeted by WastedLocker, a relatively new ransomware campaign that researchers at NCC Group have attributed to the hacking collective known as Evil Corp. Evil Corp was previously responsible for the Dridex banking malware and BitPaymer ransomware.

As of Monday, Garmin is slowly bringing many of its services back online. It is not yet known whether the company paid the reported $10 million ransom demand or was able to recover from backups, but the 4 days of downtime don’t bode well, considering the affected services included its aviation database.

Evil Corp primarily distributes WastedLocker through the SocGholish fake update framework, which masquerades as a browser update page to trick users into downloading a malicious JavaScript or PowerShell file. SocGholish contains code to gather information on the victim’s computer, including whether or not it is part of a wider network, before delivering a malicious payload. Malicious SocGholish domains often use HTTPS encryption to evade detection. To catch SocGholish, WastedLocker, and other modern threats, make sure you’ve enabled HTTPS inspection on your network perimeter and have multiple layers of malware detection that can identify and block threats before they reach your endpoints. Back those tools up with user training to identify common phishing techniques like fake updates.
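To illustrate why HTTPS inspection matters for this delivery method, the following Python is an added example (not from the original post or any vendor product) that triages web proxy logs for fake-browser-update script downloads. The log format, hostnames, vendor allowlist and filename pattern are all constructed assumptions.

```python
import csv
import io
import re
from urllib.parse import urlsplit

# Constructed proxy log (not real traffic): time, client, method, target, content type.
# A CONNECT row is all the proxy records when HTTPS is NOT inspected: host and port only.
SAMPLE_LOG = """\
2020-07-27T09:01:12Z,10.0.4.21,GET,https://dl.google.com/chrome/install/ChromeSetup.exe,application/octet-stream
2020-07-27T09:03:40Z,10.0.4.37,GET,https://cdn.news-site.example/updates/Chrome.Update.b3f1.js,application/javascript
2020-07-27T09:05:02Z,10.0.4.52,CONNECT,cdn.news-site.example:443,-
2020-07-27T09:07:19Z,10.0.4.37,GET,https://static.blog.example/assets/app.min.js,application/javascript
2020-07-27T09:09:55Z,10.0.4.18,GET,https://files.shop.example/Firefox_Update.ps1,text/plain
"""

# Assumed allowlist of hosts expected to serve browser installers in this environment.
VENDOR_HOSTS = {"dl.google.com", "download.mozilla.org"}
# The page names JavaScript and PowerShell files as the fake-update download types.
SCRIPT_EXTENSIONS = (".js", ".ps1")
# Assumed heuristic: a browser name followed by "update" in the downloaded filename.
BROWSER_UPDATE_NAME = re.compile(r"(chrome|firefox|edge|opera|browser)[\W_]*update", re.I)


def triage(log_text):
    """Return (flagged, blind): suspicious script downloads and uninspected tunnels."""
    flagged, blind = [], []
    for _ts, client, method, target, _ctype in csv.reader(io.StringIO(log_text)):
        if method == "CONNECT":
            # Without inspection the path and filename are hidden inside TLS,
            # so the download cannot be evaluated; record it as a visibility gap.
            blind.append((client, target.rsplit(":", 1)[0]))
            continue
        url = urlsplit(target)
        if url.hostname in VENDOR_HOSTS:
            continue  # installers from allowlisted vendor hosts are expected
        filename = url.path.rsplit("/", 1)[-1]
        if filename.lower().endswith(SCRIPT_EXTENSIONS) and BROWSER_UPDATE_NAME.search(filename):
            flagged.append((client, url.hostname, filename))
    return flagged, blind


if __name__ == "__main__":
    hits, gaps = triage(SAMPLE_LOG)
    for client, host, name in hits:
        print(f"ALERT  {client} downloaded {name} from {host}")
    for client, host in gaps:
        print(f"BLIND  {client} tunnelled to {host} (no HTTPS inspection)")
```

The `BLIND` rows are the point: the same host that served a flagged script to one client is opaque for another client whose traffic was not inspected.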
