Who is behind the attack on Garmin?

Garmin, the maker of wearables and GPS trackers, suffered a ransomware attack last week after a gang of hackers broke into its internal network and encrypted the company's servers.

The attack caused a five-day outage, during which users feared that their personal data, along with their geolocation history, had been stolen from Garmin's servers.

A common practice

The practice of stealing data before encrypting the victim's network has become widespread among ransomware groups, which often use the stolen data to pressure victims into paying the ransom demand.

However, three cybersecurity companies that spoke to ZDNet this week said that the hacker group suspected of being behind the Garmin attack is one of the few that does not engage in this particular practice and has no history of stealing customer data before encrypting files.

EvilCorp, the group behind the outage

Known as EvilCorp, this hacker group operates out of Russia, and two of the gang's members were indicted by US officials last December for operating the Dridex malware botnet.

While the core of the group's operation is the large Dridex botnet, the group has also been linked to ransomware operations.

EvilCorp's first forays into the ransomware scene came in 2016, when the group began distributing the Locky and Bart strains, which it spammed en masse over the Internet to home consumers.

In 2018 EvilCorp shifted tactics and launched BitPaymer, a new ransomware strain that it used exclusively in attacks against high-profile targets such as businesses, government networks, and healthcare organizations.

In early 2020 EvilCorp evolved again, replacing BitPaymer with a newer and improved ransomware strain called WastedLocker.

This new strain, WastedLocker, has been identified as the ransomware that encrypted Garmin's network, according to Garmin employees who spoke to ZDNet and several other media outlets.

No data theft in previous BitPaymer and WastedLocker attacks

Yesterday, Garmin formally admitted to having suffered a ransomware attack in an SEC 8-K filing and in a public press release. One particular phrase from the press release drew attention.

"We have no indication that any customer data, including Garmin Pay™ payment information, has been accessed, lost or stolen."

Since Garmin's formal announcement yesterday, ZDNet has reached out to cybersecurity companies known to provide incident response services for ransomware attacks.

In interviews this week, security researchers from Coveware, Emsisoft, and Fox-IT told ZDNet that, historically, they have not seen evidence of user data theft during recent BitPaymer and WastedLocker attacks.

"BitPaymer did not have a history of data exfiltration," Bill Siegel, CEO of Coveware, a company that responds to incidents and even handles ransomware payment negotiations, told ZDNet.

"In the WastedLocker cases we were involved in, we didn't see any indication of stolen data," said Fabian Wosar, chief technology officer of Emsisoft.

"We haven't seen them [EvilCorp] stealing customer data to use it specifically to compel victims to pay," Frank Groenewegen, Fox-IT's chief security expert, also told ZDNet in a phone call.

However, Groenewegen does not rule out that some form of data breach may have occurred, one way or another.

EvilCorp stole some user data in the past, a long time ago

But Groenewegen cautions that even if EvilCorp has not visibly stolen data for extortion in previous BitPaymer and WastedLocker attacks, this does not mean that they are not doing so right now, or that they will not do so in the future.

The Fox-IT executive says that EvilCorp is more than capable of exfiltrating data, pointing to older attacks.

"Before they started to focus on deploying ransomware, they used to target payment processors to steal debit/credit card data," said Groenewegen. The EvilCorp gang then turned around and sold that data on carding forums for profit.

However, based on what the three security companies told ZDNet, Garmin user data currently appears to be safe, judging by the group's past modus operandi.

Of course, this article is not final in its assessment; it is only a speculative analysis of the Garmin incident based on previous EvilCorp attacks and the experience of those involved in responding to those incidents.

Source: ZDNet
