Last edited by Sangfor Elsa 05 Aug 2020 15:17.
WastedLocker Ransomware Attacks Garmin: Enterprise Security is Critical
WastedLocker ransomware has garnered attention in recent weeks after an attack on Garmin Inc., a leading provider of "GPS navigation and wearable technology to the automotive, aviation, marine, outdoor and fitness markets". The attack resulted in many Garmin services being suspended, to the frustration of customers globally. WastedLocker was first detected in May 2020 and is believed to be related to Evil Corp, a hacking group that adopts a highly targeted strategy to infiltrate high-value victims and uses the target's name when composing the extension appended to encrypted files.
Analysis of the Ransomware Behavior
The ransomware uses Alternate Data Streams (ADS) to avoid detection.
The encryption process excludes some directories and file suffixes, as follows:
File encryption appends the suffix "target name + wasted", as follows:
Files containing the ransom information are generated at the same time, with the content of the file as follows:
The content of the ransom information is as follows:
The file in the encryption process is as follows:
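The two host-level indicators described above, the "target name + wasted" extension and the use of NTFS alternate data streams, can be hunted for with the following PowerShell script. It is an added example for this post, not Sangfor's code, and the scan root, report path and the decision to ignore the benign Zone.Identifier stream are assumptions to adjust for your environment.

```powershell
# Added example (not Sangfor's code): hunt for the two indicators described above,
# files whose extension ends in "wasted" and files carrying a non-default NTFS
# alternate data stream. Scan root and report path are assumptions.
param(
    [string]$ScanRoot = 'C:\Users',                    # assumption: root of the scan
    [string]$Report   = "$env:TEMP\wasted_hunt.csv"    # assumption: where findings go
)

$findings = foreach ($file in Get-ChildItem -Path $ScanRoot -Recurse -File -Force -ErrorAction SilentlyContinue) {

    # Indicator 1: encrypted-file suffix "<target name>wasted".
    # Extension includes the leading dot, so '*wasted' matches ".<anything>wasted".
    if ($file.Extension -like '*wasted') {
        [pscustomobject]@{
            Indicator = 'WastedSuffix'
            Path      = $file.FullName
            Stream    = ''
            Length    = $file.Length
            LastWrite = $file.LastWriteTime
        }
    }

    # Indicator 2: alternate data streams other than the default :$DATA stream.
    # ADS is a legitimate NTFS feature (Zone.Identifier is the usual benign case,
    # added by browsers to downloads), so this list is for triage, not a verdict.
    $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
               Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' }
    foreach ($s in $streams) {
        [pscustomobject]@{
            Indicator = 'AlternateDataStream'
            Path      = $file.FullName
            Stream    = $s.Stream
            Length    = $s.Length
            LastWrite = $file.LastWriteTime
        }
    }
}

# Persist everything for the incident record, then print a short summary.
$findings | Export-Csv -Path $Report -NoTypeInformation
$findings | Group-Object Indicator | Select-Object Name, Count

# Directories with the highest count of renamed files show where an
# encryption run has been active and which shares to isolate first.
$findings | Where-Object Indicator -eq 'WastedSuffix' |
    Group-Object { Split-Path $_.Path -Parent } |
    Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count
```

Run it from an elevated prompt so hidden and system files are readable; on a large file server, point `-ScanRoot` at the share root and expect the ADS pass to be the slow part, since every file is opened once to enumerate its streams.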
The Sangfor Security Team recommends that ransomware prevention should be a top priority when planning network and application security. At present, files encrypted by ransomware cannot be decrypted, making daily preventative measures all the more critical.
1. Install patches regularly to fix vulnerabilities.
2. Regularly perform AND test restoration of non-local backups of important data files.
3. Don't open email attachments from unknown sources, and don't download software from unknown websites.
4. Implement a Zero Trust policy and grant permissions on files and directories only to those users who must have access.
5. Change account passwords regularly, setting a strong password when doing so. Avoid using the same password for multiple platforms and programs to avoid compromising multiple accounts if credentials are stolen.
6. If RDP is not required for business, disable it. If a security incident occurs, use Sangfor NGAF (Next Generation Application Firewall) or the Endpoint Secure micro-isolation function to block ports like 3389 and prevent the spread of malware.
7. Both NGAF and Endpoint Secure have anti-propagation policies for malware and ransomware. In the event of a malware infection, the firewall will enable rules 11080051, 11080027, 11080016 simultaneously, and open the anti-propagation functionality.
8. Sangfor recommends that NGAF customers upgrade to the latest version and deploy AI-detection capabilities with Engine Zero to achieve the best defense.
9. Detect new threats instantly and defend your system using Sangfor's cloud based Platform-X management console.
10. Sangfor Security Services can help users quickly improve their security capabilities using hybrid "human-machine intelligence", and provide services like equipment security compliance inspection, threat hunting, and related vulnerability inspection. Ensure that risks are detected immediately and that response & mitigation strategies are updated to prevent such threats.
Finally, using Endpoint Secure, execute a complete virus scan and system vulnerability scan on the entire network to identify and remove potential attack surfaces. Together, Sangfor Cyber Command, NGAF and Endpoint Secure can help you detect and kill ransomware and protect your intranet.
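Recommendation 6 (disable RDP where it is not needed and block port 3389) can be audited and enforced per host with the PowerShell below. This is an added example for this post rather than Sangfor's code; the firewall rule name is an assumption, and the script only reports unless run with `-Enforce`.

```powershell
# Added example (not Sangfor's code): report whether Remote Desktop is enabled on
# this host and, when -Enforce is given, disable it and block inbound TCP 3389 at
# the host firewall. Run as Administrator. The rule name is an assumption.
param([switch]$Enforce)

$ruleName = 'Block inbound RDP 3389'
$tsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# 1. Current state: the registry flag behind "Allow remote connections",
#    the Remote Desktop service, a live listener, and an existing block rule.
$rdpDenied = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
$listener  = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
$blockRule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue

[pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    RdpEnabledInRegistry = ($rdpDenied -eq 0)
    TermServiceStatus    = (Get-Service TermService).Status
    ListeningOn3389      = [bool]$listener
    BlockRulePresent     = [bool]$blockRule
}

if (-not $Enforce) { return }   # audit only unless explicitly told to enforce

# 2. Disable RDP at the source (same setting as System Properties > Remote).
Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1

# 3. Block the port at the host firewall as well, so the host stays closed even
#    if RDP is re-enabled later; a host rule also limits lateral movement over 3389.
if (-not $blockRule) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -Action Block -Profile Any | Out-Null
}

# 4. Stop and disable the Remote Desktop service so nothing listens on 3389.
#    -Force is needed because dependent services (UmRdpService) must stop too.
Stop-Service TermService -Force
Set-Service TermService -StartupType Disabled
```

Run it first without `-Enforce` across the fleet (for example through a scheduled job that collects the reported objects) to find hosts that still expose RDP, then enforce only on hosts where the business has confirmed RDP is not needed; on hosts that do need it, keep RDP behind a VPN or jump host rather than opening 3389.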
Consultation and Services
Please do not hesitate to contact Sangfor to get a free consultation and support services:
1) Telephone: +60 12711 7129 (or 7511).
2) Visit the Sangfor Community at http://community.sangfor.com/ and select the "Chatbox" option on the right bottom for consultation.
3) Contact us through our contact form for more information & support: https://www.sangfor.com/about/contact-way.html