WastedLocker responsible for Garmin’s outage, company agrees to pay ransom

WastedLocker ransomware is file-encrypting malware, responsible for the recent attack on technology company Garmin. The wearable technology company fell victim to the attack and was forced to pay millions of dollars to recover files.


WastedLocker ransmware image

WastedLocker ransomware is associated with the notorious Evil Corp group who are responsible for other malware such as Dridex and BitPaymer. This ransomware is essentially a tool to target someone specific, such as Garmin. It is targeted ransomware that regular users do not need to worry about, as it targets companies who can afford to pay millions of dollars.

WastedLocker uses AES and RSA algorithms to encrypt files, and is able to prioritize which files to encrypt first. Encrypted files have an extension added to them, which helps victims determine which ransomware they are dealing with. The extension is the name of the company plus “wasted”, so in Garmin’s case, the extension was .garminwasted. Interestingly enough, the ransomware creates a ransom note for every encrypted file.

The ransomware is highly sophisticated with no known weaknesses, which prevents malware researchers from developing a free decryption tool. Thus, paying the ransom or recovering systems from backup are the only options. It appears that Garmin agreed to pay the ransom, though it is not clear how much exactly.

WastedLocker attacks specific targets

WastedLocker ransomware, as we said above, is not one to massively attack users at random. It’s a piece of malware that attacks specific targets. Once it gains access to a network, it’s essentially impossible to prevent it from encrypting files. And it’s not only files on the system that are in danger, files in connected backups would become encrypted as well.

Security researchers have found that WastedLocker ransomware is being distributed via fake update alerts embedded in certain websites.

“The malware from these websites is a penetration testing and exploration kit designed to create a foothold and gather information about the network. Historically Evil Corp has targeted file servers, database services, virtual machines, and cloud environments,” Malwarebytes reports. The ransomware is dropped on the compromised system as soon as the exploration phase is complete.

Are WastedLocker files recoverable

Ransomware targeting specific organizations and companies has been an ongoing trend the past few years. With companies paying millions of dollars for decryption tools, this trend is unlikely to decline any time soon.

When WastedLocker infects a system, it can prioritize which files to encrypt first. This ensures that the ransomware can encrypt the most important files first, in case the attack is somehow stopped. Encrypted files will have a specific file extension added to them made up of the company name and “wasted”. Every encrypted file will have a ransom note. For example, a file named “image.jpg” in Garmin’s system would have a ransom note “image.jpg.garminwasted_info”. The note is rather brief, it addresses the company whose files the ransomware has encrypted and demands they contact them via the given email. The ransom amount is not specified in the ransom note, and likely is negotiable. According to reports, the gang behind the ransomware demanded that Garmin pay $10 million to get the decryptor.

Because of the attack, Garmin suffered a worldwide outage and customers were unable to access certain services, such as Garmin Connect. The outage lasted for days, while the company presumably made the decision to pay the ransom and started negotiating the price. However, since WastedLocker is associated with Evil Corp, choosing to paying the ransom is not so simple, and most companies that specialize in helping victims negotiate the payments would not be willing to help.

The US Treasury has sanctioned the Evil Corp group last year for being responsible for Dridex malware, which essentially prohibits US citizens from engaging in transactions with the group. Garmin paying the ransom could lead to rather significant fines. However, the company that helped Garmin negotiate the payment suggests that WastedLocker is not conclusively EvilCorp’s, meaning it is possible to pay the ransom.

Ransomware attacks are mostly preventable but companies have inadequate security and are often not prepared to handle such an attack, despite having an entire department dedicated to cybersecurity. The good news is that WastedLocker ransomware is not following the recent trend of ransomware not only encrypting files but also stealing data and threatening to publicly release it if the ransom is not paid. Whether targeted companies pay the ransom or not, it appears that their data would not be published.