Garmin’s admission this week that a ransomware attack had encrypted some of its systems last Wednesday raised as many questions as it answered.
One of the world leaders in activity tracking gadgets, it said many of its online services were interrupted, “including website functions, customer support, customer facing applications, and company communications”.
“We immediately began to assess the nature of the attack and started remediation,” it said in a statement on Monday. “We have no indication that any customer data, including payment information from Garmin Pay, was accessed, lost or stolen. Additionally, the functionality of Garmin products was not affected, other than the ability to access online services.”
Of course, online services have become among the key functions of its devices – allowing users to update and analyse their physical activity statistics – suggesting the organisation is attempting to downplay the incident.
Garmin’s woes deepened when it emerged that it had probably paid a ransom to obtain a decryption key from Evil Corp, the Russian hacking group behind the WastedLocker malware that was used to encrypt the systems. The ransom demand had reportedly been for $10-million.
“If in fact Garmin paid the astronomically high ransom to obtain the decryption key, the popular connected device maker could find itself in legal trouble for breaching a US Treasury sanction that prohibits such transactions,” says Chester Wisniewski, principal research scientist at British data security provider Sophos. “In paying, the sanction’s intended purpose of eliminating cyber-criminal activity is wholly defeated.”
The prohibition against paying ransoms is also a basic principle of combating ransomware: it is broadly agreed that any such payment validates the ransomware “business model”. As a result, it not only encourages further attacks, but also signals to other victims that payment is an acceptable response.
As Wisniewski puts it, “Victims crippled by ransomware often find themselves faced with the same prisoner’s dilemma of whether to pay or bite the bullet. It’s a no-win situation that usually boils down to the lesser of two costs. But as research shows, paying the ransom usually doubles the total cost of remediation.”
He cautions against faulting the victims, however.
“Regardless of how Garmin is picking itself back up and restoring operations, victim shaming isn’t the answer. The ransomware threat landscape is rapidly and constantly changing as cyber criminals invest significant resources and expertise into their toolsets. Unfortunately, no one is off limits, and the industry needs to band together as a whole to raise the bar of protection and make it harder for these relentless attackers to succeed.”
Nevertheless, it is also clear that the fundamental need in this landscape is better preparation.
“It is sadly no surprise to see another organisation fall victim to a suspected ransomware attack,” says Carl Wearn, head of e-crime at Mimecast, who warns that South African organisations are especially vulnerable.
“Our recent State of Email Security report found that 45% of companies in South Africa have been impacted by ransomware attacks in the last year,” he says. “The key thing is that as long as organisations continue to pay, attackers will view this attack approach as being financially viable.
“This particular attack is also worrying because of the type of data that could be lost, including both location and personal health data. When consumers trust organisations with this data, it is absolutely vital that it is kept secure. Incidents like these can have devastating consequences for the reputation of an organisation.”
Garmin said on Monday: “Affected systems are being restored and we expect to return to normal operation over the next few days. We do not expect any material impact to our operations or financial results because of this outage. As our affected systems are restored, we expect some delays as the backlog of information is being processed.”
This may be an over-optimistic outlook, as is the company’s argument that device functionality is not affected.
“It is clear in this instance that the victim has experienced lengthy downtime as a result of this attack, which will of course have a massive impact upon the business,” says Wearn. “Our research found that the average downtime an organisation suffers from a ransomware attack is three days, but this can of course be indefinite and lead to failure of a business. This is happening.”
He does not have any advice for Garmin, but has the following tips for organisations concerned about ransomware:
- “To minimise the threat of ransomware attacks, organisations must implement adequate resiliency measures to preserve business-as-usual should the worst happen. Non-networked backups and a fallback email and archiving process need to become standard security measures if organisations are to significantly mitigate ransomware threats.
- “Individual users can also assist greatly by being aware of the potential for unsafe attachments, but should also be wary of clicking any email links received in any communication, as criminals are increasingly utilising URL links rather than file-based attachments to infect networks.
- “It is also imperative that remote working software, such as VPNs and any servers are kept up to date in relation to patching, as open source reporting indicates that ransomware threat actors are increasingly targeting Windows Remote Desktop Protocols (RDP) and exploits to initiate compromise.
- “As the more complex threats are often delivered by secondary infection, organisations should also pay particular attention to their patterns of network traffic and data logs to identify any potential compromise. There is a potential short window of opportunity to remediate any initial dropper infection and thereby prevent the further insertion of ransomware.”
IBM Security has also offered advice to the industry more broadly, following the release of a study examining the financial impact of data breaches. It revealed that these incidents cost the South African organisations studied R40.2-million per breach on average. Sponsored by IBM Security and conducted by the Ponemon Institute, the 2020 Cost of a Data Breach Report is based on in-depth interviews with security professionals at organisations that suffered a data breach over the past year, so it does not necessarily represent the overall scale of attacks in South Africa.
The study identified the three root causes of data breaches as malicious or criminal attack (48%), human error (26%) and system glitches (26%).
On average, malicious or criminal attacks took 191 days to identify and 62 days to contain. Human error breaches took 164 days to identify and 40 days to contain, while system glitch breaches took 163 days to identify and 44 days to contain.
“It is becoming increasingly important for IT leaders to put security measures in place which reduce the impact of a data breach,” says Sheldon Hand, IBM Security leader for South Africa. “With this year’s study we’re seeing how costs were much higher for South African organisations that had not yet invested in areas such as security automation and incident response processes – and how complex security systems and cloud migration cost companies the most.
“With growing complexities facing companies, putting measures in place which significantly reduce the time it takes to investigate, isolate, contain and respond to the damage, will significantly reduce financial and brand impact.”
As the Garmin breach demonstrated so dramatically, it is not only South African organisations that have been rendered vulnerable by lack of adequate measures.