It’s been over a week since hackers crippled Garmin with a ransomware attack, and five days since its services started flickering back to life. The company still hasn’t fully recovered, as syncing issues and delays continue to haunt corners of the Garmin Connect platform. Two things, though, are clear: It could have been worse for Garmin. And it’s only a matter of time before ransomware’s big game hunters strike again.
By this point, the world has seen a few large-scale meltdowns stem from ransomware-style attacks, where hacker groups encrypt sensitive files and shake down the owners for money. In 2017, WannaCry swept the globe before intrepid hacker Marcus Hutchins found and activated its kill switch. That same year, NotPetya caused billions of dollars of damage at multinational corporations like Maersk and Merck, although the ransomware aspect turned out to be a front for a vicious data-wiper. Time appears to have emboldened some hackers, however, as large companies take their place on the list of popular targets, alongside hospitals and local governments.
Recent victims include not just Garmin but Travelex, an international currency exchange company, which ransomware hackers successfully hit on New Year’s Eve last year. Cloud service provider Blackbaud—relatively low-profile, but a $3.1 billion market cap—disclosed that it paid a ransom to prevent customer data from leaking after an attack in May. And those are just the cases that go public. “There are certainly rather large organizations that you are not hearing about who have been impacted,” says Kimberly Goody, senior manager of analysis at security firm FireEye. “Maybe you don’t hear about that because they choose to pay or because it doesn’t necessarily impact consumers in a way it would be obvious something is wrong.”
Bigger companies make attractive ransomware targets for self-evident reasons. “They’re well-insured and can afford to pay a lot more than your little local grocery store,” says Brett Callow, a threat analyst at antivirus company Emsisoft. But ransomware attackers are also opportunistic, and a poorly secured health care system or city—neither of which can tolerate prolonged downtime—has long offered better odds for a payday than corporations that can afford to lock things down.
The gap between big business defenses and ransomware sophistication, though, is narrowing. “Over the last two years, we’ve seen case after case of vulnerable corporate networks, and the rise of malware designed for the intentional infection of business networks,” says Adam Kujawa, a director at security firm Malwarebytes Labs. And for hackers, success breeds success; Emsisoft estimates that ransomware attackers collectively took in $25 billion last year. “These groups now have huge amounts to invest in their operations in terms of ramping up their sophistication and scale,” Callow says.
Even ransomware attacks that start without a specific high-profile target in mind—who knows what a phishing campaign might turn up?—have increasingly focused on spotting the whales in the net. One actor associated with Maze ransomware, FireEye’s Goody says, specifically sought to hire someone whose sole job would be to scan the networks of compromised targets to determine not only the identity of the organization but its annual revenues.
The Garmin incident proves especially instructive here. The company was reportedly hit by a relatively new strain of ransomware called WastedLocker, which has been tied to Russia’s Evil Corp malware dynasty. For much of the past decade, the hackers behind Evil Corp allegedly used banking-focused malware to pilfer more than $100 million from financial institutions, as outlined in a Department of Justice indictment last year. In 2017, Evil Corp began incorporating Bitpaymer ransomware into its routine. After the indictment, it apparently retooled and set its sights much higher.
“When you see them hitting governments, cities, hospitals, these more common targets that we’ve seen over the past couple of years, the ransom that they’re asking in those is usually in the hundreds of thousands. With WastedLocker, the amount of ransom that we’re seeing is definitely on the uptick. We’re seeing them ask for millions,” says Jon DiMaggio, a senior threat intelligence analyst at Symantec. “With Evil Corp, there’s no doubt that it’s a big change that they’re hitting Fortune 500–type companies now.”
The WastedLocker hackers reportedly demanded $10 million for the keys to liberate Garmin’s systems. Sky News reported that the company ultimately paid, likely through an intermediary. Garmin has declined to comment much beyond confirming that a cyberattack did occur. “Most of you are aware of the recent cyberattack that led to a network outage affecting much of our website and consumer-facing applications,” said Garmin CEO Cliff Pemble during the company’s earnings call this week. “We immediately assessed the nature of the attack and started remediation efforts. We have no indication that any customer data was accessed, lost, or stolen.”
Which makes Garmin surprisingly fortunate. The other recent ransomware trend sees hackers not just encrypting files but stealing them and threatening to dump them online if payment doesn’t come through. Blackbaud wasn’t quite so lucky. According to its brief write-up of the incident, it successfully stopped the ransomware attack but not before the hackers grabbed files from at least 125 of its clients, including Planned Parenthood and the UK’s National Trust. A recent report from Emsisoft pegs the odds of ransomware also grabbing data at one in 10. It’s not hard to imagine a world in which that rate becomes much higher, especially when multibillion-dollar companies with sensitive consumer data are seen as viable targets.
"They're becoming more capable of conducting these attacks successfully," Goody says about the hackers. "As these criminal organizations grow, they're growing like a regular business would. They're building out different teams who can conduct these intrusion operations at a greater scale, or with greater efficiency, or without being detected. That's going to continue to grow as well."
For a sense of how businesslike these exchanges have become, look no further than the cordial chat transcripts between ransomware hackers and US travel firm CWT, which has a market cap of $2.2 billion. Reuters reported Friday that after agreeing on the $4.5 million ransom—the initial ask was $10 million, but CWT got a "very SPECIAL PRICE" for reaching out within two days—the attackers went so far as to give CWT bonus security tips on how to prevent further intrusions.
Ransomware continues to affect the usual suspects; the hospitals and cities and homeowners who click on a bad link haven’t gotten any sort of reprieve. But as hacking groups add both to their coffers and tool sets, it seems likely that Garmin is hardly an outlier—and only a matter of time before the next big target takes a big fall.