
By now, you’ve probably heard about the massive multi-day outage that Garmin is suffering at the hands of the WastedLocker ransomware strain.  This is the latest in a long line of ransomware attacks that have been accelerating during the COVID-19 era.

Typically when ransomware strikes, companies do their best to avoid disclosure – nobody wants to admit that they’ve been hacked – but the scale of this attack, and the impact on Garmin’s consumer-facing services, has made it impossible to hide.

We should all have great empathy for the situation at Garmin right now.  This can’t be a pleasant time to be a member of their team.  The past 5 days have surely involved a herculean effort across every corner of the company, with immense stress and close to no sleep.  We’re all vulnerable to ransomware – they just happen to be the latest victim.

But, what can we learn from the event?  And how can we prevent the same outcomes for our own businesses?  Let’s dive in.

The Garmin Attack

The Garmin attack began early on the morning of July 23rd, and by 8:35 a.m. Garmin’s Twitter account was announcing that the Garmin website, their consumer-facing Garmin Connect service, and their call centers were all offline.  Leaks from within the company further indicated that several assembly lines had also been shut down.  And they confirmed that the culprit was ransomware.

The particular ransomware strain appears to be “WastedLocker,” a new strain that was released two months ago by the Russian hacking group “Evil Corp Gang.”  WastedLocker is a very customizable ransomware, and they most likely built a custom package specific to the Garmin environment.

WastedLocker encrypts all files it can access, and leaves a ransom note next to each file.  It also aggressively seeks to delete data backups that would allow the victim to restore files without paying the ransom.  Luckily, WastedLocker does not (currently) attempt to exfiltrate data from the infected machines.

According to news reports, the ransom fee for the Garmin attack was $10 million.  And apparently, they paid it (or had a third party do so on their behalf), which is not surprising given the catastrophic impact of losing their data.  They were certainly losing significantly more money than this as their entire company was idled for days.

Protecting Your Business from Ransomware

Ransomware is a fact of doing business in 2020, and it’s important that all businesses seriously consider this threat and work actively to mitigate it.  Obviously, this starts by preventing bad actors from accessing your systems and network.

But conventional wisdom in the security world accepts that you can no longer prevent hackers from getting in.  You need a layered strategy that minimizes the damage they can do once they get in.  This is generally implemented through best practices such as network segmentation (micro-segmentation is the new standard), least privilege, and multi-factor authentication.

But what happens when even those methods fail, and a ransomware attack is upon you?  At that time, you have a disaster on your hands, and your last line of defense is your disaster recovery plan.  So it’s absolutely critical that your DR plans contemplate recovery from ransomware attacks.

Recovering from a ransomware disaster requires restoring data from backups, so it’s critical that you have backups available when you need to recover.  WastedLocker and other ransomware strains understand that your backups are your savior, and they work hard to eliminate this recovery path.

To ensure that ransomware cannot delete (or encrypt) your backups, you need to lock down your backups in some form of “backup vault.”  You used to send tapes offsite, but most people aren’t doing that anymore.  Instead, you need to look at your computing environment and figure out the right strategy to securely store your data backups where no bad actor can access them.

Ransomware-Proof Disaster Recovery in AWS

If your computing environment runs in AWS, securely storing backups means copying them into another AWS account.  This account should be locked down, with minimal access.  Your colleagues who maintain perpetual access to your production account don’t need to use this “vault” account, and you can limit access to a small number of senior team members.

The major data services in AWS, such as EBS and RDS, enable cross-account copies of backups and snapshots.  Unfortunately, the built-in backup solutions like AWS Backup and DLM do not take advantage of those features.  To achieve this protection, you’ll need to build your own automation or look for a third-party solution where it’s built in (hint: scroll down to learn about your best option).
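As an added illustration of the cross-account copy mechanism described above (example code written for this article, not Arpio’s software), here is the share, copy and unshare sequence for a single EBS snapshot using boto3. The account ID, KMS key alias, region, profile names and snapshot ID are placeholders; the vault account must own the KMS key, and a snapshot encrypted with the AWS-managed default key cannot be shared at all.

```python
"""Copy an EBS snapshot from the production account into a locked-down
"vault" account, then revoke the share.  Added example with placeholder
identifiers; not Arpio code."""

VAULT_ACCOUNT_ID = "222222222222"          # assumed: the vault account ID
VAULT_KMS_KEY_ID = "alias/vault-backups"   # assumed: a CMK owned by the vault
REGION = "us-east-1"                       # assumed region


def vault_snapshot(ec2_prod, ec2_vault, snapshot_id):
    """Share -> copy -> unshare.  ec2_prod and ec2_vault are EC2 clients
    authenticated as the production and vault accounts respectively.
    Returns the ID of the copy that now lives in the vault account."""
    # 1. Production grants the vault account read access to the snapshot.
    ec2_prod.modify_snapshot_attribute(
        SnapshotId=snapshot_id,
        Attribute="createVolumePermission",
        OperationType="add",
        UserIds=[VAULT_ACCOUNT_ID],
    )
    try:
        # 2. The vault account copies the shared snapshot and re-encrypts it
        #    with a key it owns, so a compromised production account cannot
        #    read, alter or delete the vaulted copy.
        resp = ec2_vault.copy_snapshot(
            SourceRegion=REGION,
            SourceSnapshotId=snapshot_id,
            Description=f"vault copy of {snapshot_id}",
            Encrypted=True,
            KmsKeyId=VAULT_KMS_KEY_ID,
        )
        vault_id = resp["SnapshotId"]
        # Wait for the copy to finish before the share is withdrawn.
        ec2_vault.get_waiter("snapshot_completed").wait(SnapshotIds=[vault_id])
    finally:
        # 3. Always revoke the share so the exposure window stays short.
        ec2_prod.modify_snapshot_attribute(
            SnapshotId=snapshot_id,
            Attribute="createVolumePermission",
            OperationType="remove",
            UserIds=[VAULT_ACCOUNT_ID],
        )
    return vault_id


if __name__ == "__main__":
    import boto3  # imported lazily; the function itself needs no AWS session
    prod = boto3.Session(profile_name="prod").client("ec2", region_name=REGION)
    vault = boto3.Session(profile_name="vault").client("ec2", region_name=REGION)
    print(vault_snapshot(prod, vault, "snap-0123456789abcdef0"))  # placeholder ID
```

Pairing this with a deny on snapshot deletion for everyone but a few senior team members in the vault account gives the “minimal access” the previous paragraph calls for.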

Finally, once you’ve established vaulted backups for your AWS data, you need to test your recovery.  If your AWS account has been compromised, you’ll want to rebuild everything in a clean and secure environment.  This is a complex process, and the wrong time to work out the kinks is when you’re in the midst of a ransomware attack.

About Arpio

Arpio provides comprehensive disaster recovery for AWS environments so that you don’t have to build it yourself.  Our software automates Amazon’s best practices for disaster recovery, including locked-down backups and fully automated environment recovery.  If your AWS environment ever falls victim to ransomware or any other IT disaster, Arpio makes it quick and easy to recover your business.

Learn more at www.arpio.io.