Ransomware: More often an indiscriminate attacker! – Part 1
A collapse in the provision of customer services, a five-day breakdown in communications, a possible loss of $10 million in ransom money. These were only some of the consequences of the recent ransomware attack on fitness tracker and navigation software maker Garmin in July 2020, demonstrating the growing severity of the threat ransomware poses and the risk that firms such as Garmin face by not taking proper precautions.
Customers first became aware of the issue on 23rd July when they found themselves unable to use their Garmin applications, but information was limited to a brief public statement from the company about an ongoing outage. Only after four days of Garmin employees going to their social media accounts to release details of the situation ad hoc did the company officially admit what most users already knew: that it had been the victim of a cyberattack which had encrypted much of its data, preventing employees from accessing their own files, disabling Garmin’s services, and threatening not to restore access until the company paid the ransom.[3,4] Unable to function, Garmin appears to have succumbed to the pressure to pay the ransom, which may have amounted to $10 million, to the Russia-based cybercriminal group EvilCorp, known to be behind the attack.[1,5]
The attack on Garmin is only one example of a type of cyberattack that in 2019 cost over $7.5 billion in the US alone, making understanding and countering the threat of ransomware a priority for firms.
What is ransomware?
What above all distinguishes a ransomware attack from other types of cybercrime is that the theft and online sale of a company’s data is not its primary objective. Groups using ransomware instead attempt to profit by blackmailing their victims. Primarily, they do so by infecting a firm’s computer system with software that encrypts the data it finds, rendering it unusable and bringing the firm’s activity to a halt until a ransom is paid. A more recent, but less common, pattern of attack is to simultaneously encrypt and steal sensitive data, which cybercriminals either threaten to leak online unless the ransom is paid or simply sell on the dark web to make an additional profit.[7, 8]
In those cases where ransomware attacks involve data theft, the damage to firms extends beyond the immediate consequences of the attack to include fines for data loss. Under the General Data Protection Regulation (GDPR), the regulatory authority for data in the UK, the Information Commissioner’s Office, is authorised to impose a fine of up to 20 million Euros or 4% of total global turnover (whichever is the greater) on firms which fail to protect their clients’ sensitive data, including where this data is stolen at the same time as a ransomware attack.[9, 10] Examples of firms being punished after cyberattacks include:
- A fine of £500,000 to Cathay Pacific Airways in March 2020.
- A proposed fine of £9.22 million for Marriott International from July 2019, with the possibility of additional penalties after a second data breach in March the following year.[9, 10, 12]
- A fine of £500,000 for retailer DSG Retail Limited, owner of Currys, PC World and Dixons, imposed in January 2020, which would have been much higher had the breach not occurred before GDPR became enforceable.
Firms that do not protect themselves against ransomware therefore risk becoming both the victims of a cyberattack and unintentional perpetrators of an infringement of GDPR.
What makes firms vulnerable?
While their exact form and consequences vary, ransomware attacks rely on firms having at least one of two easily recognisable vulnerabilities.
Human error – Over 90% of known malware attacks relied on individuals mistakenly opening infected emails, and ransomware is no exception. Ransomware attacks rely heavily on social engineering, the manipulation of targets into downloading malware or giving away security information such as passwords, through several methods including:
- Mass phishing attempts – social engineering at its simplest. Examples include sending untargeted spam emails to multiple recipients or placing malware on websites (‘watering-hole’ attacks) to infect users.[14, 15, 16]
- ‘Spear phishing’ – a more elaborate form of attack targeting a specific individual with personalised emails claiming to be from a legitimate company or trusted contact.[14, 15, 16]
- Physical breaches – for especially desired targets, ransomware users may even enter a company in person to access a secure system, using methods ranging from claiming to be legitimate individuals (sometimes after having approached and gained the trust of a company’s employee) to tailgating.[14, 15, 16]
Unprotected software – The remainder of malware attacks, including ransomware, enter a company’s system through flaws in its software. This is especially the case for ransomware variants such as WannaCry that can spread automatically. In 2017, WannaCry did so on approximately 230,000 computers through such a fault, dubbed EternalBlue, in the Microsoft Windows operating system that acted as a back door to firms’ networks.
With firms greatly reliant on holding data, ransomware attacks have become a frequent occurrence, with the incident at Garmin being only one of many examples across a wide range of industries in the last month alone.
Brown-Forman, a manufacturer of alcoholic beverages better known as the maker of Jack Daniel’s whiskey, was targeted by a ransomware attack using the REvil malware on 14th August. While few details are currently publicly available, the firm is known to have had its corporate data both encrypted and stolen, with attackers threatening to leak 1 terabyte (containing file samples that date back at least ten years) if the ransom were not paid.[8, 18]
As the world’s largest cruise operator and owner of lines, Carnival accumulates the personal information of millions of customers per year. On the weekend of 15th August, the firm was subjected to a ransomware attack. This is believed to have been made possible through vulnerabilities in Carnival’s edge software and involved both the encryption of data and the threat of publishing stolen data. The data in question is believed to have contained customer personal details, putting Carnival at risk of prosecution under data protection laws.[19, 20]
Subscribe to our Newsletter to get a notification about Part 2, where Tony explains how firms can respond to ransomware, and how GDFM can help.
[1] Garmin Risks Repeat Attack If It Paid $10 Million Ransom, Barry Collins, Forbes, 28 July 2020.
[2] Garmin services and production go down after ransomware attack, Catalin Cimpanu, ZDNet, 23 July 2020.
[3] Experts: Devastating ransomware attack on Garmin highlights danger of haphazard breach responses, Jonathan Greig, TechRepublic, 28 July 2020.
[4] New WastedLocker ransomware demands payments of millions of USD, Catalin Cimpanu, ZDNet, 23 June 2020.
[5] Garmin Reportedly Paid a Ransom, Doug Olenick, Data Breach Today, 5 August 2020.
[6] Ransomware may have cost the US more than $7.5 billion in 2019, MIT Technology Review, 2nd January 2020.
[7] Anatomy of a Breach: Criminal Data Brokers Hit Dave, Matthew J. Schwartz, Info Breach Today, 28 July 2020.
[8] US liquor giant hit by ransomware – what the rest of us can do to help, Paul Ducklin, Sophos, 18 August 2020.
[9] Guide to Law Enforcement Processing, Penalties, Information Commissioner’s Office.
[10] GDPR: Data just got personal, Anthony Fraser, GDFM, 9th October 2019.
[11] International airline fined £500,000 for failing to secure its customers’ personal data, Information Commissioner’s Office, 4th March 2020.
[12] Marriott International hotel chain in second data breach, Alex Scroxton, Computer Weekly, 31st March 2020.
[13] National retailer fined half a million pounds for failing to secure information of at least 14 million people, Information Commissioner’s Office, 9th January 2020.
[14] Data Breaches, Thomson Reuters.
[15] Human-operated ransomware attacks: A preventable disaster, Microsoft Threat Protection Intelligence Team, Microsoft, 5th March 2020.
[16] What is Social Engineering?, Kaspersky.
[17] What is WannaCry ransomware?, Kaspersky.
[18] Jack Daniel’s Manufacturer Was Target of Apparent Ransomware Attack, Jordan Robertson, Bloomberg, 14th August 2020.
[19] World’s largest cruise line operator Carnival hit by ransomware, Lawrence Abrams, Bleeping Computer, 17th August 2020.
[20] Carnival cruise lines hit by ransomware, customer data stolen, Alex Scroxton, Computer Weekly, 18th August 2020.