Ben Auton | August 10th, 2020

News of the WastedLocker ransomware attack on Garmin, the GPS and aviation specialist, continues to spread. According to reports, Garmin first contacted the industry's primary ransomware payment negotiation firm, which immediately declined to transact the payment because of the U.S. Treasury sanctions issued by the Office of Foreign Assets Control (OFAC). Garmin then appears to have contacted a newly formed "Ransom Paying Service" that negotiated and paid a ransom directly to Evil Corp, a hacking group affiliated with Russia's Federal Security Service, the Federal'naya Sluzhba Bezopasnosti (FSB).

SpearTip's analysis, along with that of multiple threat research teams, shows a strong consensus that WastedLocker is in fact operated by the sanctioned hacking group Evil Corp. Although attribution can never be definitive without specific public-source intelligence, SpearTip and the wider industry find this evidence compelling. Relatively simple analysis techniques comparing WastedLocker with Dridex and BitPaymer make it clear that these malware variants were most likely developed by the same group. As an investigator disassembles the malware, it is easy to spot not only common tactics but also identical subroutines within the modules and executables it leverages. Although there were major changes, this is an evolution of the malware rather than something completely new.

One of the most comprehensive analyses published to date is by NCC Group, and SpearTip has been able to validate many of its findings. As NCC Group observed, the group began changing tactics after the U.S. Treasury sanctions were issued: most of its banking fraud operation had been rendered largely ineffective throughout 2019, and the release of the public indictment likely pushed Evil Corp further toward alternative methods of attack. Evil Corp was already participating, to varying degrees, in Locky, BitPaymer, and DoppelPaymer, apparently selling the use of Dridex or selling access to networks already infected with Dridex. WastedLocker is likely an attempt to operate more independently of other cybercriminal groups.

Simply developing a new malware executable, using an updated but similar phishing method, and creating a new bitcoin wallet is the natural progression for cyber criminals as they update their own tools, tactics, and procedures; it is not sufficient evidence to dispute the industry-accepted attribution. One key indicator of continuity between WastedLocker and earlier Evil Corp malware is the use of the SocGholish fake-update framework on compromised websites, which is very consistent with past Dridex techniques. In addition, as stated by Sophos Labs and validated by SpearTip, the abuse of alternate data streams, the customized API-resolving method, the UAC bypass, and even early versions of the ransom note are all extremely close to BitPaymer ransomware, suggesting more than coincidence.
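The alternate-data-stream abuse mentioned above is something a defender can hunt for directly, because a PE file parked in an NTFS stream is invisible to ordinary directory listings but not to the filesystem provider. The following PowerShell script is an added example, not SpearTip's or Sophos's code and not taken from WastedLocker itself: it walks a directory tree, lists every non-default stream on every file, and reports streams that begin with the MZ header of a Windows executable. The default scan root (`$env:APPDATA`), the function name `Find-HiddenPeStreams`, and the MZ-header heuristic are assumptions for illustration; a real hunt would also baseline the benign streams (for example `Zone.Identifier`) that your environment normally carries.

```powershell
# Added example (not SpearTip's or Sophos's code): hunt for executables hidden in
# NTFS alternate data streams. The scan root, function name and MZ-header heuristic
# are assumptions for illustration only.
param(
    [string]$Path = $env:APPDATA   # assumed default; pass any directory on an NTFS volume
)

function Find-HiddenPeStreams {
    param([Parameter(Mandatory)][string]$Root)

    # Windows PowerShell 5.1 reads raw bytes with -Encoding Byte; PowerShell 7 uses -AsByteStream.
    $byteArgs = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } }
                else                                        { @{ Encoding = 'Byte' } }

    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Get-Item -Stream * enumerates every NTFS stream; ':$DATA' is the ordinary file content.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Length -ge 2 } |
        ForEach-Object {
            $stream = $_
            # Read only the first two bytes of the stream through the filesystem provider.
            $header = Get-Content -LiteralPath $file.FullName -Stream $stream.Stream `
                                  -TotalCount 2 -ErrorAction SilentlyContinue @byteArgs
            # 'MZ' (0x4D 0x5A) is the DOS header magic present in every PE executable and DLL.
            if ($header -and $header.Count -ge 2 -and $header[0] -eq 0x4D -and $header[1] -eq 0x5A) {
                [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $stream.Stream
                    Bytes  = $stream.Length
                }
            }
        }
    }
}

Find-HiddenPeStreams -Root $Path | Format-Table -AutoSize
```

Run it from an elevated prompt against user profile directories first, since that is where a dropper can write without extra privileges; any hit is worth pulling for analysis, and the same objects can be piped to `Export-Csv` to feed a ticket or a SIEM.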

SpearTip's experience investigating this group and affiliated entities stems from our involvement in responding to Bogachev's criminal activity since 2014 (United States of America, Complaint v. Evgeniy Bogachev, filed ex parte and under seal), in which SpearTip was the responding incident response firm. During the investigation and recovery of the $7 million fraudulent wire transfer, and the analysis of the Dridex malware involved, it was determined that they blended various new attack methods. For example, a new entity in Cyprus was used to pivot the funds to Zurich, and a new bank account was created to receive the fraudulent funds. Bogachev used the services of a "money mule" to extract the funds because he himself could not easily travel to Switzerland, nor would someone of his stature be relegated to such menial tasks. As the money mule, a well-known Russian criminal, was attempting to gain access to the fraudulent funds, the mule was detained and the funds were returned to the U.S. Bogachev's earlier actions follow the most recent modus operandi of Yakubets and Evil Corp, which, together with the technical signatures from the malware analysis, is further evidence that there is a high likelihood WastedLocker is attributable to Evil Corp.

Attribution can be difficult, and eventually definitive information will surface. The current industry-accepted attribution is critical for organizations working through how to respond to a WastedLocker attack. SpearTip's analysis and our federal contacts have validated that a third party's facilitation of a transfer of funds to a sanctioned group is a violation of law and of OFAC sanctions, although it remains unclear whether any action will be taken at this time. SpearTip suggests that any future victim company should request official permission to make the payment despite the prohibition, or a formal agreement not to prosecute or sanction. Even with that in hand, SpearTip still does not recommend paying WastedLocker ransoms.

From SpearTip's perspective this presents an interesting industry dilemma for "ransomware negotiation and payment" companies dealing with sanctioned entities such as Evil Corp, especially given such widespread agreement on attribution. SpearTip understands that some companies have no choice but to pay a ransom and that, in many cases, no official link to foreign intelligence operations exists. The Garmin incident raises several troubling concerns: the sanctions had been in place for months, other firms declined to participate in the transaction, and there is the larger question of why Evil Corp targeted Garmin at all. This will be covered in SpearTip's next article, as we explore the relationship between Evil Corp, Maksim Yakubets, Evgeniy Bogachev, and the Russian FSB.

The legal and ethical aspects of knowingly profiting from this transaction will be debated and judged by the marketplace, including possible condemnation by the U.S. Treasury for facilitating these transactions. Evil Corp's link to the FSB is not a superficial concern, and the targeting of Garmin was not happenstance. There are significant national security concerns in a cyber-attack against the premier civilian GPS and mapping firm in the world. Nation-state-directed espionage operations, and the funding obtained through these payments, have real-world consequences for the U.S. and our nation's interests.

SpearTip will continue to advocate for and protect organizations against these types of ransomware attacks. Most of these attacks are devastating to a company, and many victims are still forced to pay ever-growing prices to decrypt their data because they do not have a robust, ongoing protection platform deployed. We continue to advocate for a comprehensive government policy discussion while implementing a proactive cybersecurity framework and appropriate risk transfer through insurance to address this problem.

24/7 Breach Response: 833.997.7327