EvilCorp: The Criminal Hackers Behind The Garmin Ransomware Attack

Now I have spent a lot of time talking about the Garmin ransomware attack that has pretty much crippled Garmin and infuriated users of their products. And I’ve mentioned that the word on the street is that the people behind this want $10 million in ransom. But now that Garmin’s services appear to be coming back online, it’s time to talk about who the people behind this ransomware attack are.

The ransomware that is apparently being used is “WastedLocker”, made by a group of hackers calling themselves “Evil Corp.” MalwareBytes has more info on both:

The ransomware name is derived from the filename it creates which includes an abbreviation of the victim’s name and the string “wasted”.

For each encrypted file, the attackers create a separate file that contains the ransomware note. The ransom note has the same name as the associated file with the addition of “_info”.

The ransom demands are steep, ranging from $500,000 to over $10 million in Bitcoin. Given that the operators make every effort to go after any backups, some organizations may feel the need to pay up. Where other ransomware operators are adding the exfiltration and even auction of stolen data to their arsenal, the Evil Corp gang has shown no inclination in that direction yet.

Historically the Evil Corp gang targets mostly US organizations and it looks like they are staying on that track with a few victims in Europe. The main players in the group are believed to be Russian.

The ransomware itself is very interesting in terms of how it operates:

The ransomware itself is custom built for each client so there is nothing to be gained by doing a full analysis. The attacks do have some commonalities though which we will discuss here.

  • Deletes shadow copies, which are the default backups made by the Windows OS.
  • The main executable for the ransomware is copied to the system folder and gets elevated permissions
  • A service is created that runs during encryption.
  • During encryption the encrypted files are renamed, and the ransom notes are created.
  • A log file is created that lists the number of targeted files, the number of encrypted files, and the number of files that were not encrypted due to access rights issues.
  • The service is stopped and deleted.

This is very crafty and would almost be worthy of praise were it not for the damage that it causes.
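The behaviour chain quoted above (shadow copies deleted, payload dropped into the system folder and run as a service, files renamed with a per-victim “wasted” extension plus a sibling “_info” note, then the service stopped and deleted) is exactly what a defender would want to hunt for. The script below is an added illustration of that hunt; it is not code from Malwarebytes, Garmin or this blog. It assumes a simplified “id|key=value” event format flattened from Windows event IDs 4688, 7045 and 7036, a constructed victim abbreviation “acme”, and vssadmin.exe / sc.exe as the tools used for shadow-copy deletion and service removal (the quoted write-up does not name the tools, so those command lines are assumptions):

```python
"""Hunt for the WastedLocker-style behaviour chain quoted from Malwarebytes.

Added example, not vendor or victim code. Event format, service name, victim
abbreviation ("acme") and command lines are all constructed for illustration.
"""
import re

# Constructed event lines, assumed to be flattened from Windows Security (4688)
# and System (7045 service installed, 7036 service state change) logs.
SAMPLE_EVENTS = [
    '4688|proc=C:\\Windows\\System32\\vssadmin.exe|cmd="vssadmin.exe Delete Shadows /All /Quiet"',
    '4688|proc=C:\\Windows\\System32\\cmd.exe|cmd="cmd.exe /c copy payload.exe C:\\Windows\\System32\\svcupd.exe"',
    '7045|svc=svcupd|image=C:\\Windows\\System32\\svcupd.exe',
    '7036|svc=svcupd|state=stopped',
    '4688|proc=C:\\Windows\\System32\\sc.exe|cmd="sc.exe delete svcupd"',
]

# Constructed directory listing: an encrypted file with its note, an untouched
# file, and an encrypted file whose note is missing (e.g. write access denied).
SAMPLE_FILES = [
    "Q3-forecast.xlsx.acmewasted",
    "Q3-forecast.xlsx.acmewasted_info",
    "readme.txt",
    "photo.jpg.acmewasted",
]

# Assumed command-line patterns; vssadmin/wmic and sc are common, not page-stated.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic.*shadowcopy\s+delete", re.I)
SC_DELETE = re.compile(r"\bsc(\.exe)?\s+delete\s+(\S+)", re.I)
SYSTEM_DIR = re.compile(r"^c:\\windows\\system32\\", re.I)
NOTE_SUFFIX = "_info"
STAGES = ["shadow_copies_deleted", "service_installed_in_system32",
          "service_stopped", "service_deleted"]


def parse_event(line):
    """Split 'id|k=v|k=v' into a dict, stripping quotes around values."""
    parts = line.split("|")
    ev = {"id": parts[0]}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        ev[key] = value.strip('"')
    return ev


def scan_events(lines):
    """Return the chain stages observed, in log order, tagged with service names."""
    findings = []
    services = {}  # services installed from the system folder, name -> image path
    for line in lines:
        ev = parse_event(line)
        if ev["id"] == "4688":
            cmd = ev.get("cmd", "")
            if SHADOW_DELETE.search(cmd):
                findings.append("shadow_copies_deleted")
            m = SC_DELETE.search(cmd)
            if m and m.group(2) in services:
                findings.append(f"service_deleted:{m.group(2)}")
        elif ev["id"] == "7045" and SYSTEM_DIR.match(ev.get("image", "")):
            services[ev["svc"]] = ev["image"]
            findings.append(f"service_installed_in_system32:{ev['svc']}")
        elif ev["id"] == "7036" and ev.get("state") == "stopped" and ev.get("svc") in services:
            findings.append(f"service_stopped:{ev['svc']}")
    return findings


def chain_score(findings):
    """Number of distinct chain stages seen (4 = full sequence present)."""
    seen = {f.split(":", 1)[0] for f in findings}
    return sum(stage in seen for stage in STAGES)


def pair_ransom_notes(filenames, marker="wasted"):
    """For every file whose extension contains the marker, report whether the
    matching '<name>_info' note exists beside it. Files that were renamed but
    got no note are worth a look: the note write may have failed on access rights."""
    names = set(filenames)
    pairs = []
    for name in filenames:
        ext = name.rsplit(".", 1)[-1].lower()
        if marker in ext and not name.endswith(NOTE_SUFFIX):
            pairs.append((name, name + NOTE_SUFFIX in names))
    return pairs


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    print(f"chain stages {chain_score(found)}/{len(STAGES)}:", found)
    print("encrypted files (note present?):", pair_ransom_notes(SAMPLE_FILES))
```

A service installed from System32 (the 7045 branch) is noisy on its own; the signal is the ordered chain of shadow-copy deletion, short-lived service, renamed files with notes, and service removal in one window. Because WastedLocker is rebuilt per victim, the extension marker should be treated as a parameter, not a fixed IOC.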

Now over to Evil Corp. Their top guy is said to be a fellow by the name of Maksim Yakubets, according to the FBI. His right-hand man is said to be Igor Olegovich Turashev, and both are Russian nationals wanted by the FBI. And if you’re interested in why the FBI wants to get them into a jail cell, this Wired article can help you with that. They’ve been around for a while and have become increasingly sophisticated, which makes them a threat to computer users everywhere. And if they are truly behind the Garmin ransomware attack, they’ve now got the attention of a whole lot of people who would love to take them down. Especially if the rumors are true that Garmin paid the ransom to get themselves out of this. Thus I would not want to be them, as there are not a whole lot of places outside of Russia that they can go without the FBI being able to nab them. Plus, with this latest attack, the FBI is going to work double time to get them into a nice cosy jail cell.

One Response to “EvilCorp: The Criminal Hackers Behind The Garmin Ransomware Attack”

  1. […] claiming that Garmin had paid the people behind their ransomware attack. The people behind this are likely Evil Corp for the record as the ransomware that was used was reportedly “wasted locker”. In that story I said […]
