It’s been over a week since hackers crippled Garmin with a ransomware attack, and five days since its services started flickering back to life. The company still hasn’t fully recovered, as syncing issues and delays continue to haunt corners of the Garmin Connect platform. Two things, though, are clear: It could have been worse for Garmin. And it’s only a matter of time before ransomware’s big game hunters strike again.
By this point, the world has seen a few large-scale meltdowns stem from ransomware-style attacks, where hacker groups encrypt sensitive files and shake down the owners for money. In 2017, WannaCry swept the globe before intrepid hacker Marcus Hutchins found and activated its kill switch. That same year, NotPetya caused billions of dollars of damage at multinational corporations like Maersk and Merck, although the ransomware aspect turned out to be a front for a vicious data-wiper. Time appears to have emboldened some hackers, however, as large companies take their place on the list of popular targets, alongside hospitals and local governments.
Recent victims include not just Garmin but Travelex, an international currency exchange company, which ransomware hackers successfully hit on New Year’s Eve last year. Cloud service provider Blackbaud—relatively low-profile, but a $3.1 billion market cap—disclosed that it paid a ransom to prevent customer data from leaking after an attack in May. And those are just the cases that go public. “There are certainly rather large organizations that you are not hearing about who have been impacted,” says Kimberly Goody, senior manager of analysis at security firm FireEye. “Maybe you don’t hear about that because they choose to pay or because it doesn’t necessarily impact consumers in a way it would be obvious something is wrong.”
Bigger companies make attractive ransomware targets for self-evident reasons. “They’re well-insured and can afford to pay a lot more than your little local grocery store,” says Brett Callow, a threat analyst at antivirus company Emsisoft. But ransomware attackers are also opportunistic, and a poorly secured health care system or city—neither of which can tolerate prolonged downtime—has long offered better odds for a payday than corporations that can afford to lock things down.
The gap between big business defenses and ransomware sophistication, though, is narrowing. “Over the last two years, we’ve seen case after case of vulnerable corporate networks, and the rise of malware designed for the intentional infection of business networks,” says Adam Kujawa, a director at security firm Malwarebytes Labs. And for hackers, success breeds success; Emsisoft estimates that ransomware attackers collectively took in $25 billion last year. “These groups now have huge amounts to invest in their operations in terms of ramping up their sophistication and scale,” Callow says.
Even ransomware attacks that start without a specific high-profile target in mind—who knows what a phishing campaign might turn up?—have increasingly focused on spotting the whales in the net. One actor associated with Maze ransomware, FireEye’s Goody says, specifically sought to hire someone whose sole job would be to scan the networks of compromised targets to determine not only the identity of the organization but its annual revenues.
The Garmin incident proves especially instructive here. The company was reportedly hit by a relatively new strain of ransomware called WastedLocker, which has been tied to Russia’s Evil Corp malware dynasty. For much of the past decade, the hackers behind Evil Corp allegedly used banking-focused malware to pilfer more than $100 million from financial institutions, as outlined in a Department of Justice indictment last year. In 2017, Evil Corp began incorporating Bitpaymer ransomware into its routine. After the indictment, it apparently retooled and set its sights much higher.
“When you see them hitting governments, cities, hospitals, these more common targets that we’ve seen over the past couple of years, the ransom that they’re asking in those is usually in the hundreds of thousands. With WastedLocker, the amount of ransom that we’re seeing is definitely on the uptick. We’re seeing them ask for millions,” says Jon DiMaggio, a senior threat intelligence analyst at Symantec. “With Evil Corp, there’s no doubt that it’s a big change that they’re hitting Fortune 500–type companies now.”