Garmin users noticed their devices were not working on July 22, 2020; anyone visiting the Garmin website was shown the outage notice below. It would not be until about a week later that most Garmin services were operational again. As more information was made public, we learned the attack was attributed to a threat group known as Evil Corp and that they leveraged a fairly new ransomware called WastedLocker. This blog post dives deeper into the Garmin attack: we extract TTPs from Cyber Threat Intelligence, create a MITRE ATT&CK Navigator Layer and an adversary emulation plan, emulate the attack with Cobalt Strike (as Evil Corp used) and then drop a synthetic WastedLocker built with SCYTHE, and discuss how to defend against ransomware attacks with Olaf Hartong. This post is a summary of our DEF CON Red Team Village talk; the slides are available here and the video of the presentation is below.
News of the Garmin attack started coming in on July 22, 2020. Eventually we learned all Garmin services were down for about a week:
Through Cyber Threat Intelligence, we found that the group responsible for the attack is Evil Corp and that they used a ransomware called WastedLocker. This group was not documented on the MITRE ATT&CK site when we did this work, so we had to review the Cyber Threat Intelligence below, extract the TTPs, and map them to MITRE ATT&CK:
Evil Corp, as a threat group, is more sophisticated than the standard ransomware operation: they manually interact with the target, move laterally through a number of systems, and only then drop the ransomware, in this case WastedLocker. At a high level, this is how the attack works:
Here is a screenshot of what the end user would see:
While the Cyber Threat Intelligence from NCC Group and Symantec has good detail, it is not mapped to MITRE ATT&CK, so we did the mapping with ATT&CK Navigator and shared the JSON in the SCYTHE Community Threats GitHub. Here is a direct link to the Navigator Layer shown below:
Is emulating ransomware even possible? Of course it is! The secret is to never encrypt or destroy production data. Instead, create new files of your own and run the typical ransomware steps against only those: encrypt them, exfiltrate them, and drop a ransom note. This method ensures no real data is ever at risk of being encrypted, destroyed, or leaked.
First, we build a threat profile for Evil Corp and WastedLocker:
Given Evil Corp used Cobalt Strike for manual lateral movement, we demo how to get a Cobalt Strike Beacon running with PowerShell, just as Evil Corp did. Then we use Cobalt Strike to drop the synthetic WastedLocker ransomware we created with SCYTHE. The synthetic malware is available in our Community Threats GitHub under Evil Corp and was created with the steps below:
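To make the "create your own files first" method concrete, here is an added example written for this post; it is not SCYTHE's synthetic WastedLocker, not Evil Corp tooling, and not code from the talk. It seeds decoy files in a fresh temporary directory, stages them in an archive to stand in for the exfiltration step, encrypts only files that carry its own marker header (and refuses anything else), drops a ransom note, and proves the decoys can be restored. The directory, decoy names, marker, note text and the stdlib-only keystream cipher are all assumptions for illustration.

```python
"""Harmless ransomware emulation: it touches only files it created itself.

Added example for this post, not SCYTHE's synthetic WastedLocker and not Evil
Corp tooling. Directory, decoy names, marker header and note text are assumed.
The cipher is a stdlib-only keystream (HMAC-SHA256 in counter mode, XORed over
the data) so the script needs no third-party packages; it only stands in for
whatever cipher a real emulation would use.
"""
import hashlib
import hmac
import secrets
import tempfile
import zipfile
from pathlib import Path

MARKER = b"SYNTHETIC-FILE-FOR-RANSOMWARE-EMULATION\n"  # assumed header
LOCKED_EXT = ".emulated"                                 # assumed extension
NOTE_NAME = "HOW_TO_RESTORE_FILES.txt"                   # assumed note name
STAGING_NAME = "staged_for_exfil.zip"                    # assumed archive name


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream: HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seed_synthetic_files(target_dir: Path, count: int = 5, size: int = 4096) -> list:
    """Create the only files the emulation is allowed to touch."""
    target_dir.mkdir(parents=True, exist_ok=True)
    paths = []
    for i in range(count):
        p = target_dir / f"quarterly_report_{i}.docx"     # assumed decoy name
        p.write_bytes(MARKER + secrets.token_bytes(size - len(MARKER)))
        paths.append(p)
    return paths


def stage_for_exfil(paths: list, target_dir: Path) -> Path:
    """Stand in for exfiltration by staging the decoys in an archive; nothing
    leaves the host, the transport is left to the C2 channel."""
    archive = target_dir / STAGING_NAME
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for p in paths:
            zf.write(p, arcname=p.name)
    return archive


def encrypt_synthetic_files(paths: list, key: bytes) -> list:
    """Encrypt and rename each decoy, refusing any file without the marker."""
    locked_paths = []
    for p in paths:
        data = p.read_bytes()
        if not data.startswith(MARKER):
            raise RuntimeError(f"refusing to encrypt non-synthetic file: {p}")
        nonce = secrets.token_bytes(16)
        locked = p.with_name(p.name + LOCKED_EXT)
        locked.write_bytes(nonce + xor_bytes(data, keystream(key, nonce, len(data))))
        p.unlink()
        locked_paths.append(locked)
    return locked_paths


def decrypt_synthetic_file(path: Path, key: bytes) -> bytes:
    blob = path.read_bytes()
    nonce, ciphertext = blob[:16], blob[16:]
    return xor_bytes(ciphertext, keystream(key, nonce, len(ciphertext)))


def drop_ransom_note(target_dir: Path) -> Path:
    note = target_dir / NOTE_NAME
    note.write_text("EMULATION ONLY: synthetic files in this folder were encrypted "
                    "by a purple team exercise. No production data was touched.\n")
    return note


def run_emulation(base_dir=None) -> dict:
    """Seed, stage, encrypt, drop the note; return what the blue team should see."""
    base = Path(base_dir) if base_dir else Path(tempfile.mkdtemp(prefix="rw-emulation-"))
    key = secrets.token_bytes(32)
    originals = seed_synthetic_files(base)
    checksums = {p.name: hashlib.sha256(p.read_bytes()).hexdigest() for p in originals}
    archive = stage_for_exfil(originals, base)
    locked = encrypt_synthetic_files(originals, key)
    return {"dir": base, "key": key, "checksums": checksums, "archive": archive,
            "locked": locked, "note": drop_ransom_note(base)}


def verify_restorable(result: dict) -> bool:
    """Every locked decoy must decrypt back to the seeded content."""
    for locked in result["locked"]:
        plain = decrypt_synthetic_file(locked, result["key"])
        expected = result["checksums"].get(locked.name[: -len(LOCKED_EXT)])
        if hashlib.sha256(plain).hexdigest() != expected:
            return False
    return bool(result["locked"])


if __name__ == "__main__":
    r = run_emulation()
    print(f"{len(r['locked'])} decoys locked in {r['dir']}; restorable: {verify_restorable(r)}")
```

The marker check in `encrypt_synthetic_files` is the safety property: even if the path list were wrong, a file that was not seeded by the emulation is never rewritten. Everything the blue team should observe (a new process writing many files under one extension, a staging archive, a note) still happens, which is what makes the run useful for detection testing.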
We had the pleasure of sitting down with industry thought leader and newly awarded Microsoft MVP Olaf Hartong to discuss how to defend against ransomware attacks. Given there are many strains of ransomware in the wild, it is important to focus on the behaviors ransomware has exhibited in the past and to keep monitoring as these criminal gangs evolve.
Olaf gives us an introduction to Sysmon, a Windows system service and device driver that monitors and logs system activity to the Windows event log. It provides detailed information about process creation, network connections, and changes to file creation time. By collecting the events it generates with Windows Event Collection or SIEM agents and then analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.
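Olaf's point about focusing on behaviors can be turned into detection logic over Sysmon's own events. The following added example (written for this post, not Olaf Hartong's or SCYTHE's code and not from the talk) parses events shaped like Sysmon's event XML and flags two behaviors common to many ransomware families: one process rewriting many files under a single new extension (Event ID 11, FileCreate) and shadow copy deletion via vssadmin or wmic (Event ID 1, ProcessCreate). The events are constructed samples; the paths, GUIDs, timestamps and the alert thresholds are assumptions.

```python
"""Detection logic over Sysmon events for two behaviors shared by many
ransomware families: one process rewriting many files under a single new
extension (Event ID 11) and shadow copy deletion (Event ID 1).
Added example, not Olaf Hartong's or SCYTHE's code. Events are constructed
samples in Sysmon's XML layout; paths, GUIDs, times and thresholds are assumed.
"""
import ntpath
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
MASS_WRITE_THRESHOLD = 5     # assumed: this many files with one extension...
MASS_WRITE_WINDOW_SEC = 10   # assumed: ...from one process within this window
SHADOW_DELETE_PATTERNS = [   # (image basename, command-line fragment)
    ("vssadmin.exe", "delete shadows"),
    ("wmic.exe", "shadowcopy delete"),
]
LOCKER = r"C:\Users\victim\AppData\Local\Temp\synthetic_locker.exe"   # assumed
LOCKER_GUID = "{a1b2c3d4-0000-4000-8000-000000000001}"               # assumed
EXPLORER = r"C:\Windows\explorer.exe"
EXPLORER_GUID = "{a1b2c3d4-0000-4000-8000-000000000002}"             # assumed


def _event(event_id: int, fields: dict) -> str:
    """Build one Sysmon-shaped <Event> element from constructed field values."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID>'
            f'</System><EventData>{data}</EventData></Event>')


SAMPLE_EVENTS = "".join(
    # shadow copies deleted right before encryption starts
    [_event(1, {"UtcTime": "2020-07-22 11:59:58.000",
                "ProcessGuid": "{a1b2c3d4-0000-4000-8000-000000000003}",
                "Image": r"C:\Windows\System32\vssadmin.exe",
                "CommandLine": "vssadmin.exe delete shadows /all /quiet"})]
    # six files rewritten under one new extension within five seconds
    + [_event(11, {"UtcTime": f"2020-07-22 12:00:0{i}.000",
                   "ProcessGuid": LOCKER_GUID, "Image": LOCKER,
                   "TargetFilename": rf"C:\Users\victim\Documents\report_{i}.docx.emulated"})
       for i in range(6)]
    # ordinary user activity that must not alert
    + [_event(11, {"UtcTime": "2020-07-22 12:01:00.000",
                   "ProcessGuid": EXPLORER_GUID, "Image": EXPLORER,
                   "TargetFilename": r"C:\Users\victim\Downloads\slides.pdf"})]
)


def parse_sysmon_events(xml_text: str) -> list:
    """Flatten each <Event> into a dict of its EventData fields plus EventID."""
    root = ET.fromstring(f"<Events>{xml_text}</Events>")
    events = []
    for ev in root.findall("e:Event", NS):
        fields = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        fields["EventID"] = int(ev.find("e:System/e:EventID", NS).text)
        events.append(fields)
    return events


def detect_mass_file_writes(events, threshold=MASS_WRITE_THRESHOLD,
                            window_sec=MASS_WRITE_WINDOW_SEC) -> list:
    """Sliding window over sorted FileCreate times per (process, image, extension)."""
    writes = defaultdict(list)
    for e in events:
        if e["EventID"] != 11:
            continue
        ext = ntpath.splitext(e["TargetFilename"])[1].lower()
        when = datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        writes[(e["ProcessGuid"], e["Image"], ext)].append(when)
    alerts = []
    for (guid, image, ext), times in writes.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_sec:
                alerts.append({"rule": "mass_file_write", "process_guid": guid,
                               "image": image, "extension": ext, "count": len(times)})
                break
    return alerts


def detect_shadow_copy_deletion(events) -> list:
    """Match ProcessCreate events against known shadow-copy deletion commands."""
    alerts = []
    for e in events:
        if e["EventID"] != 1:
            continue
        image = ntpath.basename(e.get("Image", "")).lower()
        cmdline = e.get("CommandLine", "").lower()
        for exe, fragment in SHADOW_DELETE_PATTERNS:
            if image == exe and fragment in cmdline:
                alerts.append({"rule": "shadow_copy_deletion", "image": e["Image"],
                               "command_line": e["CommandLine"]})
    return alerts


def run_detections(xml_text: str = SAMPLE_EVENTS) -> list:
    events = parse_sysmon_events(xml_text)
    return detect_shadow_copy_deletion(events) + detect_mass_file_writes(events)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

Both rules key on behavior rather than on a hash or file name, so they fire on the synthetic ransomware used in the emulation as readily as on a real sample. In production the threshold and window need tuning against backup agents, compilers and other legitimate bulk writers, and the FileCreate events themselves only exist if the Sysmon configuration includes the directories being written.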
Ransomware is evolving and getting more sophisticated. Evil Corp uses a number of tools to gain initial access, manually move laterally around the target environment, and then drop the ransomware. In this post, we consumed the Cyber Threat Intelligence as it came out, extracted TTPs, mapped them to MITRE ATT&CK and created a Navigator Layer, created an adversary emulation plan and shared it on our GitHub, demoed the emulation, and discussed defending against ransomware with Olaf Hartong. We hope you enjoyed this blog post summarizing our DEF CON Red Team Village talk; the slides are available here.
This Threat Thursday post discusses active research by SCYTHE and other cited third parties into an ongoing threat. The information in this post should be considered preliminary and may be updated as research continues. This information is provided “as-is” without any warranty or condition of any kind, either express or implied.
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email info@scythe.io, visit https://scythe.io, or follow on Twitter @scythe_io.