Garmin Ransom

On July 23rd, 2020, Garmin was reported to have fallen victim to a WastedLocker ransomware attack. The reported cost of the data decryption key was estimated to be about $10 million. Aside from a demand that's about 10x the size of the average ransomware attack, WastedLocker is notable for how the attack was designed: escalate privilege, persist during the encryption process, and prevent data recovery.

Privilege escalation on Windows systems is done by bypassing User Account Control (UAC), the prompt that asks the user to grant administrator privileges. With admin privileges, the malware can make more changes to the system with less friction.

Persistence is achieved by establishing a Windows service that runs until the entire encryption process completes. The significance of this is that users cannot easily interrupt the unwanted encryption process; for example, a user cannot simply log out to stop it. During encryption, AES with a unique key for each file is used, which makes large-scale data recovery more difficult.

Recovery of the user's encrypted data is inhibited by deleting volume shadow copies, the snapshots of data that Windows creates as backups. This removes the easiest way for users to restore their data to its unencrypted state.

From a web developer's perspective, ransomware is relevant because it can leverage compromised websites as an attack entry point. For example, an attacker could serve zipped files through download buttons on a website. Once executed and with UAC bypassed, the malware could hide in your system through techniques including NTFS Alternate Data Streams (ADS) and by copying itself to random paths and filenames within the `%APPDATA%` directory.
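The three behaviours described above (shadow copy deletion, a service installed from `%APPDATA%`, and writes to NTFS Alternate Data Streams) each leave a distinct trace in host telemetry. The following is an added detection example, not code from the original post; the events are constructed in a Sysmon-style shape (Event ID 1 process creation, Event ID 15 file stream creation, System log 7045 service installation) and the file paths are made up.

```python
import re

# Constructed sample events (not real telemetry), shaped like Sysmon/System log records.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"EventID": 15, "Image": r"C:\Users\alice\AppData\Roaming\qzlk\wurd.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\qzlk\wurd.bin:stream0"},
    {"EventID": 15, "Image": r"C:\Program Files\Browser\browser.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report.zip:Zone.Identifier"},
    {"EventID": 7045, "ServiceName": "qzlkwurd",
     "ImagePath": r"C:\Users\alice\AppData\Roaming\qzlk\wurd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
]

# Shadow copy deletion via the built-in vssadmin or wmic tooling.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
# A stream name after the last ':' that is not part of the drive prefix.
ADS_NAME = re.compile(r"^[A-Za-z]:\\.*:(?P<stream>[^\\:]+)$")
APPDATA = re.compile(r"\\AppData\\", re.I)
# Browsers routinely write this mark-of-the-web stream; exclude it.
BENIGN_STREAMS = {"Zone.Identifier"}

def classify(event):
    """Return a rule name if the event matches a WastedLocker-style behaviour."""
    eid = event.get("EventID")
    if eid == 1 and SHADOW_DELETE.search(event.get("CommandLine", "")):
        return "shadow_copy_deletion"
    if eid == 15:
        m = ADS_NAME.match(event.get("TargetFilename", ""))
        if m and m.group("stream") not in BENIGN_STREAMS:
            return "alternate_data_stream_write"
    if eid == 7045 and APPDATA.search(event.get("ImagePath", "")):
        return "service_installed_from_appdata"
    return None

def detect(events):
    """Return the list of rule names triggered, in event order."""
    return [rule for rule in (classify(e) for e in events) if rule]

if __name__ == "__main__":
    for rule in detect(SAMPLE_EVENTS):
        print(rule)
```

Tuning note: in a real environment the ADS rule needs an allowlist of the streams your endpoint software writes, and the service rule should also cover user-profile paths outside `AppData`.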
