
Garmin hacked

Yesterday Connext weather wouldn’t work in my plane. After landing I found out that they got hacked. Watches, talking scales, their website and so on.

Last Edited by loco at 24 Jul 07:22
LPFR, Poland

Amazing indeed.

Aviation databases gone too.

Some virus got into their systems, encrypted the storage, and is demanding a ransom.

Administrator
Shoreham EGKA, United Kingdom

It looks like a successful ransomware attack unfortunately, this can play out in several different ways. I hope they have their continuity management and recovery plans in order.

Pure speculation, but if the attackers got hold of all user data, which contains zillions of location tracking data from all wearables and sports tech, it will be easy to sell most likely and will cost them as well.

For those interested, here is an interesting read from Maersk and their “extinction event” – https://gvnshtn.com/maersk-me-notpetya/

martin-esmi wrote:

Pure speculation, but if the attackers got hold of all user data, which contains zillions of location tracking data from all wearables and sports tech, it will be easy to sell most likely and will cost them as well.

It would be quite unusual for a ransomware attack that they also collect data. Typically these are two very different kinds of attacks (also with different attack vectors).

Germany

Indeed, hence speculation, but I would not rule it out. Hopefully we will get a clearer picture from Krebs or other sources in the near future.

I know the “Garmin empire” is vastly bigger than just one virtual server, but I would have thought anybody can always restore the previous day’s working system. Automated image backups are standard on virtual servers. I realise they probably don’t want to lose a day’s transactions (which is the worst that would happen on EuroGA) so they will try hard to clean up and get their trashed systems working again. This is also why you need really good security (physical tokens, etc) on the virtual server control panel.

Administrator
Shoreham EGKA, United Kingdom

Ransomware attacks are typically run at the file system level – therefore the rollback images are often also encrypted, and it’s not only about losing a day of business (which is also more significant than it sounds because e.g. tax authorities don’t like the idea that you can’t tell how much money you made/lost on this one day and therefore are only able to pay taxes for 364 days this year).

A lot depends on where the malware came in and at which OS level it gained access. In many cases rolling back is not such a simple solution, as professional ransomware, for exactly this reason, stays dormant for multiple days/weeks or even months so that every rollback will be infected immediately.

And it depends on how professional the hacker actually is. If they were caught by a true professional, paying the ransom is by far the most effective way to get back control. If it was a script kiddie, it is not even certain whether there is a way of restoring anything (as there are cases where even the hacker lost the decryption keys…).

Germany

The image backups I refer to are not accessible from the running server. The attacker would have to get inside the hosting company, or access your control panel.

Sure, one needs to keep a journal of transactions during the day which you are about to lose.

But yes if the attack has been running for days or weeks, and that got image-backed-up also, you have a big problem… One needs to run other backups also.

Administrator
Shoreham EGKA, United Kingdom

It depends on the ransomware. This assumes the ransomware ‘locks’ the system the moment it gets in, which probably isn’t a good assumption. The ransomware might be present in months worth of backups and it evidently got past whatever Garmin uses for malware detection. Unless they can be sure that they have cleaned it off the backups, they could restore them only to be locked out again a few days later.

A customer of my wife’s company got hit by a ransomware attack. It took them months to get everything fully fixed, despite virtualisation (although hopefully much of those months were putting in measures to harden against future attacks, e.g. proper privilege separation, proper policies on keeping machines up to date, proper control over network access, proper control over USB ports/removable storage)

Last Edited by alioth at 24 Jul 12:49
Andreas IOM

alioth wrote:

A customer of my wife’s company got hit by a ransomware attack. It took them months to get everything fully fixed, despite virtualisation (although hopefully much of those months were putting in measures to harden against future attacks, e.g. proper privilege separation, proper policies on keeping machines up to date, proper control over network access, proper control over USB ports/removable storage)

Some companies sign every dll and binary inside the Citrix client, so if it’s infected (or WebEx applies new update!), some parts of the client stop working and it is very visible.
Some companies install anti-malware protection for all virtual servers (typically 85%-95% in big companies), and that protection detects how much data (%-wise) has changed over one day and shouts if it is too much.
Some companies install 2FA to get access to the server side of the DC (not the client/Citrix), that way you would really struggle to infect anything.

And some companies align the OPS management bonus to the % of all servers patched in 15-30-45-60 days. No patching, no bonus.

EGTR
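The two controls the poster above describes, a manifest of known-good file hashes and a daily "how much changed" check that shouts when the fraction is too high, can be sketched in a few dozen lines. The following is an added example written for this thread, not code from any of the posters or from Garmin; the thresholds (20% of baselined files changed per day, entropy above 7.5 bits/byte for a modified file) are assumptions picked for illustration, and the sample documents and the high-entropy stand-in for encrypted content are constructed inside the script so it runs offline.

```python
from __future__ import annotations

import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Assumed thresholds for this example; a real deployment would tune them per host/role.
CHANGE_RATIO_THRESHOLD = 0.20   # alert if more than 20% of baselined files changed in one scan window
ENTROPY_THRESHOLD = 7.5         # bits/byte; encrypted or compressed content sits close to 8.0


def sha256_of(path: Path) -> str:
    """Content hash of one file, read in chunks so large files don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniformly distributed bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_baseline(root: Path) -> dict[str, str]:
    """Snapshot of relative path -> SHA-256, the 'signed manifest' idea from the post."""
    return {str(p.relative_to(root)): sha256_of(p) for p in sorted(root.rglob("*")) if p.is_file()}


def scan(root: Path, baseline: dict[str, str]) -> dict:
    """Compare the tree against the baseline and report change ratio plus entropy findings."""
    changed, missing, high_entropy = [], [], []
    for rel, digest in baseline.items():
        p = root / rel
        if not p.is_file():
            missing.append(rel)
            continue
        if sha256_of(p) != digest:
            changed.append(rel)
            # Mass rewrites of files into near-random bytes are the signature of encryption in place.
            if shannon_entropy(p.read_bytes()) > ENTROPY_THRESHOLD:
                high_entropy.append(rel)
    new_files = [str(p.relative_to(root)) for p in root.rglob("*")
                 if p.is_file() and str(p.relative_to(root)) not in baseline]
    total = len(baseline)
    ratio = (len(changed) + len(missing)) / total if total else 0.0
    return {
        "change_ratio": ratio,
        "changed": changed,
        "missing": missing,
        "new": new_files,
        "high_entropy": high_entropy,
        "alert": ratio > CHANGE_RATIO_THRESHOLD or len(high_entropy) > 0,
    }


def pseudo_ciphertext(seed: int) -> bytes:
    """Constructed stand-in for encrypted content: 4096 deterministic hash-derived bytes."""
    return b"".join(hashlib.sha256(f"{seed}:{j}".encode()).digest() for j in range(128))


def demo() -> dict:
    """Constructed scenario: ten text files, then a quiet day, then a mass overwrite."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for i in range(10):
            (root / f"doc{i}.txt").write_text(f"quarterly report {i}\n" * 20)
        baseline = build_baseline(root)

        # Quiet day: one document legitimately edited -> 10% changed, low entropy, no alert.
        (root / "doc3.txt").write_text("quarterly report 3, revised\n" * 20)
        quiet = scan(root, baseline)

        # Mass overwrite: eight files replaced by high-entropy bytes -> 80% changed, alert.
        for i in range(8):
            (root / f"doc{i}.txt").write_bytes(pseudo_ciphertext(i))
        mass = scan(root, baseline)
    return {"quiet": quiet, "mass": mass}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: ratio={result['change_ratio']:.2f} "
              f"high_entropy={len(result['high_entropy'])} alert={result['alert']}")
```

The ratio check is what catches the bulk rewrite even when the payload is unknown to the malware scanner; the entropy check distinguishes a day of heavy legitimate editing from files being turned into ciphertext. In practice the baseline would be produced and stored by a signed, read-only process, for the same reason the earlier posts give for keeping image backups out of reach of the running server.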
