U.S. charges Russian hackers blamed for Ukraine power outages and the NotPetya ransomware attack

Six Russian intelligence officers accused of launching some of the “world’s most destructive malware” — including an attack that took down the Ukraine power grid in December 2015 and the NotPetya global ransomware attack in 2017 — have been charged by the U.S. Justice Department.

Prosecutors said the group of hackers, who work for the Russian GRU, are behind the “most disruptive and destructive series of computer attacks ever attributed to a single group.”

“No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite,” said John Demers, U.S. assistant attorney general for national security. “Today the Department has charged these Russian officers with conducting the most disruptive and destructive series of computer attacks ever attributed to a single group, including by unleashing the NotPetya malware. No nation will recapture greatness while behaving in this way.”

The six accused Russian intelligence officers. (Image: FBI/supplied)

In charges laid out Monday, the hackers are accused of developing and launching attacks using the KillDisk and Industroyer (also known as Crash Override) malware to target and disrupt the power supply in Ukraine, which left hundreds of thousands of customers without electricity two days before Christmas. The prosecutors also said the hackers were behind the NotPetya attack, a ransomware attack that spread across the world in 2017, causing billions of dollars in damages.

The hackers are also said to have used Olympic Destroyer, designed to knock out internet connections during the opening ceremony of the 2018 PyeongChang Winter Olympics in South Korea.

Prosecutors also blamed the six hackers for trying to disrupt the 2017 French elections by launching a “hack and leak” operation to discredit the then-presidential frontrunner, Emmanuel Macron, as well as launching targeted spearphishing attacks against the Organization for the Prohibition of Chemical Weapons and the U.K.’s Defense Science and Technology Laboratory, tasked with investigating the use of the Russian nerve agent Novichok in Salisbury, U.K. in 2018, and attacks against targets in Georgia, the former Soviet state.

The alleged hackers — Yuriy Sergeyevich Andrienko, 32; Sergey Vladimirovich Detistov, 35; Pavel Valeryevich Frolov, 28; Anatoliy Sergeyevich Kovalev, 29; Artem Valeryevich Ochichenko, 27; and Petr Nikolayevich Pliskin, 32 — are all charged with seven counts of conspiracy to hack, commit wire fraud, and causing computer damage.

The accused are believed to be in Russia. But the indictment serves as a “name and shame” effort, frequently employed by Justice Department prosecutors in recent years where arrests or extraditions are not likely or possible.

Healthcare giant UHS hit by ransomware attack, sources say

Universal Health Services, one of the largest healthcare providers in the U.S., has been hit by a ransomware attack.

The attack hit UHS systems early on Sunday morning, according to two people with direct knowledge of the incident, locking computers and phone systems at several UHS facilities across the country, including in California and Florida.

One of the people said the computer screens changed with text that referenced the “shadow universe,” consistent with the Ryuk ransomware. “Everyone was told to turn off all the computers and not to turn them on again,” the person said. “We were told it will be days before the computers are up again.”

It’s not immediately known what impact the ransomware attack is having on patient care.

An executive who oversees cybersecurity at another U.S. hospital system, who asked not to be named as they were not authorized to speak to the press, told TechCrunch that patient medical data is “likely safe” as UHS relies on Cerner, a healthcare technology company, to handle its patients’ electronic health records.

UHS has 400 hospitals and healthcare facilities in the U.S. and the U.K., and serves millions of patients each year.

A spokesperson for UHS did not immediately respond to a request for comment.

The Ryuk ransomware is linked to a Russian cybercrime group, known as Wizard Spider, according to security firm CrowdStrike. Ryuk’s operators are known to go “big game hunting” and have previously targeted large organizations, including shipping giant Pitney Bowes and the U.S. Coast Guard.

Some ransomware operators said earlier this year that they would not attack health organizations and hospitals during the COVID-19 pandemic, but Ryuk’s operators did not.

Last week, police in Germany launched a homicide investigation after a woman died when she was redirected to another hospital following a ransomware attack.

We’ll have more on the UHS incident as we get it.


Imran Khan’s Verishop adds Verified Shops, a way for emerging brands to set up shop in its digital mall

Verishop, the Los Angeles online retailer founded by former Snap executive Imran Khan, launched a little over a year ago to change the way people shop online. Now the company is launching a new initiative called “Verified Shops” which looks to change the way that up-and-coming retail brands can sell their wares.

As direct-to-consumer and upstart brands look for new ways to sell, they’re increasingly turning to online partners to grow their businesses. Chiefly, the concern is that some retailers have been overrun with counterfeit products or unauthorized sellers that undercut pricing and dilute the brand’s value with knock-off products, the company observed.

So Khan set out to change the selling experience for these new companies that want to have a better way to communicate with their potential customers… a way to really tell their story online.

“We started with the big brands,” Khan said. “[Now] we’re launching ‘Verified Shop’ where any DTC brands can sell on our platform. They have to get through an approval process and verify that you’re a real direct to consumer brand you can sell on the platform.”

That pitch appealed to retailers like David Manshoory, the founder of the popular cosmetics brand Alleyoop.

“Right now we don’t work with any other e-commerce retailers,” said Manshoory. “Verishop was the first online-only retail partner, because they’ve got a really large audience of customers that are in our demographic.”

The year-old cosmetics brand went with Verishop because the number of retailers and types of sellers on the platform “seemed very curated,” according to Manshoory. “There are brands in there that we recognized and respected.”

The revenue share program that Verishop has created for the newer, smaller consumer brands that join the platform is also straightforward, Manshoory said. Brands in the Verified Shops channel only pay when they make a sale, and it’s just 10% to 15%, depending on the category, according to the company.

“Because they’re not buying inventory upfront they take a lower cut… which was a reason why I was attracted to it,” said the cosmetics company founder. “We can get started right off the bat once the integration is up… we have full control over our store.”

Verishop also managed to win over other online direct-to-consumer darlings like Greats (which was recently acquired by Steve Madden), Dagne Dover, Athletic Propulsion Labs, Judy and The Ridge.

“E-commerce still starts in 1990,” said Khan of the traditional shopping experience. “It’s a search-based experience that’s phenomenal if you know what you’re looking for.” However, as brands proliferate and consumers look to identify with particular brands and brand stories more closely, the question becomes how to find those new companies that are selling the types of products that resonate with particular shoppers.

It’s the question that Verishop has set out to solve and the company is hoping that Verified Shops can be the onramp for the newest consumer brands to reach a millennial audience. Think of it as an online mall where a curated shopping ecosystem exists for each brand to develop its own digital storefront and tell its own story.

“Right now we sell fashion and home and beauty, but long-term why can’t you buy a car?” Khan asked. “It’s this virtual mall or virtual shopping strip that you can walk through and discover and learn and hang out. We let the brands tell the story and let the consumers discover the stories.”

Unlike other attempts to create a front-end digital storefront experience for brands, Khan said that Verishop is differentiated by its focus on a back-end e-commerce infrastructure and logistics capabilities that other virtual malls can’t match.

Brands can apply to appear on Verishop and once they’re selected as verified shops they’ll have the chance to tap into a customer base that’s mostly comprised of Gen Z and millennial shoppers.

Decrypted: Uber’s former security chief charged, FBI’s ‘vishing’ warning

A lot happened in cybersecurity over the past week.

The University of Utah paid almost half a million dollars to stop hackers from leaking sensitive student data after a ransomware attack. Two major ATM makers patched flaws that could’ve allowed for fraudulent cash withdrawals from vulnerable ATMs. Grant Schneider, the U.S. federal chief information security officer, is leaving his post after more than three decades in government. And, a new peer-to-peer botnet is spreading like wildfire and infecting millions of machines around the world.

In this week’s column, we look at how Uber’s handling of its 2016 data breach put the company’s former chief security officer in hot water with federal prosecutors. And, what is “vishing” and why should companies take note?


THE BIG PICTURE

Uber’s former security chief charged with data breach cover-up

Joe Sullivan, Uber’s former security chief, was indicted this week by federal prosecutors for allegedly trying to cover up a data breach in 2016 that saw 57 million rider and driver records stolen.

Sullivan paid $100,000 in a “bug bounty” payment to the two hackers, who were also charged with the breach, in exchange for signing a nondisclosure agreement. It wasn’t until a year after the breach that former Uber chief executive Travis Kalanick was forced out and replaced with Dara Khosrowshahi, who fired Sullivan after learning of the cyberattack. Sullivan now serves as Cloudflare’s chief security officer.

The payout itself isn’t the issue, as some had claimed. Prosecutors in San Francisco took issue with how Sullivan allegedly tried to bury the breach, which later resulted in a massive $148 million settlement with the Federal Trade Commission.

Border wall crowdfunding scheme leads to Trump ally Steve Bannon’s arrest

One of President Trump’s former top political advisors was arrested in connection with a crowdfunding scheme to build a U.S. border wall, according to charges unsealed by federal prosecutors Thursday. Steve Bannon is one of four individuals named in the indictment who now face charges for conspiracy to commit money laundering and conspiracy to commit wire fraud for their work on a campaign known as We Build the Wall.

We Build the Wall began in late 2018 as a GoFundMe campaign launched by U.S. Air Force veteran Brian Kolfage. The ill-fated effort to privately fund a border wall with Mexico quickly attracted many high-profile Trump allies, including Bannon, Kansas Secretary of State Kris Kobach, former Boston Red Sox pitcher Curt Schilling and Erik Prince, a defense contractor and the brother of Education Secretary Betsy DeVos.

Original GoFundMe campaign.

While those names don’t appear in the indictment, Bannon and Kolfage are now on the hook for what happened to the more than $25 million the campaign raised. The campaign’s website and team page remain online.

“As alleged, the defendants defrauded hundreds of thousands of donors, capitalizing on their interest in funding a border wall to raise millions of dollars, under the false pretense that all of that money would be spent on construction,” Acting U.S. Attorney for the Southern District of New York Audrey Strauss said in a statement.

“While repeatedly assuring donors that Brian Kolfage, the founder and public face of We Build the Wall, would not be paid a cent, the defendants secretly schemed to pass hundreds of thousands of dollars to Kolfage, which he used to fund his lavish lifestyle.”

The indictment details how Bannon and the other men allegedly took in hundreds of thousands of dollars while representing the We Build the Wall campaign as a volunteer effort that in no way would benefit them. Kolfage made repeated claims that he would “not take a penny in salary or compensation.”

Bannon allegedly siphoned off more than a million dollars from the $25 million the scheme drummed up, using hundreds of thousands for personal use. Kolfage is accused of putting $350,000 from the campaign toward his own personal expenses. The men attempted to conceal their payouts through a nonprofit, shell companies and a series of falsified invoices and fake vendor relationships.

In a timely twist, the U.S. Attorney’s office named the United States Postal Inspection Service, the law enforcement arm of the USPS, as a key player in the investigation.

“We thank the USPIS for their partnership in investigating this case, and we remain dedicated to rooting out and prosecuting fraud wherever we find it,” Strauss said.

Decrypted: Hackers show off their exploits as Black Hat goes virtual

Every year hackers descend on Las Vegas in the sweltering August heat to break ground on security research and the most innovative hacks. This year was no different, even if it was virtual.

To name a few: Hackers tricked an ATM to spit out cash. A duo of security researchers figured out a way to detect the latest cell site simulators. Car researchers successfully hacked into a Mercedes-Benz. A Windows bug some two decades old can be used to plant malware. Cryptocurrency exchanges were extremely vulnerable to hackers for a time. Internet satellites are more insecure than we thought and their data streams can contain sensitive, unencrypted data. Two security researchers lived to tell the tale after they were arrested for an entirely legal physical penetration test. And, a former NSA hacker revealed how to plant malware on a Mac using a booby-trapped Word document.

But with less than three months until millions of Americans go to the polls, Black Hat sharpened its focus on election security and integrity more so than any previous year.

Here’s more from the week.


THE BIG PICTURE

A major voting machine maker is finally opening up to hackers

The relationship between hackers and election machine manufacturers has been nothing short of fraught. No company wants to see their products torn apart for weaknesses that could be exploited by foreign spies. But one company, once resistant to the security community, has started to show signs of compromise.

Election equipment maker ES&S is opening up its voting machines to hackers — willingly — under a new vulnerability disclosure program. That will see the company embrace hackers for the first time, recognizing that hackers have knowledge, insight and experience — rather than pushing them away and ignoring the problems altogether. Or, as the company’s security chief told Wired: “Hackers gonna hack, researchers gonna research.”

Decrypted: How a teenager hacked Twitter, Garmin’s ransomware aftermath

A 17-year-old Florida teenager is accused of perpetrating one of the year’s biggest and most high-profile hacks: Twitter.

A federal 30-count indictment filed in Tampa said Graham Ivan Clark used a phone spearphishing attack to pivot through multiple layers of Twitter’s security and bypassed its two-factor authentication to gain access to an internal “admin” tool that let the hacker take over any account. With two accomplices named in a separate federal indictment, Clark — who went by the online handle “Kirk” — allegedly used the tool to hijack the accounts of dozens of celebrities and public figures, including Bill Gates, Elon Musk and former president Barack Obama, to post a cryptocurrency scam netting over $100,000 in bitcoin in just a few hours.

It was, by all accounts, a sophisticated attack that required technical skills and an ability to trick and deceive to pull off the scam. Some security professionals were impressed, comparing the attack to one that had the finesse and professionalism of a well-resourced nation-state attacker.

But a profile in The New York Times describes Clark as an “adept scammer with an explosive temper.”

In the teenager’s defense, the attack could have been much worse. Instead of pushing a scam that promised to “double your money,” Clark and his compatriots could have wreaked havoc. In 2013, hackers hijacked the Associated Press’ Twitter account and tweeted a fake bomb attack on the White House, sending the markets plummeting — only to quickly recover after the all-clear was given.

But with control of some of the world’s most popular Twitter accounts, Clark was for a few hours in July one of the most powerful people in the world. If found guilty, the teenager could spend his better years behind bars.

Here’s more from the past week.


THE BIG PICTURE

Garmin hobbles back after ransomware attack, but questions remain

Build products that improve the lives of inmates

Those of us who work in technology should always be asking ourselves, “Who we are really building for?” Do we design products to make ourselves more comfortable, or do we innovate to be the change in the world we want to see? One group perennially left out of tech conversations — moved out of sight and out of mind — is the 2.3 million people in the U.S. prison system. As tech becomes such a critical driver of progress in the world, we should be building products that improve inmates’ lives and help them reintegrate into society without the risk of relapse.

I recently stumbled across an essay I wrote following my work at the Stanford Criminal Justice Center, analyzing Norway’s humane prison systems and asking, “Could they work here?” These prisons are designed to replicate life outside their walls. They incorporate features like yoga classes and recording studios. They give inmates a chance to pursue higher education so that they can be meaningfully employed when they reenter the outside world. Anyone who has seen the documentary 13th knows that American prisons are very different. Why?

(Quick disclaimer: This is a fraught and emotional topic. It is hard to appreciate the complexity of incarceration and recidivism in a 1,000-word op-ed. I appreciate the input and forbearance of those with different perspectives.)

Writ large, the corrections system has five goals:

  1. Punish offenders.
  2. Incapacitate them (keep them off the streets).
  3. Deter crime.
  4. Repay society.
  5. Rehabilitate people so that they don’t commit more crimes.

But sadly, per criminologist Bob Cameron, “Americans want their prisoners punished first and rehabilitated second.”

This is why Norway has a recidivism rate of 20% while the U.S. rate hovers at around 75%. That is staggering. Three out of every four former inmates are at risk of committing a crime after leaving prison. This is a huge deadweight loss for society. How much lower could that rate be if we invested in prisoners’ potential? If we gave them the tools to seamlessly reenter the world? Is there a role for private, for-profit enterprises here, and if so, how could technology be used to help people exit the corrections system permanently?

What’s being done today

Most tech coverage just focuses on tools used to predict recidivism and keep past offenders, many of whom are trying to reform their lives, behind bars. But there are many startups building products to help them successfully move on.

New York-based APDS recently raised a $5 million Series B to provide tablets that inmates can use for learning purposes. The tablets are now in use in 88 correctional facilities in 17 states. Inmates can use the software to learn English, get their GEDs or learn entrepreneurship. North Carolina startup Pokket helps inmates plan for life outside of prison in the six months leading up to their release date.

Mission: Launch is an organization that hosts demo days and hackathons for inmates. They teach financial literacy, entrepreneurship and community engagement. Hackathon participants so far have built an app to convert online messages from friends and family into written postcards for inmates (who are shut off from social media) and an app to help people leaving the corrections system to seal their records so that they can get hired again.

Maintaining connections with friends and loved ones outside of prison makes a significant difference when it comes to reentering society. Technology company Securus recently announced free messaging on its 290,000 tablets so that inmates can communicate with relatives without having to pay exorbitant fees. Prison Voicemail in the U.K. provides a cheap phone service that families can pay. In all cases when it comes to implementing technology to reduce recidivism, the financial burden should not fall on inmates, a captive population with limited agency and earning potential.

Prison Scholars, a nonprofit founded by a former inmate, teaches entrepreneurship to inmates and helps them create post-incarceration business plans. They estimate that inmates who receive education are 43% less likely to return to prison, an implied ROI of $18.36 to society for every dollar invested. Defy Ventures boasts of 82% employment for program graduates and a 7.2% recidivism rate. Other programs to teach digital literacy and coding, which make resources like textbooks and Wikipedia available offline, have found similar success.

There are many similar examples of tech and education directly lowering recidivism. But why stop here? What else could tech do to make an impact?

What we could still do

The U.S. spends $80 billion to keep inmates behind bars. This creates an enormous financial incentive for taxpayers to reduce recidivism. Two related questions need to be addressed: Can tech companies actually make money on products to improve the lives of those in the prison system? And should they?

To answer the first question — and at the risk of sounding crass — a very simplified business model could look like this: State governments pay companies somewhere between $0 and the cost of keeping an inmate in jail for one year (~$81,000) for each inmate who successfully uses an educational product to prep for leaving prison.

The payment could be split across multiple years, so that the longer someone is able to go without reoffending, the more the provider makes. If taxpayers paid tech providers just 50% of the cost to house an inmate for one year, the tech company would make a per-user LTV of over $40,000 (!). This kind of financial incentive could easily attract more talented entrepreneurs to the goal of improving the lives of people in the corrections system. (The opposite of the for-profit prison business model, which creates a perverse incentive to maintain a constant prison population.)

The question of whether it is morally permissible for for-profit tech companies to sell products built for this demographic is a more difficult one. While there is no right answer, there are guidelines that companies could follow:

  1. Don’t charge inmates or their families. Taxpayers have the largest financial incentive to reduce recidivism — and all the associated costs of the prison — so it is to state corrections budgets that tech companies should look for revenue opportunities.
  2. No Goodhart’s law or perverse incentives. Products have to be designed and sold based on principles, e.g., “help former inmates reintegrate into society and live full lives,” and not numeric targets, e.g., “keep former inmates from committing a felony within three years of leaving prison.” Numbers-based targets can always be gamed. Force companies to keep the end-goal in mind of giving people the tools to improve their lives.
  3. Collect user feedback. Award contracts only to the companies with high user affinity. Unlike standard consumers, inmates experience a principal/agent problem: The purchaser of the services (taxpayers) is not the user (the inmate). States should require tech providers to collect anonymous feedback from the users of their products, and only award contracts to those that get the highest ratings.
  4. Your product’s job-to-do does not end when the sentence does. If products built to reduce recidivism are truly successful, it means that the providers of those products will be slowly eliminating their own markets as prison populations go down. These products should be built not just to get people out of prison, but to help them build meaningful lives for the years after they leave.

There are so, so many great products yet to be built for this demographic. A LinkedIn or Craigslist Jobs equivalent populated by the employers who hire former inmates. Live-streamed religious services so that inmates can continue to participate in their community faith organizations. Nonvocational hobby education platforms. Limited versions of MasterClass or Udemy or Coursera. Closed-loop online games.

Lastly — and needless to say — tech doesn’t even begin to scratch the surface when it comes to righting the wrongs of our corrections system. The reinstatement of voting rights, employment on-ramps and limits to background checks, the elimination of for-profit private prisons, adjustments to prison wages that tacitly amount to indentured servitude … the list of things we could improve is long. But tech can still play a critical role in improving the lives of fellow citizens in the corrections system.

Mohandas Gandhi quipped that “The true measure of any society can be found in how it treats its most vulnerable members.” Almost one-third of Americans have some criminal history. The U.S. accounts for 25% of the world’s prison population. Let’s stop ignoring this demographic and build tools that really make the world better for those who need it most.

Garmin global outage caused by ransomware attack, sources say

An ongoing global outage at sport and fitness tech giant Garmin was caused by a ransomware attack, according to two sources with direct knowledge of the incident.

The incident began late Wednesday and continued through the weekend, causing disruption to the company’s online services for millions of users, including Garmin Connect, which syncs user activity and data to the cloud and other devices. The attack also took down flyGarmin, its aviation navigation and route-planning service.

Portions of Garmin’s website were also offline at the time of writing.

Garmin has said little about the incident so far. A banner on its website reads: “We are currently experiencing an outage that affects Garmin.com and Garmin Connect. This outage also affects our call centers, and we are currently unable to receive any calls, emails or online chats. We are working to resolve this issue as quickly as possible and apologize for this inconvenience.”

The two sources, who spoke on the condition of anonymity as they are not authorized to speak to the press, told TechCrunch that Garmin was trying to bring its network back online after the ransomware attack. One of the sources confirmed that the WastedLocker ransomware was to blame for the outage.

One other news outlet appeared to confirm that the outage was caused by WastedLocker.

Garmin’s online services have been down for days. The cause is believed to be ransomware, according to two sources with direct knowledge of the incident. (Screenshot: TechCrunch)

WastedLocker is a new kind of ransomware, detailed by security researchers at Malwarebytes in May, operated by a hacker group known as Evil Corp. Like other file-encrypting malware, WastedLocker infects computers and encrypts the user’s files, then demands a ransom, typically in cryptocurrency, to unlock them.

Malwarebytes said that WastedLocker does not yet appear to have the capability to steal or exfiltrate data before encrypting the victim’s files, unlike other, newer ransomware strains. That means companies with backups may be able to escape paying the ransom. But companies without backups have faced ransom demands as much as $10 million.

The FBI has also long discouraged victims from paying ransoms related to malware attacks.

Evil Corp has a long history of malware and ransomware attacks. The group, allegedly led by Russian national Maksim Yakubets, is known to have used Dridex, a powerful password-stealing malware that was used to steal more than $100 million from hundreds of banks over the past decade. Later, Dridex was also used as a way to deliver ransomware.

Yakubets, who remains at large, was indicted by the Justice Department last year for his alleged part in the group’s “unimaginable” amount of cybercrime during the past decade, according to U.S. prosecutors.

The Treasury also imposed sanctions on Evil Corp, including Yakubets and two other alleged members, for their involvement in the decade-long hacking campaign.

By imposing sanctions, it’s near-impossible for U.S.-based companies to pay the ransom — even if they wanted to — as U.S. nationals are “generally prohibited from engaging in transactions with them,” per a Treasury statement.

Brett Callow, a threat analyst and ransomware expert at security firm Emsisoft, said those sanctions make it “especially complicated” for U.S.-based companies dealing with WastedLocker infections.

“WastedLocker has been attributed by some security companies to Evil Corp, and the known members of Evil Corp — which purportedly has loose connections to the Russian government — have been sanctioned by the U.S. Treasury,” said Callow. “As a result of those sanctions, U.S. persons are generally prohibited from transacting with those known members. This would seem to create a legal minefield for any company which may be considering paying a WastedLocker ransom,” he said.

Efforts to contact the alleged hackers were unsuccessful. The group uses different email addresses in each ransom note. We sent an email to two known email addresses associated with a previous WastedLocker incident, but did not hear back.

A Garmin spokesperson could not be reached for comment by phone or email on Saturday. (Garmin’s email servers have been down since the start of the incident.) Messages sent over Twitter were also not returned. We’ll update if we hear back.