Garmin Reportedly Paid a Ransom
Company Says 'Temporary Limitations' on Services Continue
Garmin, a fitness tracker and navigation device firm, apparently paid a ransom to recover from a July 23 security incident that encrypted several of its systems, according to two news reports as well as expert analysis.
BleepingComputer, citing unnamed sources, reports that Garmin apparently paid for the decryption key. Meanwhile, Sky News also reports Garmin paid a ransom using the services of Arete IR, a cyber response, remediation and monitoring services company.
Garmin responded to a request for additional information by referring ISMG to a July 27 statement. Arete IR did not respond to Information Security Media Group’s request for comment.
Recovering From WastedLocker
WastedLocker, a ransomware strain that reportedly shut down Garmin's operations for several days in July, is designed to avoid security tools within infected devices, according to a technical analysis from Sophos. In June and July, several research firms published reports on WastedLocker, noting that the ransomware appears connected to the Evil Corp cybercrime group, originally known for its use of the Dridex banking Trojan.
"Because WastedLocker has no known security vulnerabilities in how it performs its encryption, it's unlikely that Garmin obtained a working decryption key that fast in any other way but by paying the ransom," Chris Clements, vice president of solutions architecture for Cerberus Sentinel, tells ISMG.
Fausto Oliveira, principal security architect at the security firm Acceptto, adds: "What I believe happened is that Garmin was unable to recover their services in a timely manner. Four days of disruption is too long if they are using any reliable type of backup and restore mechanisms. That might have been because their disaster recovery backup strategy failed or the invasion was to the extent that backup sources were compromised as well."
Caroline Thompson, head of underwriting at Cowbell Cyber, a risk assessment firm, says Garmin may have concluded it was cheaper to pay a ransom than to deal with damage repair costs, business interruption, revenue loss and other expenses.
"Evil Corp has in the past shown their software to be free from easily identified security vulnerabilities. This combined with the short timeframe strongly suggests that Garmin paid the ransom fee to obtain the decryption key," Clements says.
Garmin Offers Sketchy Details
In the days following the July 23 attack, Garmin reported that the incident had disrupted company website functions, customer support, customer-facing applications and company communications. On July 24, the company's website was again accessible but displayed this message: "We are currently experiencing an outage that affects Garmin.com and Garmin Connect."
Four days later, Garmin issued its first official statement, saying it was victimized by a "cyberattack" that encrypted some of its systems.
A note displayed on its homepage Wednesday states: "We are happy to report that many of the systems and services affected by the recent outage, including Garmin Connect, are returning to operation. Some features still have temporary limitations while all of the data is being processed. We'd like to thank all of our customers for your patience and understanding."
The company says no customer data, including payment information from Garmin Pay, was accessed, lost or stolen. This lack of data exfiltration is common in WastedLocker attacks (see: Evil Corp's 'WastedLocker' Campaign Demands Big Ransoms).
Tracking the Payment
If Garmin continues to be tight-lipped about the details of the incident, verifying how much of a cryptocurrency ransom it paid could prove difficult, says Oliveira of Acceptto.
Some companies offer cryptocurrency transaction tracking services to help legal agencies pinpoint where the money has gone, but cybercriminals can use tools to thwart such tracking, he says.
"This includes using money mules to distribute the money further and create air gaps between the sender and the receiver of those funds," Oliveira says. "On top of that, services, such as Monero and Zcash, have built-in options to improve the anonymization of the transactions. This makes a legal investigation harder, if not impossible."