Multiple reports claim that Garmin paid the ransom demanded in the ransomware attack it faced last month. Sky Sports reports that the American wearables and navigation company hired a negotiator to pay the ransom and obtain a decryption key.
On 23 July, Garmin suffered an outage during which customers could not access its online services. The affected services extended to Garmin Connect, flyGarmin, Strava, and inReach solutions. The outage also affected Garmin’s call centers, leaving them unreachable for concerned customers. The online services were down for a couple of days, and users could not access them or sync their data during that time.
On 27 July, Garmin released a statement confirming speculation that it “was the victim of a cyber attack.” The press release does not reveal the nature of the cyberattack but does say that some of the company's systems were encrypted. To reassure customers, Garmin added that it had “no indication that any customer data, including payment information from Garmin Pay™, was accessed, lost, or stolen.” The release also states that the cyber attack only affected the ability to access online services.
BleepingComputer confirmed that the cyber attack on Garmin involved ransomware called WastedLocker. Multiple sources have linked the relatively new ransomware to the infamous hacker group Evil Corp. Like other file-encrypting malware, WastedLocker infects computers and locks user files. The ransomware has a command-line interface that attackers can use to control its operation. WastedLocker can target specific directories and prioritize which sets of files to encrypt.
As of now, WastedLocker has no known weakness that would let victims recover their files without paying the ransom demanded. Because no such flaw is known, victims usually have to pay for the decryption key to regain access to the encrypted files. The only alternative is for the company to restore from working backups of the encrypted files.
But it seems that Garmin paid the ransom to the attackers to get the decryption key. According to Sky Sports, the company did not pay the ransom itself and instead hired Arete IR’s ransomware negotiation services. Due to the confidentiality agreements between the companies, the ransom amount remains unknown. However, a source told BleepingComputer that the ransom demanded was $10 million.
There is a chance that paying the ransom may expose Garmin to a financial penalty. The US Department of the Treasury has sanctioned Evil Corp, which prohibits engaging in transactions with Evil Corp and any of its members. As mentioned before, the WastedLocker ransomware may have connections with Evil Corp.
Due to these sanctions, reports say that one company declined to work with Garmin when approached to act as the ransomware negotiator. Arete IR, for its part, declined to comment but did say that it “follows all recommended and required screenings to ensure compliance with US trade sanctions laws.”
On 24 July, Arete also took to Twitter to state that WastedLocker and Evil Corp are not associated.
WastedLocker is a new variant of #ransomware that was initially reported in May and is rumored to have come from the "Evil Corp" group. In this insight, we discuss the four main reasons why Arete experts determined this theory to be inconclusive. (https://t.co/fZUmHCXMMn)
— Arete Incident Response (@Arete_Advisors) July 24, 2020