Incident Of The Week: Garmin Pays $10 Million To Ransomware Hackers Who Rendered Systems Useless

Seth Adler | 08/14/2020

[Records Exposed: N/A  |  Industry: Technology  |  Type Of Attack: Ransomware]

On July 23, Garmin users went to Twitter to express their concern over inaccessible website features. Four days later, Garmin released an official statement confirming that a cyber attack had taken place. Garmin assured its users that no PII (personal identifying information) was compromised.

The Facts:

Garmin is most commonly known for its fitness tracking capabilities in the form of GPS wearables, but the corporation also operates in the aviation space. Consequently, some planes whose aviation infrastructure relies on Garmin technology were also affected by the hack.

Hackers deployed the ransomware tool WastedLocker, which encrypts key data on a company’s digital infrastructure. In the case of Garmin, website functions, customer support, and user applications were all affected. Unlike typical ransomware software, WastedLocker does not steal identifying information and hold it for ransom. Instead, it renders programs useless until decrypted. The hacking organization then demands a fee for the decryption key. In the case of Garmin, although not verified by the U.S. corporation, it is believed that Garmin paid the $10 million ransom.

In the world of cyber crime, however, nothing is cut and dry. Cyber security experts have linked this young ransomware tool with the Russian hacking group known as Evil Corp. If this is the case, assuming the WastedLocker attack occurred under Evil Corp’s authority and not as a ransomware-for-hire event, Garmin had a difficult choice to make. To return their systems to working order, they had to risk breaking U.S. sanctions against Evil Corp.

Related: Critical Communications For Enterprise Cyber Security Incident Response

Third-party negotiators can act as intermediaries between the hacked and the hackers. It appears that Garmin paid a cyber security firm in New Zealand to assist with the hack, meaning it is likely that they worked as the go-between to legally pay the $10 million ransom without breaking U.S. sanction laws. Garmin has declined to discuss the cyber event beyond its bare-bones press release on the 27th.

Lessons Learned:

While ransomware attacks are nothing new, they are rapidly growing in sophistication and scale. It is believed that organized cyber crime entities are investing their “earnings” back into their hacking infrastructure much the way a startup grows by investing its profits. They’re building out specialized teams in order to run their operation on a larger scale, target larger entities, and decrease their rate of detection.

Traditionally, government organizations, cities, hospitals, and universities are most commonly targets of ransomware attacks. Those ransoms averaged around $100,000. Now, however, it appears threat actors like Evil Corp has moved their sites to Fortune 500 companies with random demands in the millions. Garmin may be just the beginning of a new ransomware era that specifically targets large U.S. corporations. That isn’t to say SMBs are off the hook. As Evil Corp and the likes go after bigger fish, the pond opens up for young hackers to come in and take their place.

To pay or not to pay a ransomware ransom comes down to personal choice. A Tripwire article by Graham Cluley offers this perspective: “That ultimately is a decision that only you can make. Bear in mind that the more companies that pay a ransom, the more the criminals are likely to launch similar attacks in the future. At the same time, you may feel that your business needs to make the difficult but pragmatic decision to pay the criminals if you feel your company cannot survive any other way.”

Related: The Cost Of An Enterprise Ransomware Attack

Quick Tips:

At its core, preventing ransomware attacks is about deploying a holistic cyber security solution. A hacking organization has nothing to ransom if it can’t breach enterprise systems. Most enterprise breaches start as basic phishing schemes. That is why organizations of all sizes must invest the time and money into strong cyber security policies and best practices such as:

  • Making it easy to report suspicious emails by embedding a “report phishing” button into all incoming emails which triggers a cyber security incident response
  • Giving employees the least amount of access they need to do their job, i.e. implementing a zero-trust strategy
  • Practicing and testing anti-phishing awareness internally or with the assistance of a cyber security third party vendor
  • Reducing workplace stress and creating a slower-paced environment, as cyber criminals pray on psychological human responses such as carelessness and hurriedness 

Read More: Incident Of The Week

Upcoming Events

Big Data for Defence

27 - 28 September, 2021
London, United Kingdom
Register Now | View Agenda | Learn More