‘Millions’ Paid to Hackers in Garmin Ransomware Attack

Oct 20, 2020 | Security

Cybercriminals may have banked millions of dollars in the recent Garmin ransomware attack that shuttered some of the company’s operations for days.

The hackers behind the attack had reportedly demanded $10 million to restore Garmin’s data after the attack took down several of the company’s online services. And according to reports, Garmin paid up – to the tune of several million dollars.

Experts say the incident is a sign that attackers are going after even bigger targets and that more high-profile attacks are yet to come. It’s yet another example of the seriousness of ransomware and the need for stronger data backup systems at businesses of all sizes.

Here’s what we know about the Garmin attack.


What happened in the Garmin ransomware attack?

The Garmin ransomware attack occurred on Thursday, July 23, as a strain of ransomware known as WastedLocker encrypted data across the company’s networks.

The first signs of trouble were apparent when the company’s India division tweeted at 5:12 a.m. that its servers were “down for maintenance,” limiting the performance of Garmin’s online services, such as Garmin Express. The company added, “We are trying our best to resolve it asap,” making it clear that the incident was probably not planned maintenance.

A few hours later, Garmin’s primary social accounts released similar messages, adding that the incident “also affects our call centers, and we are currently unable to receive any calls, emails or online chats.”

Later in the day, some tech news sites began reporting that the incident was a result of a ransomware attack. Garmin confirmed the attack a few days later in a company statement.


How did the attack happen?

Details are still scant on how the Garmin ransomware attack occurred, but most ransomware attacks hinge on human error: phishing scams that fool company employees into entering their credentials into fake login pages, or spam emails containing malicious attachments or links.

BleepingComputer reported that the attack was already underway when Garmin’s U.S. employees arrived to work on the morning of the incident. Garmin’s IT teams unsuccessfully attempted to “remotely shut down all computers on the network as devices were being encrypted, including home computers connected via VPN.” Employees were also instructed to shut down their connected devices.

Finally, the company shut down devices in one of its data centers to prevent the infection from spreading further. This forced shutdown is ultimately why Garmin’s services went offline.

Some reports said the attack originated at the company’s offices in Taiwan.


How was Garmin affected?

The attack primarily disrupted Garmin’s online services and call center systems. In its statement, Garmin said the attack interrupted website functions, customer support, customer-facing applications and company communications.

The outage affected several online services used by millions of Garmin customers around the globe, including:

  • Garmin Connect: the service that syncs activity from users’ fitness devices to the cloud.
  • Garmin Express: the desktop software that syncs data with Garmin Connect, and keeps maps updated.
  • flyGarmin: an aviation navigation and route-planning application and service.
  • inReach: Garmin’s satellite technologies, for which service activation and billing services were knocked offline.

Additionally, with its call center systems knocked offline, the company was unable to provide support or receive any messages via phone, email or chat.

Since the incident affected users, it likely also dinged Garmin’s reputation. The New York Times reported, “Fitness enthusiasts took to social media to vent their frustrations about not being able to use the service. Runners said that while the outage doesn’t stop them from training, not being able to use Garmin Connect means they can’t track their workout data or share their routes on Strava, a social network for runners and cyclists.”

Others shared their frustration about Garmin’s lack of communication during the incident.

Garmin’s stock price also fell during the outage from $102 to $94 per share, but mostly recovered over the following week.


How long did the attack last?

The brunt of the Garmin ransomware attack lasted 5 days, from July 23 through July 27, 2020. However, by early August, the company hadn’t yet fully recovered. Reporters from WIRED wrote on August 1 that some services were still “flickering back to life,” as some users continued to report problems: “Syncing issues and delays continue to haunt corners of the Garmin Connect platform.”

When Garmin released a statement a few days after the attack, the company admitted it would take a bit longer to complete the full recovery, saying it expected its services to “return to normal operation over the next few days.”

As of August 3, some Garmin Connect services were still “limited” and experiencing issues, according to the company’s status page.


How much was the ransom demand?

The impetus behind a ransomware attack is to extort money from victims in exchange for restoring their encrypted data (though hackers are notorious for taking the money and running).

According to reports, the hackers behind the Garmin ransomware attack initially demanded $10 million in ransom. By comparison, the average ransom demand was $13,000 in 2019 – though this figure has been rising sharply over the last few years, and demands tend to be much higher for high-profile targets.

Initial reports from Sky News said that Garmin had “obtained the decryption key” to unlock their files, but it wasn’t immediately clear how. Since then, new reports say that Garmin paid a multi-million-dollar sum to the hackers through an intermediary company, Arete IR.


Why do companies like Garmin pay so much to their attackers?

Garmin isn’t the first large company to pay a huge ransom, and it won’t be the last.

In July, U.S. travel management firm CWT reportedly paid $4.5 million to its ransomware attackers.

The month before, The University of California shelled out $1.14 million to hackers following a ransomware attack.

So, why do organizations give in?

Simple. It’s because the disruption from a ransomware attack often costs far more than the ransom demand, even when that demand is millions of dollars.

When businesses lose their data, it can cause a cascade of operational disruptions across the organization. From idle workers to blocked revenue streams, the costs of an attack balloon with each passing minute.

Figures from Datto show that the downtime caused by ransomware can cost large companies up to $5 million per hour. With losses like that, it may make more financial sense for companies to negotiate with their attackers – although law enforcement agencies strongly discourage paying, except as a last resort.


What do we know about WastedLocker ransomware?

WastedLocker is a strain of ransomware associated with a Russia-based cybercriminal group known as Evil Corp.

While the group has been active since at least 2007, WastedLocker is a relatively new ransomware strain that surfaced in 2020. WastedLocker specifically targets businesses, going after file servers, database services, virtual machines and cloud environments.

Evil Corp delivers the ransomware by compromising legitimate websites and inserting code that fools visitors into installing fake software updates. The downloaded files give Evil Corp access to the user’s device, from which it deploys the full ransomware payload across the network.

The U.S. Department of Justice sanctioned Evil Corp in December 2019 for previous cyberattacks, and the group’s leader, Maksim Viktorovich Yakubets, is on the FBI’s Most Wanted list.


Did hackers steal Garmin’s data?

High-profile ransomware attacks are increasingly using a two-pronged approach to extort money from victims: data encryption coupled with data theft.

What’s the difference?

In a traditional ransomware attack, data is encrypted by the ransomware software, but the hackers themselves don’t usually see the data. They simply cross their fingers and hope for a cryptocurrency payday.

But with newer strains of ransomware, the malware allows hackers to actually view and copy the data before encrypting it. So even if the victim manages to restore its data without paying the ransom, the hackers can threaten to publicly release the stolen data unless the ransom is paid.

So far, it appears that hackers did not steal Garmin’s data during the attack. In its statement, Garmin noted, “We have no indication that any customer data, including payment information from Garmin Pay, was accessed, lost or stolen.”


Did Garmin have backups?

While reports have not specified whether Garmin had any data backups, it is very likely they did, especially since the company noted that no data had been lost. What kind of backup is another matter.

Even with backups, companies may decide that paying a ransom is more prudent if their backups cannot be restored quickly enough. If the recovery will take days, for example, or if data in the backups is corrupted, then the costs of the disruption are going to continue to skyrocket, leaving companies with little choice but to open up their wallets.

This is why it’s critical for businesses to deploy the strongest possible data backup and disaster recovery solutions.


What’s the best data backup protection for ransomware?

The Datto SIRIS is a robust BC/DR solution that provides dependable backups with instant recovery capabilities and additional, built-in ransomware protection.

SIRIS protects physical, virtual and cloud infrastructure running on Windows, Mac or Linux. Hybrid cloud backups and instant virtualization enable businesses to restore systems in seconds, from the on-premises backup device or from the cloud. Backups can be performed as often as every 5 minutes, and each backup is automatically scanned for signs of a ransomware infection, helping businesses respond even faster to an attack.


Request a free demo

Learn more about protecting your organization from a ransomware attack with BC/DR solutions from Datto. Request a free demo or speak to our business continuity experts at Invenio IT today. Call (646) 395-1170 or email success@invenioIT.com.


Tracy Rock is the Director of Marketing at Invenio IT. Tracy is responsible for all media-related initiatives as well as external communications, including branding, public relations, promotions, advertising and social media. She is one busy lady and we are lucky to have her!