Navtech supplier Garmin may have given in to the demands of cyber criminals who encrypted its systems with ransomware, according to news reports that suggest the firm has obtained a decryption key to recover its files, strongly suggesting it has either paid up, or brokered some kind of deal.
In a statement issued on the evening of Monday 27 July, four days after its services first went offline, Garmin finally confirmed it had been the victim of a cyber attack, having previously limited its response to saying it was experiencing an outage. It has not yet confirmed it was the victim of a ransomware incident, although this is now all but certain.
A spokesperson said: “Garmin today announced it was the victim of a cyber attack that encrypted some of our systems on July 23, 2020. As a result, many of our online services were interrupted including website functions, customer support, customer-facing applications, and company communications. We immediately began to assess the nature of the attack and started remediation,” said the firm.
“We have no indication that any customer data, including payment information from Garmin Pay, was accessed, lost or stolen. Additionally, the functionality of Garmin products was not affected, other than the ability to access online services.
“Affected systems are being restored and we expect to return to normal operation over the next few days. We do not expect any material impact to our operations or financial results because of this outage. As our affected systems are restored, we expect some delays as the backlog of information is being processed.
“We are grateful for our customers’ patience and understanding during this incident, and look forward to continuing to provide the exceptional customer service and support that has been our hallmark and tradition,” they said.
John Hentrich, CEO of Identité, said that the attack had already caused severe damage to Garmin. “[It] … shows the large-scale effects a major attack can have for companies. Having to shut down business for multiple days not only affects the bottom line, but Garmin’s reputation with their customers who rely on them,” he said.
“This breach should be yet another wake-up call for companies to evaluate security protocols that protect against ransomware, malware, phishing, and man-in-the-middle attacks. Exploring options like passwordless authentication can remove a significant attack surface that hackers use to inject malware and ransomware.”
Stuart Reed, UK director at Orange Cyberdefense, said the days-long outage had a huge impact on Garmin users, particularly given it has onboarded significant numbers of new users during the Covid-19 lockdown.
“Garmin’s own data shows a steep increase in the number of people exercising indoors and engaging in social distancing-friendly sports such as running and cycling,” he said.
“What is particularly significant about this alleged breach is the nature of the data involved – extremely personal information about the daily habits of users. This data is collected using a simple wrist watch worn by millions of people – a watch connected to the internet, collecting huge amounts of data of significant value to adversaries.
“These type of high-profile incidents underline once again that data is valuable and, as such, cyber criminals will look to capitalise on exploiting it. The growing trend of these incidents will likely mean users think carefully about what they share and who they trust to process their personal data. For brands, it means they must adopt a layered approach to reach a cyber security maturity level that is essential in the changing threat landscape.”
The attack was almost certainly conducted using WastedLocker, a relatively new ransomware developed by the Russia-based advanced persistent threat (APT) group known as Evil Corp. It is a sophisticated piece of software used in highly targeted attacks, although the Evil Corp gang is not yet known to have taken to exfiltrating and leaking data.
Known by several names in the security community, including double extortion, exfiltration and encryption, or post-intrusion encryption attacks, such attacks are particularly dangerous because they place additional pressure on the victim to pay up, and all but guarantee they will be subject to sanctions for breaking data protection regulations.
Denis Legezo, senior security researcher at Kaspersky, said: “Technically speaking, WastedLocker is a targeted ransomware, which means its operators come for selected enterprises instead of every random host they can reach.
“This is not the only ransomware used in such a manner – a similar scheme is used by Maze and some other ransomware families. The encryption algorithms in use are nothing special for ransomware: modern and strong. The ransomware’s operators add the victim company’s name in the ransom messages – the messages with information about how to contact the malefactors through secure email services and the like. So it’s pretty obvious they know who they came after.”
Kaspersky currently monitors dozens of web domains related to targeted malware strains, and on many of them, it has registered the server as part of Cobalt Strike, the legitimate commercial penetration-testing service that is also widely used by cyber criminals.
Legezo said that this, and other techniques used by cyber criminals, was similar to the more classical kind of data-seeking targeted attack – however, he noted, in WastedLocker’s case so far, he has observed no signs of anything besides encryption and ransom demands.