Garmin Obtained Ransomware Decrypt Key
Published by Tom Jowitt, July 28, 2020
Did they pay and how much? Garmin regains control of its systems after obtaining ransomware decrypt key from Russian hackers
Fitness and navigation specialist Garmin has finally admitted that it was the victim of a ransomware attack, after its systems were impacted late last week by what it initially described as an ‘outage’.
But now Garmin has admitted in a corporate statement on Monday that media reports of its suffering a ransomware attack were true. It says it expects to return to normal operations over the next couple of days.
But worryingly, media reports are suggesting that Garmin obtained the decryption key to recover its computer files, but the firm “did not directly make a payment to the hackers.”
“Garmin Ltd today announced it was the victim of a cyber attack that encrypted some of our systems on July 23, 2020,” the firm stated. “As a result, many of our online services were interrupted including website functions, customer support, customer facing applications, and company communications.”
“We immediately began to assess the nature of the attack and started remediation,” Garmin added. “We have no indication that any customer data, including payment information from Garmin Pay, was accessed, lost or stolen. Additionally, the functionality of Garmin products was not affected, other than the ability to access online services.”
“Affected systems are being restored and we expect to return to normal operation over the next few days,” Garmin added. “We do not expect any material impact to our operations or financial results because of this outage.”
“As our affected systems are restored, we expect some delays as the backlog of information is being processed,” it concluded. “We are grateful for our customers’ patience and understanding during this incident and look forward to continuing to provide the exceptional customer service and support that has been our hallmark and tradition.”
But the fact that Garmin is recovering its systems comes amid media reports that the firm obtained the decryption key. And it could only have done this if it paid the hackers (said to be the Russia-based Evil Corp), who reportedly used the ransomware known as WastedLocker.
According to Sky News, which quoted sources with knowledge of the Garmin incident, the firm “did not directly make a payment to the hackers.”
This means that Garmin may have made a payment via a third party, but if that is the case, the company could be at risk of violating US Treasury sanctions against Evil Corp. Garmin’s representatives declined to respond to repeated offers by Sky News to challenge the sources’ claims, stating the company “does not comment on rumour and speculation”.
A representative for Garmin told Sky News that they did not have any information to share regarding the ransom payment.
Security experts always advise ransomware victims not to pay the ransom, as there is no guarantee they will actually receive the decrypt key from the hackers. Instead, firms are advised to regularly back up systems and files and then restore systems after an attack.
Most ransomware attacks occur via phishing emails, a point noted by Max Heinemeyer, director of threat hunting at Darktrace.
“Reports suggest that the initial infection took place via email,” said Heinemeyer. “Phishing emails remain a low-cost and highly efficient way to distribute ransomware and are increasingly indistinguishable from genuine communication.”
“Getting this initial foothold is hardly rocket science for attackers – once a malicious attachment is activated, it takes only minutes for an attacker to infiltrate the victim’s organisation,” said Heinemeyer. “From there on, it becomes a cat-and-mouse game trying to evict the attacker. Human teams are being outpaced.”
“A little over a week after reports that Russia are trying to steal Britain’s research into a Covid-19 vaccine in an ongoing cyber-attack, it would appear that we are truly in an age of cyber warfare and it’s not just governments who need to watch their backs – businesses are also being targeted,” Heinemeyer cautioned.
“To put a stop to these fast-moving and widespread impact attacks, governments and businesses must adopt cutting edge defences like AI in order to spot and automatically block malicious emails before they reach a user – preventing malware from ever taking hold in the first place,” Heinemeyer concluded.