Enterprise Security

Garmin Confirms Services Upended by Ransomware Attack

ransomware

Garmin on Monday confirmed that many of its online services have been disrupted by a cyberattack on its systems that occurred on July 23, 2020.

Services disrupted by the attack, which encrypted data on the systems, included website functions, customer support, customer facing applications, and company communications, the company noted in a statement.

“We have no indication that any customer data, including payment information from Garmin Pay, was accessed, lost or stolen,” the company stated. “Additionally, the functionality of Garmin products was not affected, other than the ability to access online services.

Garmin specializes in GPS technology development of navigation and communications products. It serves the auto, aviation, fitness, marine, and outdoor markets.

The company estimated that operations would be back to normal “in a few days.” Garmin cautioned, however, that as systems are restored, there may be delays as backlogged information is processed.

No material impact is expected on operations or financial results due the outage, the company added.

Garmin’s damage assessment may be overly optimistic, though. “If the average data breach costs the victim [U.S.] $8.9 million, then in this case, it’s probably more than that,” asserted Chlo Messdaghi, vice president of strategy at Point3 Security, a provider of training and analytic tools to the security industry in Baltimore, Md.

“With WastedLocker, the attack also cripples the network and getting it up and running again becomes extremely expensive,” she told TechNewsWorld. WastedLocker is the ransomware believed to be used in the Garmin attack.

Customized Payload

The sortie on Garmin has the characteristics of a typical ransomware attack.

“The usual ransomware tactic by cybercriminals is to gain initial access to an organization, perform privilege escalation attacks to gain administrator access to the entire environment, find and delete backups if possible, then run their ransomware to encrypt as many computers as possible,” explained Chris Clements, vice president of solutions architecture at Cerberus Sentinel, a cybersecurity consulting and penetration testing company in Scottsdale, Ariz.

“Without confirmation, it’s impossible to say if the attackers here were able to locate and delete Garmin’s backups, but the resulting multi-day outage demonstrates that even with a highly secure backup strategy, ransomware attacks can be massively disruptive to victims,” he told TechNewsWorld.

While common tactics were used by the attackers, their software appears to be customized for Garmin. “The ransomware payloads are customized per each individual client, so Garmin ransomware extensions were ‘garminwasted,'” explained Tom Pace, vice president for global enterprise solutions at BlackBerry.

“They are also selective in the assets they tend to target within victim environments to maximize damage and probability of a client making the ransom payment,” he told TechNewsWorld.

Although there have been a few high-visibility ransomware attacks, most of them are kept on the Q.T. That wasn’t the case with the Garmin intrusion. “The most notable distinguishing feature of this attack is how visible it is to the outside world,” observed Saryu Nayyar, CEO of Gurucul, a threat intelligence company in El Segundo, Calif.

“Garmin provides numerous services related to their devices and mapping software, and this attack had a substantial impact on those services, which is why people worldwide have taken notice,” Nayyar told TechNewsWorld.

Russian Connection

Reports on the ransomware attack have linked it to Russian hackers, primarily because of the malicious software used in the intrusion.

“Attribution is always a tricky issue, but in the case of WastedLocker, the ransomware actually signs itself as WastedLocker,” explained Ben Dynkin,co-founder and CEO of Atlas Cyber Security, a provider of cybersecurity services in Great Neck, N.Y.

“While third parties can deploy this ransomware variant, it is a very reasonable assumption to attribute the activity to the Evil Corp cybercriminal syndicate,” he told TechNewsWorld. “The U.S. Treasury Department has clearly and unambiguously attributed the conduct of Evil Corp to Russian nationals in other operations.”

“We cannot make a definitive attribution that this is state sanctioned activity — even though there is some evidence that Russian military officials are involved with Evil Corp.,” he continued. “That means we can attribute this activity to Russian criminals, but not the Russian state.”

Garmin would be a typical target for Evil Corp, added Point3’s Messdaghi. “We haven’t seen any indications that Evil Corp has attacked small businesses or individuals,” she said. “They’re going after corporations with the wherewithal and motivation to pay to prevent business losses.”

$10 Million Ransom

It’s also been reported that the ransomware raiders have asked for $10 million to undo what they’ve done to Garmin’s system. So far, Garmin has been mum on making any ransom payments.

“It’s never recommended that companies pay extortion demands to cybercriminals, if at all possible,” Cerberus Sentinel’s Clements said. “Extortion payments both strengthen the cybercriminal operations responsible and encourage other organizations to attempt the same attacks.”

He acknowledged, however, that victims have little recourse but to pay the demands. “A common tactic employed by ransomware gangs is to find and delete any backups before running their encryption,” he explained. “This leaves the victim with the choice of paying the ransom or having to rebuild their environment and data from scratch.”

“In the best case of this scenario, rebuilding from scratch can takes months to complete and cost many times more than the ransom payment demand,” he continued. “In the worse cases, mission critical data that is encrypted can’t be restored and the only option for recovery is paying the extortion demands.”

However, paying off Evil Corp is more complicated than paying off the typical online extortionist. “Back in December 2019, the U.S. Treasury department delivered sanctions against the Evil Corp cybercriminal organization,” explained James McQuiggan, security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla.

“As part of those sanctions, no U.S. organizations are allowed to conduct transactions with the group,” he told TechNewsWorld. “Even if Garmin wanted to pay the ransom, they would have to collaborate with the U.S. Treasury, FBI, and other government agencies to send the funds.”

Those government agencies, though, may come under pressure to turn a blind eye to any sanction violations should Garmin not get all its systems online without the cooperation of Evil Corp.

“The problem is Garmin controls and maintains significant critical infrastructure and services used by pilots and others, perhaps even by the U.S. and other militaries,” BlackBerry’s Pace explained.

“If they can’t recover the data on their own and it will have a significant bearing on national security or critical infrastructure, the proverbial rock and a hard place dilemma would seem to present itself.”

John P. Mello Jr.

John P. Mello Jr. has been an ECT News Network reportersince 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, theBoston Phoenix, Megapixel.Net and GovernmentSecurity News. Email John.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Enterprise Security

E-Commerce Times Channels