Early on July 23rd, 2020, navigation and smart device maker Garmin became the victim of a new strain of ransomware known as WastedLocker.
Scope of the Attack
The attack shut down a variety of services offered by Garmin, including Garmin Connect, which allows users to track and upload biometric data, distances traveled during a workout, and a variety of other information collected by their Garmin smart devices, and flyGarmin, a flight planning software leveraged by pilots who utilize a Garmin navigation device in their aircraft.
Fitness enthusiasts woke up on the morning of the 23rd to find they could not upload data from their latest workouts, and even worse, many pilots found themselves unable to update to the latest version of Garmin’s aviation database. Aircraft without the current database were effectively grounded, because Federal Aviation Administration (FAA) rules require pilots to fly with an up to date navigation database. Customers of these services looking for answers as to why their products weren’t functioning properly were met with silence, as the attack also took down Garmin’s customer service functions.
A Familiar Enemy
This attack appears to have been orchestrated by the Russian cybercriminal organization known as Evil Corp (tracked by CrowdStrike as INDRIK SPIDER; some vendors have also associated the group with the TA505 and SectorJ04 designations, though those are tracked as separate actors by others). This is the same group that developed the Dridex banking malware, BitPaymer ransomware, and the WastedLocker ransomware reportedly used against Garmin. The group reportedly demanded $10M in ransom from Garmin in exchange for the key needed to decrypt the company’s files.
While a recent Garmin press release claims no data has been stolen, the attack does have some very serious implications regarding data security within the fitness tracker and GPS navigation domains. As we’ve seen in other cases, such as the Maze ransomware operation, criminals are no longer only encrypting data for ransom but also exfiltrating copies of it beforehand and threatening to publish or sell the data if the ransom is not paid.
Garmin’s health and fitness devices record very specific biometric data (heart rate, sleep, GPS traces of regular routes) that can be correlated into identifying information alarmingly fast. On top of that, Garmin houses navigational data collected from those using Garmin devices for aviation as well as fitness. If this data is not properly secured by those who gather it, it becomes a matter of when, not if, the data will be stolen.
A Look at Garmin’s Response
The first step in any disaster recovery is restoring services and ensuring business continuity. In the case of ransomware, the best chance at recovery is often careful restoration from offline backups that the attacker could not reach. Schneider Downs recommends companies work with an experienced digital forensics and incident response (DFIR) team to verify the integrity of backups before restoring, so that ransomware (or the attacker’s persistence) is not reintroduced into the recovery environment from infected backup sets. Companies without reliable, tested backups are often left with no option other than paying the criminals’ ransom demand in order to restore service.
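The integrity check described above can be made concrete. The following is an added example (not Garmin’s or Schneider Downs’ own tooling) of the two controls a DFIR team typically wants before a backup set is trusted for restoration: a hash manifest written at backup time and authenticated with an HMAC key held offline, so that a compromised backup server cannot silently rewrite it, and a comparison of the restored files against that manifest that also flags ransom-note names and high-entropy (likely encrypted) content. The file contents, the HMAC key and the suspicious suffixes below are constructed placeholders; the real suffixes should come from the indicators of compromise for the strain actually involved.

```python
import hashlib
import hmac
import json
import math
from dataclasses import dataclass, field

# Heuristics. Encrypted data approaches 8.0 bits/byte; plain text sits well below.
# Compressed archives and images are also high-entropy, so treat hits as triage, not proof.
ENTROPY_THRESHOLD = 7.5
# Placeholder suffixes (assumption): substitute the ransom-note and appended-extension
# patterns published for the ransomware family you are recovering from.
SUSPICIOUS_SUFFIXES = ("_decrypt_info", ".locked")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def build_manifest(files: dict) -> dict:
    """Written at backup time: relative path -> SHA-256 of the content."""
    return {path: sha256_hex(content) for path, content in sorted(files.items())}


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over a canonical JSON encoding; the key lives offline with the DFIR team."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_manifest(manifest: dict, mac: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), mac)


@dataclass
class RestoreReport:
    modified: list = field(default_factory=list)    # hash differs from manifest
    missing: list = field(default_factory=list)     # in manifest, absent from restore
    unexpected: list = field(default_factory=list)  # in restore, absent from manifest
    suspicious: list = field(default_factory=list)  # ransom-note name or encrypted-looking content

    @property
    def clean(self) -> bool:
        return not (self.modified or self.missing or self.unexpected or self.suspicious)


def verify_restore(manifest: dict, restored: dict) -> RestoreReport:
    """Compare a restored file set (path -> bytes) against the authenticated manifest."""
    report = RestoreReport()
    for path, expected in manifest.items():
        if path not in restored:
            report.missing.append(path)
        elif sha256_hex(restored[path]) != expected:
            report.modified.append(path)
    for path, content in restored.items():
        if path not in manifest:
            report.unexpected.append(path)
        if path.lower().endswith(SUSPICIOUS_SUFFIXES) or shannon_entropy(content) > ENTROPY_THRESHOLD:
            report.suspicious.append(path)
    return report


# --- Constructed sample data -------------------------------------------------
def _pseudo_random(n: int, seed: bytes = b"constructed-seed") -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


BACKUP_SET = {
    "users/alice/activity.fit": b"Workout 2020-07-22: 10.2 km, avg HR 148 bpm.\n" * 64,
    "users/alice/notes.txt": b"Flight plan KPIT to KBOS, database cycle current.\n" * 32,
}
MANIFEST = build_manifest(BACKUP_SET)
MANIFEST_KEY = b"offline-key-held-by-dfir-team"  # constructed; never stored with the backups
MANIFEST_MAC = sign_manifest(MANIFEST, MANIFEST_KEY)

# A backup taken after the intrusion: one file encrypted in place, one ransom note added.
RESTORED_SET = {
    "users/alice/activity.fit": BACKUP_SET["users/alice/activity.fit"],
    "users/alice/notes.txt": _pseudo_random(4096),
    "users/alice/notes.txt_decrypt_info": b"Your files are encrypted. Contact us to buy the key.",
}


def run_demo() -> RestoreReport:
    # Refuse to trust a manifest whose HMAC does not verify.
    if not verify_manifest(MANIFEST, MANIFEST_MAC, MANIFEST_KEY):
        raise RuntimeError("manifest failed authentication; do not restore from this set")
    return verify_restore(MANIFEST, RESTORED_SET)


if __name__ == "__main__":
    print(run_demo())
```

Running the demo reports `notes.txt` as modified and suspicious (its content now looks like ciphertext) and the `_decrypt_info` file as both unexpected and suspicious, so the set is rejected; the same check against the pre-intrusion `BACKUP_SET` comes back clean. Tampering with even one manifest entry fails the HMAC check first, which is the point of keeping the key off the backup infrastructure.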
Although Garmin’s systems were down for around four days after the attack, the company now reports that the majority of its services are back up and running. It is unclear at this time how Garmin restored its systems, and the company has not disclosed whether it ultimately paid any ransom.
When a security breach occurs, it is important to be transparent about how the company plans to prevent this type of event in the future, as well as how it is mitigating any potential harm to customers. A four day outage involving very personal data can do lasting harm to a company’s reputation, but releasing broad and incomplete information about a cybersecurity incident can leave a company with a black eye if it later has to reveal that the incident had a greater impact than initially reported.
Garmin has the opportunity to win back trust from its customers, but that window is closing. The company has thus far put out only a limited press release regarding the incident, on July 27th. Moving forward, we would like to see Garmin disclose how the ransomware was delivered and initial access was gained, give a brief overview of how the outage was resolved, and offer some specifics on how it plans to prevent a recurrence. The question now becomes what lasting reputational impact Garmin will face.
About Schneider Downs Cybersecurity
The Schneider Downs cybersecurity practice consists of experts in multiple technical domains. We offer a comprehensive set of information technology security services including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments, and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity.
In addition, our Incident Response Team is available around the clock at 1-800-993-8937 if you suspect your organization is experiencing a network incident.
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon only when coordinated with individual professional advice.