Garmin Hit with $10M Ransomware Attack

Early on July 23rd, 2020, navigation and smart device maker Garmin became the victim of a new strain of ransomware known as WastedLocker.

Scope of the Attack

The attack shut down a variety of services offered by Garmin, including Garmin Connect, which allows users to track and upload biometric data, distances traveled during a workout, and a variety of other information collected by their Garmin smart devices, and flyGarmin, a flight planning software leveraged by pilots who utilize a Garmin navigation device in their aircraft.

Fitness enthusiasts woke up on the morning of the 23rd to find they could not upload not upload data from their latest workouts, and even worse, many pilots found themselves unable to update to the latest version of Garmin’s aviation database. Planes without the latest version of this database were grounded due to the Federal Aviation Association’s rules requiring planes to use the most up to date version of this database. Customers of these services looking for answers as to why their products weren’t functioning properly were met with silence as the attack also compromised Garmin’s customer service functions.

A Familiar Enemy

This attack appears to have been orchestrated by the Russian hacker organization known as Evil Corp (aliases include: INDRIK SPIDER, TA505, and SectorJ04). This is the same group of hackers who developed Dridex malware, Bitpaymer ransomware, and the aforementioned WastedLocker ransomware that is allegedly affecting Garmin. The group reportedly demanded $10M in ransom from Garmin in order to free the company’s files from the encryption.

Broader Implications

While a recent Garmin press release claims no data has been stolen, the attack does have some very serious implications regarding data security within the fitness tracker and GPS navigation domains. As we’ve seen in some cases, such as the Maze ransomware, criminals are not only encrypting data for ransom but also copying the data for their own use.

Garmin’s health and fitness devices record very specific biometric data that can be transformed into identifying information alarmingly fast. On top of that Garmin houses navigational data collected from those using Garmin devices for aviation as well as fitness. If this data is not properly secured by those who are gathering it, it becomes a matter of when, not if, the data will be stolen.

A Look at Garmin’s Response

The first step in any disaster recovery is restoring services and ensuring business continuity. In the case of ransomware, the best chance at recovery is often through careful restoration from offline backups. Schneider Downs recommends companies work with an experienced digital forensics and incident response (DFIR) team to ensure ransomware is not reintroduced into the recovery environment from infected backups. Companies without reliable backups are often forced to pay the criminal’s ransom demands in order to restore service.

Although Garmin’s systems were down for around four days after the attack, the company now reports that the majority of their services are back up and running. It is unclear at this time how Garmin restored their systems and undisclosed if they ultimately paid any ransom.

When a security breach occurs it is important to be transparent with how the company plans to prevent this type of event in the future, as well as mitigating any potential harm to customers. A four day outage surrounding very personal data is something that can have lasting harm to a company’s reputation, but releasing broad and incomplete information about any cybersecurity incident can leave a company with a black eye when they later reveal the incident had a greater impact than initially reported.

Garmin has the opportunity to win back trust from its customers, but that window is closing. The company has thus far put out only a limited press release regarding the incident on July 27^th. Moving forward we would like to see them include how the weapon was delivered, a brief overview of how the issue was resolved, and finally, some specifics on how they plan on preventing this in the future. The question now becomes what lasting reputational impact Garmin will face.

About Schneider Downs Cybersecurity

The Schneider Downs cybersecurity practice consists of experts in multiple technical domains. We offer a comprehensive set of information technology security services including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments, and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity. 

In addition, our Incident Response Team is available around the clock at 1-800-993-8937 if you suspect your organization is experiencing a network incident.