Report: Garmin secured decryption key, paid ransom to hackers
More than a week after Garmin was crippled by a ransomware attack, the company’s services continue to return to normality. Activities are said to be syncing, the company’s store and customer support are open for business, and Garmin’s factories are starting to hum to life again.
But there are lingering questions that remain from Garmin’s ordeal.
Last week, CyclingTips looked into how the Garmin cyber attack happened, and what it means for users, with an industry specialist – Oren T. Dvoskin, of Israeli IT security firm SASA Software – providing insight into the circumstances that led to Garmin’s downfall and the ripples that continue to spread from it.
But perhaps the central issue that remains isn’t how it happened, but how Garmin got it to stop.
Reporting in the wake of the ransomware attack revealed that Garmin had been hit by the WastedLocker strain of ransomware, a tool of the matter-of-fact-ly named Russian criminal hacking gang, Evil Corp. Ransomware, where malicious hackers encrypt a company’s data and hold it hostage until a ransom has been paid – usually in cryptocurrency – is on the rise, and Garmin is one of the more high profile companies to have fallen prey to it. In this case, the price to unlock the encrypted data was reported to be US$10 million.
Evil Corp has been sanctioned by the US Treasury, which means it would have been illegal for Garmin to pay the ransom – either directly or indirectly. However, Sky News reported mid-week that Garmin had “obtained the decryption key” to recover its files, suggesting that Garmin had coughed up.
Fresh reporting from BleepingComputer has now confirmed that to be the case. The site obtained an executable file created by the Garmin IT department, and from that was able to demonstrate that Garmin had paid the ransom on either July 24 or 25 – within a couple of days of the attack.
BleepingComputer was also able to uncover references in the file to ransomware negotiation firm Coveware, and cybersecurity firm Emsisoft, indicating that Coveware may have negotiated a deal with Evil Corp and Emsisoft may have assisted Garmin in streamlining the decryption. Neither company offered specific comment, although it seems plausible that Coveware – acting on Garmin’s behalf – negotiated with and paid Evil Corp, then billed Garmin for services performed.
US travel management firm CWT was the victim of a similar attack last week, using Ragnar Locker rather than WastedLocker ransomware. In that case, Reuters reports that the hackers offered a generous discount for timely payment of the ransom and were cordial and customer-service oriented throughout the process – CWT’s data was held hostage for the same amount of US$10 million, but the company ultimately negotiated payment of just US$4.5 million.
Over the past week and a half, CyclingTips has been in contact with Garmin, but the company has declined to comment on specific questions asking firstly, whether Garmin paid the hackers the ransom, and secondly, whether that took place directly or through a third party.
At this stage, there has been no announcement of fines imposed on Garmin by the US Treasury. Given Garmin’s 2019 revenue was US$3.75 billion, perhaps any punishment that follows can be chalked up as a drop in the ocean, and part of the company’s tough lesson in cybersecurity.
The post Report: Garmin secured decryption key, paid ransom to hackers appeared first on CyclingTips.