Report: Garmin secured decryption key, paid ransom to hackers
More than a week after Garmin was crippled by a ransomware attack, the company’s services continue to return to normality. Activities are said to be syncing, the company’s store and customer support are open for business, and Garmin’s factories are starting to hum to life again.
But there are lingering questions that remain from Garmin’s ordeal.
Last week, CyclingTips looked into how the Garmin cyber attack happened, and what it means for users, with an industry specialist – Oren T. Dvoskin, of Israeli IT security firm SASA Software – providing insight into the circumstances that led to Garmin’s downfall and the ripples that continue to spread from it.
Perhaps the central issue that remains isn’t how it happened, but how Garmin got it to stop.
Reporting in the wake of the ransomware attack revealed that Garmin had been hit by the WastedLocker strain of ransomware, a tool of the matter-of-fact-ly named Russian criminal hacking gang, Evil Corp. Ransomware, where malicious hackers encrypt a company’s data and hold it hostage until a ransom has been paid – usually in cryptocurrency – is on the rise, and Garmin is one of the more high profile companies to have fallen prey to it. In this case, the price to unlock the encrypted data was reported to be US$10 million.
Evil Corp has been sanctioned by the US Treasury, which means it would have been illegal for Garmin to pay the ransom – either directly or indirectly. However, Sky News reported mid-week that Garmin had “obtained the decryption key” to recover its files, suggesting that Garmin had coughed up.
Fresh reporting from BleepingComputer now indicates that to be the case. The IT security and tech-focussed site claims to have obtained an executable file created by the Garmin IT department, and from that, says it was able to demonstrate that Garmin had paid the ransom on either July 24 or 25 – within a couple of days of the attack.
BleepingComputer also states that it was able to uncover references in the file to ransomware negotiation firm Coveware, and cybersecurity firm Emsisoft, indicating that Coveware may have negotiated a deal with Evil Corp and Emsisoft may have assisted Garmin in streamlining the decryption. Neither company offered specific comment, although it seems plausible that a third party like Coveware – acting on Garmin’s behalf – negotiated with and paid Evil Corp, then billed Garmin for services performed.
Meanwhile, Sky News reports that sources have told it that Coveware passed on Garmin’s request due to the risk of sanctions, with Garmin instead pursuing the services of Arete IR, a similar ransomware negotiation firm that does not recognise a link between WastedLocker and the Evil Corp group. Arete IR also declined specific comment from Sky News.
US travel management firm CWT was the victim of a similar attack last week, using Ragnar Locker rather than WastedLocker ransomware. In that case, Reuters reports that the hackers offered a generous discount for timely payment of the ransom and were cordial and customer-service oriented throughout the process – CWT’s data was held hostage for the same amount of US$10 million, but the company ultimately negotiated payment of just US$4.5 million.
Over the past week and a half, CyclingTips has been in contact with representatives of Garmin, but the company has declined to comment on specific questions asking firstly, whether Garmin paid the hackers the ransom, and secondly, whether that took place directly or through a third party.
At this stage, there has been no announcement of fines imposed on Garmin by the US Treasury. Given Garmin’s 2019 revenue was US$3.75 billion – with a gross margin of US$2.23 billion, and an after-tax profit of US$557 million – perhaps any punishment that follows can be chalked up as a relative drop in the ocean, and part of the company’s tough lesson in cybersecurity.