- Garmin was recently the victim of a WastedLocker ransomware attack that took a majority of its systems offline. Attackers demanded $10 million dollars. On July 23rd, customers found they could not access their connected services.
- Garmin ultimately ended up paying for decryption key using a 3rd party service and quickly decrypted systems to get services back online, however it may have not been done as recommended.
- Paying ransomware criminals puts orgs in a hard place of having to decide between encouraging more of this behavior but also needing to get systems back online quickly, which is why security should be placed as a higher priority in this new “normal”
On July 23rd, Garmin was recently the victim of WastedLocker ransomware attack that took a majority of its systems offline. The attackers demanded $10 million dollars in exchange for the decryption keys and to prevent further leaks of data. This quickly caused a lot of public outcry as Garmin is one of the leaders in connected wearables and health devices and even avionic devices. Customers soon took to online and social media as they were surprised to find they no longer had access to their connected services including the Garmin connect, flyGarmin, Strava, and inReach solutions.
Photo of encrypted Garmin workstation
Garmin ultimately ended up paying for decryption keys through a third-party company called Arete Incident Response to regain access to its files and systems. It appears that instead of first wiping all affected computers to do a clean image install as recommended, Garmin is just simply decrypting workstations and installing security software. This may leave them liable for future incidents as you are never sure what attackers have changed once they have gotten access to your systems. In the future, one of the ways to prevent attackers from causing significant downtime from encrypting your data is to create air gapped backups. This means creating backups of your data offline and that can’t be remotely hacked or corrupted but several orgs shy away from this as it tends to be costly. Orgs who want to focus on security will have to focus on the cost of a future incident or data breach compared to the creation and maintenance of these air gapped backups.
This also creates an interesting dilemma from organizations that have not focused enough on their security posture. If significantly affected by a ransomware incident such as this, orgs will be scrambling to get services back online as quickly as possible. The quickest method is often paying off the ransom in order to get their data back, however this may only encourage more of this behavior from these malicious attackers. This trend of ransomware incidents is only due to increase as the sudden shift to remote work has caused an increase in the attack surface as more orgs encourage the use of bring your own device (BYOD) and the degradation of the traditional identity perimeter. Orgs should place a higher priority on security and focus on getting to a Zero Trust Architecture as quickly as possible.