On July 23, Garmin’s entire network went offline in what was later confirmed to be a cyberattack. Now, Sky News is reporting that the company paid millions in ransom via Arete IR, a ransomware negotiation firm, to get its services up and running again.
Over the weekend, BleepingComputer reported it had confirmed the ransomware in question was in fact, WastedLocker. BleepingComputer managed to get access to an executable from Garmin’s IT department. Included were several “security software installers, a decryption key, a WastedLocker decrypted, and a script to run them all.” Not only did BleepingComputer independently test if the decryptor key worked, but it was also able to ascertain that Garmin likely paid the ransom on either July 24th or July 25th based on a timestamp in the script.
Sky News reports that Garmin initially tried to pay the ransom via another firm, but that the threat of sanctions led that firm to decline. The sanction, in this case, refers to one the U.S. Treasury placed on Evil Corp earlier in December. Evil Corp is a Russia-based hacking group that’s widely thought to be behind the WastedLocker ransomware. That sanction says that U.S. persons are not allowed to engage in any sort of transaction with any business or individual associated with Evil Corp—even if they are being extorted. Arete IR, the firm that Garmin reportedly went with, posted via Twitter on July 24th that it believed there was inconclusive evidence linking WastedLocker to Evil Corp—a reason why it may have been comfortable taking Garmin’s case. According to Sky News, Garmin did not pay the ransom directly itself, but instead had Arete IR make the payment as “part of its ransomware negotiation services.”
Generally speaking, the only way for Garmin to have gotten the decryption key was to have paid the ransom. In this case, based on BleepingComputer’s report, it would also appear Garmin reached out to cybersecurity firms to obtain a custom decryptor that would be faster and safer than one provided by the bad actors.
While it’s unknown the exact amount Garmin paid, it’s been widely reported that the hackers demanded $10 million. As for Garmin, the company issued an official statement on July 27 confirming it had been the victim of “a cyber attack that encrypted some of [its] systems” but did not go so far to say which ransomware was responsible.
Currently, most of Garmin’s services are back online and the company says it has seen no indication that customer data was compromised. (Still, probably a good idea to change your password!) But not everything is fully functional, yet. As of this writing, Garmin Connect still had limited connectivity with regard to activity uploads exported from the web, challenge leaderboards, and third-party syncing. Its Garmin Dive service also cannot upload new dives at this time.
If you know anything with regard to Garmin outage, you can reach me at victoria.song@protonmail.com, DM me on Twitter for Signal, or reach out anonymously via Gizmodo’s SecureDrop.