Garmin ‘paid multi-million dollar ransom’ via Arete IR intermediaries

Garmin paid a multi-million-dollar ransom in order to obtain the decryption key and recover its files after it was reportedly attacked by WastedLocker, a ransomware strain deployed by EvilCorp.

The smart devices maker paid the sum through a ransomware negotiation business known as Arete IR, according to Sky News, which claims to have spoken to people with knowledge of the matter.

How to beat ransomware Six universities among those hit by Blackbaud ransomware attack The most popular ransomware strains targeting UK businesses

The company had initially sought to pay the ransom using an intermediary specialising in ransomware negotiations, although that company told Sky News it doesn’t negotiate ransom payments in WastedLocker ransom due to the potential sanctions involved.

After being turned down by this company, Garmin then approached Arete IR. Sources added that Garmin didn’t directly make a payment to the hackers, but that Arete IR made the payment as part of its negotiation services.

27/07/20: Garmin hackers demand $10 million following ‘ransomware attack’

Cyber attackers with EvilCorp are reportedly demanding a $10 million ransom from the wearable maker Garmin following an attack that crippled its systems and knocked services offline last week.

Hackers deployed the WastedLocker malware to encrypt systems on Garmin’s network leading to a global outage of various services and products, according to BleepingComputer, having spoken to several sources.

The outage even extended to flyGarmin, the company’s aviation database services, with EvilCorp promising to return data at the cost of $10 million.

A source told BleepingComputer they first learned of the attack on Thursday morning, with Garmin’s IT department trying to remotely shut down all computers on the network while devices were being encrypted. A photograph showed that encrypted files were then shared with the .garminwasted extension, alongside ransom notes.

The company first reported the outage following these events, but without any confirmation that it had suffered a ransomware attack. Reports from Thailand suggested the shutdown of Garmin services was due to a “virus”, with the company also shutting down its production lines for two full days.

Garmin has since published an update on the “outage” suggesting there is no indication the outage affected customer data, including activity, payment information or other personal data. Customers are also being assured data collected during the outage are stored on their devices and uploaded to company servers once services are fully restored.

As of now, all services are back up-and-running in some capacity, with many experiencing “limited” uptime. There has still been no confirmation from the company as to whether or not it suffered a ransomware attack last week.

This story has been updated to reflect new information. The original story is published below.

24/07/20 - Garmin services offline after suspected ransomware attack

Smartwatch and wearable devices manufacturer Garmin has had its internal systems knocked offline in what many speculate is the result of a ransomware attack.

The company reported last night that its services were down as a result of the company “experiencing an outage”, following user complaints of an inability to synchronise their apps with Garmin servers.

The company released a statement confirming and Garmin Connect, an online fitness community, were down, with the outage also affecting its call centres, with staff unable to receive any calls, emails or online chats.

Reports circulating online, however, suggest the lengthy outage is the result of a cyber attack, namely ransomware, although the company hasn’t confirmed whether or not it’s been targeted by cyber criminals. IT Pro approached Garmin to gain further clarification.

BBC News cyber reporter Joe Tidy, for example, was told that Evil Corp, an international cyber crime network with ties to Russia, targeted the smartwatch maker last night. This group only last month targeted at least 31 US companies, aiming to cripple their networks and demand ransoms, according to BBC News.

Thaiwanese publication IThome, meanwhile, has reported that Garmin’s production line has been hit, with operations set to be suspended for two full days due to IT servers being attacked by “a virus”, according to an internal company memo.


Keep your data available with snapshot technology

Synology’s solution to your data protection problem


Speculating that the outage is the result of a cyber attack, Carl Weam, head of e-crime at Mimecast, suggested it would not come as a surprise, given that the use of ransomware continues to grow in popularity.

“The key thing is that as long as organisations continue to pay, attackers will view this attack approach as being financially viable,” Weam said. “This particular attack is also worrying because of the type of data that could be lost, including both location and personal health data. When consumers trust organisations with this data, it is vital that it is kept secure.”

“In this instance, the victim has experienced lengthy downtime as a result of this attack, which will of course have a massive impact upon the business. Our research found that the average downtime an organisation suffers from a ransomware attack is three days, but this can of course be indefinite and lead to failure of a business.”

Businesses and the security community will be on particularly high alert given the recent ransomware attack against Blackbaud, the database services company, which led to the compromise of data belonging to at least a dozen international clients.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.