Garmin Reportedly Paid Millions To Obtain Decryption Key, Resolve Recent Ransomware Attack

Garmin has reportedly paid a ransom to receive a decryption key to recover its files, after they were hit by the WastedLocker Ransomware last month. Digital Trends reports: [BleepingComputer] found that the attackers used the WastedLocker Ransomware and reported that they demanded $10 million as a ransom. Now, it also uncovered that Garmin is using a decryption key to regain access to its files, suggesting that the company may have paid that ransom demand or some other amount. The WastedLocker software uses encryption which has no known weaknesses, so the assumption is that to break it, the company must have paid the attackers for the decryption key. [...] The company reassured customers that no customer data was stolen, and that no payment information from the Garmin Pay payment system was accessed or stolen either.

On Twitter, the company announced last week, "We are happy to report that many of the systems and services affected by the recent outage, including Garmin Connect, are returning to operation. Some features still have temporary limitations while all of the data is being processed."

Re:A bargain at twice the price...

[AvitarX]

Probably as easy as deciding not to worry about backups.

Garmin programmers are idiots

[Okian Warrior]

I'm not surprised by any of this. Garmin has never cared about privacy/security, so they get breached. Of course their IT dept. is so incompetent that on top of that, they don't keep backups.

I purchased a Garmin just this year, and this weekend inserted a memory card for the first time...

And that was enough to brick the device, hard. And I mean *literally* bricked the device, it will not boot and cannot be reset by any means short of sending it back to the factory. And yes, the system will not boot into reset mode either.

Garmin gets no more money from me, ever. They're idiots.

I have no idea what went wrong. Absolutely *nothing* wrong was done to the device, the card was a normally formatted 8GB

Re: Garmin programmers are idiots

[pdxmax]

This is exactly the kind of high-minded commentary I seek so I can really understand the hows and whys behind events in our complicated world. NOT. Whatâ(TM)s wrong you you people? Could there not be an explanation other than that Garmin programmers are idiots? Do you really think that a leading consumer products company like Garmin is routinely incompetent? Might the failure of your one product upon inserting that memory card be a random occurrence of the type that is no more or less likely with any c

Re:

[Anne Thwacks]

could there not be an explanation other than that Garmin programmers are idiots?

No.

We have known for over 30 years that Windows is not capable of the level of security required to manage data that is not just downloads of Youtube videos/porn. Even with porn, you probably want a degree of security against ransom demands.

If you have to pay a ransom, its because you used Windows and either did not have backups, or didn't test your backup system properly.

Even if it was some other failure, if you use Windo

Re:

[leptons]

Wow, are you even aware that the topic is Garmin, and not Windows?? Are you just frothing at the mouth to bash Windows any way you can? I guess this is shasldot so it's expected to have Windows-hating-cranks, but your comment is quite out of gamut for the topic of this post.

Re:

[AK Marc]

Or 10 online backups, but no offline backups. The backups were corrupted in real time, as designed...

Re:

[vux984]

Do you know if they had a persistent threat?
Do you know they didn't have offline backups?

For all you know they'd infiltrated the systems a few months ago and tampered with the backups; added a few exclusions to the rules for example; or modified the encryption keys.

Now all your offline backups for the last couple months are useless. Sure you could go back even further, but a LOT of businesses are exponentially dependent on the last 30-60 days, new customers, travel, A/R data, A/P, payroll, orders places but

Re:

[hjf]

I really like ZFS Snapshots for my home storage server

Re:

[thogard]

You know your ZFS snapshots of your backups start to get real big when you have encrypting malware on your network.

I wonder if Garmin needs a new CISO. Too bad their HQ is in Kansas.

Re:

[hjf]

That's another advantage: set up storage alarms when the volume is growing faster than usual and you have a way to detect the ransomware before damage spreads further.

Re:

[AK Marc]

For all you know they'd infiltrated the systems a few months ago and tampered with the backups; added a few exclusions to the rules for example; or modified the encryption keys.

What ransomware has done that? In none, then making up lies to play Devil's Advocate just makes you an asshole.

Stick to reality, not making up impossible "what if"s.

Re:A bargain at twice the price...

[vux984]

What ransomware has done that?

"Ransomware" doesn't do that. Hackers do that. Launching the ransomware to encrypt the live data is just the FINAL act they take.

You think these breaches on cities and hospitals is just some nurse or city employee clicking on an malware attachment in his email that launches a ransomware attack? Ok, yep, in some cases, that's exactly what happens. And yes, any half decent backup system will save those people, but that's child's play.

In a lot of the big high profile ones the breach is orchestrated by people not a simple "ransomware". Where they've compromised an IT admins account, or a 3rd party IT contractor with admin access (maybe phishing/social engineering, or brute forcing, password reuse from breaches, etc, etc) and once in they use that explore the systems, tamper with things, delete cloud backups, uninstall backup agents, modify backup scripts and disable other antivirus and RMM alerts, and even breach and monitor the email and messenger apps so they can see if anyone's onto them. Once they've got things setup for maximum damage; they pull the trigger and let the ransomware loose on the network. Or if they get wind that IT thinks something's up they'll pull the trigger early to do what damage they can before they're locked out.

Here's a pretty tragic post by a Datto reseller:
https://www.reddit.com/r/msp/c... [reddit.com]

There, the hackers appear to have breached the reseller; used that to breach several customers, and wipe their datto backup appliances, and delete their cloud backups, and THEN let loose a ransomware product on each customers actual servers. The datto siris line has a "cloud-to-cloud" replication feature, where the replica can't be deleted by the customer for precisely this scenario.

In some respects he was lucky, the hackers appear to have it it all in one night; in worst case scenarios, the hackers bide their time: poisoning the backups first so that even offline and unreachable cloud-cloud replicas are not complete when they recover them

Stick to reality, not making up impossible "what if"s.

I sincerely WISH i was making up impossible "what ifs" but these attacks are going on NOW. This is reality. You need to think about how you are mitigating these attacks, because "ZFS snapshots" are great, but that isn't going to cut it against a real attack.

Re:

[AK Marc]

I didn't mention snapshots. I had mentioned offline backups.

snapshots are good, if used with backups and secure storage. When I worked for a F500, the weekly backups were picked up by an armed guard every Monday, placed in a locked box the guard company didn't have a key for, then transported to an offsite vault. The box contained 7 years of backups, rotated according to a policy designed by lawyers to retain sufficient records for any legal or tax action that might happen, then tweaked by IT for usabil

Why don't these companies do backups?

[wakeboarder]

Is it really that hard? Probably cheaper than ransomware insurance. Or paying the ransom.

Couldn't we formalize and regulate it?

[lessSockMorePuppet]

There could be a Bureau of Ransomware, with yearly taxes and standardized ransom fees.

Re:

[minorproblem]

You've read too much discworld!

Re:

[Areyoukiddingme]

You've read too much discworld!

No such thing.

Re:

[sdinfoserv]

It depends on the backups:
The backup servers get encrypted and are no longer functional. If data is taken off site, those backups are frequently bad. . The hackers use spearphishing to gain entry into the network. Once there, they drop in a trojan time bomb. When backups are restored, the time bomb goes off re-encrypting the data. It's a whack-a-mole game. The City of Atlanta had off site backups, their ransomware attack took them down for months. As a business, can you be down for month extracti

Re:

[WaffleMonster]

It depends on the backups:
The backup servers get encrypted and are no longer functional. If data is taken off site, those backups are frequently bad. . The hackers use spearphishing to gain entry into the network. Once there, they drop in a trojan time bomb. When backups are restored, the time bomb goes off re-encrypting the data. It's a whack-a-mole game. The City of Atlanta had off site backups, their ransomware attack took them down for months. As a business, can you be down for month extracting data or do you pay and get it all back.

The correct answer is no backups are not hard and there is no possible excuse for these fuckups. Computer viruses have been thing for decades.

Re:

[sdinfoserv]

Either you didn't read what I wrote, or you didn't comprehend it. Let me put it in small concepts for you. Todays attack vectors are intelligent enought that we live in a world were backups don't matter. Backups save you from hardware failures, but if you need your data back fast from an encryption attack - you pay. period. Unless you work in the security information technology field, you have nothing to say of substance.
To restore, you have to rebuild the infrastructre machine by machine - restorti

Re:

[hjf]

Or use a proper IT infrastructure.

Re-image all affected computers. This is a breeze with stuff like Norton Ghost which has also been a thing for, literally, decades now.

And since your user data is stored in a centralized server, which has proper snapshotting and backups, ransomware attack is as easy to recover as doing a rollback.

It's REALLY not that difficult. But companies won't spend in that. Because they won't go for a homegrown solution, and commercial solutions necessarily cost millions, which compan

Re:

[timeOday]

I don't see how an enterprise that is doing thousands of transactions all the time can just "roll back" to a prior state. Imagine if the bank said "we had a problem so we just lost all the debits and credits to your account for the last 72 hours."

Re:

[hjf]

So, since you can't "roll back" 72 hours then you just can't back up at all?

Filesystem snapshots are almost free. You can have 1 snapshot a minute if you want.

Re:

[JesseMcDonald]

In addition to the snapshots you're also logging all transactions to an append-only journal on an air-gapped computer, over a simple serial-style connection using a protocol which doesn't allow for executable code or anything else besides the raw transaction data. So after rolling back the servers as far as necessary to deal with the ransomware problem you can just replay the transaction log to restore all the missing entries.

Ideally all your live data would go through this logging system first so that you

Re:

[hcs_$reboot]

Depends. No backup for 20 years, no maintenance contract / staff / data center... saves certainly more than $10m.

No backups?

[OneHundredAndTen]

Way to go, Garmin. I am not buying any products from a company that is as sloppy as all this.

Re:

[hcs_$reboot]

Maybe they "do" backups, only to realize that the saved data is not there when they need it, as it happens in many companies all the time. They also need to test the backup system on a regular basis.

incompetent and yet they know the data is safe

[bloodhawk]

"The company reassured customers that no customer data was stolen, and that no payment information from the Garmin Pay payment system was accessed or stolen either." how can a company so incompetent in managing their IT make any such statement with certainty?

Re:

[HungWeiLo]

When has a hacker attack EVER resulted in lost customer data? (rolls eyes)

Re:

[hcs_$reboot]

Maybe because their own data was encrypted?
;-)

Incompetence strikes again

[grasshoppa]

I can't believe all these big name companies that pay the ransom. That kind of gross incompetence needs to be punished with firings. Start at the top and go down until you hit the level of folks that don't have access or say in the backup process.

Unreal. The first thing you do when you start a new IT job is find out about the backups, and test them yourself so you know they're working. Then you continually test them. I would expect that from an intern, nevermind an admin or the managers above them.

Re:

[Dunbal]

Or even better - admit to it...

Terrible trend

[mi]

Bush Senior's Foundation just cowered similarly [washingtontimes.com].

This is a terrible trend, that finances criminals enabling them to target more and more victims... I'd go as far as to suggest, this makes them an accessory, however unwilling, to future crimes by the same assholes...

Re:

[JeffOwl]

That wasn't exactly the same thing. The Bush Center paid to have the criminals destroy and not leak the personal information of donors.

Re:Terrible trend

[mi]

That wasn't exactly the same thing.

Of course, it was. They surrendered to the criminals' demand — paying them money to avoid additional harm.

The Bush Center paid to have the criminals destroy and not leak the personal information of donors.

Distinction without difference. Criminals were still rewarded for their crimes, making new crimes more likely.

Re:

[youngone]

The George W. Bush Presidential Center sounds like the opening line to a joke.

Re:

[pacman on prozac]

...for presidents who don't lead so good and want to learn to do other stuff good too

Re:

[geekmux]

The Bush Center paid to have the criminals destroy and not leak the personal information of donors.

Distinction without difference. Criminals were still rewarded for their crimes, making new crimes more likely.

Well, that was a kind response.

I was more thinking along the lines of "And you were stupid enough to believe them?"

(Hackers) "Pay us and we'll delete that uber-sensitive private data. We pinky swear!"

Fucking seriously? This is a whole new level of ignorant. Rest assured we'll see this data for sale soon, which will reward them again.

Re:

[JeffOwl]

So to you, there is no merit in doing something to protect someone else vs. doing something for your own convenience. Good to know.

Re:

[mi]

"Protect own convenience" is what Garmin did. In order to protect someone else they should've refused to pay the ransom...

Smart move

[Yurka]

Yes, I know, Dane-geld and all that. And I agree. But no one who is a victim of a crime is obligated to take the fight to the criminals in order to theoretically deter other criminals in other places, especially not when that also involve letting your business go belly-up in the process.
Their security and backup procedures are crap, no argument, but if you want to punish them, punish them for that, not for the payout.

Re:

[WaffleMonster]

Yes, I know, Dane-geld and all that. And I agree. But no one who is a victim of a crime is obligated to take the fight to the criminals in order to theoretically deter other criminals in other places, especially not when that also involve letting your business go belly-up in the process.
Their security and backup procedures are crap, no argument, but if you want to punish them, punish them for that, not for the payout.

Why I can go to jail for selling shit to various countries and organizations and yet people knowingly aiding and abeding a criminal enterprise are immune from being fined and or hauled off to prison? This makes no sense to me and I don't support it. Anyone who pays deserves to be fined and or rot in jail.

Re:

[Corbets]

Someone puts a gun to your daughter’s head and demands your wallet. Would you pay?

I’m not saying the scenarios are functionally equivalent, but these situation so are shades of grey, not black and white. Survival of the company may be on the line. Does it make more sense for the company to collapse and all their employees to lose their jobs?

I don’t know, and I suspect you don’t either.

Re:

[Anne Thwacks]

urvival of the company may be on the line.

That is easily fixed: if they pay, the company should be dissolved for supporting criminal activity. Survival should not be an option.

Re:

[Dunbal]

The payout is a direct consequence of their (lack of a sensible) backup policy. What should have been a loss of a few hours, a day, a week turned into holding the entire corporation hostage. You cannot get more irresponsible than that. Well hopefully they will learn from this mistake and re-design their contingency plans because they just painted a big bullseye on themselves.

The lesson from Kipling

[sconeu]

And that is called paying the Dane-geld;
But we've proved it again and again,
That if once you have paid him the Dane-geld
You never get rid of the Dane.

Re:

[account_deleted]

Comment removed based on user account deletion

BS, they're still down

[ThumpBzztZoom]

Garmin Connect is still down. You can get the login screen, but no further, it goes to the "Garmin Maintenance" screen.

It's been a full week since they announced that "services affected by the recent outage, including Garmin Connect, are returning to operation." This was, and still is, complete bullshit.

So is Garminâ(TM)s security trash or...?

[Dixie_Flatline]

So did Garmin really drop the ball here or are these hackers really that sophisticated? It seems crazy to me that both their internal network and all the user data were taken down simultaneously. Like, itâ(TM)s one thing for all the workers to get taken out, but all their online data and critical manufacturing information as well?

Can you not make sufficiently comprehensive backups to avoid this? What about using a cloud service? Or does Garmin run itâ(TM)s own data centre? Itâ(TM)s worrying t

Re:

[bill_mcgonigle]

Yes, they were that good.

Most aren't but this group only targets deep pockets and does extensive APT analysis, ready to react to any defenses.

You better have your backup systems OOB and deeply rotated offline.

Garmin may have been remiss in their security but only perfect will cut it if you've been targeted by wealthy organized crime (civilian or public sector).

Also, Garmin may have violated sanctions by paying this, so somebody could be looking at jail time. Hopefully not the kid they're planning to pin i

I wish...

[hcs_$reboot]

I wish one day will come with a story about these thugs being arrested.

I can sort of see the logic...

[AxisOfPleasure]

We either lose $15m recovering the last known backups from 60-90 days ago and have to put the whole of our IT back together ( overtime payments, hire in new people, etc ).

OR

We just pay these guys their $10m and get back on track with only a week or two of lost revenue and data.

They're still the scum of the earth of for pulling this scam and Garmin have now legitimized a company paying a ransom to save itself. This will only spur on other scammers to toughen up their game and push for bigger targets. Howeve

Contradictions?

[LostMyBeaver]

So, they believe that had the security controls in place to track and identify data theft, but they lacked either the tools to prevent it... or simply to have reliable backups of the data?

I see this crap online all the time. If your company has ever lost data, it is because your IT staff is stupid. There is absolutely no possible reason that satisfactorily justifies poor backups. This is 2020 and any production system anywhere should have transactional based backups. This is not a challenge. If you run any

Maybe it should be banned

[The Creator]

I'm starting to think the best option is to make it illegal to pay these kinds of ransoms.

Police?

[RobinH]

I love how the police are nowhere to be seen in any of these stories. They wouldn't even know how to begin investigating something like this. Such incompetence everywhere. (Our company had a ransomware infection, and we restored from backups. Took about 2 days to clean it all up.)