Garmin Reportedly Paid Millions To Obtain Decryption Key, Resolve Recent Ransomware Attack (digitaltrends.com)
Garmin has reportedly paid a ransom to receive a decryption key to recover its files, after it was hit by the WastedLocker ransomware last month. Digital Trends reports: [BleepingComputer] found that the attackers used the WastedLocker ransomware and reported that they demanded $10 million as a ransom. Now, it also uncovered that Garmin is using a decryption key to regain access to its files, suggesting that the company may have paid that ransom demand or some other amount. The WastedLocker software uses encryption which has no known weaknesses, so the assumption is that to break it, the company must have paid the attackers for the decryption key. [...] The company reassured customers that no customer data was stolen, and that no payment information from the Garmin Pay payment system was accessed or stolen either.
On Twitter, the company announced last week, "We are happy to report that many of the systems and services affected by the recent outage, including Garmin Connect, are returning to operation. Some features still have temporary limitations while all of the data is being processed."
Re:A bargain at twice the price... (Score:5, Funny)
Garmin programmers are idiots (Score:2)
I'm not surprised by any of this. Garmin has never cared about privacy/security, so they get breached. Of course their IT dept. is so incompetent that on top of that, they don't keep backups.
I purchased a Garmin just this year, and this weekend inserted a memory card for the first time...
And that was enough to brick the device, hard. And I mean *literally* bricked the device, it will not boot and cannot be reset by any means short of sending it back to the factory. And yes, the system will not boot into reset mode either.
Garmin gets no more money from me, ever. They're idiots.
I have no idea what went wrong. Absolutely *nothing* wrong was done to the device, the card was a normally formatted 8GB
Re: Garmin programmers are idiots (Score:1)
Re: (Score:3)
No.
We have known for over 30 years that Windows is not capable of the level of security required to manage data that is not just downloads of Youtube videos/porn. Even with porn, you probably want a degree of security against ransom demands.
If you have to pay a ransom, it's because you used Windows and either did not have backups, or didn't test your backup system properly.
Even if it was some other failure, if you use Windo
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Do you know if they had a persistent threat?
Do you know they didn't have offline backups?
For all you know they'd infiltrated the systems a few months ago and tampered with the backups; added a few exclusions to the rules for example; or modified the encryption keys.
Now all your offline backups for the last couple months are useless. Sure you could go back even further, but a LOT of businesses are exponentially dependent on the last 30-60 days, new customers, travel, A/R data, A/P, payroll, orders placed but
Re: (Score:2)
I really like ZFS Snapshots for my home storage server
Re: (Score:2)
You know your ZFS snapshots of your backups start to get real big when you have encrypting malware on your network.
I wonder if Garmin needs a new CISO. Too bad their HQ is in Kansas.
Re: (Score:2)
That's another advantage: set up storage alarms when the volume is growing faster than usual and you have a way to detect the ransomware before damage spreads further.
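An added example, not from the commenter, of the storage alarm described above: it parses constructed `zfs list` snapshot output (the dataset names and sizes are made up for this example) and flags snapshots whose unique size jumps far above the recent median churn.

```python
import re
from statistics import median
from typing import List, Tuple

# Constructed sample of `zfs list -t snapshot -o name,used -s creation`
# output (not captured from any real system), oldest first. USED is the
# space unique to each snapshot, i.e. roughly how much changed since the
# previous one; the last two rows show the jump an encrypting process
# leaves, since every file it touches is rewritten in full.
SAMPLE_OUTPUT = """\
NAME                          USED
tank/home@auto-2020-07-20     41M
tank/home@auto-2020-07-21     38M
tank/home@auto-2020-07-22     52M
tank/home@auto-2020-07-23     36M
tank/home@auto-2020-07-24     44M
tank/home@auto-2020-07-25     9.8G
tank/home@auto-2020-07-26     12G
"""

_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}

def parse_size(text: str) -> int:
    """Convert a zfs human-readable size such as '9.8G' into bytes."""
    m = re.fullmatch(r"([0-9.]+)([KMGT]?)", text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2)])

def parse_snapshots(output: str) -> List[Tuple[str, int]]:
    """Return (snapshot name, bytes unique to it), skipping the header row."""
    rows = []
    for line in output.splitlines()[1:]:
        name, used = line.split()
        rows.append((name, parse_size(used)))
    return rows

def growth_alarms(rows: List[Tuple[str, int]], baseline_len: int = 5,
                  factor: float = 10.0) -> List[Tuple[str, float]]:
    """Flag snapshots whose unique size is more than `factor` times the
    median of the preceding `baseline_len` snapshots. A median baseline
    stops one legitimately big day (a large import) from masking a spike."""
    alarms = []
    for i in range(baseline_len, len(rows)):
        baseline = median(used for _, used in rows[i - baseline_len:i])
        name, used = rows[i]
        if used > factor * baseline:
            alarms.append((name, round(used / baseline, 1)))
    return alarms
```

Feed it the real command output on a schedule and page on any non-empty result; the threshold and window are tuning knobs, not fixed facts.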
Re: (Score:2)
For all you know they'd infiltrated the systems a few months ago and tampered with the backups; added a few exclusions to the rules for example; or modified the encryption keys.
What ransomware has done that? If none, then making up lies to play Devil's Advocate just makes you an asshole.
Stick to reality, not making up impossible "what if"s.
Re:A bargain at twice the price... (Score:5, Informative)
What ransomware has done that?
"Ransomware" doesn't do that. Hackers do that. Launching the ransomware to encrypt the live data is just the FINAL act they take.
You think these breaches on cities and hospitals are just some nurse or city employee clicking on a malware attachment in his email that launches a ransomware attack? Ok, yep, in some cases, that's exactly what happens. And yes, any half decent backup system will save those people, but that's child's play.
In a lot of the big high profile ones the breach is orchestrated by people, not a simple "ransomware". Where they've compromised an IT admin's account, or a 3rd party IT contractor with admin access (maybe phishing/social engineering, or brute forcing, password reuse from breaches, etc, etc) and once in they use that to explore the systems, tamper with things, delete cloud backups, uninstall backup agents, modify backup scripts and disable other antivirus and RMM alerts, and even breach and monitor the email and messenger apps so they can see if anyone's onto them. Once they've got things set up for maximum damage, they pull the trigger and let the ransomware loose on the network. Or if they get wind that IT thinks something's up they'll pull the trigger early to do what damage they can before they're locked out.
Here's a pretty tragic post by a Datto reseller:
https://www.reddit.com/r/msp/c... [reddit.com]
There, the hackers appear to have breached the reseller; used that to breach several customers, wipe their Datto backup appliances, and delete their cloud backups, and THEN let loose a ransomware product on each customer's actual servers. The Datto Siris line has a "cloud-to-cloud" replication feature, where the replica can't be deleted by the customer for precisely this scenario.
In some respects he was lucky, the hackers appear to have hit it all in one night; in worst case scenarios, the hackers bide their time: poisoning the backups first so that even offline and unreachable cloud-cloud replicas are not complete when they recover them
Stick to reality, not making up impossible "what if"s.
I sincerely WISH I was making up impossible "what ifs" but these attacks are going on NOW. This is reality. You need to think about how you are mitigating these attacks, because "ZFS snapshots" are great, but that isn't going to cut it against a real attack.
Re: (Score:2)
Snapshots are good, if used with backups and secure storage. When I worked for a F500, the weekly backups were picked up by an armed guard every Monday, placed in a locked box the guard company didn't have a key for, then transported to an offsite vault. The box contained 7 years of backups, rotated according to a policy designed by lawyers to retain sufficient records for any legal or tax action that might happen, then tweaked by IT for usabil
Why don't these companies do backups? (Score:2)
Is it really that hard? Probably cheaper than ransomware insurance. Or paying the ransom.
Couldn't we formalize and regulate it? (Score:3)
There could be a Bureau of Ransomware, with yearly taxes and standardized ransom fees.
Re: (Score:2)
You've read too much discworld!
Re: (Score:2)
You've read too much discworld!
No such thing.
Re: (Score:2)
The backup servers get encrypted and are no longer functional. If data is taken off site, those backups are frequently bad. The hackers use spearphishing to gain entry into the network. Once there, they drop in a trojan time bomb. When backups are restored, the time bomb goes off re-encrypting the data. It's a whack-a-mole game. The City of Atlanta had off site backups, their ransomware attack took them down for months. As a business, can you be down for month extracti
Re: (Score:2)
It depends on the backups:
The backup servers get encrypted and are no longer functional. If data is taken off site, those backups are frequently bad. The hackers use spearphishing to gain entry into the network. Once there, they drop in a trojan time bomb. When backups are restored, the time bomb goes off re-encrypting the data. It's a whack-a-mole game. The City of Atlanta had off site backups, their ransomware attack took them down for months. As a business, can you be down for month extracting data or do you pay and get it all back.
The correct answer is no, backups are not hard and there is no possible excuse for these fuckups. Computer viruses have been a thing for decades.
Re: (Score:2, Interesting)
To restore, you have to rebuild the infrastructure machine by machine - restorti
Re: (Score:2)
Or use a proper IT infrastructure.
Re-image all affected computers. This is a breeze with stuff like Norton Ghost which has also been a thing for, literally, decades now.
And since your user data is stored in a centralized server, which has proper snapshotting and backups, a ransomware attack is as easy to recover from as doing a rollback.
It's REALLY not that difficult. But companies won't spend in that. Because they won't go for a homegrown solution, and commercial solutions necessarily cost millions, which compan
Re: (Score:2)
Re: (Score:2)
So, since you can't "roll back" 72 hours then you just can't back up at all?
Filesystem snapshots are almost free. You can have 1 snapshot a minute if you want.
Re: (Score:2)
In addition to the snapshots you're also logging all transactions to an append-only journal on an air-gapped computer, over a simple serial-style connection using a protocol which doesn't allow for executable code or anything else besides the raw transaction data. So after rolling back the servers as far as necessary to deal with the ransomware problem you can just replay the transaction log to restore all the missing entries.
Ideally all your live data would go through this logging system first so that you
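An added model, not from the commenter, of the rollback-plus-replay idea above: a hash-chained append-only journal that accepts only raw key/value records and is replayed on top of a snapshot after the live copy is lost (the record layout, operations and order numbers are assumptions of this example).

```python
import hashlib
import json

# Constructed model (not from any real system) of the scheme above: an
# append-only journal of plain key/value transactions, hash-chained so any
# alteration or truncation is detectable, replayed onto a rolled-back snapshot.
def record_digest(rec):
    """SHA-256 over the record with its own 'digest' field left out."""
    body = {k: v for k, v in rec.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append(journal, op, key, value=None):
    """Append one transaction; the journal only grows, nothing rewrites history."""
    if op not in ("put", "delete") or not isinstance(key, str) or not isinstance(value, (str, type(None))):
        raise ValueError("journal accepts raw key/value transactions only")
    prev = journal[-1]["digest"] if journal else ""
    rec = {"seq": len(journal) + 1, "prev": prev, "op": op, "key": key, "value": value}
    rec["digest"] = record_digest(rec)
    journal.append(rec)

def verify_chain(journal):
    """False if any entry was altered, dropped, inserted or reordered."""
    prev = ""
    for i, rec in enumerate(journal, start=1):
        if rec["seq"] != i or rec["prev"] != prev or rec["digest"] != record_digest(rec):
            return False
        prev = rec["digest"]
    return True

def replay(snapshot, snapshot_seq, journal):
    """Roll back to `snapshot` (taken right after `snapshot_seq`) and re-apply later entries."""
    if not verify_chain(journal):
        raise ValueError("journal integrity check failed; refusing to replay")
    state = dict(snapshot)
    for rec in journal[snapshot_seq:]:
        if rec["op"] == "put":
            state[rec["key"]] = rec["value"]
        else:
            state.pop(rec["key"], None)
    return state

def demo():
    # Two transactions, a snapshot, three more, then the live copy is lost and rebuilt.
    journal = []
    append(journal, "put", "order-1001", "paid")
    append(journal, "put", "order-1002", "pending")
    snapshot, snapshot_seq = {"order-1001": "paid", "order-1002": "pending"}, 2
    append(journal, "put", "order-1002", "shipped")
    append(journal, "put", "order-1003", "paid")
    append(journal, "delete", "order-1001")
    return replay(snapshot, snapshot_seq, journal)
```

The chain only proves the journal was not edited after the fact; keeping it on a separate write-only host, as the comment suggests, is what stops an attacker from appending to it.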
Re: (Score:2)
No backups? (Score:2)
Re: (Score:3)
incompetent and yet they know the data is safe (Score:5, Insightful)
Re: (Score:2)
When has a hacker attack EVER resulted in lost customer data? (rolls eyes)
Re: (Score:3)
Incompetence strikes again (Score:2)
I can't believe all these big name companies that pay the ransom. That kind of gross incompetence needs to be punished with firings. Start at the top and go down until you hit the level of folks that don't have access or say in the backup process.
Unreal. The first thing you do when you start a new IT job is find out about the backups, and test them yourself so you know they're working. Then you continually test them. I would expect that from an intern, nevermind an admin or the managers above them.
Re: (Score:2)
Terrible trend (Score:5, Informative)
Bush Senior's Foundation just cowered similarly [washingtontimes.com].
This is a terrible trend, that finances criminals enabling them to target more and more victims... I'd go as far as to suggest, this makes them an accessory, however unwilling, to future crimes by the same assholes...
Re: (Score:2)
Re:Terrible trend (Score:5, Informative)
Of course, it was. They surrendered to the criminals' demand — paying them money to avoid additional harm.
Distinction without difference. Criminals were still rewarded for their crimes, making new crimes more likely.
Re: (Score:2)
Re: (Score:2)
...for presidents who don't lead so good and want to learn to do other stuff good too
Re: (Score:3)
Distinction without difference. Criminals were still rewarded for their crimes, making new crimes more likely.
Well, that was a kind response.
I was more thinking along the lines of "And you were stupid enough to believe them?"
(Hackers) "Pay us and we'll delete that uber-sensitive private data. We pinky swear!"
Fucking seriously? This is a whole new level of ignorant. Rest assured we'll see this data for sale soon, which will reward them again.
Re: (Score:2)
Re: (Score:2)
"Protect own convenience" is what Garmin did. In order to protect someone else they should've refused to pay the ransom...
Smart move (Score:2)
Yes, I know, Dane-geld and all that. And I agree. But no one who is a victim of a crime is obligated to take the fight to the criminals in order to theoretically deter other criminals in other places, especially not when that also involve letting your business go belly-up in the process.
Their security and backup procedures are crap, no argument, but if you want to punish them, punish them for that, not for the payout.
Re: (Score:2)
Yes, I know, Dane-geld and all that. And I agree. But no one who is a victim of a crime is obligated to take the fight to the criminals in order to theoretically deter other criminals in other places, especially not when that also involve letting your business go belly-up in the process.
Their security and backup procedures are crap, no argument, but if you want to punish them, punish them for that, not for the payout.
Why can I go to jail for selling shit to various countries and organizations and yet people knowingly aiding and abetting a criminal enterprise are immune from being fined and or hauled off to prison? This makes no sense to me and I don't support it. Anyone who pays deserves to be fined and or rot in jail.
Re: (Score:2)
Someone puts a gun to your daughter’s head and demands your wallet. Would you pay?
I’m not saying the scenarios are functionally equivalent, but these situations are shades of grey, not black and white. Survival of the company may be on the line. Does it make more sense for the company to collapse and all their employees to lose their jobs?
I don’t know, and I suspect you don’t either.
Re: (Score:2)
That is easily fixed: if they pay, the company should be dissolved for supporting criminal activity. Survival should not be an option.
Re: (Score:3)
The lesson from Kipling (Score:2)
Re: (Score:2)
BS, they're still down (Score:1)
Garmin Connect is still down. You can get the login screen, but no further, it goes to the "Garmin Maintenance" screen.
It's been a full week since they announced that "services affected by the recent outage, including Garmin Connect, are returning to operation." This was, and still is, complete bullshit.
So is Garmin's security trash or...? (Score:2)
So did Garmin really drop the ball here or are these hackers really that sophisticated? It seems crazy to me that both their internal network and all the user data were taken down simultaneously. Like, it's one thing for all the workers to get taken out, but all their online data and critical manufacturing information as well?
Can you not make sufficiently comprehensive backups to avoid this? What about using a cloud service? Or does Garmin run its own data centre? It's worrying t
Re: (Score:2)
Yes, they were that good.
Most aren't but this group only targets deep pockets and does extensive APT analysis, ready to react to any defenses.
You better have your backup systems OOB and deeply rotated offline.
Garmin may have been remiss in their security but only perfect will cut it if you've been targeted by wealthy organized crime (civilian or public sector).
Also, Garmin may have violated sanctions by paying this, so somebody could be looking at jail time. Hopefully not the kid they're planning to pin i
I wish... (Score:2)
I can sort of see the logic... (Score:2)
We either lose $15m recovering the last known backups from 60-90 days ago and have to put the whole of our IT back together ( overtime payments, hire in new people, etc ).
OR
We just pay these guys their $10m and get back on track with only a week or two of lost revenue and data.
They're still the scum of the earth for pulling this scam and Garmin have now legitimized a company paying a ransom to save itself. This will only spur on other scammers to toughen up their game and push for bigger targets. Howeve
Contradictions? (Score:2)
I see this crap online all the time. If your company has ever lost data, it is because your IT staff is stupid. There is absolutely no possible reason that satisfactorily justifies poor backups. This is 2020 and any production system anywhere should have transactional based backups. This is not a challenge. If you run any
Maybe it should be banned (Score:2)
I'm starting to think the best option is to make it illegal to pay these kinds of ransoms.
Police? (Score:2)