Garmin outage prompts ransomware attack speculation

A loss of service to parts of Garmin’s website and Garmin Connect service has been ongoing for almost 24 hours, but details of the incident are thin on the ground,  prompting speculation that the navigation tech specialist has fallen victim to a ransomware attack, which Garmin is not contradicting.

In a brief statement released on its website, a Garmin spokesperson said: “We are currently experiencing an outage that affects Garmin.com and Garmin Connect. This outage also affects our call centres, and we are currently unable to receive any calls, emails or online chats. We are working to resolve this issue as quickly as possible and apologise for this inconvenience.”

It is also understood the outage is affecting Garmin’s flyGarmin service, which supports some aircraft navigation systems used by commercial pilots, while production at the firm’s facility in Taiwan appears to have been suspended for at least two days, according to local media reports.

However, the story as per Garmin employees strongly implies that the cause of the outage is WastedLocker, a relatively new strain of ransomware that is spreading fast around the world, and as previously reported by Computer Weekly, is highly likely to be a new project by the Evil Corp cyber crime group. Russia-based Evil Corp is the same organisation behind Dridex and Bit Paymer.

Pieter Arntz, a malware researcher at Malwarebytes, described WastedLocker as a sophisticated and highly targeted type of ransomware, and noted that its operators go to great lengths to assess active defences and how to bypass them during their penetration attempts, as well as targeting backups, which he suggested may make victims more likely to pay up. Their ransom demands are also higher than average, ranging from between $500,000 and $10m in Bitcoin – although, unlike others, they have not yet taken to exfiltrating and leaking data.

KnowBe4 security awareness advocate Javvad Malik, said that if confirmed as a fully-fledged cyber attack, the incident could be uniquely damaging to Garmin.

“Details around the Garmin incident are scarce at the moment, but initial reports are suggesting it is related to ransomware. If it is, then the concern is whether or not data was stolen at the time where the ransomware was installed,” he said.

“Wearable devices gather a lot of information about their owners, and having this data stolen could have wide-ranging implications,” said Malik.

Carl Wearn, head of e-crime at Mimecast, elaborated: “This particular attack is … worrying because of the type of data that could be lost, including both location and personal health data. When consumers trust organisations with this data, it is vital that it is kept secure. Incidents like this can have devastating consequences for the reputation of an organisation.

“In this instance, the victim has experienced lengthy downtime as a result of this attack, which will have a massive impact on the business. Our research found that the average downtime an organisation suffers from a ransomware attack is three days, but this can be indefinite and lead to failure of a business,” he added.

Gurucul CEO Saryu Nayyar said: “You just don’t know when the bad guys are going to attack and who will be their next victim. However, what we do know is every organisation is susceptible to ransomware attacks. So do what you can to prepare and respond.

“Hopefully, Garmin has a daily backup regimen for the company’s systems and data. That’s table stakes. If you get hit, at least you can recover your data

“If you can get ahead of the attackers, even better. Behaviour analytics monitors every user and entity in the environment in real-time, to detect and stop bad actors before they can execute their payload. Machine-based responses are becoming table stakes to machine-based threats these days,” she said.

Don Smith, senior director of the Secureworks Counter Threat Unit, commented: “If Garmin have been the subject of a post-intrusion ransomware attack, then they are not alone. They will be one of many who have fallen prey to such cyber criminals.

“What’s troubling is that attacks of this form are on the increase. Over the past two years, our incident response teams have been engaged to help increasing numbers of victims. We have seen a 100% year-on-year increase in such engagements over the past two years.

“The reason for this increase and the assessment that we are only going to see more of this criminality is plain. Post-intrusion ransomware is a highly profitable and effective way to extort money from large enterprises. Given a network intrusion, the return on investment of post-intrusion ransomware makes it a compelling route to monetisation for cyber criminals.”