I’m a runner and Garmin user. My current watch is a ForeRunner 645M. I love their devices and services. I first noticed that Garmin was having technical issues when a run wouldn’t sync with the app on my phone and their Garmin Connect website. I soon saw a number of tweets about the outage.
After a day or so, I saw speculation about a ransomware attack, and that Garmin was refusing to pay. Unfortunately, it appears the bad guys may have gotten their payday. This was a bad situation that could have been much worse. Thankfully, it appears only Garmin’s commercial fitness business was compromised. That at least shows they are compartmentalizing the affected systems from their military, aviation, and marine products.
As the situation dragged on, more users were noticing, and after a couple of days many were complaining on social media, especially Twitter. However, I was surprised to see a number of users cheering on Garmin. These users were under the impression that Garmin was refusing to pay the ransom and, instead, was rebuilding the affected databases. Many users seemed to prefer a prolonged outage to rewarding the hackers.
Unfortunately, it has been reported that Garmin paid the ransom. While this has gotten Garmin’s services up and running and without a loss of customer data, it rewards the hackers. From a public relations view of how these situations are handled, this episode certainly makes it appear that the best course of action is to avoid paying ransoms, even if it leads to downtime.
Of course, it isn’t as simple as not paying. Service providers need to have back up systems that are secured separately, updated frequently to minimize data loss, and the means to quickly move that back up data into production systems. Depending on the hack, that can be extremely difficult, and it will almost always be costly.
There are other wrinkles in the story that make this hack troubling. In particular, it looks like the hackers may already be subject to sanctions imposed by the U.S. government. That could put Garmin, or it’s third-party contractor, Arete IR, that validated the decryption keys and paid the ransom, in violation of those sanctions. It also highlights the odd incentives creates for companies like Arete IR.
These companies provide a service in the event of a ransomware hack. While that puts them in a position of benefiting from these crimes, that doesn’t bother me too much. Someone has to serve as a mutually trusted go-between. What did get my attention was the white paper Arete IR published the day after the attack started. The ransomeware was identified as WastedLocker, which some have tied to Evil Corp, a Russian group that has been under U.S. sanctions. The brief paper attempts to throw cold water on the connection, but does not do so convincingly. It read like a defensive piece written quickly to allow Arete IR and Garmin to claim they had a good faith belief that whoever was attacking Garmin with WastedLocker was not the sanctioned entity.