What can we learn from the Garmin ransomware attack?

3 August 2020 by Laura Valentine

What a week for Garmin. If you’ve been following the news, you’ll know that on Thursday 23rd July several of its services became unavailable as a result of a rumoured ransomware attack by Russian hackers Evil Corp. Whilst Garmin has been selective in the information it’s shared about the attack, the majority of its platforms and services are once again online, or available with limited functionality, at the time of writing.

What happened? 

Whilst confirmed details are limited, it’s believed that Garmin’s Connect platform and other networks were infected with a ransomware virus known as WastedLocker. First deployed in May 2020, this is a highly targeted form of ransomware. It works by gathering system and network information to identify ways to circumvent security measures, breach the perimeter and encrypt an organisation’s files. The virus then presents the user with a ransom demand message – for Garmin this was reported to be a sum of $10 million for the decryption of its files.

Was the ransom paid? 

Services began resuming on Monday last week and the system status message currently displayed on Garmin’s website reports that only a few services are still running at limited capacity. This would suggest that the ransom payment has been made, although it’s understandable that Garmin would be reluctant to confirm this, so it’s still undetermined. 

So, why pay the ransom? In similar cases, it has been known for the threat actors to implement a countdown timer to provide a deadline before files are deleted. While we don’t know the specifics of this attack, we know that WastedLocker is custom built for each business targeted, so its hold on Garmin’s systems may have been extensive. Past attacks have demonstrated this form of ransomware typically hits file servers and databases, along with virtual machines and cloud environments.  

If Garmin has decided to pay the ransom, either directly or indirectly, it may have been because the company was aware that its backup was compromised or insufficient to allow it to resume operations.  

Pay now and pay for it later 

If you read any advice about ransomware you’ll notice a general theme – never pay the hackers. For starters, you must consider who you’re dealing with. These are cybercriminals, and just because you pay up doesn’t mean they’ll follow through on their promises. There are several other reasons why paying a ransom is problematic: 

  • You may pay and they may leave your files encrypted, causing additional downtime. 
  • You may pay and they may delete your files anyway. 
  • The hackers could leave a time bomb in your system. Once you pay you may face a secondary attack later.  
  • The original attack could inspire other threat actors to target your organisation.
  • While inside your system, the attackers could be harvesting data to sell later, causing a data breach that may cost your business even more.

The biggest problem is that paying up perpetuates this kind of attack. If businesses continue paying ransoms, there remains a profit in this type of cyber-attack. According to Sophos’ The State of Ransomware in 2020 report, 51% of organisations became victims over the last year. Of the businesses whose files were successfully encrypted, 26% paid the ransom. It’s important to bear in mind that, due to the nature of ransomware attacks, not all incidents are reported, so actual figures may be even higher.

Interestingly, Sophos’ report also shows that it may well be cheaper to absorb the costs of retrieving data from your backup and all the associated costs of downtime, rather than pay the ransom. The average cost of restoring systems and operations manually is half of the average ransom demand.  

How to stay protected 

As always, prevention is better than cure. Make sure your business is protected by following these steps: 

  • Ensure you have cybersecurity insurance that covers ransomware attacks. 
  • Back up business-critical data not only in the cloud but also in a physical off-site location.
  • Invest in a robust security solution that provides full network visibility, monitors and responds to threats.  
  • Choose a secure hosting partner who can help support you in the event that your business becomes a target of a cyber-attack of any nature. 

Discover how UKFast’s expert security solutions keep your business protected from 2020’s biggest cyber-threats.