What a week for Garmin. If you’ve been following the news, you’ll know that on Thursday 23rd July several of its services became unavailable as a result of a rumoured ransomware attack by the Russian hacking group Evil Corp. Whilst Garmin has been selective in the information it’s shared about the attack, the majority of its platforms and services are once again online, or available with limited functionality, at the time of writing.
Whilst confirmed details are limited, it’s believed that Garmin’s Connect platform and other networks were infected with a ransomware virus known as WastedLocker. First deployed in May 2020, this is a highly targeted form of ransomware. It works by gathering system and network information to identify ways to circumvent security measures, breach the perimeter and encrypt an organisation’s files. The virus then presents the user with a ransom demand message – for Garmin this was reported to be a sum of $10 million for the decryption of its files.
Services began resuming on Monday last week, and the system status message currently displayed on Garmin’s website reports that only a few services are still running at limited capacity. This would suggest that the ransom payment has been made, although this remains unconfirmed, and it’s understandable that Garmin would be reluctant to confirm it.
So, why pay the ransom? In similar cases, threat actors have been known to set a countdown timer, giving a deadline before files are deleted. While we don’t know the specifics of this attack, we know that WastedLocker is custom built for each business targeted, so its hold on Garmin’s systems may have been extensive. Past attacks have demonstrated that this form of ransomware typically hits file servers and databases, along with virtual machines and cloud environments.
If Garmin has decided to pay the ransom, either directly or indirectly, it may have been because the company was aware that its backup was compromised or insufficient to allow it to resume operations.
If you read any advice about ransomware you’ll notice a general theme – never pay the hackers. For starters, you must consider who you’re dealing with. These are cybercriminals, and just because you pay up doesn’t mean they’ll follow through on their promises. There are several other reasons why paying a ransom is problematic:
The biggest problem is that paying up perpetuates this kind of attack. If businesses continue paying ransoms, there remains a profit in this type of cyber-attack. According to Sophos’ The State of Ransomware in 2020 report, 51% of organisations became victims over the last year. Of the businesses whose files were successfully encrypted, 26% paid the ransom. It’s important to bear in mind that, due to the nature of ransomware attacks, not all incidents are reported, so actual figures may be even higher.
Interestingly, Sophos’ report also shows that it may well be cheaper to absorb the costs of retrieving data from your backup and all the associated costs of downtime, rather than pay the ransom. The average cost of restoring systems and operations manually is half of the average ransom demand.
As always, prevention is better than cure. Make sure your business is protected by following these steps: