Garmin confirms ransomware attack.
US-based GPS company Garmin sustained a ransomware attack on July 23rd that knocked most of its services offline for five days, Ars Technica reports. The company confirmed the attack on Monday, stating that "many of our online services were interrupted including website functions, customer support, customer facing applications, and company communications.... We have no indication that any customer data, including payment information from Garmin Pay, was accessed, lost or stolen. Additionally, the functionality of Garmin products was not affected, other than the ability to access online services. Affected systems are being restored and we expect to return to normal operation over the next few days."
BleepingComputer and TechCrunch reported that the attack involved WastedLocker, a new strain of ransomware operated by the Evil Corp cybercriminal gang (which was sanctioned by the US Treasury Department late last year). Some reports claimed the criminals demanded a $10 million ransom, according to the BBC. Sky News cites sources as saying Garmin was able to obtain the decryption key but "did not directly make a payment to the hackers," leading to speculation that the company may have paid the ransom through a third party. Garmin didn't respond to these claims, telling Sky News that the company "does not comment on rumour and speculation."
The incident raised questions about the legality of paying a ransom to a sanctioned entity, even if the payment is made through a third party. Sky News says the US Treasury Department "did not respond to questions about whether the general prohibition applied in the circumstances of extortion." Brett Callow from Emsisoft told TechCrunch that the sanctions "seem to create a legal minefield for any company which may be considering paying a WastedLocker ransom."
It's also worth noting, as Motherboard does, that while Evil Corp is notably absent from the growing list of ransomware gangs that use data theft as an extortion tactic, Garmin stores highly sensitive GPS data from its customers, including fitness tracking information and shipping, aviation, and route-planning navigation data. Garmin maintains that there's no indication of any data being stolen, but Emsisoft's Callow told Sky News, "Absence of indication is not indication of absence."