Garmin ransomware attack confirmed – WastedLocker

Update 07/27: Garmin Ltd. was the victim of a cyber attack that encrypted some of its systems on July 23, 2020. Garmin has gradually started to bring its services back online, and the outage caused by the ransomware attack seems to be ending soon.

Garmin services have been down for two days already. Our sources informed us that the attackers are requesting $10 million to free Garmin systems from the cyberattack that has taken them down, causing the outage. Although the company didn’t confirm it, inside sources said that Garmin was hit by the WastedLocker ransomware, which encrypted all files. Orange SA was also hit by a ransomware attack recently.

Garmin does not sell only watches and fitness devices; they also have a navigation company. Garmin was hit by a ransomware attack on Thursday, leaving customers unable to log fitness sessions in Garmin apps (Garmin Connect) and pilots unable to download flight plans for aircraft navigation systems, among other serious problems. The company’s communication systems have also been taken offline, leaving it unable to respond to unhappy customers.

Garmin employees have told BleepingComputer that the company was struck down by the WastedLocker ransomware. Screenshots sent to BleepingComputer show long lists of the company’s files encrypted by the malware. There is also a ransom note attached to each file.

The ransom note tells the recipient to email one of two email addresses to “get a price for your data”. That price, Garmin’s sources have told BleepingComputer, is $10 million.

Garmin Employee confirmed WastedLocker ransomware attack, unofficially

A source close to the Garmin incident response and a Garmin employee confirmed to BleepingComputer that the WastedLocker ransomware attacked Garmin. This explains why their services are down. Garmin employees found out on Thursday morning that they had been attacked. The Garmin IT department tried to remotely shut down all computers on the network as the devices were already being encrypted. Personal computers connected via VPN were also encrypted.

BleepingComputer shared a photo of a Garmin computer with encrypted files. You can see there that the .garminwasted extension was appended to each file’s name. In addition, a ransom note was created for each file.

Source: BleepingComputer

The problem is even more serious for Garmin’s aviation device customers. Pilots told ZDNet that they are unable to download a version of Garmin’s aviation database onto their airplane navigation systems. Keep in mind that this is an FAA requirement, so Garmin could have more problems.

“We are currently experiencing an outage that affects Garmin Connect.” They also said that the outage “also affects our call centers and we are currently unable to receive any calls, emails, or online chats.”

Garmin tweet on Thursday

Garmin confirmed today, 07/28, the information provided above regarding the outage.

What is WastedLocker ransomware?

WastedLocker is a new type of ransomware, described in depth by security researchers at Malwarebytes. The well-known hacking group Evil Corp, run by Russian hacker Maksim Yakubets, is behind WastedLocker. According to US Federal Bureau of Investigation (FBI) records, Maksim works under the pseudonym “AQUA”. The FBI has also announced a $5 million reward for any information leading to the arrest or conviction of Yakubets. Maksim Yakubets may be behind the Garmin hack.

Like other file-encrypting malware, WastedLocker infects computers and locks the user’s files, demanding a ransom to unlock them. Usually, the hackers ask for the ransom to be paid in cryptocurrency so that it cannot be tracked. Remember the Twitter hack, when the hackers used the accounts of celebrities and billionaires to request payments in cryptocurrency, at that time in Bitcoin.

Malwarebytes said that WastedLocker does not yet appear to be able to steal or export data before encrypting the victim’s files. This is good for companies with backups, as they may be able to restore the files without paying the ransom. However, companies without backups have faced ransom demands of as much as $10 million.

The FBI has also discouraged victims from paying ransoms related to malware attacks to avoid perpetuating this type of hack.

Update 07/26: Garmin posted an update regarding the outage

Although Garmin didn’t say directly what caused the outage, the company posted an update on its website, Garmin.com:

Garmin is currently experiencing an outage that affects Garmin services including Garmin Connect. As a result of the outage, some features and services across these platforms are unavailable to customers. Additionally, our product support call centers are affected by the outage and as a result, we are currently unable to receive any calls, emails or online chats.

We are working to restore our systems as quickly as possible and apologize for the inconvenience. Additional updates will be provided as they become available.

Garmin update on garmin.com
Garmin outage FAQ
Source: screenshot on garmin.com

08/27 Outage update: Garmin gradually starts to be back online, although limited.

Users from across the world are saying that the sync seems to be recovering. Although the percentage is pretty low, it is great to see that Garmin is able to bring its services back online. Also, the Connect online platform seems to work, although it is not syncing well.

08/27 update 2: Garmin is back online

We are happy to announce that Garmin managed to bring its services back online.

Garmin Connect app
Garmin message on Connect app

07/28: Garmin confirms that they were victims of a cyberattack that encrypted systems on July 23, 2020.

Featured image credits: BleepingComputer
