Garmin services specifically their Connect App, their aviation focused apps and products were down from 24th July to 27 July. This outage also affected all their call centers, emails and support rooms.
The attack started on Wednesday, 23 July, with multiple users being unable to sync and use the Garmin Connect app on their phones.
Reports on Wednesday also suggested outages and problems with the Garmin suite of marine, aviation and navigation services. The Garmin Pilot app, which allows pilots to copy flight plan databases, had been rendered unusable.
At the time this article was written, Garmin have been able to restore their apps and services with limited functionalities. As listed out on the Garmin website:
As all these app outages continued to be reported by the users, Garmin issued a statement on their Twitter account.
The outage had spread to affect all Garmin call centers, and almost every mode of direct communication to Garmin had been compromised. All emails sent to any Garmin email address from the 23rd of July to the 27th of July failed to reach their destination. But as the last year has shown, sufficiently skilled attackers can compromise physical systems and operation of companies as well. According to reports from a local news outlet in Taiwan, Garmin’s prediction lines were completely stopped for two days, the 24th and 25th. This was according to an internal email that was leaked to the public.
As the attack continued and Garmin services still weren’t up, several security researchers and companies looked to find the attack that had targeted Garmin.
Due to some excellent work from the researchers at BleepingComputer, the exact attack was found out to be a Ransomware attack, specifically using the Wasted Locker Ransomware. They researchers were able to retrieve photos of the actual encrypted files on a Garmin system.
They were also able to get their hands on the ransom note that was created during the attack.
This ransom note is very similar to the ones received by previous WastedLocker victims. Due to the relative recency and obscurity of the WastedLocker ransomware there hasn’t been any decryption tool made for it yet. All decryption tools created for ransomwares are listed out on NoMoreRansom.org.
As the WastedLocker ransomware seems to use asymmetric encryption in it’s attacks, the probability of a decryption tool being created is extremely low. In almost every other ransomware that uses asymmetric encryption, blue team security experts have only been able to help victims by locating the servers of the attackers that store the key pairs.
More information on the workings of the WastedLocker ransomware can be found here.
The most likely scenario is that the attackers were able to compromise a single system first through phishing techniques, and once they had a foothold in the network, the attackers were able to laterally move across the network and compromise a large number of systems across a period of several weeks. It has also been reported that Garmin has restricted access to all databases and employee computers that are connected through a VPN to prevent further spread of the ransomware.
This is where the main scam occurs. If you start messaging the scammers on whatsapp they will have a set of stories that they use to trick victims. These stories and setups are listed below; all of them are sourced from real scammers that we have dealt with in the past:
Garmin announced that it had been hit with a ransomware attack through a short public statement. And that Garmin had now remediated most of the problems, and almost all services are up and running. The hacker group behind the WastedLocker Ransomware, Evil Corp, have previously been sanctioned by the US treasury. This makes any ransom payment illegal from any US based company. That raises the question of how Garmin was able to get their systems back online, with several reports staging that they have successfully obtained a decryption key.
Garmin services are now almost entirely online indicating a strong possibility that Garmin obtained the decryption several days prior to their public announcement. As in almost all of these cases a single compromised system can lead to network and company wide outages, we recommend never giving up the ransom demanded from you, as this just lets the attackers know that their ransomware works, and there is no guarantee that you will get the decryption key from the attackers. If you or your have been hit by a ransomware attack we recommend going through NoMoreRansom.org for a decryption tool or contacting us through firstname.lastname@example.org, for further assistance.