On July 23, Garmin services went down. Watches, cycle computers, and other devices stopped downloading data, and the Garmin Connect app began displaying a message explaining that the sudden failure was due to "maintenance." The FlyGarmin pilot software and navigation database (used for Garmin navigation systems) also failed, which is believed to have left some aircraft stranded.
A tweet from the brand confirmed that it was “experiencing an outage affecting Garmin Connect and as a result the Garmin Connect website and mobile app were not working at the moment,” but as the outage continued, speculation began to circulate that it was not just a technical problem, but the result of a ransomware attack that had encrypted critical data on Garmin systems.
We thank all of our clients for their patience and understanding. For more information, visit https://t.co/U3vwBre4U2. July 27, 2020
Sources claiming to have first-hand knowledge of the situation told BleepingComputer that the company's data had been encrypted and that the attackers were demanding a ransom to release it. The sources shared screenshots (supposedly from Garmin systems) showing locked files with the name "GARMIN.WASTED."
ZDNet cited a report from the Taiwanese tech site iThome, which claims that a memo was sent to Garmin's Taiwanese production facilities saying that "servers and databases" were attacked and production lines were closed for two days during recovery.
The possibility of such an attack was very worrying. Garmin has a lot of personal data about its customers - names, birthdays, contact information, GPS data, and health information - and ransomware makers don't always just encrypt their targets' data. If the ransom is not paid, they could sell it or post it online.
Users find that their devices cannot process activity information while the connection to the cloud is interrupted (Image credit: Garmin)
LaComparacion spoke with the brand 48 hours after the outage and received a statement confirming that most of their customer services were still offline:
“Garmin is experiencing an outage affecting Garmin services, including Garmin Connect and Garmin Pilot. Due to the disruption, some features and services on these platforms are not available to customers. Additionally, our product support call centers are affected by the outage and therefore we are currently unable to receive calls, emails, or online chats.
“We are working to restore our systems as quickly as possible and we apologize for the inconvenience caused. Additional updates will be provided as they become available.”
The brand then directed LaComparacion to a short Q&A, which assured users that “Garmin has no indication that this interruption has affected their data, including activity, payment or other personal information.”
Garmin services began to recover four days after the attack (Image credit: Garmin)
On July 27, four days after the outage began, Garmin Connect services began to come back online and the company finally confirmed that it had been the victim of an attack that encrypted its data (although it refrained from mentioning whether the attackers had demanded a ransom):
“Garmin […] announced today that it was the victim of a cyberattack that encrypted some of our systems on July 23, 2020. As a result, many of our online services have been discontinued, including website features, customer service, client applications and corporate communications.
“We immediately began to assess the nature of the attack and to remedy it. We have no indication that any customer data has been accessed, lost, or stolen, including Garmin Pay payment information.
“Additionally, the functionality of Garmin products has not been affected, except for the ability to access online services.”
Garmin assured users that their Garmin Pay data was not compromised in the attack (Image credit: Garmin)
On July 30, as services resumed, Garmin president and CEO Clifton Pemble addressed the attack in a speech during the company's annual earnings call.
"[…] Most of you are aware of the recent cyber attack that caused a network outage that affected much of our website and consumer applications," Pemble said. "We immediately assessed the nature of the attack and began corrective efforts. We have no indication that customer data has been accessed, lost or stolen.
"Additionally, the functionality of Garmin products has not been affected, except the ability to access certain online services. Critical business systems have been restored and we plan to restore the remaining systems in the next few days. We appreciate your patience and kind words of support. We have had clients and friends in this challenge."
Is my data safe?
Presumably. Garmin has taken every opportunity to reassure its users that their data has not been compromised, and a recent TechCrunch report, citing two sources claiming to have "first-hand knowledge of the incident," says that the ransomware used did not seem capable of stealing or extracting data from locked files.
Your daily data during the outage was recorded on your device, be it your body battery, stress levels, or daily step count, and that data now needs to be synced to Garmin's servers.
Strava was not directly affected, but workouts recorded with Garmin devices were not downloaded during the outage. A statistics chart from Strava shows a complete drop in Garmin's business since July 23, and overall downloads are down by a third.
Workouts gradually began syncing to Strava on July 27, but Strava cautioned that due to the size of the backlog, it could take a week or more to sync all activities, so don't worry if yours were slow to appear. If you can't wait that long, you can manually upload your activities to Strava.
Strava downloads from Garmin devices were completely suspended on July 23 (Image credit: TheComparison)
Who was behind it?
This has not been confirmed, but the name GARMIN.WASTED given to the locked files suggests that the ransomware in question is a variant of WastedLocker, which is operated by a Russian gang known as Hacking Corp and can be adapted to attack very specific targets. As Sky News reports, members of the group were sanctioned by the US Treasury last year for committing "two of the worst hacking and bank fraud schemes in the last decade."
If that was correct, it could have put Garmin in a very difficult situation. The sanctions prohibit Americans from transacting with the criminals, and since Garmin is an American company, paying a ransom to unlock files could be just that. It is unclear whether this would apply when a company or individual is being extorted, but anonymous sources who spoke to Sky said that Garmin did not make a direct payment to its attackers to release its data.
What is ransomware?
Ransomware is a type of malicious software (malware) that encrypts data, rendering it useless until the victim pays a fee for the decryption key. Payment is required in Bitcoin, so it cannot be traced and is used to fund criminal activities. There is also no guarantee that the payment will allow you to recover your data.
Home users can be affected by ransomware, but gangs find it much more lucrative to target companies that have a lot of sensitive data and have pockets deep enough to pay a large ransom.
As Malwarebytes explains, WastedLocker attacks demand ransoms ranging from € 50,000 (around € 40,000, AU € 70,000) to more than € 10 million (around € 8 million, AU € 14 million) in Bitcoin.
Removal tools exist, but there are so many different varieties of ransomware, each encrypting files in a different way, that you can only decrypt your files if you know exactly what you were infected with and a developer has been able to come up with a solution.
The best way to deal with ransomware is to take regular, proactive backups, so you can restore your files without paying a penalty. These backups must be completely separate from the rest of your system, otherwise they could also be encrypted.
The attacks can be tailored to a particular organization or even a specific person, who might receive the ransomware installer as part of a very genuine-looking email from a colleague, filled with information that a third party would not be likely to know.
"Ransomware attacks are terribly common," IT security expert Graham Cluley told LaComparacion. “This is one of the most important types of cybercrime in recent years. They have affected individuals and organizations alike, and have sometimes brought in millions of dollars for cybercriminals.
“Obviously, not everyone can afford to pay, which means they risk losing not just valuable work, but irreplaceable files of sentimental value, such as family photos. The moral? Regular and safe backups, and make sure they work.”